Blackbaud’s data breach settlement and what it means for Australian businesses

Blackbaud, Inc., a data and software services company in the USA, will settle a complaint brought by the US Federal Trade Commission (FTC) to hold the company responsible for poor data practices which allowed a hacker to access and download sensitive information of Blackbaud customers in February 2020.

The files accessed by the hacker contained unencrypted personal information of millions of US consumers, such as Social Security numbers, financial and medical information, employment information and account credentials. 

As part of the FTC settlement, Blackbaud will be required to delete personal information it no longer needs and implement a comprehensive information security program and an accountable data retention policy.

The settlement and fallout of the Blackbaud data breach is a timely reminder to Australian businesses to review their privacy compliance and data safety practices and consider how they would respond to a similar situation. 

In this alert, we outline the major elements in the FTC case against Blackbaud, and how Australia’s privacy laws would apply to a similar data incident in Australia.

Why the Blackbaud scenario matters to Australian organisations

  1. Failure in proper data practices: Blackbaud’s weak security practices enabled a large-scale data breach which exposed sensitive data such as financial information and social security numbers for millions of US individuals and businesses.

    In Australia, companies who store or hold this type of personal information must do so in accordance with the Privacy Act 1988 (Cth), with a particular eye towards complying with the Australian Privacy Principles (APP).

    APP 11 (Security of personal information) requires APP entities to take reasonable steps to ensure that the personal information they hold is protected from misuse, interference, loss, and unauthorised access, modification or disclosure by third parties.

    What steps are ‘reasonable’ is determined on a case-by-case basis and will vary considerably depending on a number of factors, such as the nature of the information, the environment in which the information is stored, and the volume and complexity of the data. The Office of the Australian Information Commissioner’s (OAIC) ‘Guide to Securing Personal Information’ provides examples of how entities can comply with these requirements, and of situations where failure to comply will result in the OAIC taking regulatory action.

  2. Data hoarding: The FTC case drew attention to Blackbaud’s practice of retaining data even after the purpose for collection had ended. As part of the settlement, Blackbaud will have to delete unnecessary personal information.

    In Australia, the practice of data hoarding is addressed by APP 11. To comply with APP 11, entities must destroy or de-identify personal information once it is no longer needed for the purposes for which it was collected.

    In HopgoodGanim's cyber incident response experience, we see all too often that data hoarding leads directly to increased numbers of affected individuals; longer investigation and notification times; and significantly higher costs of response and recovery for the organisation or its cyber insurer.

  3. Lack of notice: Blackbaud’s delay in notifying customers of the breach and its attempts at downplaying the severity of the breach were both spotlighted as being intentionally deceptive.

    Australia’s Notifiable Data Breaches scheme requires federal government departments and agencies and private sector organisations to assess and notify the Commissioner and affected individuals within 30 days if they suffer an ‘eligible data breach’. An eligible data breach occurs where personal information held by an organisation is lost, or is accessed or disclosed without authorisation, and that occurrence creates a risk of serious harm to any of the individuals to whom the information relates.

    Despite this timeframe, the OAIC’s recent Notifiable Data Breaches Report for the period January-June 2023 flagged increasing concern that entities are dragging their feet when assessing and identifying eligible data breaches, exacerbating the risks of serious harm and preventing victims from responding in a timely manner to protect themselves.

  4. Mandatory changes in policy: The FTC’s proposed order will require Blackbaud to implement an information security program and an accountable data retention policy. This is to ensure that unneeded data is erased, that the company adopts and complies with truthful statements about its data handling practices, and that it adopts a specific data retention policy and plan.

    In Australia, the OAIC has powers to (among other things) accept an enforceable undertaking from an entity, or it can seek a court order for a pecuniary penalty in cases of serious or repeated privacy breaches.

    The Blackbaud breach happened in February 2020. At that time, the maximum penalty imposable against a body corporate under Australia’s Privacy Act was approximately $2.1 million.

    The Privacy Act was amended in December 2022 to allow the court to impose on a company or other body corporate a monetary penalty of up to $50,000,000, or three times the value of the benefit obtained or attributable to the contravening conduct, or, if the court cannot determine the value of the benefit, 30% of the entity’s adjusted turnover.

    Whether a data breach occurs from a cyber-attack, a system malfunction or just plain human error, organisations should be aware of their obligations and be able to demonstrate that they are handling personal information in a legally compliant and responsible manner.


Australian regulatory responses

Regulators including ASIC, APRA and the OAIC have each increased their enforcement focus on proper information handling and management of cyber security risks. For example, after an investigation into the privacy practices and handling of a 2022 data breach (including alleged intentional delays in making notifications) which affected Australian Clinical Labs’ Medlab Pathology business and the health information of individual patients, the OAIC started legal proceedings against ACL in late 2023. The OAIC is seeking a civil penalty order of $2,220,000 for each contravention. 

For additional information on how your organisation can improve its handling of personal information and reduce risks of a data breach, please get in touch with our Intellectual Property, Technology and Cyber Security team.