Blackbaud’s data breach settlement and what it means for Australian businesses
Blackbaud, Inc., a data and software services company in the USA, will settle a complaint brought by the US Federal Trade Commission (FTC) to hold the company responsible for poor data practices which allowed a hacker to access and download sensitive information of Blackbaud customers in February 2020.
The files accessed by the hacker contained unencrypted personal information of millions of US consumers, such as Social Security numbers, financial and medical information, employment information and account credentials.
As part of the FTC settlement, Blackbaud will be required to delete personal information it no longer needs and implement a comprehensive information security program and an accountable data retention policy.
The settlement and fallout of the Blackbaud data breach is a timely reminder to Australian businesses to review their privacy compliance and data safety practices and consider how they would respond to a similar situation.
In this alert, Vacation Clerk Tom Kelman and Head of Cyber Security and Special Counsel Steven Hunwicks outline the major elements in the FTC case against Blackbaud, and how Australia’s privacy laws would apply to a similar data incident in Australia.
In Australia, companies that store or hold this type of personal information must do so in accordance with the Privacy Act 1988 (Cth), with a particular eye towards complying with the Australian Privacy Principles (APP).
APP 11 (Security of personal information) requires APP entities to take reasonable steps to ensure that the personal information they hold is protected from misuse, interference, loss, and unauthorised access, modification or disclosure by third parties.
What steps are ‘reasonable’ is determined on a case-by-case basis and will vary considerably depending on a number of factors, such as the nature of the information, the environment in which the information is stored and the volume and complexity of the data. The Office of the Australian Information Commissioner’s (OAIC) ‘Guide to Securing Personal Information’ provides examples of how entities can comply with their requirements, and of situations where failure to comply will result in the OAIC taking regulatory action.
In Australia, the practice of data hoarding is addressed by APP 11. To comply with APP 11, entities must destroy or de-identify personal information when it is no longer needed for the purposes for which it was collected.
In HopgoodGanim's cyber incident response experience, we see all too often that data hoarding leads directly to increased numbers of affected individuals; longer investigation and notification times; and significantly higher costs of response and recovery for the organisation or its cyber insurer.
Regulators including ASIC, APRA and the OAIC have each increased their enforcement focus on proper information handling and the management of cyber security risks. For example, after an investigation into the privacy practices and handling of a 2022 data breach (including alleged intentional delays in making notifications) which affected Australian Clinical Labs’ (ACL) Medlab Pathology business and the health information of individual patients, the OAIC started legal proceedings against ACL in late 2023. The OAIC is seeking a civil penalty order of $2,220,000 for each contravention.
For additional information on how your organisation can improve its handling of personal information and reduce risks of a data breach, please get in touch with our Intellectual Property, Technology and Cyber Security team.