A Settlement that Brings No Consequences
I'm normally not surprised when there's a settlement between the government and a for-profit corporation regarding some type of illegal activity. Very infrequently does anyone actually go to jail for corporate malfeasance. Just look at the banking scandal of 2007 through 2011 and the fact that nobody seemed to really get into individual trouble at all. But the recent announcement of the SEC (Securities and Exchange Commission) regarding Blackbaud and the breach from 2020 mystifies even me.
Nearly three years ago, Blackbaud announced a three-month-old data breach that allowed data from thousands of nonprofits, millions of individuals, to be copied and removed from their online platform. Making things worse, it appeared people at Blackbaud had known about it for some time and had not commented publicly or to their clients. Blackbaud downplayed the whole incident for months before finally announcing through an SEC filing that an immense amount of data had been compromised. This caused nonprofits from around the world immense hassles and reputational costs while trying to explain to their donors that their data had been compromised BUT that the local nonprofit wasn't in any way at fault. The problem was that many donors didn't view it that way because they had never heard of Blackbaud---just the nonprofit that had to notify them.
After a 3-year investigation, the SEC announced its penalty of $3 million in fines, and Blackbaud paid the money without admitting or denying the findings.
Why did the SEC even bother?
Blackbaud is a $3 billion company with revenues of more than $1 billion annually. $3 million to them is like a dollar and a half to me. And while Blackbaud is not out of the woods because of the customers and nonprofits that are still suing the organization, the SEC's feckless nature provides no sense that it was a serious issue. It's almost like it was pushed under the blanket so no one could see it.
The only way that a company of that size is going to take things seriously is if the consequences are so severe, in this case fines in the hundreds of millions of dollars, that they never allow something of this nature to occur in the first place because the costs are so great. The damage done by Blackbaud to many small nonprofits is truly hard to quantify. But it appears that Blackbaud is off the naughty list with the Securities and Exchange Commission---with a polite "don't do that again."