(STL.News) – In mid-July, Blackbaud, a software provider used by a significant portion of the nonprofit community, reported a ransomware attack that took place in May 2020 and resulted in the acquisition of data by cybercriminals. According to public statements, Blackbaud claims that it has “no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” but, to date, has not announced any concrete substantiation of this claim. It is generally difficult to “prove” that a cybercriminal that has acquired sensitive data has deleted it, and absent affirmative proof, one should treat that data as “acquired” or breached under Vermont’s laws.
The Attorney General’s Office (AGO) is encouraged by how quickly users of Blackbaud’s software have moved to ensure compliance with Vermont and other states’ Security Breach Notice Acts by issuing notices to their customers, donors, and others. This Q & A attempts to address some issues that have arisen and provides suggestions based on information that is currently publicly available. The details of this incident, however, may develop over time.