Date: 2023-10-07

Arizona is set to receive $1.8 million in a multistate settlement with software company Blackbaud in a suit accusing it of deficient data security practices and of falling short in response to a ransomware incident in 2020 that exposed millions of Americans' personal information.

The payout is part of a $49.5 million settlement between the Charleston, South Carolina-based Blackbaud and 50 attorneys general, Arizona Attorney General Kris Mayes' office announced Friday. "In today’s digital world, companies must stringently safeguard data to ensure consumer privacy," Mayes said in a statement. "Bad actors will stop at nothing to exploit vulnerabilities, and it is incumbent upon companies like Blackbaud to be proactive, transparent, and accountable in their cybersecurity measures."

The settlement also calls for Blackbaud to overhaul its data security and data breach notification practices, according to the Attorney General's Office.

"The significant settlement we’ve reached not only holds Blackbaud accountable for past deficiencies but also ensures that consumers are better protected moving forward," Mayes' statement said.

According to Mayes' office, Blackbaud stood accused by the AG of four infractions:

Violating state consumer protection laws.

Violating data breach notification laws.

Violating privacy laws by failing to implement reasonable data security.

Violating privacy laws by failing to remediate known security gaps allowing unauthorized individuals to access the company’s network.

Blackbaud, according to the AG's office, has agreed to stronger data security and breach notification practices:

Prohibit misrepresentations on the processing, storing and safeguarding of personal information.

Prohibit misrepresentations on the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse.

Prohibit misrepresentation on breach notification requirements under state laws and federal privacy laws.

Implement and maintain plans to prepare for and more appropriately respond to future security incidents and breaches.

Provide appropriate assistance to customers.

Support customers’ compliance with applicable notification requirements in the event of a breach.

Report security incidents to the CEO and the company's board.

Enhance employee training and appropriate resources and support for cybersecurity.

Safeguard and control personal information by requiring total database encryption and dark web monitoring.

Require specific security measures on network traffic controls, protections against vulnerabilities, intrusion detection, firewalls, access controls, logging and monitoring and the testing of hacking vulnerabilities.

Have the company's compliance assessed for seven years by a third party.

The investigation into Blackbaud was led by Indiana and Vermont, according to Mayes' office. Arizona, along with Alabama, Florida, Illinois and New York, assisted with the investigation, according to the AG's office. Another 42 states and the District of Columbia were also part of the investigation, the office noted. The only state that appears not to have participated in the investigation is California.

"Your organization’s data security is mission-critical, and we take our commitment to protecting it extremely seriously," reads a statement on Blackbaud's website.

This article originally appeared on Arizona Republic: Software company settles for $1.8M with Arizona in data security case