Blackbaud Inc., a South Carolina-based public company that provides donor data management software to non-profit organizations, has agreed to pay a $3 million civil penalty to settle charges over misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers. The SEC announced the settlement on March 9, 2023.
On July 16, 2020, Blackbaud announced that the ransomware attacker did not access donor bank account information or Social Security numbers. However, within days, the company’s technology and customer relations personnel learned that the attacker had accessed and exfiltrated this sensitive information. Unfortunately, these employees did not communicate this information to the senior management responsible for public disclosure, because the company had failed to maintain disclosure controls and procedures. As a result, in August 2020, the company filed a quarterly report with the SEC that omitted material information about the scope of the attack and misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical.
The SEC’s order finds that Blackbaud violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-13, and 13a-15(a) thereunder. Blackbaud agreed to cease and desist from committing violations of these provisions and pay a $3 million civil penalty without admitting or denying the SEC’s findings.