May 29, 2024

U.S. Privacy and Data Protection | Insights | May 2024 (Federal Law)

By Liana Chen

Partner


For business owners in the digital age, it is critical to remain compliant with FTC rules and guidelines, especially as the FTC cracks down on various issues, including lax data security and privacy.

A Cautionary Tale & Claimed Security Issues

Blackbaud, a data service provider, was recently charged by the FTC over its purportedly lax security, which allegedly led to a hacker being able to “...breach the company’s network and access the personal data of millions of consumers, including Social Security and bank account numbers.”1

Further, the complaint from the FTC states that the company “failed to use appropriate information security practices to protect consumers’ personal information. These failures allowed an attacker to access Blackbaud’s customer databases and steal personal information relating to millions...”2

Specifically, according to the FTC3, the company failed to do the following things that led to the hacking:

  • Monitor hacking or breaching attempts
  • Segment data to deter hackers
  • Ensure data that is no longer needed is deleted
  • Properly implement multifactor authentication amongst staff and users
  • Restrict use of weak or identical passwords for company accounts

As a result of these failures, a hacker was allegedly able to easily access a customer’s Blackbaud-hosted database.4 The attacker had no issue moving through Blackbaud servers and was able to create their own administration accounts and harvest consumers’ vulnerable data.

These purported failures in data security are common claims in other types of lawsuits where there has been a security incident. Many companies may be dealing with similar issues and want to know what data privacy and security policies and practices should be adopted while still maintaining business.

FTC Focus & Requirements Moving Forward

While an FTC order against Blackbaud would not be binding upon unrelated third-party businesses, reviewing it is helpful because it shows the FTC’s position on best practices and reasonable security efforts.

Not only will Blackbaud be required to delete data no longer needed to provide services to customers, but the proposed order will also ban Blackbaud from misrepresenting its data security and data retention policies. Blackbaud is also required to develop a comprehensive information security program that thoroughly highlights the issues raised in the FTC’s complaint, such as a data retention schedule and an explanation of why it keeps personal data and when such data will be deleted.

A joint statement from FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya noted that “Today’s action builds on a series of cases that have made clear that maintaining a data retention and deletion schedule is a critical part of protecting consumers’ data security... As businesses face fresh incentives to hoard data to train AI models, protecting Americans from unlawful data practices will be especially critical.”5

How Can Kronenberger Rosenfeld Help?

Kronenberger Rosenfeld, LLP regularly assists businesses with data privacy and security issues, including proactive compliance and experienced advice if any legal issues arise. If you need assistance for your business, contact our firm using our online case submission form here.

This entry was posted on Wednesday, May 29, 2024 and is filed under Privacy and Data Protection Updates, Internet Law News.


