Blackbaud, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 10076-10079 [2024-02970]

Federal Register / Vol. 89, No. 30 / Tuesday, February 13, 2024 / Notices
[Pages 10076-10079]
[FR Doc No: 2024-02970]

FEDERAL TRADE COMMISSION

[File No. 202 3181]


Blackbaud, Inc.; Analysis of Proposed Consent Order To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement; request for comment.

SUMMARY: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.

DATES: Comments must be received on or before March 14, 2024.

ADDRESSES: Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write ``Blackbaud, Inc.; File No. 202 3181'' on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, please mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Drop H-144 (Annex D), Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Cathlin Tully (202-326-3644), Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of 30 days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained at https://www.ftc.gov/news-events/commission-actions.
    You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before March 14, 2024. Write ``Blackbaud, Inc.; File No. 202 3181,'' on your comment. Your comment--including your name and your state--will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.
    Because of heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website. If you prefer to file your comment on paper, write ``Blackbaud, Inc.; File No. 202 3181'' on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Drop H-144 (Annex D), Washington, DC 20580.
    Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any ``trade secret or any commercial or financial information which . . . is privileged or confidential''--as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)--including competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled ``Confidential,'' and must comply with FTC Rule § 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule § 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https://www.regulations.gov website--as legally required by FTC Rule § 4.9(b)--we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule § 4.9(c), and the General Counsel grants that request.
    Visit the FTC website at https://www.ftc.gov to read this document and the news release describing the proposed settlement. The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments it receives on or before March 14, 2024. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (the ``Commission'') has accepted, subject to final approval, an agreement containing a consent order from Blackbaud, Inc. (``Respondent'' or ``Blackbaud''). The proposed consent order (``Proposed Order'') has been placed on the public record for 30 days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After 30 days, the Commission will again review the agreement, along with any comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the Proposed Order.
    Blackbaud is a publicly traded South Carolina corporation that provides a variety of data services and financial, fundraising, and administrative software solutions to over 45,000 companies, nonprofits, foundations, educational institutions, healthcare organizations, and individual customers throughout the U.S. and abroad. Blackbaud maintains the personal information of millions of U.S. consumers that have donor, student, patient, and other relationships with Blackbaud's customers.
    According to the FTC's Complaint, despite representing that it would protect consumers' data from unauthorized access through a variety of safeguards, from February through May 2020, Blackbaud's networks suffered a data breach from an attacker that exfiltrated data from thousands of Blackbaud customers. This data comprised millions of consumers' personal information, including, in some cases, sensitive information such as Social Security numbers and financial information. Adding to the scope and severity of the breach was Blackbaud's indefinite retention of customer backup files, which impacted additional current, prospective, and former customers, whose consumer data would not otherwise have been impacted by the data breach. And when Blackbaud informed customers of the breach in July 2020, its initial breach notification statement inaccurately stated that the hacker had not stolen sensitive consumer data. Blackbaud did not correct this information until October 2020, despite knowing it was inaccurate only a couple of weeks after the initial breach notification.
    The Commission's proposed five-count complaint alleges that Respondent violated section 5(a) of the FTC Act by (1) failing to employ reasonable information security practices to protect consumers' personal information; (2) failing to implement and enforce reasonable data retention practices; (3) failing to accurately communicate about the breach in its initial breach notification; (4) misrepresenting that it used appropriate safeguards to protect consumers' personal information; and (5) misrepresenting the scope of the breach by stating that consumers' personal information had not been impacted by the breach in its initial notification.
    With respect to the first count, the proposed complaint alleges that Respondent:
    • failed to implement appropriate password controls, which resulted in employees often using default, weak or identical passwords;
    • failed to apply adequate multifactor authentication for both employees and customers to protect sensitive consumer information;
    • failed to prevent data theft by (1) monitoring for unauthorized attempts to transfer or exfiltrate consumers' personal information from its networks; (2) continuously logging and monitoring its systems and assets to identify data security events; and (3) performing regular assessments as to the effectiveness of protection measures;
    • failed to implement and enforce appropriate data retention schedules and deletion practices for the vast amounts of consumers' personal information stored on its network;
    • failed to patch outdated software and systems in a timely manner;
    • failed to test, audit, assess or review its products' or applications' security features; and conduct regular risk assessments, vulnerability scans, and penetration testing of its networks and databases;
    • failed to implement appropriate firewall controls; and
    • failed to implement appropriate network segmentation to prevent attackers from moving freely across its networks and databases.
    The proposed complaint alleges that Respondent could have addressed each of these failures by implementing readily available and relatively low-cost security measures.
    With respect to the second count, the proposed complaint alleges that Respondent failed to implement and enforce reasonable data retention practices for sensitive consumer data maintained by its customers on its network.
    With respect to the third count, the proposed complaint alleges that Respondent failed to accurately communicate the scope and severity of the breach in its initial notification to consumers.
    The proposed complaint alleges that, with respect to counts one, two, and three, Respondent's failures caused, or are likely to cause, substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. Such practices constitute unfair acts or practices under section 5 of the FTC Act.
    With respect to the fourth count, the proposed complaint alleges that, at various times, Respondent claimed that it used appropriate safeguards to protect consumers' personal information. The proposed complaint alleges that, in reality, and as noted above, Respondent failed to implement reasonable measures to protect consumers' personal information. Such representations were deceptive under section 5 of the FTC Act.
    With respect to the fifth count, the proposed complaint alleges that, in its initial breach notification, Respondent claimed that consumers' personal information had not been subject to the breach. The proposed complaint alleges that, in reality, and as noted above, consumers' personal information had been exfiltrated by the attacker in the breach. Such representations were, therefore, deceptive under section 5 of the FTC Act.

Summary of the Proposed Order With Respondent

    The Proposed Order contains injunctive relief designed to prevent Respondent from engaging in the same or similar acts or practices in the future.
    Part I prohibits Respondent from misrepresenting the extent (1) to which it maintains, uses, deletes or discloses consumers' personal information; (2) to which it protects the privacy, security, availability, confidentiality, or integrity of consumers' personal information; or (3) of any future data security incident or unauthorized disclosure of consumers' personal information.
    Part II requires Respondent to delete or destroy customer backup files containing consumers' personal information that are not being retained to provide its products or services and to refrain from maintaining consumers' personal information that is not necessary for the purposes for which it is maintained by Respondent.
    Part III requires that Respondent document and adhere to a retention schedule for its customer backup files containing consumers' personal information, including the purposes for which it maintains such information, the business needs for its retention, and the timeframe for its deletion.
    Part IV requires that Respondent establish and implement, and thereafter maintain, a comprehensive information security program that protects the security, availability, confidentiality, and integrity of consumers' personal information.
    Part V requires Respondent to obtain initial and biennial information security assessments by an independent, third-party professional for 20 years.
    Part VI requires Respondent to disclose all material facts to the assessor required by Part V and prohibits Respondent from misrepresenting any fact material to the assessments required by Part V.
    Part VII requires Respondent to submit an annual certification from its Chief Information Security Officer that the company has implemented the requirements of the Order and is not aware of any material noncompliance that has not been corrected or disclosed to the Commission.
    Part VIII requires Respondent to notify the Commission any time it notifies a federal, state, or local government that consumer personal information was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization.
    Parts IX-XII are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring Respondent to provide information or documents necessary for the Commission to monitor compliance.
    Part XIII states that the Proposed Order will remain in effect for 20 years, with certain exceptions.
    The purpose of this analysis is to facilitate public comment on the Proposed Order, and it is not intended to constitute an official interpretation of the complaint or Proposed Order, or to modify the Proposed Order's terms in any way.

    By direction of the Commission.
April J. Tabor,
Secretary.

Joint Statement of Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya

    Today the FTC brings an enforcement action against Blackbaud for a series of unfair and deceptive data security practices. Blackbaud provides backend services for a variety of entities, ranging from businesses and nonprofits to schools and healthcare organizations. As noted in the FTC's complaint, Blackbaud in 2020 was struck by a data breach that exposed the personal data of millions of Americans. The FTC charges that Blackbaud's reckless data retention practices rendered its security failures much more costly: by hoarding reams of data that it did not reasonably need, Blackbaud's breach exposed far more data. Moreover, Blackbaud's notification alerting victims of the breach included false statements, which Blackbaud did not correct until months later--and months after it knew the statements were false.
    The FTC's complaint alleges that Blackbaud's practices violated Section 5's prohibition on unfair or deceptive practices. The complaint marks a new step forward by alleging standalone unfairness counts for (a) failure to implement and enforce reasonable data retention practices (Count II) and (b) failure to accurately communicate the scope and severity of the breach in its notification to consumers (Count III).\1\ Blackbaud's data retention failures exacerbated the harms of its data security failures because Blackbaud had failed to delete data it no longer needed. This action illustrates how indefinite retention of consumer data, which can lure hackers and magnify the harms stemming from a breach, is independently a prohibited unfair practice under the FTC Act. Similarly, Blackbaud's failure to accurately convey the scope and severity of the breach kept victims in the dark and delayed them from taking protective actions, making a bad situation even worse.
    Today's action builds on a series of cases that have made clear that maintaining a data retention and deletion schedule is a critical part of protecting consumers' data security.\2\ The Commission has also made clear that efforts to downplay the extent or severity of a data breach run afoul of the law.\3\ We are grateful to the Division of Privacy and Identity Protection for their excellent work, which enables us to continue making key strides in protecting people's data. As businesses face fresh incentives to hoard data to train AI models,\4\ protecting Americans from unlawful data practices will be especially critical.

    \1\ Complaint, In re Blackbaud, Inc., Docket No. C-4804 (Jan. 30, 2024) ¶¶ 29-34, https://www.ftc.gov/system/files/ftc_gov/pdf/Blackbaud-Complaint.pdf.
    \2\ See, e.g., Press Release, Fed. Trade Comm'n, Rite Aid Banned from Using AI Facial Recognition After FTC Says Retailer Deployed Technology Without Reasonable Safeguards (Dec. 19, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/rite-aid-banned-using-ai-facial-recognition-after-ftc-says-retailer-deployed-technology-without; Press Release, Fed. Trade Comm'n, FTC Finalizes Order With Online Alcohol Marketplace For Security Failures That Exposed Personal Data of 2.5 Million People (Jan. 10, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/01/ftc-finalizes-order-online-alcohol-marketplace-security-failures-exposed-personal-data-25-million; Press Release, Fed. Trade Comm'n, FTC Brings Action Against Ed Tech Provider Chegg for Careless Security that Exposed Personal Data of Millions of Customers (Oct. 31, 2022); Press Release, Fed. Trade Comm'n, FTC Takes Action Against Global Tel*Link Corp. for Failing to Adequately Secure Data, Notify Consumers After Their Personal Data Was Breached (Nov. 16, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/11/ftc-takes-action-against-global-tellink-corp-failing-adequately-secure-data-notify-consumers-after. See also FTC Technology Blog, Security Principles: Addressing Underlying Causes of Risk in Complex Systems (Feb. 1, 2023), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems.
    \3\ See, e.g., Press Release, Fed. Trade Comm'n, FTC Takes Action Against CafePress for Data Breach Cover Up (Mar. 15, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover. See also FTC Technology Blog, Security Beyond Prevention: The Importance of Effective Breach Disclosures (May 20, 2022), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/05/security-beyond-prevention-importance-effective-breach-disclosures.
    \4\ Press Release, Fed. Trade Comm'n, FTC and DOJ Charge Amazon with Violating Children's Privacy Law by Keeping Kids' Alexa Voice Recordings Forever and Undermining Parents' Deletion Request (May 31, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-doj-charge-amazon-violating-childrens-privacy-law-keeping-kids-alexa-voice-recordings-forever.

[FR Doc. 2024-02970 Filed 2-12-24; 8:45 am]
BILLING CODE 6750-01-P

manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule § 4.9(c). In 
particular, the written request for confidential treatment that 
accompanies the comment must include the factual and legal basis for 
the request and must identify the specific portions of the comment to 
be withheld from the public record. See FTC Rule § 4.9(c). Your 
comment will be kept confidential only if the General Counsel grants 
your request in accordance with the law and the public interest. Once 
your comment has been posted on the https://www.regulations.gov 
website--as legally required by FTC Rule § 4.9(b)--we cannot redact 
or remove your comment from that website, unless you submit a 
confidentiality request that meets the requirements for such treatment 
under FTC Rule § 4.9(c), and the General Counsel grants that 
request.
    Visit the FTC website at https://www.ftc.gov to read this document 
and the news release describing the proposed settlement. The FTC Act 
and other laws the Commission administers permit the collection of 
public comments to consider and use in this proceeding, as appropriate. 
The Commission will consider all timely and responsive public comments 
it receives on or before March 14, 2024. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (the ``Commission'') has accepted, 
subject to final approval, an agreement containing a consent order from 
Blackbaud, Inc. (``Respondent'' or ``Blackbaud''). The proposed consent 
order (``Proposed Order'') has been placed on the public record for 30 
days for receipt of comments by interested persons. Comments received 
during this period will become part of the public record. After 30 
days, the Commission will again review the agreement, along with any 
comments received, and will decide whether it should withdraw from the 
agreement and take appropriate action or make final the Proposed Order.
    Blackbaud is a publicly traded South Carolina corporation that 
provides a variety of data services and financial, fundraising, and 
administrative software solutions to over 45,000 companies, nonprofits, 
foundations, educational institutions, healthcare organizations, and 
individual customers throughout the U.S. and abroad. Blackbaud 
maintains the personal information of millions of U.S. consumers that 
have donor, student, patient, and other relationships with Blackbaud's 
customers.
    According to the FTC's Complaint, despite representing that it 
would protect consumers' data from unauthorized access through a 
variety of safeguards, from February through May 2020, Blackbaud's 
networks suffered a data breach from an attacker that exfiltrated data 
from thousands of Blackbaud customers. This data comprised millions of 
consumers' personal information, including, in some cases, sensitive 
information including Social Security numbers and financial 
information. Adding to the scope and severity of the breach was 
Blackbaud's indefinite retention of customer backup files, which 
impacted additional current, prospective, and former customers, whose 
consumer data would not have otherwise been impacted by the data 
breach. And when Blackbaud informed customers of the breach in July 
2020, its initial breach notification statement inaccurately stated 
that the hacker had not stolen sensitive consumer data. Blackbaud did 
not correct this information until October 2020, despite knowing it was 
inaccurate only a couple of weeks after the initial breach 
notification.
    The Commission's proposed five-count complaint alleges that 
Respondent violated section 5(a) of the FTC Act by (1) failing to 
employ reasonable information security practices to protect consumers' 
personal information; (2) failing to implement and enforce reasonable 
data retention practices; (3) failing to accurately communicate about 
the breach in its initial breach notification; (4) misrepresenting that 
it used appropriate safeguards to protect consumers' personal 
information; and (5) misrepresenting the scope of the breach by stating 
that consumers' personal information had not been impacted by the 
breach in its initial notification. With respect to the first count, 
the proposed complaint alleges that Respondent:
    • failed to implement appropriate password controls, which 
resulted in employees often using default, weak or identical passwords;
    • failed to apply adequate multifactor authentication for 
both employees and customers to protect sensitive consumer information;
    • failed to prevent data theft by (1) monitoring for 
unauthorized attempts to transfer or exfiltrate consumers' personal 
information from its networks; (2) continuously logging and monitoring 
its systems and assets to identify data security events; and (3) 
performing regular assessments as to the effectiveness of protection 
measures;
    • failed to implement and enforce appropriate data retention 
schedules and deletion practices for the vast amounts of consumers' 
personal information stored on its network;
    • failed to patch outdated software and systems in a timely 
manner;
    • failed to test, audit, assess or review its products' or 
applications' security features; and conduct regular risk assessments, 
vulnerability scans, and penetration testing of its networks and 
databases;
    • failed to implement appropriate firewall controls; and
    • failed to implement appropriate network segmentation to 
prevent attackers from moving freely across its networks and databases.
    The proposed complaint alleges that Respondent could have addressed 
each of these failures by implementing readily available and relatively 
low-cost security measures. With respect to the second count, the 
proposed complaint alleges that Respondent failed to implement and 
enforce reasonable data retention practices for sensitive consumer data 
maintained by its customers on its network. With respect to the third 
count, the proposed complaint alleges that Respondent failed to 
accurately communicate the scope and severity of the breach in its 
initial notification to consumers.
    The proposed complaint alleges that, with respect to counts one, 
two, and three, Respondent's failures caused, or are likely to cause, 
substantial injury to consumers that is not outweighed by 
countervailing benefits to consumers or competition and is not 
reasonably avoidable by consumers themselves. Such practices constitute 
unfair acts or practices under section 5 of the FTC Act.
    With respect to the fourth count, the proposed complaint alleges 
that, at various times, Respondent claimed that it used appropriate 
safeguards to protect consumers' personal information. The proposed 
complaint alleges that, in reality, and as noted above, Respondent 
failed to implement reasonable measures to protect consumers' personal 
information. Such representations were deceptive under section 5 of the 
FTC Act.
    With respect to the fifth count, the proposed complaint alleges 
that, in its initial breach notification, Respondent claimed that 
consumers' personal information had not been subject to the breach. The 
proposed complaint alleges that, in reality, and as noted above, 
consumers' personal information had been exfiltrated by the attacker in 
the breach. Such representations were, therefore, deceptive under 
section 5 of the FTC Act.

Summary of the Proposed Order With Respondent

    The Proposed Order contains injunctive relief designed to prevent 
Respondent from engaging in the same or similar acts or practices in 
the future. Part I prohibits Respondent from misrepresenting the extent 
(1) to which it maintains, uses, deletes or discloses consumers' 
personal information; (2) to which it protects the privacy, security, 
availability, confidentiality, or integrity of consumers' personal 
information; or (3) of any future data security incident or 
unauthorized disclosure of consumers' personal information.
    Part II requires Respondent to delete or destroy customer backup 
files containing consumers' personal information that are not being 
retained to provide its products or services and to refrain from 
maintaining consumers' personal information that is not necessary for 
the purposes for which it is maintained by Respondent. Part III 
requires that Respondent document and adhere to a retention schedule 
for its customer backup files containing consumers' personal 
information, including the purposes for which it maintains such 
information, the business needs for its retention, and the timeframe 
for its deletion.
    Part IV requires that Respondent establish and implement, and 
thereafter maintain, a comprehensive information security program that 
protects the security, availability, confidentiality, and integrity of 
consumers' personal information. Part V requires Respondent to obtain 
initial and biennial information security assessments by an 
independent, third-party professional for 20 years. Part VI requires 
Respondent to disclose all material facts to the assessor required by 
Part V and prohibits Respondent from misrepresenting any fact material 
to the assessments required by Part IV.
    Part VII requires Respondent to submit an annual certification from 
its Chief Information Security Officer that the company has implemented 
the requirements of the Order and is not aware of any material 
noncompliance that has not been corrected or disclosed to the 
Commission. Part VIII requires Respondent to notify the Commission any 
time it notifies a federal, state, or local government that consumer 
personal information was, or is reasonably believed to have been, 
accessed, acquired, or publicly exposed without authorization.
    Parts IX-XII are reporting and compliance provisions, which include 
recordkeeping requirements and provisions requiring Respondent to 
provide information or documents necessary for the Commission to 
monitor compliance. Part XIII states that the Proposed Order will 
remain in effect for 20 years, with certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
Proposed Order, and it is not intended to constitute an official 
interpretation of the complaint or Proposed Order, or to modify the 
Proposed Order's terms in any way.

    By direction of the Commission.
April J. Tabor,
Secretary.

Joint Statement of Chair Lina M. Khan, Commissioner Rebecca Kelly 
Slaughter, and Commissioner Alvaro M. Bedoya

    Today the FTC brings an enforcement action against Blackbaud for a 
series of unfair and deceptive data security practices. Blackbaud 
provides backend services for a variety of entities, ranging from 
businesses and nonprofits to schools and healthcare organizations. As 
noted in the FTC's complaint, Blackbaud in 2020 was struck by a data 
breach that exposed the personal data of millions of Americans. The FTC 
charges that Blackbaud's reckless data retention practices rendered its 
security failures much more costly: by hoarding reams of data that it 
did not reasonably need, Blackbaud's breach exposed far more data. 
Moreover, Blackbaud's notification alerting victims of the breach 
included false statements, which Blackbaud did not correct until months 
later--and months after it knew the statements were false.
    The FTC's complaint alleges that Blackbaud's practices violated 
Section 5's prohibition on unfair or deceptive practices. The complaint 
marks a new step forward by alleging standalone unfairness counts for 
(a) failure to implement and enforce reasonable data retention 
practices (Count II) and (b) failure to accurately communicate the 
scope and severity of the breach in its notification to consumers 
(Count III).\1\ Blackbaud's data retention failures exacerbated the 
harms of its data security failures because Blackbaud had failed to 
delete data it no longer needed. This action illustrates how indefinite 
retention of consumer data, which can lure hackers and magnify the 
harms stemming from a breach, is independently a prohibited unfair 
practice under the FTC Act. Similarly, Blackbaud's failure to 
accurately convey
the scope and severity of the breach kept victims in the dark and 
delayed them from taking protective actions, making a bad situation 
even worse.
---------------------------------------------------------------------------

    \1\ Complaint, In re Blackbaud, Inc., Docket No. C-4804 (Jan. 
30, 2024) ¶¶ 29-34, https://www.ftc.gov/system/files/ftc_gov/pdf/Blackbaud-Complaint.pdf.
---------------------------------------------------------------------------

    Today's action builds on a series of cases that have made clear 
that maintaining a data retention and deletion schedule is a critical 
part of protecting consumers' data security.\2\ The Commission has also 
made clear that efforts to downplay the extent or severity of a data 
breach run afoul of the law.\3\
---------------------------------------------------------------------------

    \2\ See, e.g., Press Release, Fed. Trade Comm'n, Rite Aid Banned 
from Using AI Facial Recognition After FTC Says Retailer Deployed 
Technology Without Reasonable Safeguards (Dec. 19, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/rite-aid-banned-using-ai-facial-recognition-after-ftc-says-retailer-deployed-technology-without; Press Release, Fed. Trade Comm'n, FTC Finalizes 
Order With Online Alcohol Marketplace For Security Failures That 
Exposed Personal Data of 2.5 Million People (Jan. 10, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/01/ftc-finalizes-order-online-alcohol-marketplace-security-failures-exposed-personal-data-25-million; Press Release, Fed. Trade Comm'n, FTC Brings Action 
Against Ed Tech Provider Chegg for Careless Security that Exposed 
Personal Data of Millions of Customers (Oct. 31, 2022); Press 
Release, Fed. Trade Comm'n, FTC Takes Action Against Global Tel*Link 
Corp. for Failing to Adequately Secure Data, Notify Consumers After 
Their Personal Data Was Breached (Nov. 16, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/11/ftc-takes-action-against-global-tellink-corp-failing-adequately-secure-data-notify-consumers-after. See also FTC Technology Blog, Security 
Principles: Addressing Underlying Causes of Risk in Complex Systems 
(Feb. 1, 2023), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems.
    \3\ See, e.g., Press Release, Fed. Trade Comm'n, FTC Takes 
Action Against CafePress for Data Breach Cover Up (Mar. 15, 2022), 
https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover. See also FTC 
Technology Blog, Security Beyond Prevention: The Importance of 
Effective Breach Disclosures (May 20, 2022), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/05/security-beyond-prevention-importance-effective-breach-disclosures.
---------------------------------------------------------------------------

    We are grateful to the Division of Privacy and Identity Protection 
for their excellent work, which enables us to continue making key 
strides in protecting people's data. As businesses face fresh 
incentives to hoard data to train AI models,\4\ protecting Americans 
from unlawful data practices will be especially critical.
---------------------------------------------------------------------------

    \4\ Press Release, Fed. Trade Comm'n, FTC and DOJ Charge Amazon 
with Violating Children's Privacy Law by Keeping Kids' Alexa Voice 
Recordings Forever and Undermining Parents' Deletion Request (May 
31, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-doj-charge-amazon-violating-childrens-privacy-law-keeping-kids-alexa-voice-recordings-forever.

[FR Doc. 2024-02970 Filed 2-12-24; 8:45 am]
BILLING CODE 6750-01-P