US SEC sues ransomware victim for misleading disclosures

On March 9, 2023, the US Securities and Exchange Commission (SEC) announced an enforcement action against Blackbaud Inc. for making allegedly misleading disclosures about a 2020 ransomware attack. Blackbaud provides donor data management software to non-profit organizations. Blackbaud settled the matter by agreeing to pay US$3 million.

According to the SEC Order, on May 14, 2020, Blackbaud suffered a ransomware attack that resulted in unauthorized access and exfiltration of sensitive customer information. This information consisted of over one million files concerning more than 13,000 customers. On July 16, 2020, Blackbaud informed their clients that the threat actor did not access donor bank account information or social security numbers. A few days later, however, the company's technology and customer relations personnel learned otherwise. None of those employees informed senior management responsible for the public disclosure. As a result, the SEC alleged that the company failed to maintain adequate disclosure controls and procedures.

In August 2020, Blackbaud filed its Form 10-Q. The portion of the public filing describing the scope of the attack merely stated that "the cybercriminal removed a copy of a subset of data." The disclosure failed to mention that the exfiltrated data included bank account information and social security numbers. The SEC also took issue with Blackbaud's cybersecurity risk disclosure, which referred to the risk of experiencing data compromises in hypothetical terms. Specifically, the company's risk disclosure stated, "[a] compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others, as well as our operations, results of operations, financial condition and liquidity and could result in litigation against us or the imposition of penalties." It was not until more than six weeks later that the company filed a Form 8-K disclosing for the first time that the threat actor may have accessed some bank account information, social security numbers and passwords.

This enforcement action follows the trend of increased SEC scrutiny of whether and how companies publicly disclose ransomware events. Indeed, the SEC emphasized in its press release about the matter that "[p]ublic Companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so." Whether a ransomware attack or other cybersecurity compromise requires public disclosure is a highly fact-specific and complex analysis. Companies would be well-served to have protocols in place that identify the immediate steps to be taken in the event of a cybersecurity compromise, which should include involving the individuals who can assess whether there are any disclosure obligations.