Data Retention and Destruction Lessons From FTC’s Blackbaud Case

Effective data disposal and retention policies are key to organizations’ ability to provide adequate security and privacy protection to consumers’ sensitive data. In announcing its recent settlement with Blackbaud over claims stemming from a 2020 ransomware attack, the FTC said, “Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers.” This article examines the circumstances of the breach and the settlement terms, and offers lessons for companies on how to structure data retention and destruction practices, including what to incorporate in their policies. See our two-part series on safeguards for proper disposal of hardware: “Risks and Examiner Expectations” (Feb. 26, 2020), and “Effective Inventories, Policies and Due Diligence” (Mar. 4, 2020).
