Only California was not named in the settlement. That’s just part of the expense. In 2020, Blackbaud said it paid an undisclosed amount of  ransom to the attackers who intruded into its systems. The nonprofit software company also agreed earlier this year to pay the SEC $3 million. Blackbaud exhausted its insurance, which covers $50 million with a $250,000 deductible. Its SEC filings previously said it expected a net pre-tax expense of $20 million to $30 million in cash outlays for 2023, but that was before the litigation settlement, and it also faces a number of class-action suits. The SEC said the problem was that Blackbaud publicly stated the incident affected more than 13,000 customers when, in fact, that number was a quarter of those were impacted. The agency also quoted a Blackbaud statement from July 16, 2020, which said, "The ransomware attacker did not access donor bank account information or Social Security numbers." However, within days of that, Blackbaud determined that this information had been accessed. But the company’s technology and customer relations personnel did not communicate this information to senior management "because the company failed to maintain disclosure controls and procedures," according to the SEC. The company agreed to a cease-and-desist order with the SEC and agreed with the states to comply with applicable laws and not make misleading statements about the issues involved, along with improving cybersecurity programs and tools.