Blackbaud Data Breach: Do You Need to Notify Affected Individuals or EU Data Protection Authorities? – Lexology
On July 16, 2020, Blackbaud, a U.S. based cloud computing provider and one of the worlds largest providers of education administration, fundraising, and financial management software, notified users of its services that it had suffered a ransomware attack in May 2020 in relation to personal data stored on their servers. Numerous colleges, universities, foundations, and other non-profits across the U.K., U.S. and Canada were affected.
Blackbauds handling of the attack has raised some questions. Blackbaud has confirmed in a statement on its website that they paid the cyber-criminals ransom demand in return for confirmation that the stolen data had been destroyed. Paying ransom demands is not unlawful, but it goes against the official advice issued by many law enforcement agencies, including the FBI. In addition, Blackbaud has faced criticism for taking many weeks to inform its customers of the breach.
Much of the affected data was of a nature that would not trigger notice requirements in the United States, because the elements that constitute sensitive data in the U.S. (such as usernames, passwords and social security numbers) were encrypted. However, there are a handful of states (notably Washington and North Dakota) that have notification statutes requiring notice to affected individuals if other kinds of information is accessed, such as names together with dates of birth, and was the case for many of Blackbauds customers.
The bigger issue, however, is for those U.S.-based entities who actively target individuals in the European Union. For example, many colleges and universities in the United States actively recruit prospective students or donors in the European Union. These types of recruitment activities are likely to bring them in scope of the EUs General Data Protection Regulation (GDPR).
The GDPR is a far-reaching piece of European legislation which applies to organizations outside the EU and includes draconian financial sanctions for non-compliance. Moreover, the standard for notification to individuals and data protection authorities in the EU is much lower than in most U.S. states. The GDPR requires that data breaches are reported to European data protection supervisory authorities unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. This requires the affected institution to perform a thorough, documented risk assessment in each case.
Larger institutions may have already analyzed the need to comply with the GDPR and will therefore be aware that, if they are in scope of the GDPR, they may be required to report the breach both to the individuals concerned and to the relevant data protection supervisory authority in the EU. However, many smaller institutions may not have performed that analysis. This situation may find them needing to report the breach, but in doing so perhaps also alerting the data protection authorities to the fact that they may be subject to GDPR and may not be compliant in other ways. For instance, the GDPR requires specific contractual terms (including terms relating to the handling of data breaches) to be in place between customers and vendors where vendors process personal data on behalf of the customer.
The attack on Blackbaud is a major data breach. It may serve as a catalyst for U.S. non-profits to take a longer look at the GDPR and analyze their own need to comply.
Affected organizations both in and outside the EU should be working to determine what data has been compromised and whether they need to notify the local supervisory authority. The breach should also prompt all organizations to review any vendor contracts where personal data is involved, with a particular focus on ensuring that (a) the responsibility for data breach falls on the vendor and (b) strict notification timescales are imposed on the vendor (with the aim of preventing the lengthy delay in informing customers that has occurred in the Blackbaud case). Organizations that are subject to GDPR should also ensure that they implement GDPR-compliant vendor contracts.
See more here:
Blackbaud Data Breach: Do You Need to Notify Affected Individuals or EU Data Protection Authorities? - Lexology
- Georgia suspends talks on joining the European Union and accuses the bloc of blackmail - The Associated Press - November 30th, 2024 [November 30th, 2024]
- An update on political advertising in the European Union - The Keyword - November 30th, 2024 [November 30th, 2024]
- Protesters met with force in Georgia following suspension of talks on European Union accession - Civil Rights Defenders - November 30th, 2024 [November 30th, 2024]
- European Union Food Week is Coming to Hyundai Food Market - EEAS - November 30th, 2024 [November 30th, 2024]
- The European Union and International IDEA organised a study visit to Kenya for the National Assembly Gender Committee and the CSO Gender Platform -... - November 30th, 2024 [November 30th, 2024]
- Malawi and the European Union hold Partnership Dialogue - EEAS - November 30th, 2024 [November 30th, 2024]
- Georgia suspends talks on joining the European Union and accuses the bloc of blackmail - News-Press Now - November 30th, 2024 [November 30th, 2024]
- If you're traveling outside the United States this Christmas, you'll have to meet a new requirement to enter the European Union - it's now official -... - November 14th, 2024 [November 14th, 2024]
- What the European Union should expect from Trumps tariffs - Bruegel - November 14th, 2024 [November 14th, 2024]
- Ten countries hope to join the European Union. Here is their formal status - Reuters - November 5th, 2024 [November 5th, 2024]
- What Does an European Union Investigation Mean for Temu? - The Fashion Law - November 5th, 2024 [November 5th, 2024]
- Joint Statement by the European Commission and High Representative Josep Borrell on the second round of Presidential Elections in Moldova - European... - November 5th, 2024 [November 5th, 2024]
- Spanish fugitive deported to European Union country: NIA - Focus Taiwan - October 21st, 2024 [October 21st, 2024]
- Trump says Tim Cook called him to complain about the European Union - The Verge - October 21st, 2024 [October 21st, 2024]
- Joint Press Release : First Partnership Dialogue between the Republic of Seychelles and the European Union - EEAS - October 21st, 2024 [October 21st, 2024]
- European Union member States must shield the International Criminal Court from critical threats - FIDH - October 21st, 2024 [October 21st, 2024]
- Can the European Union get it together on capital markets? This is whats at stake - World Economic Forum - October 21st, 2024 [October 21st, 2024]
- Migration And Asylum Offshoring Top Of European Union Council Agenda - Forbes - October 21st, 2024 [October 21st, 2024]
- Intrigue is unfolding in Moldova around the referendum on joining the European Union - Eurasia Daily - October 21st, 2024 [October 21st, 2024]
- The European Union as a strong actor at the 57th session of the Human Rights Council - EEAS - October 21st, 2024 [October 21st, 2024]
- Meta to European Union: Your Tech Rules Threaten to Squelch the AI Boom - The Wall Street Journal - September 19th, 2024 [September 19th, 2024]
- European Union Considers Suspending Visa Free Travel for Georgia After October 16 Elections Amid Political Tensions and Strained Relations - Travel... - September 19th, 2024 [September 19th, 2024]
- Teva faces European Union antitrust fine over shenanigans to thwart rivals - The Times of Israel - September 12th, 2024 [September 12th, 2024]
- Auditors say European Union is likely exaggerating green spending - The Hindu - September 12th, 2024 [September 12th, 2024]
- China's Wang Wentao to discuss the high European Union tariffs on electric cars next week - HT Auto - September 12th, 2024 [September 12th, 2024]
- Travel Update- Schengen Travelers To Experience A New Era As European Union will begin automated stamping for passports - Travel And Tour World - August 25th, 2024 [August 25th, 2024]
- The Largest Standing Armies of the European Union - Worldatlas.com - August 25th, 2024 [August 25th, 2024]
- China questions, begins probe of European Union subsidies for dairy industry exports - Voice of America - VOA News - August 25th, 2024 [August 25th, 2024]
- Von der Leyen, Costa and Kallas have been approved for EU top jobs. Who are they? What do they do? - KELOLAND.com - June 27th, 2024 [June 27th, 2024]
- Von der Leyen, Costa and Kallas have been approved for EU top jobs. Who are they? What do they do? - WRIC ABC 8News - June 27th, 2024 [June 27th, 2024]
- Apple Intelligence Features Not Coming to European Union at Launch Due to DMA - MacRumors - June 27th, 2024 [June 27th, 2024]
- European Union leaders set to endorse Von der Leyen, Costa and Kallas for the bloc's top jobs | Daily Independent - Daily Independent - June 27th, 2024 [June 27th, 2024]
- European Union leaders agree on top officials who will be the face of world's largest trading bloc - Citrus County Chronicle - June 27th, 2024 [June 27th, 2024]
- Not All Tariffs Are the Same: The Core Differences between U.S. and EU Tariffs against Chinese EVs - CSIS | Center for Strategic and International... - June 27th, 2024 [June 27th, 2024]
- Seeking Safety in Cyprus, They're Stuck in Island's U.N. Buffer Zone - The New York Times - June 12th, 2024 [June 12th, 2024]
- What to Know About Europe's Extra Tariffs on Chinese Electric Cars - The New York Times - June 12th, 2024 [June 12th, 2024]
- The EU slaps additional tariffs on Chinese EV imports - The Verge - June 12th, 2024 [June 12th, 2024]
- Battered by Far Right in E.U. Vote, Macron Calls for New Elections in France - The New York Times - June 12th, 2024 [June 12th, 2024]
- Chinese EV makers face additional tariffs of up to 38 percent in the EU - Engadget - June 12th, 2024 [June 12th, 2024]
- Poland exit polls: PM Tusk keeps upper hand over PiS in EU elections - Euronews - June 12th, 2024 [June 12th, 2024]
- The European Union mobilises additional assistance to support Ukraine - European Union - June 12th, 2024 [June 12th, 2024]
- Far-right parties make stunning gains in EU election, prompting Macron to call snap vote in France - Fortune - June 12th, 2024 [June 12th, 2024]
- EU's Borrell: Rafah offensive will cause civilian casualties, no matter what Israel says - The Times of Israel - May 7th, 2024 [May 7th, 2024]
- Who would run the EU if decided by Eurovision? - POLITICO Europe - May 7th, 2024 [May 7th, 2024]
- Opinion | Europe Is About to Drown in the River of the Radical Right - The New York Times - May 7th, 2024 [May 7th, 2024]
- Poland's Tusk Calls on EU to Build Joint Air-Defense System - Yahoo! Voices - May 7th, 2024 [May 7th, 2024]
- Xi visits Europe amid growing tensions with the West - Courthouse News Service - May 7th, 2024 [May 7th, 2024]
- Netherlands joins call to shetler intercepted asylum seekers in non-EU countries: report - NL Times - May 7th, 2024 [May 7th, 2024]
- More civilians will be killed in Israel's Rafah offensive 'whatever they say' - EU's Borrell - The Jerusalem Post - May 7th, 2024 [May 7th, 2024]
- Lawyer: EU taxpayers might have to pay billions for Russian billionaire's unjustified inclusion on a sanctions list - bnn-news.com - May 7th, 2024 [May 7th, 2024]
- EU urged to have fair perception of China - China Daily - May 7th, 2024 [May 7th, 2024]
- EU hosts defence forum to rally its military industry behind Ukraine - Euronews - May 7th, 2024 [May 7th, 2024]
- EU in Tug-of-War for Georgia and Moldova - Center for European Policy Analysis - May 7th, 2024 [May 7th, 2024]
- EU Commission ends rule of law proceedings against Poland after six years - JURIST - May 7th, 2024 [May 7th, 2024]
- Seven out of 10 Europeans believe their country takes in too many immigrants - EL PAS USA - May 7th, 2024 [May 7th, 2024]
- George Robertson: Why Russia fears the European Union - The New Statesman - May 3rd, 2024 [May 3rd, 2024]
- Meta Faces EU Investigation Over Election Disinformation - The New York Times - May 3rd, 2024 [May 3rd, 2024]
- Europeans lack visceral attachment to the EU. Does it matter? - The Economist - May 3rd, 2024 [May 3rd, 2024]
- Europe's East Will Soon Overtake Club Med for Living Standards - Yahoo! Voices - May 3rd, 2024 [May 3rd, 2024]
- German Foreign Minister Aims To Abolish Veto in EU Council Ahead of Enlargement - The European Conservative - May 3rd, 2024 [May 3rd, 2024]
- Le Pen urges 'crushing' defeat of Macron in speech ahead of European elections - Le Monde - May 3rd, 2024 [May 3rd, 2024]
- The European Union is investigating Meta's election policies - Engadget - May 3rd, 2024 [May 3rd, 2024]
- Activists press for EU-wide abortion right - POLITICO Europe - May 3rd, 2024 [May 3rd, 2024]
- In the upcoming European elections, peace and security matter the most - Euronews - May 3rd, 2024 [May 3rd, 2024]
- The Greens' Reintke vows to keep EU on track towards climate neutrality amid right-wing backlash - Euronews - May 3rd, 2024 [May 3rd, 2024]
- President von der Leyen reaffirms EU's strong support for Lebanon and its people and announces a 1 billion package ... - European Union - May 3rd, 2024 [May 3rd, 2024]
- GDP up by 0.3% in both the euro area and the EU - European Commission - May 3rd, 2024 [May 3rd, 2024]
- Possible to enlarge and deepen EU at the same time, Barroso says - EURACTIV - May 3rd, 2024 [May 3rd, 2024]
- The European Union will reportedly open a new investigation into Meta over election policies - Engadget - May 3rd, 2024 [May 3rd, 2024]
- European elections: are national issues overshadowing European ones? - Euronews - May 3rd, 2024 [May 3rd, 2024]
- EU Enhances Protection of the Environment Through Criminal Law - Gibson Dunn - May 3rd, 2024 [May 3rd, 2024]
- What U.S. Policymakers Can Learn from the European Union's Probe of Meta - Just Security - May 3rd, 2024 [May 3rd, 2024]
- 20 years together: Facts and figures about the benefits of the enlargement for the EU - European Union - May 3rd, 2024 [May 3rd, 2024]
- Ten reasons to vote in the European elections - Social Europe - May 3rd, 2024 [May 3rd, 2024]
- Foreign Ministers mark NATO's 75th anniversary, meet with Ukraine, Indo-Pacific partners, European Union - NATO HQ - April 5th, 2024 [April 5th, 2024]
- Press statement by President von der Leyen on a Resilience and Growth Plan for Armenia - European Union - April 5th, 2024 [April 5th, 2024]
- EU pulls back the curtain on organized crime, with 821 networks numbering 25000 strong poisoning the economy - Fortune - April 5th, 2024 [April 5th, 2024]
- EU announces new 270 million Resilience and Growth package for Armenia - euneighbourseast.eu - April 5th, 2024 [April 5th, 2024]
- Mara Elsabet receives a special mention for Spufuglinn - EEAS - April 5th, 2024 [April 5th, 2024]
- Over 80% of the European Unions Common Agricultural Policy supports emissions-intensive animal products - Nature.com - April 5th, 2024 [April 5th, 2024]