SEC-Blackbaud Enforcement Showcases Two Emerging Trends
On March 9, 2023, the Securities and Exchange Commission (SEC) reached a $3 million settlement with Blackbaud, a client relationship management (CRM) service provider, reflecting two trends in the SEC’s enforcement actions that data controllers and data processors should watch.
Trend #1: The enforcement action is the most recent in a series of SEC settlements for matters NOT being reported to senior management. In this situation, what was NOT reported was a cybersecurity incident, which, in turn, led to the filing of a fraudulent disclosure.
Trend #2: The Blackbaud enforcement action reflects the SEC’s growing willingness to sanction companies for hypothetical risks, where no breach has happened, but where the circumstances could possibly lead to one.
The significance of these should not be overlooked or discounted.
In Trend #1, the SEC is holding management responsible for NOT having been made aware of something, the implication being that management has a responsibility to make sure that what should be reported to them is reported to them. This is particularly applicable to data security and cybersecurity issues that are swept under the rug by operational staff.
Trend #2 is equally game-changing, insofar as the SEC has shown its willingness to hold an organization responsible for allowing risks to exist…even where nothing bad has happened. Rolling the dice based on the low probability of an incident is no longer an acceptable strategy. How many organizations take risks with data, allowing the risk to continue simply because it hasn’t come back to bite them?
© 2024 Privata Vox, LLC - All Rights Reserved
About Author
Bob Johnson, CSDS, CIPP/US, CIPP/E, is the Principal Advocate at Privata Vox, LLC. Read more about his long career in privacy and data protection policy development.