Blackbaud, Inc.; Analysis of Proposed Consent Order To Aid Public Comment
The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.
What this order actually says
The FTC settled a case against Blackbaud, a cloud software and data services provider whose customers are mostly nonprofits, universities, and healthcare organizations, for failing to secure the personal data those customers stored with it and for misrepresenting both its security and its 2020 breach. The complaint alleged that the basics were missing: weak password practices, no multifactor authentication on some access paths, sensitive fields such as bank account numbers and Social Security numbers held unencrypted, backups of customer data (including data of former customers) kept long after they were needed, and no monitoring that would have caught an intruder who had access for roughly three months before detection. It also alleged that Blackbaud understated to customers which data the attacker took. The consent order requires Blackbaud to delete data it no longer needs, keep a written data retention schedule, run a documented information security program with independent assessments, and stop misrepresenting its security practices and its breaches.
Who it applies to
- The consent order itself binds only Blackbaud, but the standard behind it (Section 5 of the FTC Act, which prohibits unfair or deceptive practices) applies to most US businesses. If you collect or store customer data (names, emails, payment info, health records, hiring data), expect the same standard to be applied to you
- If you're in the US, this applies. The FTC enforces nationwide, and state law stacks on top: the same breach also cost Blackbaud a $49.5 million settlement with 49 state attorneys general and a separate SEC penalty for its disclosures
- If you make claims about security or privacy ("encrypted," "secure," "HIPAA-compliant"), each claim has to be true of what you run today, not of what you plan to build
- Specific use cases that trigger this: AI medical scribes storing patient notes, hiring assistants processing resumes/background checks, support chatbots storing conversation logs or customer info
- Less relevant if you retain no user data yourself (e.g., you only process requests in real time with no retention), but check that assumption: application logs, error trackers, model-provider prompt logging, and third-party APIs often retain data you think you discarded. And you still can't lie about what you do
The order doesn't require specific technology. It requires honest practices: reasonable security for whatever data you hold, truthfulness about what you do with it, retention limited to what you actually need, and the ability to find and delete data when it is no longer needed or a customer asks for deletion.
What founders need to do
- Audit what data you collect and store (1-2 days). List every piece of user information your app touches, including conversation logs, prompts sent to model providers, error-tracker payloads, and backups. For each item record where it lives, who can read it, and how long it is kept. Be honest about retention; part of Blackbaud's problem was data it should have deleted years earlier.
- Document your actual security practices (2-3 days). Don't claim military-grade encryption if you're using standard cloud storage with provider defaults. Document what you actually do: encryption in transit and at rest, how access is granted and revoked, backup handling, what you log, and an incident response plan.
- Fix your messaging (1 day). Review your website, ToS, privacy policy, and marketing. Remove or reword any security claim that overstates what you actually do. "Encrypted in transit" is fine if true; "unhackable" and "bank-level security" are not. Compliance labels ("HIPAA-compliant," "SOC 2") belong on the page only if you can produce the evidence behind them.
- Implement basic security hygiene (ongoing). Require MFA on every admin, cloud-console, and remote-access path; give each person only the access their role needs and remove it when they leave; patch promptly; keep and retain access logs so you can answer "who touched what, when" after an incident; delete data on the schedule you documented. None of this requires hiring a security team.
- Prepare a data breach response plan (1 day). Write down who investigates, who decides, whom you notify (customers, regulators, and any partners whose data you hold), how quickly, and what you say. Say only what your logs support; Blackbaud's exposure was compounded by telling customers the attacker had not taken data that it had. Actually following the plan if breached is what matters.
Bottom line
Act now if you store customer data and make any security claims—audit and align them with reality, or tone down the claims.