Source: Btlj

Blackbaud: The Writings on the Blackbaud: Lessons from the FTC's First Standalone Section 5 Unfairness Claim

By Gaurav Lalsinghani, J.D. Candidate, 2025

In February 2024, the Federal Trade Commission (FTC) broke new ground by bringing its first-ever standalone Section 5 unfairness claims for unreasonable data retention and misleading breach notifications. The agency's enforcement action against Blackbaud, a cloud software provider serving nonprofits, healthcare organizations, and educational institutions, marked a significant expansion of the Commission's approach to data security enforcement. Now, a year later, organizations are still grappling with the material consequences of heightened scrutiny and uncertainty over where the Commission's regulatory focus will shift next.

The FTC's Complaint Against Blackbaud

The FTC's complaint against Blackbaud stemmed from a 2020 data breach in which an attacker allegedly exploited an end user's login credentials to infiltrate the company's databases. The attacker navigated Blackbaud's servers undetected for nearly three months until the company identified a suspicious login on a backup server. By then, the attacker had already exfiltrated vast amounts of sensitive customer data. After discovering the breach, Blackbaud received a ransom demand for the stolen data. The company ultimately paid 24 Bitcoin, valued at approximately $235,000 each, in exchange for the attacker's assurance that the data would be deleted.

The FTC alleged that Blackbaud's lax encryption practices worsened the impact of the breach. According to the complaint, Blackbaud permitted customers to store Social Security numbers and bank account details in unencrypted fields, allowed customers to upload unprotected attachments containing sensitive personal data, and failed to encrypt its database backups. Compounding these security failures, Blackbaud also neglected to enforce its own data retention policies, retaining consumer data long past any legitimate business need. As a result, the FTC argued that some of the stolen information should have been securely destroyed years prior.

Beyond its security deficiencies, the FTC's complaint raised concerns about Blackbaud's response to the breach. Following what the Commission described as an "exceedingly inadequate" internal investigation, Blackbaud misrepresented the breach's scope and severity in its notification to customers, assuring them that "the cybercriminal did not access credit card information, bank account information, or Social Security numbers" and that "no action [was] required." Yet, as Blackbaud continued its post-breach review, it became evident that the attacker had, in fact, stolen sensitive financial and personal data. Despite this discovery, Blackbaud did not disclose the full extent of the breach until three months later. These actions and omissions, according to the FTC, misled Blackbaud's customers into believing they were not required to notify their own consumers, ultimately leaving those affected unaware of their exposure.

Breaking New Ground: Section 5 Unfairness Claims Without a Deception Component

The FTC's reliance on standalone Section 5 unfairness claims in its complaint, rather than its more commonly used deception authority, marked a significant shift from its standard approach. Traditionally, the FTC has pursued data security cases under its deception prong, alleging that companies have misrepresented their cybersecurity practices. In Blackbaud, however, the FTC argued that the software provider's actions were inherently unfair, as they resulted in substantial consumer harm that could have been prevented through proper data retention policies and timely, accurate breach disclosures. The FTC's foray into new regulatory territory sent shockwaves throughout the market, reshaping compliance expectations. The complaint sparked questions about what qualifies as an unreasonable data retention practice and how aggressively companies should implement data minimization strategies. It also raised concerns about what breach notification standards are sufficient: should companies prioritize timely but incomplete disclosures, or is a delayed yet fully accurate notice preferable?

A Cautionary Tale: Settlement and Lessons Learned

Blackbaud swiftly settled, but the agreement left many critical questions unanswered. Under the terms of the finalized settlement order, Blackbaud must establish a data retention schedule and delete any data no longer necessary for providing its products and services. The company is also prohibited from misrepresenting its data security and retention policies. Additionally, Blackbaud must develop, implement, and maintain a comprehensive information security program to address the deficiencies identified in the FTC's original complaint. Though the settlement did not include a financial penalty, it does require Blackbaud to notify the Commission if the company experiences another reportable data breach.

The Blackbaud case is a clear warning shot to companies that failure to implement sound data governance and transparent breach response processes could lead to regulatory scrutiny. Companies can no longer afford to take a reactive approach to data retention and incident response. Instead, proactive data minimization, well-documented security policies, and transparent breach disclosures should be core components of a company's compliance strategy. Even as administrative priorities change, Blackbaud's experience serves as a crucial lesson: data security is not just an IT issue; it's a legal and compliance imperative.
