McGuireWoods Richmond partner Janet Peyton was quoted in an Aug. 5, 2020,
article in The Chronicle of Philanthropy about the challenges Blackbaud’s
May 2020 ransomware attack has created for affected nonprofits.
Cloud software company Blackbaud is one of the world’s largest providers of
education administration, fundraising and financial management software for
nonprofits across the United States, the UK and Canada.
As reported, the company did not notify users until mid-July about the May
data breach that involved personal data stored on its servers. Peyton
called Blackbaud’s delay in notifying its customers “excessive” and said
she suspects the scope of the breach could account for the delay. She also
noted that Blackbaud’s assertion, following its payment of the ransom, that
it has “no reason to believe that any data went beyond the cybercriminal,
was or will be misused” seemed overly optimistic.
“I did find it odd that Blackbaud put so much emphasis on their belief that
by paying the ransom, they were keeping their clients’ data safe somehow,”
said Peyton, a member of McGuireWoods’ data privacy and security team, who
represents several nonprofit clients impacted by the Blackbaud breach. “I
would not put so much stock in the hacker.”
Organizations are now weighing ethical concerns and legal obligations tied
to disclosing the breach to those whose data privacy was compromised, with
careful consideration of varying state data privacy laws and the EU General
Data Protection Regulation. Peyton noted, “Every Blackbaud customer is
going to have to evaluate the nature of their specific data that was
For details on issues related to the breach and its implications for
nonprofits, see a McGuireWoods July 27 Password Protected blog post Peyton
co-authored with London associate Alice O’Donovan, “Blackbaud Data Breach:
Do You Need to Notify Affected Individuals or EU Data Protection
Authorities?”