It has come to light in the last 24 hours that the technology provider Blackbaud (one of the largest suppliers of fundraising and other software tools, such as Raiser’s Edge, to the not-for-profit sector) was the victim of a ransomware attack on its systems in May.
It seems that the incident involved a cybercriminal removing a copy of a subset of data (which apparently included no credit card or bank account information), and that Blackbaud ultimately paid the ransom demanded once it had received credible confirmation that the data had been destroyed.
We understand that notifications have been provided to the subset of Blackbaud clients affected by the incident. In any event, given the ongoing risks posed by data security breaches (Blackbaud has said that it successfully defends against millions of attacks each month), this is the sort of security incident that is relevant across the sector, regardless of which technology provider an organisation uses.
We recommend the following immediate action points for organisations who may be concerned that they have been affected:
1. Establish the facts quickly
Have you received a notification from Blackbaud? If so, review the details carefully and conduct your own internal enquiries to check that they marry up. Blackbaud has established a helpline and specific resources for affected clients, so it would be sensible to use these to establish more specific detail about exactly what happened in respect of your organisation. If you use Blackbaud but have not received a notification, that should mean you have not been affected, but it would be worth confirming this with the company, and carrying out your own internal checks too, as soon as feasible.
2. Assess the risk and consider the need for notification(s) (but don’t panic)
Assuming that a company such as Blackbaud is acting as a “data processor” for client organisations, its duty under the GDPR is to notify its “data controller” clients of the incident without undue delay. As we understand it, the incident happened in May, but now that Blackbaud has notified clients, data controllers must consider in short order whether they should submit a notification to the Information Commissioner’s Office (ICO).
Not every data breach needs to be notified to the ICO, hence the importance of assessing risk at the outset. Under the GDPR, a data controller must report a personal data breach to the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights. It is also important to remember that, for charities, a report to the ICO (or indeed to the police / Action Fraud) would also necessitate a serious incident report to the Charity Commission.
In this case, the breach occurred at a third party (which has itself confirmed the action it has taken to close down the issue), and it might legitimately take a little longer than 72 hours to establish the exact facts and risk level (noting, for example, that Blackbaud’s helpline is likely to be very busy). We therefore do not think organisations should be panicked into an early notification if they have not been able to establish the facts and conduct a proper risk assessment.
3. Consider affected individuals, such as your donor community
Separately, notification to the individuals whose data is involved also needs to be considered, but under the GDPR there is a higher threshold for this: it is required where the breach is likely to result in a “high risk” to individuals. Different charities may take different approaches, whether because they take a different view of the risk or of the expectations of their donor community, or because the nature of the data compromised differs. However, all are likely to be looking to the lead of others in the sector.
We understand that Blackbaud has said that the only data compromised was comparatively low risk (i.e. names and email addresses, but no payment information or usernames / passwords, which were encrypted). Naturally, organisations will be most concerned about more impactful information, including donations and prospect research. It is therefore still important for organisations to make their own internal enquiries to satisfy themselves that Blackbaud’s initial assessment is reasonable and supported by the facts.
We would recommend direct follow-up with Blackbaud, which is obliged to cooperate as processor, as well as use of the ICO’s online self-assessment tool to assist the decision.
4. Document the steps you have taken and seek advice if needed
Even if you conclude that a data breach is low risk and does not need to be notified to the ICO, it is important to keep an internal record of the incident and of the steps taken. To assist with the risk assessment, and with consideration of reporting thresholds and requirements, consider whether you need specialist assistance (whether IT expertise or external advice on the legal issues and reporting requirements).
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2020