On July 22, Rhode Island School of Design reported they had suffered a data breach through their cloud supplier, Blackbaud. Seven days later, the BBC reported that a spokesperson from the UK Information Commissioner’s Office (ICO) confirmed that 125 UK organizations had also notified them that their data had been impacted in Blackbaud’s data breach.
The list of those impacted by this breach continues to grow. It may include other charities, universities, schools and healthcare providers in the U.S., UK and other regions where Blackbaud operates. Has your organization been affected, or could you be exposed to the risk of a third-party breach like this?
Blackbaud is a U.S. cloud computing provider offering a variety of cloud and outsourced Customer Relationship Management (CRM) services to its international client base. In May, Blackbaud identified that they had a security breach and were the victim of a successful ransomware attack resulting in data leakage of their client’s customer data. They reportedly took approximately two months to notify many affected charities, universities, and other organizations who shared data with them. Historically ransomware incidents focused on encrypting files until a ransom was paid and did not attract a major concern regarding data exposure and notification. However, attackers have expanded their modus operandi to include data extraction and threats to disclose victims’ data publicly attracting further data privacy concerns and notification requirements.
Through their website on July 16, Blackbaud reported that while a breach took place, they have stopped a ransomware incident, a ransom was paid, and they have attempted to gain assurances from their attackers that data stolen has been deleted.
The attack raises several concerns for Blackbaud, its clients and their stakeholders including:
- Were clients notified quickly enough to allow notification to their own customers?
- What real impact could this have to individuals whose data was leaked?
- Given the potential type of data subjects involved, often donors, fundraisers and alumni, could this lead to further attacks targeting them in the future?
- Will the cyber criminals keep to their word and delete the data?
- What level of reliance can organizations place on partners like Blackbaud who maintain well recognized and established security compliance frameworks, and more importantly what else should they be doing to manage their own third-party supplier risk?
- Has EU personal data been transferred to a U.S. supplier, exposing parties to source country as well as U.S. federal and state laws’ notification requirements?
- While there is a strong business case for outsourcing non-essential business services, organizations need to validate which companies they choose and how their security and privacy risks are continuously being managed. Those specifically contracted with Blackbaud or other suppliers should consider taking straight forward, but strategic steps to minimize impacts to their business.
- Fully understand data sets that might be potentially impacted by a third-party breach, validate them with existing data inventory and identify individuals whose sensitive data could be exposed.
- Review existing contracts with Blackbaud and suppliers and assess risks for potential remediation including data protection and provisions for prompt data loss notification.
- Deploy dark web monitoring activities on customer data to minimize impacts of data breach risk and identify potential threats early in the attack life cycle.
- Establish a robust third-party assurance activity to manage risk throughout the agreement lifecycle.
- Carry out data inventory assessments, revalidate U.S. suppliers and review existing Standard Contractual Clauses (SCC) per recommendations from the Schrem II judgment by the Court of Justice of the European Union relating to UK, EU and European Economic Area (EEA) organizations sharing data with third-parties in the U.S.
- Push to virtually extend governance, risk and compliance management frameworks into the supplier’s operations for strategic partners, to the extent they will allow for it being part of key decisions relating to the handling of data breach incidents involving your customer data.
- Understand the extent to which data has been shared throughout the lifecycle of the relationship including: what type of data is involved, how long it is kept for, whose data it is, what measures are in place to protect it and what reporting is required should things go wrong?
How Ankura Can Help
While business services can be outsourced and the digital transformation into the cloud will continue, organizations cannot outsource the inherited ownership and associated risk. Ultimately, they will still be legally responsible and accountable to their customers and their data. Ankura is currently assisting many clients in matters substantially similar to the Blackbaud data breach with incident response, forensics investigations, third-party assurance, and data privacy matters.
Ankura has collaborated with clients to assess the extent of a breach by analyzing data and reporting on the visibility of records affected by data losses. Whilst this is often done in response to a breach, we encourage organizations to gain visibility of their potential third-party liability well before an incident takes place. In doing so, they can gain greater visibility over the type of data that is being shared, are better prepared to respond should an incident take place and can take appropriate actions to ensure the third party is protecting their customers in the right way.
Our wider offerings include
- Industry leading techniques to quickly evaluate and mitigate incidents on premises and in the cloud.
- Crisis handling and response while leveraging endpoint detection, user behavior and threat analytics to contain and eradicate incidents.
- Best in class solutions for independent data mining of Personally Identifiable Information (PII), Protected Health Information (PHI) and sensitive data assisting with reporting and notification requirements.
- Discovery of structured and unstructured data
- Support criminal/civil litigation efforts, regulatory proceedings, and confidential investigations
- Legally defensible outcomes that answer our clients’ most complex questions
- Cross-border data privacy operational and advisory support including: data mapping, EU-US Privacy Shield solution, and data transfer strategy
- GDPR, CCPA, and other privacy regulatory program assessment and development
- Third-party Assurance
- Defining third-party assurance strategy, policies and procedures.
- Operating third-party risk management service including independent risk assessments, onsite and offsite reviews and reporting.
- Cloud provider security assessments and advisory.
- Multi-sourced technical collections, dark web data, and specialized threat intelligence adding context and efficiency to investigations and proactive services.
- Open and closed source collections and analysis that discover and assess exposure risk and threat actors impacting our clients.
- Digital media forensic and cybersecurity practitioners qualified as expert witnesses.
- Investigative analysis, internet technologies and computer forensics expertise tested in courts.
- Providing qualified expert opinions on reasonable cyber security practices.
© Copyright 2020. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.