Blackbaud Inc. Agrees to Pay $3 Million to Settle Misleading Disclosure Charges

The Securities and Exchange Commission (SEC) announced today that Blackbaud Inc., a South Carolina-based public company specializing in donor data management software for non-profit organizations, has agreed to pay a $3 million penalty after making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers. The SEC’s order found that Blackbaud initially stated that no bank account information or social security numbers were accessed by the attacker, when in fact personnel had already learned this was not the case. This material information was not communicated to senior management, causing quarterly reports filed with the SEC in August of 2020 to omit this crucial information and misleadingly characterize the risk of an attacker obtaining such sensitive donor information as hypothetical. As a result, the SEC charged Blackbaud with violations of Sections 17(a)(2) and 17(a)(3) of the 1933 Securities Act and Section 13(a) of the 1934 Securities Exchange Act and Rules 12b-20, 13a-13, and 13a-15(a) pursuant to their failure to adequately disclose material information. Blackbaud has agreed to the civil penalty without admitting or denying any wrong doing and also agreed to cease and desist from further violations. The SEC investigation was conducted with the assistance of the Federal Trade Commission as well as the Offices of the Attorneys General for the States of Indiana and Vermont.