May 29, 2024

U.S. Privacy and Data Protection | Insights | May 2024 (Federal Law)

By Liana Chen

Partner

As a business owner in the digital age, it is critical to remain compliant with FTC rules and guidelines, especially as the FTC is cracking down on various issues, including lax data security and privacy.

A Cautionary Tale & Claimed Security Issues

Blackbaud, a data service provider, was recently charged by the FTC over its purportedly lax security, which allegedly led to a hacker being able to “... breach the company’s network and access the personal data of millions of consumers, including Social Security and bank account numbers.”1

Further, the complaint from the FTC states that the company, “failed to use appropriate information security practices to protect consumers’ personal information. These failures allowed an attacker to access Blackbaud’s customer databases and steal personal information relating to millions...”2

Specifically, according to the FTC,3 the hacking resulted from the company’s failure to do the following:

  • Monitor hacking or breaching attempts
  • Segment data to deter hackers
  • Ensure data that is no longer needed is deleted
  • Properly implement multifactor authentication amongst staff and users
  • Restrict use of weak or identical passwords for company accounts

As a result of these failures, a hacker was allegedly able to easily access a customer’s Blackbaud-hosted database.4 The attacker had no issue moving through Blackbaud servers and was able to create their own administration accounts and harvest vulnerable data of consumers.

These purported failures in data security are common claims in other types of lawsuits where there has been a security incident. Many companies may be dealing with similar issues and want to know what data privacy and security policies and practices should be adopted while still maintaining business.

FTC Focus & Requirements Moving Forward

While an FTC order against Blackbaud would not be binding upon unrelated third-party businesses, it is helpful to review because it shows the FTC’s position on best practices and reasonable security efforts.

Not only will Blackbaud be required to delete data no longer needed to provide services to customers, but the proposed order will ban Blackbaud from misrepresenting its data security and data retention policies. Blackbaud is also required to develop a comprehensive information security program that thoroughly highlights the issues brought by the FTC’s complaint, such as a data retention schedule and an explanation of why it keeps personal data and when such data will be deleted.

A joint statement from FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya, noted that, “Today’s action builds on a series of cases that have made clear that maintaining a data retention and deletion schedule is a critical part of protecting consumers’ data security... As businesses face fresh incentives to hoard data to train AI models, protecting Americans from unlawful data practices will be especially critical.”5

How Can Kronenberger Rosenfeld Help?

Kronenberger Rosenfeld, LLP regularly assists businesses with data privacy and security issues, including proactive compliance and experienced advice if any legal issues arise. If you need assistance for your business, contact our firm using our online case submission form here.

This entry was posted on Wednesday, May 29, 2024 and is filed under Privacy and Data Protection Updates, Internet Law News.


