EPIC Applauds Proposed FTC Order With Blackbaud, Urges Stronger Protections for Donor Privacy

March 20, 2024

On March 14, EPIC submitted comments in response to the FTC’s proposed order with Blackbaud, a donor management software company used by nonprofits. Blackbaud failed to implement basic cybersecurity measures and failed to appropriately notify impacted consumers when a months-long breach occurred. EPIC supported the FTC’s proposed order, applauding its data minimization and third-party oversight provisions, as well as its attention to Blackbaud’s neglecting to update consumers when it became clear the breach was more severe than initially reported. EPIC also urged the FTC to consider the chilling effects this kind of breach could have on donations and to articulate an expectation of enhanced cybersecurity measures for donor data.

Millions of donors whose data was exposed likely had no say in whether the nonprofits they supported entrusted Blackbaud with their sensitive information, such as religious affiliations, family backgrounds, dates of birth, income brackets, sexual orientations, and disabilities. Moreover, Blackbaud failed to safeguard Social Security numbers, financial account details, and other private information gathered from its employees. Despite assuring consumers of robust data security measures, Blackbaud’s practices fell short.

EPIC also applauded the FTC for its consistency in taking companies to task for their deficient cybersecurity practices over the past decade-plus, while also updating its orders in light of evolving best practices, such as requiring use of non-SMS-based multi-factor authentication.

EPIC regularly submits comments in response to proposed FTC consent orders, files complaints regarding business practices that violate privacy rights, and defends donor privacy.
