Blackbaud Data Breach: Do You Need to Notify Affected Individuals or EU Data Protection Authorities? – Lexology
On July 16, 2020, Blackbaud, a U.S.-based cloud computing provider and one of the world's largest providers of education administration, fundraising, and financial management software, notified users of its services that it had suffered a ransomware attack in May 2020 in relation to personal data stored on its servers. Numerous colleges, universities, foundations, and other non-profits across the U.K., U.S. and Canada were affected.
Blackbaud's handling of the attack has raised some questions. Blackbaud has confirmed in a statement on its website that it paid the cyber-criminals' ransom demand in return for confirmation that the stolen data had been destroyed. Paying ransom demands is not unlawful, but it goes against the official advice issued by many law enforcement agencies, including the FBI. In addition, Blackbaud has faced criticism for taking many weeks to inform its customers of the breach.
Much of the affected data was of a nature that would not trigger notice requirements in the United States, because the elements that constitute sensitive data in the U.S. (such as usernames, passwords and social security numbers) were encrypted. However, there are a handful of states (notably Washington and North Dakota) that have notification statutes requiring notice to affected individuals if other kinds of information are accessed, such as names together with dates of birth, as was the case for many of Blackbaud's customers.
The bigger issue, however, is for those U.S.-based entities that actively target individuals in the European Union. For example, many colleges and universities in the United States actively recruit prospective students or donors in the European Union. These types of recruitment activities are likely to bring them in scope of the EU's General Data Protection Regulation (GDPR).
The GDPR is a far-reaching piece of European legislation which applies to organizations outside the EU and includes draconian financial sanctions for non-compliance. Moreover, the standard for notification to individuals and data protection authorities in the EU is much lower than in most U.S. states. The GDPR requires that data breaches are reported to European data protection supervisory authorities unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. This requires the affected institution to perform a thorough, documented risk assessment in each case.
Larger institutions may have already analyzed the need to comply with the GDPR and will therefore be aware that, if they are in scope of the GDPR, they may be required to report the breach both to the individuals concerned and to the relevant data protection supervisory authority in the EU. However, many smaller institutions may not have performed that analysis. This situation may find them needing to report the breach, but in doing so perhaps also alerting the data protection authorities to the fact that they may be subject to GDPR and may not be compliant in other ways. For instance, the GDPR requires specific contractual terms (including terms relating to the handling of data breaches) to be in place between customers and vendors where vendors process personal data on behalf of the customer.
The attack on Blackbaud is a major data breach. It may serve as a catalyst for U.S. non-profits to take a longer look at the GDPR and analyze their own need to comply.
Affected organizations both in and outside the EU should be working to determine what data has been compromised and whether they need to notify the local supervisory authority. The breach should also prompt all organizations to review any vendor contracts where personal data is involved, with a particular focus on ensuring that (a) the responsibility for data breach falls on the vendor and (b) strict notification timescales are imposed on the vendor (with the aim of preventing the lengthy delay in informing customers that has occurred in the Blackbaud case). Organizations that are subject to GDPR should also ensure that they implement GDPR-compliant vendor contracts.