On March 9, software company Blackbaud agreed to pay $3 million to the SEC as a result of alleged misleading disclosures arising out of a 2020 data breach that involved customer bank account information and Social Security numbers. This order underscores again the importance of effective internal communication between data security and privacy personnel and senior management responsible for a company’s public disclosures. In March 2022, the SEC proposed comprehensive rule changes to standardize and enhance disclosures relating to cybersecurity risk management (see our prior alert). As these proposals are expected to take effect soon, companies should continue to ensure that their disclosure policies and procedures meet regulatory guidelines.

Background

On May 14, 2020, Blackbaud, a company that provides data management software to nonprofit organizations, detected that it had suffered a data breach that resulted in the unauthorized access of over 13,000 customers’ information. At that time, company personnel were unaware whether bank account information or Social Security numbers had been accessed.

Approximately two months later, on July 16, 2020, Blackbaud notified customers individually and also via its website, stating that no bank account information or Social Security numbers were accessed. However, Blackbaud personnel learned soon afterward that bank account information and Social Security numbers had, in fact, been accessed in an unencrypted form. Although certain Blackbaud technology and customer relations personnel knew the scope of the breach, they did not communicate the full nature of the breach to senior management. Nor did Blackbaud have procedures in place to ensure that this information was conveyed to senior management or to those responsible for making public disclosures.

On Aug. 4, 2020, Blackbaud filed a Form 10-Q that did not disclose the unauthorized access of bank account information and Social Security numbers. The SEC described that filing as follows:

“[Blackbaud] misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical … . This [10-Q] statement omitted the material fact that a number of customers had unencrypted bank account and [S]ocial [S]ecurity numbers exfiltrated, in contrast to the company’s unequivocal, and ultimately erroneous[,] claims in the July 16, 2020 website post and customer notices.”

Blackbaud eventually disclosed on Sept. 29, 2020, that the data breach had resulted in the access of customer bank account information and Social Security numbers.

Consent Order

In its order, the SEC found that Blackbaud had violated, among other provisions, the non-scienter anti-fraud sections of the Securities Act as well as SEC rules governing disclosure controls and procedures. Specifically, Blackbaud consented to findings that it violated Sections 17(a)(2) and (3) of the Securities Act, as well as Section 13(a) of the Exchange Act and Rule 13a-13 thereunder. Further, the SEC found that Blackbaud violated Exchange Act Rules 12b-20 and 13a-15(a). As a result, the SEC ordered Blackbaud to pay a $3 million civil penalty. It also ordered Blackbaud to cease and desist from committing or causing any future violations of those sections and rules.[1]

Conclusion

The order against Blackbaud highlights an issuer’s responsibility to make timely disclosures relating to cybersecurity incidents. As David Hirsch, chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, stated, “[p]ublic companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.” Further, the process of making disclosures should include effective channels of communication between those involved in the quotidian management of electronic networks and data security and those involved in making public disclosures. The SEC’s focus on cybersecurity enforcement and disclosure controls relating to cybersecurity incidents is reflected in the fact that the fine against Blackbaud exceeds fines the SEC has levied in the past for similar violations.


[1] Sections 17(a)(2) and (3) of the Securities Act prohibit any person, in the offer or sale of securities, from directly or indirectly obtaining money or property by means of any untrue statement of a material fact or any omission to state a material fact necessary in order to make the statements made, in light of the circumstances under which they were made, not misleading, or from engaging in any transaction, practice, or course of business which operates or would operate as a fraud or deceit upon the purchaser. Section 13(a) of the Exchange Act and Rule 13a-13 require issuers of a security registered pursuant to Section 12 of the Exchange Act to file with the Commission quarterly reports in conformity with the Commission’s rules and regulations. Rule 12b-20 under the Exchange Act requires, among other things, that issuers include in quarterly reports filed with the Commission any material information necessary to make the required statements in the filing not misleading. Exchange Act Rule 13a-15(a) requires issuers to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms.