U.S. Privacy and Data Protection | Insights | May 2024 (Federal Law)
As a business owner in the digital age, it is critical to remain compliant with FTC rules and guidelines, especially as the FTC is cracking down on various issues, including lax data security and privacy.
A Cautionary Tale & Claimed Security Issues
Blackbaud, a data service provider, was recently charged by the FTC for its purportedly lacking security, which led to a hacker allegedly being able to “...breach the company’s network and access the personal data of millions of consumers, including Social Security and bank account numbers.”[1]
Further, the complaint from the FTC states that the company “failed to use appropriate information security practices to protect consumers’ personal information. These failures allowed an attacker to access Blackbaud’s customer databases and steal personal information relating to millions...”[2]
Specifically, according to the FTC,[3] the company failed to do the following things, which led to the hacking:
- Monitor hacking or breaching attempts
- Segment data to deter hackers
- Ensure data that is no longer needed is deleted
- Properly implement multifactor authentication amongst staff and users
- Restrict use of weak or identical passwords for company accounts
As a result of these failures, a hacker was allegedly able to access a customer’s Blackbaud-hosted database with little difficulty.[4] The attacker had no trouble moving through Blackbaud’s servers, creating their own administrator accounts, and harvesting consumers’ sensitive data.
These purported failures in data security are common allegations in other types of lawsuits following a security incident. Many companies may be dealing with similar issues and want to know what data privacy and security policies and practices they should adopt while still running their business.
FTC Focus & Requirements Moving Forward
While an FTC order against Blackbaud would not be binding on unrelated third-party businesses, it is worth reviewing because it shows the FTC’s position on best practices and reasonable security efforts.
Not only will Blackbaud be required to delete data no longer needed to provide services to customers, but the proposed order will also ban Blackbaud from misrepresenting its data security and data retention policies. Blackbaud is further required to develop a comprehensive information security program that addresses the issues raised in the FTC’s complaint, including a data retention schedule and an explanation of why it keeps personal data and when such data will be deleted.
A joint statement from FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya noted that “Today’s action builds on a series of cases that have made clear that maintaining a data retention and deletion schedule is a critical part of protecting consumers’ data security... As businesses face fresh incentives to hoard data to train AI models, protecting Americans from unlawful data practices will be especially critical.”[5]
How Can Kronenberger Rosenfeld Help?
Kronenberger Rosenfeld, LLP regularly assists businesses with data privacy and security issues, including proactive compliance work and experienced advice if legal issues arise. If you need assistance for your business, contact our firm using our online case submission form here.