Multistate coalition, including New York, wins $49.5M settlement over data breach
New York was part of a multistate coalition that won a $49.5 million settlement from a donor management company that exposed donor information for thousands of nonprofit organizations around the nation and New York, including many on Long Island, in a data breach in 2020, New York Attorney General Letitia James announced Thursday.
Of the $49.5 million settlement with the cloud company Blackbaud, New York is to receive $2.9 million, which is to go into the state general fund, a spokesperson for James said. The "multistate coalition" involved the attorneys general of New York and all the other states and the District of Columbia.
James said in the statement that the company's data breach "impacted thousands of nonprofit institutions, including charities, colleges and universities and health care organizations in New York and across the country." She said the company provides donor management software and, in 2020, "experienced a data breach that exposed the personal information of its customers and millions of their donors and constituents."
The multistate investigation found that before the breach Blackbaud didn’t implement reasonable data security measures and fix known security gaps, and that after the breach, the company didn’t provide its customers with timely, complete, or accurate information about what happened, as required by law, James’ office said.
Among more than a thousand New York institutions on the list of organizations affected by the breach provided by James, were Long Island colleges, such as Hofstra University, SUNY Old Westbury and Nassau Community College, and a local hospital, J.T. Mather Hospital in Port Jefferson, among many others.
Terry Coniglio, vice president of marketing and communications at Hofstra, said that in 2020 the university was using Blackbaud "in a testing capacity. No personally identifiable information was released and it was only testing five names," which she said weren't real people.
The other colleges and the hospital did not immediately respond
Under the terms of the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices, James said. For example, the company must implement and maintain "incident and data breach response plans to prepare for and more appropriately respond to future security incidents and breaches."
Blackbaud must also update its "breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers' compliance with applicable notification requirements in the event of a breach."
In a statement on Blackbaud's website, Mike Gianoni, president and CEO, said: “Cyber-attacks are always evolving, so we are continually strengthening our cybersecurity and compliance programs to ensure our resilience in an ever-changing threat landscape. We are pleased to fully resolve this matter.”
Sarra Sounds Off, Ep. 15: LI's top basketball players On the latest episode of "Sarra Sounds Off," Newsday's Gregg Sarra and Matt Lindsay take a look top boys and girls basketball players on Long Island.
Sarra Sounds Off, Ep. 15: LI's top basketball players On the latest episode of "Sarra Sounds Off," Newsday's Gregg Sarra and Matt Lindsay take a look top boys and girls basketball players on Long Island.
