HB Ad Slot
HB Mobile Ad Slot
SEC Notice to Public Companies: Less-than-forthcoming Breach Disclosures Can Cost You
Tuesday, March 14, 2023

Just ahead of the expected April release of the final SEC cybersecurity regulations, the SEC has fined Blackbaud, a donor data management platform used widely by nonprofits, $3 million dollars for "misleading disclosures" in connection with a 2020 ransomware attack that impacted more than 13,000 customers.  

Blackbaud told customers the incident did not compromise bank account information and Social Security numbers when, according to the SEC, security and communications personnel knew the information was accessed and did not communicate that information to senior management.   Absent the critical information, senior management responsible for disclosure left the full disclosure out of its quarterly report and, according to the SEC, "misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical."   

Not all data breaches -- ransomware attacks or otherwise -- rise to the level of materiality that could trigger a disclosure in SEC reporting.   However, disclosure controls and procedures should certainly have pushed the accurate information about the compromise of personal information up the chain for such analysis and could have saved Blackbaud a tidy sum of money.

As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”

HTML Embed Code
HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins