On July 19th 2020, Blackbaud Inc released a statement on a security incident that they had experienced.
This incident resulted in a data breach of UK data associated with a number of UK Universities and a number of charity organisations. A full list of affected UK legal entities has not been disclosed by Blackbaud Inc.
The University of York released this statement relating to the breach and the associated notification to the ICO as required by the GDPR.
This data breach highlights the difficulty of ensuring GDPR compliance when relying on third-party service providers. A good summary of the key points is provided here.
Data Breach timeline
Analysis of the Blackbaud Data breach timeline highlights some worrying findings.
Blackbaud admits to knowing about the attack in May 2020 in their security incident statement. Notification to the affected data controllers only occurred on the 16th July 2020 according to the University of York statement.
Article 33.2 of the GDPR requires a data processor to inform the data controller of a data breach “without undue delay”. It is difficult to see how a notification delay of over a month is not a breach of Article 33.2 of the GDPR.
Digging a little deeper into Blackbaud’s security incident statement, it references a security page on their website which is intended to provide further details of the security controls employed by Blackbaud to protect client data.
The security page references three security white papers. A quick look reveals that two of these documents are dated June 2020, after the breach occurred but before clients were notified. Further confirmation can be found by looking at the history of this webpage on Archive.org: the 20th June snapshot in the archive does not include the white papers, so they were not visible on this page before that date.
This leads to an intriguing question. Why does an organisation spend effort to update their security white papers on their external website, after they have suffered a data breach, but still have not had the time to notify their clients?
Clearly the cyber team had a bit of downtime to turn around this documentation. Maybe the downtime could have been better used contacting affected clients?
Plausible deniability?
Blackbaud make a big deal about their GDPR credentials on their website. It would therefore be strange to argue that they did not understand the GDPR or were not aware of their obligations to report.
In a mirror of the Equifax data breach, it will be the UK subsidiary of Blackbaud, Blackbaud Europe Ltd, who will feel the brunt of the ICO’s actions in this case.
This is an extract from the ICO monetary penalty notice on the Equifax case, which was under the previous Data Protection Act 98 (DPA98) legislation in the UK.
(9) Communications between Equifax Ltd and Equifax Inc were inadequate, as evidenced by the delay of over a month between Equifax Inc becoming aware of the data breach and Equifax Ltd being informed of it. Even in respect of the loss of UK data, Equifax Inc became aware of this at least over a week before Equifax Ltd was informed (and then took steps to inform the affected data subjects and the Commissioner). This failure to communicate in a timely manner suggests that communications procedures were inadequate and/or not followed.
The scale of the fine
The GDPR allows the ICO to apply a maximum fine in line with a percentage of the revenue of the “undertaking”. In practice this means that the revenue of the parent organisation, Blackbaud Inc, is the measure to be used for any fine under the GDPR, not the revenue of Blackbaud Europe Ltd.
Blackbaud Inc reported revenues last year just shy of $238m with a profit of $3.1m. The maximum fine for a breach of Article 33.2 is 2% of global revenue or 10 million Euros (whichever is the greater) as stipulated in Article 83.4 of the GDPR, assuming the ICO investigation does not uncover any other reasons to fine Blackbaud Europe Ltd that might fall into the 4% bracket.
The GDPR also kindly lists out the reasons to be considered for applying the scale of the fine in Article 83.2.
These are:
- (a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected, and the level of damage suffered by them;
- (b) the intentional or negligent character of the infringement;
- (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
and then a host of other lesser crimes.
Clearly, based on (b) and (c), Blackbaud Europe Ltd may have a hard time explaining its actions and limiting the fine in any way.
Lawyers on standby
As if that were not enough, there is the potential for all of the UK data controllers to seek legal redress for Blackbaud’s failure to notify appropriately. The contractual terms that apply are helpfully provided on Blackbaud’s website. This may even result in a class action, with all of the affected UK entities bringing a single case against Blackbaud Europe Ltd.
After a busy few months for the Cyber team at Blackbaud, it could be the legal team’s turn to burn the midnight oil.
The only winners here will be the suppliers of coffee and Red Bull to Blackbaud offices.