SEC Filing | Blackbaud

View:

Download DOC

Download PDF

Download XLS

Download XBRL

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 8-K

CURRENT REPORT

Pursuant to Section 13 or 15(d) of the
Securities Exchange Act of 1934

Date of Report (Date of earliest event reported): February 1, 2024

Blackbaud, Inc.

(Exact name of registrant as specified in its charter)

Delaware	000-50600	11-2617163
(State or other jurisdiction of incorporation)	(Commission File Number)	(IRS Employer ID Number)

65 Fairchild Street, Charleston, South Carolina 29492

(Address of principal executive offices) (Zip Code)

Registrant’s telephone number, including area code: (843) 216-6200

Check the appropriate box below if the Form 8‐K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:
☐	Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)
☐	Soliciting material pursuant to Rule 14a‐12 under the Exchange Act (17 CFR 240.14a‐120
☐	Pre‐commencement communications pursuant to Rule 14d‐2(b) under the Exchange Act (17 CFR 240.14d‐2(b))
☐	Pre‐commencement communications pursuant to Rule 13e‐4(c) under the Exchange Act (17 CFR 240.13e‐4(c))

Securities Registered Pursuant to Section 12(b) of the Act:

Title of Each Class	Trading Symbol(s)	Name of Each Exchange on which Registered
Common Stock, $0.001 Par Value	BLKB	Nasdaq Global Select Market
Preferred Stock Purchase Rights	N/A	Nasdaq Global Select Market

Indicate by check mark whether the registrant is an emerging growth company as defined in as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b‐2 of the Securities Exchange Act of 1934 (§240.12b‐2 of this chapter).

Emerging growth company ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Item 8.01.

Other Events.

On February 1, 2024, the U.S. Federal Trade Commission (the “FTC”) announced its approval of a settlement with Blackbaud, Inc. (the “Company”) relating to the previously announced 2020 security incident in which a cybercriminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). When finalized, this settlement will fully resolve the previously disclosed FTC investigation relating to the Security Incident, which is further described in the FTC’s complaint and proposed order.

Under the terms of the FTC’s proposed order, the Company has agreed to certain conditions, which are reflected in their entirety in the FTC’s proposed order. As part of the FTC’s proposed order, the Company has not been fined and is not otherwise required to make any payment.

The Company has agreed to the FTC’s proposed order without admitting or denying any of the allegations in the FTC’s complaint, except as expressly stated otherwise in the FTC’s proposed order.

The foregoing description is qualified in its entirety by reference to the full text of the form of the FTC’s proposed order attached hereto as Exhibit 99.2 and incorporated by reference herein.

Item 9.01

Financial Statements and Exhibits

(d) Exhibits

Exhibit No.	Description

99.1	Press release dated February 2, 2024 announcing the FTC’s proposed order.
99.2	Form of FTC’s proposed order.
104	Cover page Interactive Data File (embedded within the Inline XBRL document).

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

		BLACKBAUD, INC.

Date	February 2, 2024	/s/ Anthony W. Boor
		Anthony W. Boor
		Executive Vice President and Chief Financial Officer
		(Principal Financial and Accounting Officer)

Exhibit 99.1

PRESS RELEASE

Blackbaud Reaches Agreement with the Federal Trade Commission Related to 2020 Security Incident

Charleston, S.C. (February 2, 2024) — Blackbaud (NASDAQ: BLKB), the leading provider of software for powering social impact, announced a settlement with the U.S. Federal Trade Commission (the “FTC”) related to its 2020 security incident. When finalized, this settlement will fully resolve the previously disclosed matter with the FTC.

“We are pleased to resolve this matter with the FTC,” said Mike Gianoni, president and CEO, Blackbaud. “Protecting our customers’ and their constituents’ privacy will always be of paramount importance to Blackbaud, and we continue to strengthen our cybersecurity and compliance programs with the goal of improving our resilience in an ever-changing threat landscape.”

Blackbaud has not been fined by the FTC and is not otherwise required to make any payment as part of this settlement. In entering into this settlement, Blackbaud has neither admitted nor denied any of the allegations made by the FTC, whether in the FTC’s complaint or its associated press release. Additional details can be found in Blackbaud’s Form 8-K filed today with the Securities and Exchange Commission.

About Blackbaud

Blackbaud (NASDAQ: BLKB) is the leading software provider exclusively dedicated to powering social impact. Serving the nonprofit and education sectors, companies committed to social responsibility and individual change makers, Blackbaud’s essential software is built to accelerate impact in fundraising, nonprofit financial management, digital giving, grantmaking, corporate social responsibility and education management. With millions of users and over $100 billion raised, granted or managed through Blackbaud platforms every year, Blackbaud’s solutions are unleashing the potential of the people and organizations who change the world. Blackbaud has been named to Newsweek’s list of America’s Most Responsible Companies, Quartz’s list of Best Companies for Remote Workers, and Forbes’ list of America’s Best Employers. A remote-first company, Blackbaud has operations in the United States, Australia, Canada, Costa Rica and the United Kingdom, supporting users in 100+ countries. Learn more at www.blackbaud.com or follow us on Twitter, LinkedIn, Instagram and Facebook.

Media Inquiries

media@blackbaud.com

Forward-looking Statements

Except for historical information, all of the statements, expectations, and assumptions contained in this news release are forward-looking statements that involve a number of risks and uncertainties, including statements regarding expected benefits of products and product features. Although Blackbaud attempts to be accurate in making these forward-looking statements, it is possible that future circumstances might differ from the assumptions on which such statements are based. In addition, other important factors that could cause results to differ materially include the following: general economic risks; uncertainty regarding increased business and renewals from existing customers; continued success in sales growth; management of integration of acquired companies and other risks associated with acquisitions; risks associated with successful implementation of multiple integrated software products; the ability to attract and retain key personnel; risks associated with management of growth; lengthy sales and implementation cycles, particularly in larger organization; technological changes that make our products and services less competitive; and the other risk factors set forth from time to time in the SEC filings for Blackbaud, copies of which are available free of charge at the SEC’s website at www.sec.gov or upon request from Blackbaud’s investor relations department. All Blackbaud product names appearing herein are trademarks or registered trademarks of Blackbaud, Inc.

Exhibit 99.2

UNITED STATES OF AMERICA

BEFORE THE FEDERAL TRADE COMMISSION

COMMISSIONERS:

Lina M. Khan, Chair

Rebecca Kelly Slaughter

Alvaro M. Bedoya

In the Matter of

BLACKBAUD, INC., a corporation

DECISION AND ORDER

DOCKET NO.

DECISION

The Federal Trade Commission (“Commission”) initiated an investigation of certain acts and practices of the Respondent named in the caption. The Commission’s Bureau of Consumer Protection (“BCP”) prepared and furnished to Respondent a draft Complaint. BCP proposed to present the draft Complaint to the Commission for its consideration. If issued by the Commission, the draft Complaint would charge the Respondent with violations of the Federal Trade Commission Act.

Respondent and BCP thereafter executed an Agreement Containing Consent Order (“Consent Agreement”). The Consent Agreement includes: (1) statements by Respondents that it neither admits nor denies any of the allegations in the draft Complaint, except as specifically stated in this Decision and Order, and that only for purposes of this action, it admits the facts necessary to establish jurisdiction; and (2) waivers and other provisions as required by the Commission’s Rules.

The Commission considered the matter and determined that it had reason to believe that Respondent has violated the Federal Trade Commission Act, and that a Complaint should issue stating its charges in that respect. The Commission accepted the executed Consent Agreement and placed it on the public record for a period of thirty (30) days for the receipt and consideration of public comments. The Commission duly considered any comments received from interested persons pursuant to Section 2.34 of its Rules, 16 C.F.R. § 2.34. Now, in further conformity with the procedure prescribed in Rule 2.34, the Commission issues its Complaint, makes the following Findings, and issues the following Order. The parties agree that this Order resolves all allegations in the Complaint:

Page 1 of 14

Findings

1.	Respondent Blackbaud, Inc. (“Blackbaud”) a Delaware corporation with its principal place of business at 65 Fairchild Street, Charleston, South Carolina 29492.

2.	The Commission has jurisdiction over the subject matter of this proceeding and over the Respondent, and this proceeding is in the public interest.

ORDER

Definitions

“Covered Incident” means any incident that results in Respondent notifying, pursuant to a statutory or regulatory requirement, any U.S. federal, state, or local government entity that information of or about an individual consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization.

“Covered Information” means information from or about an individual consumer stored by Respondent’s customers within Respondent’s product databases including: (a) a first and last name: (b) a home or physical address; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a mobile or other telephone number; (e) a driver’s license or other government-issued identification number; (f) date of birth; or (g) bank account, credit card, or debit card information.

3.	“Delayed Update Customers” are Respondent’s customers to whom Respondent makes updates available but who do not automatically implement such updates due to the complexity of Respondent’s customers implementing such updates into Respondent’s customers’ environments and business practices.

4.	“Delete” “Deleted” or “Deletion” means to remove Covered Information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.

5.	“Respondent” means Blackbaud, Inc., a Delaware corporation, and its successors and assigns.

Provisions

I. Prohibition against Misrepresentations about Privacy and Security

IT IS ORDERED that Respondent, Respondent’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication:

Page 2 of 14

A.	The extent to which Respondent maintains, uses, Deletes, or discloses any Covered Information;

B.	The extent to which Respondent protects the privacy, security, availability, confidentiality, or integrity of any Covered Information; or

C.	The extent of any Covered Incident or unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of Covered Information.

II. Mandated Data Deletion

IT IS FURTHER ORDERED that Respondent must:

Within 90 days after the Order Effective Date, Delete or destroy Respondent customer backup files containing Covered Information that is not being retained in connection with providing products or services to Respondent’s customers unless otherwise requested by Respondent’s customers, and provide a written statement to the Commission, pursuant to the Provision entitled Compliance Reports and Notices, confirming that all such data has been Deleted or destroyed, specifically enumerating which types of information were Deleted or destroyed; and

B.	Refrain from maintaining any Covered Information not necessary for the purpose(s) for which such information is stored and/or maintained by Respondent.

Provided, however, that any Covered Information that any Respondent is otherwise required to Delete or destroy pursuant to this provision may be retained, and may be disclosed, as requested by a government agency or otherwise required by law, regulation, court order, or other legal obligation, including as required by rules applicable to the safeguarding of evidence in pending litigation. In each written statement to the Commission required by this provision, such Respondent shall describe in detail any Covered Information that Respondent retains on any of these bases and the specific government agency, law, regulation, court order, or other legal obligation that prohibits Respondent from deleting or destroying such information. Within thirty (30) days after the obligation to retain the information has ended, Respondent shall provide an additional written statement to the Commission, sworn under penalty of perjury, confirming that Respondent has deleted or destroyed such information.

III. Data Retention Limits

IT IS FURTHER ORDERED that Respondent, in connection with the storage, maintenance, use, or disclosure of, or provision of access to, Covered Information, must:

Page 3 of 14

Within 90 days of the Order Effective Date, document, make publicly available on its website(s), and adhere to a retention schedule for Respondent customer backup files containing Covered Information, setting forth: (1) the purpose or purposes for which Covered Information is maintained by Respondent; (2) the specific business needs for Respondent retaining such Covered Information; and (3) a set timeframe for Deletion of Covered Information that precludes indefinite retention of any Covered Information. For clarity, the requirements of this Provision III.A shall additionally apply to the databases containing the Covered Information of former customers and customers who migrate to a different Respondent product; and

Within 90 days after the Order Effective Date, provide a written statement to the Commission, pursuant to the Provision entitled Compliance Report and Notices, describing the retention schedule for Respondent customer backup files containing Covered Information made publicly available on its website(s).

IV. Mandated Information Security Program

IT IS FURTHER ORDERED that Respondent, and any business that Respondent controls directly, or indirectly in connection with the maintenance, use, or disclosure of, or provision of access to, Covered Information, must, within ninety (90) days of the Order Effective Date, establish and implement, and thereafter maintain, a comprehensive information security program that protects the security, confidentiality, and integrity of such Covered Information (“Information Security Program”). Delayed Update Customers are exempt from the initial 90- day timing requirement, but Respondent will assist Delayed Update Customers, upon their approval, to update their software in a timely manner. To satisfy this requirement, Respondent must, at a minimum:

A.	Document in writing the content, implementation, and maintenance of the Information Security Program;

Provide the written Information Security Program and any evaluations thereof or updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondent responsible for Respondent’s Information Security Program at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident;

C.	Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program;

Assess and document, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Covered Information that could result in: (1) the unauthorized storage, maintenance, alteration, use, or disclosure of, or provision of access to, Covered Information; or (2) the misuse, loss, theft, and unauthorized alteration, destruction, or other compromise of Covered Information;

Page 4 of 14

Design, implement, maintain, and document safeguards within Respondent’s control that control for the internal and external risks Respondent identifies to the security, confidentiality, or integrity of Covered Information identified in response to sub- Provision D. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk, and the likelihood that the risk could be realized and result in: (1) the unauthorized storage, maintenance, use, or disclosure of, or provision of access to, Covered Information; or (2) the misuse, loss, theft, and unauthorized alteration, destruction, or other compromise of Covered Information. Such safeguards must also include:

A written information security policy and accompanying written standards or procedures that describe, at a minimum: (a) how Respondent implements each of the safeguards identified in this sub-Provision; and (b) how Respondent assesses and enforces compliance with these safeguards and any other controls it identifies in the policy and accompanying standards and procedures;

Standards, procedures, and policy provisions mandating security education that address internal or external risks Respondent identifies under sub-Provision D of this Provision, and that includes, at a minimum: (a) training for Respondent’s employees about Respondent’s security policy, standards, and procedures, including the requirements of this Order and the process for submitting complaints and concerns, to be conducted when an employee begins employment or takes on a new role, and on at least an annual basis thereafter; and (b) training in secure software development principles, including secure engineering and defensive programming concepts, for developers, engineers, system administrators, and other employees that design, implement, and operate Respondent’s products or services or that are otherwise responsible for the security of Covered Information;

Policy provisions and, to the extent possible, technical measures requiring Respondent’s employees or contractors, or third parties to secure any accounts with access to a Respondent’s information technology infrastructure by: (a) using strong, unique passwords; and (b) preventing password reuse and password rotation through implementing appropriate tools;

Requiring multi-factor authentication methods for all employees and contractors of Respondent and its affiliates in order to access any assets (including databases) storing Covered Information. Such multi-factor authentication methods for all employees and contractors of Respondent and its affiliates shall not include telephone or SMS-based authentication methods and must be resistant to phishing attacks. Respondent may use widely adopted industry authentication options that provide at least equivalent security as the multi-factor authentication options required by this sub-Provision, if approved in writing by the Commission;

Page 5 of 14

Requiring multi-factor authentication methods for all Respondent’s customers, except for those customers who use enterprise single sign on solutions within their organizations to access Respondent products and for Delayed Update Customers. However, Respondent shall make available an update for multi-factor authentication methods for Delayed Update Customers;

Technical measures, standards, procedures, and policy provisions to: (a) log and monitor access to repositories of Covered Information; (b) limit access to Covered Information by, at a minimum, limiting Respondent employee and service provider access to what is needed to perform that employee’s or service provider’s job function; (c) grant and audit varying levels of access based on an employee’s need to know; and (d) periodically monitor and terminate employee and contractor accounts following inappropriate usage or termination of employment;

Technical measures, standards, procedures, and policy provisions to control access to Respondent’s customer databases containing Covered Information, including, at a minimum: (a) for Respondent’s and its affiliates’ employees and contractors, restrictions of inbound connections to those originating from approved IP addresses, such as corporate VPN; (b) requiring connections to be authenticated and encrypted; and (c) periodic audits of account permissions;

Technical measures, standards, procedures, and policy provisions relating to Covered Information which: (a) monitor and log transfers or exfiltration of Covered Information from Respondent’s network boundaries; (b) monitor and log data security events and other anomalous activity; and (c) verify the effectiveness of monitoring and logging;

Technical measures to safeguard against unauthorized access to Covered Information, including: (a) an intrusion prevention or detection system; (b) file integrity monitoring tools; (c) data loss prevention tools; (d) properly configured firewalls; and (e) properly configured physical or logical segmentation of networks, systems and databases;

Page 6 of 14

10.	Authentication procedures designed to prevent one customer’s credentials from accessing another customer’s data or other unauthorized areas in Respondent’s networks;

11.	Technical measures, procedures, and policy provisions to systematically inventory assets (including databases) storing Covered Information and Delete Respondent customer backup files containing Covered Information that is no longer necessary;

12.

Encryption of, at a minimum, fields in Respondent’s products designed to store Social Security numbers, passport numbers, tax ID information, driver’s license or other government-issued identification numbers; bank account, credit card, or debit card information, dates of birth associated with a consumer, Medical Information associated with a consumer, and user account credentials on Respondent’s computer networks, including but not limited to cloud storage;

13.

Technical measures, procedures, and policy provisions to address the maintenance of any new type of information related to consumers that was not being maintained as of the issuance data of this Order, including: (a) the purposes or purposes for which the new information is maintained; (b) the specific business needs for maintaining the new information; and (c) encryption of sensitive consumer information; and

14.	Enforcing policies and procedures consistent with this Order designed to ensure the timely investigation of data security events and the timely remediation of critical and high-risk security vulnerabilities relating to Covered Information.

Assess, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the security, confidentiality, or integrity of Covered Information, and modify the Information Security Program based on the results;

Test and monitor the effectiveness of the safeguards specified in this Provision at least once every twelve (12) months and promptly (not to exceed 30 days) following a Covered Incident and modify the Information Security Program based on the results. Such testing and monitoring must include vulnerability scanning of Respondent’s network(s) containing Covered Information once every four months and promptly (not to exceed 30 days) after a Covered Incident, and penetration testing of Respondent’s network(s) containing Covered Information at least once every twelve (12) months and promptly (not to exceed 30 days) after a Covered Incident;

Select and retain service providers capable of safeguarding Covered Information they access through or receive from Respondent, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Covered Information; and implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Covered Information; and

Page 7 of 14

Evaluate and adjust the Information Security Program in light of any material changes to Respondent’s operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in sub- Provision IV.D of this Order, or any other circumstances that Respondent knows or has reason to know may have an impact on the effectiveness of the Information Security Program or any of its individual safeguards. At a minimum, Respondent must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program based on the results.

V. Information Security Assessments by a Third Party

IT IS FURTHER ORDERED that, in connection with compliance with Provision IV of this Order titled Mandated Information Security Program, Respondent must obtain initial and biennial assessments (“Assessments”):

The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; (3) retains all documents relevant to each Assessment for five (5) years after completion of such Assessment: and (4) will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld by the Assessor on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney product protection, attorney-client privilege, statutory exemption, or any similar claim. Respondent may satisfy the requirements to obtain Assessments through the use of assessments that are also intended to meet the requirements of other regulatory mandates to which Respondent is subject, provided that such assessments meet the requirements of the Information Security Program set forth in this Order.

For each Assessment, Respondent must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in their sole discretion.

C.	The reporting period for the Assessments must cover: (1) at least the first 180 days after the Information Security Program is established for the initial Assessment; and (2) each 2-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments.

Page 8 of 14

Each Assessment must, for the entire assessment period: (1) determine whether Respondent has implemented and maintained the Information Security Program required by Provision IV of this Order, titled Mandated Information Security Program; (2) assess the effectiveness of Respondent’s implementation and maintenance of sub-Provisions IV.A-I; (3) identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program; (4) address the status of gaps or weaknesses in, or instances of material non-compliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and (5) identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of Respondent’s size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by Respondent’s management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondent’s management, and state the number of hours that each member of the Assessor’s assessment team worked on the Assessment. To the extent that Respondent revises, updates, or adds one or more safeguards required under Provision IV of this Order during an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.

The initial Assessment must be completed within one hundred and twenty (120) days after the end of the reporting period for the initial Assessment. Each subsequent biennial Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Blackbaud, FTC File No. 2023181.” All subsequent biennial Assessments must be retained by Respondent until the order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.

VI. Cooperation with Third Party Information Security Assessor

IT IS FURTHER ORDERED that Respondent, whether acting directly or indirectly, in connection with any Assessment required by Provision V of this Order titled Information Security Assessments by a Third Party, must:

Page 9 of 14

A.	Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege.

Provide or otherwise make available to the Assessor information about Respondent’s network(s) and all of Respondent’s IT assets that maintain Covered Information so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network(s) and IT assets deemed in scope; and

Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s: (1) determination of whether Respondent has implemented and maintained the Information Security Program required by Provision IV of this Order, titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions IV.A-I; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.

VII. Annual Certification

IT IS FURTHER ORDERED that Respondent must:

One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from Respondent’s Chief Information Security Officer responsible for Respondent’s Information Security Program that: (1) Respondent has established, implemented, and maintained the requirements of this Order; (2) Respondent is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of all Covered Incidents during the certified period. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.

Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Blackbaud, FTC File No. 2023181.”

Page 10 of 14

VIII. Covered Incident Reports

IT IS FURTHER ORDERED that, within ten (10) days of any notification to a United States federal, state, or local entity of a Covered Incident, Respondent must submit a report to the Commission. The report must include, to the extent possible:

A.	The date, estimated date, or estimated date range when the Covered Incident occurred;

B.	A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known;

C.	A description of each type of information that was affected by the Covered Incident;

D.	The number of Respondent’s customers affected by the Covered Incident;

E.	The acts that Respondent has taken to date to remediate the Covered Incident and protect Covered Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident; and

F.	A representative copy of any materially different notice sent by Respondent to its customers, or to any U.S. federal, state, or local government entity.

Unless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Blackbaud Inc, FTC File No. 2023181.”

IX. Order Acknowledgements

IT IS FURTHER ORDERED that Respondent obtain acknowledgments of receipt of this Order:

A.	Respondent, within 10 days after the Order Effective Date, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.

For 20 years after issuance of this Order, Respondent must deliver a copy of this Order to: (1) all principals, officers, and directors; (2) all employees having managerial responsibilities for cybersecurity, privacy, and the collection, use, or disclosure of Covered Information, and all agents and representatives who participate in cybersecurity, privacy, and the collection, use, or disclosure of Covered Information; and (3) any business entity resulting from any change in structure as set forth in Provision X.

Page 11 of 14

Delivery must occur within 10 days of the Order Effective Date for current personnel. For all others, delivery must occur before they assume their responsibilities.

C.	From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order.

X. Compliance Reporting

IT IS FURTHER ORDERED that Respondent make timely submissions to the Commission:

One year after issuance of this Order, Respondent must submit a compliance report, sworn under penalty of perjury. Respondent must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (b) identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Respondent is in compliance with each Provision of this Order; and (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.

For 20 years after issuance of this Order, Respondent must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.

C.	Respondent must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within 14 days of its filing.

Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: ” and supplying the date, signatory’s full name, title (if applicable), and signature.

Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Blackbaud, Inc.”

Page 12 of 14

XI. Recordkeeping

IT IS FURTHER ORDERED that Respondent must create certain records for 20 years after issuance of the Order and retain each such record for 5 years. Specifically, Respondent must create and retain the following records:

A.	Accounting records showing the revenues from all goods or services sold;

B.	Personnel records showing, for each person providing services relating to Covered Information, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;

C.	Records of all consumer complaints regarding security, privacy, or identity theft related to Covered Information whether received directly or indirectly, such as through a third party, and any response;

D.	All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission; and

E.	A copy of each widely disseminated, unique advertisement or other marketing material that references or otherwise relates to Respondent’s privacy and data security practices.

XII. Compliance Monitoring

IT IS FURTHER ORDERED that, for the purpose of monitoring Respondent’s compliance with this Order:

Within 14 days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions and produce documents for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.

For matters concerning this Order, the Commission is authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview any employee or other person affiliated with Respondent who has agreed to such an interview. The person interviewed may have counsel present.

Page 13 of 14

The Commission may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.

XIII. Order Effective Dates

IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order (the “Order Effective Date”). This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:

A.	Any Provision in this Order that terminates in less than 20 years;

B.	This Order’s application to any Respondent that is not named as a defendant in such complaint; and

C.	This Order if such complaint is filed after the Order has terminated pursuant to this Provision.

Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.

By the Commission.

April J. Tabor

Secretary

SEAL:

ISSUED:

Page 14 of 14