DonorPerfect recently experienced a cybersecurity data breach that compromised personally identifiable information (PII). We are aware that some of our school clients use DonorPerfect to track and manage gifts and donations. As a result, our attorneys want you to be aware of this situation, and know how to address it if your school is one of the affected organizations.
We are currently gathering additional information about the DonorPerfect breach. Based on what we know to date, it appears that the compromised PII includes financial account information of donors, particularly if check images were retained in the DonorPerfect online file storage system. Such financial account information has been posted for sale on the dark web.
It appears that DonorPerfect is not offering to notify affected individuals about the breach. Rather, DonorPerfect is providing each affected organization with a list of the organization’s compromised files, and then letting the organization identify who the compromised individuals are and decide whether to notify them. DonorPerfect also is providing affected organizations with a form letter to use for such notification, though that form may not be appropriate for all circumstances or compliant with all breached notification laws. Finally, it appears that DonorPerfect is offering to provide affected individuals with credit and identity monitoring and restoration services, though it is offering to do so in a manner that is atypical in this situation.
We understand that cybersecurity data breaches by vendors can be confusing and frustrating. If you learn that your school has been affected by this incident or if you have any questions about the data breach, please feel free to contact our attorneys below:
Cameron G. Shilling
Director, McLane Middleton
Chair of Cybersecurity and Privacy Group
(603) 628-1351 | cameron.shilling@mclane.com
Brian B. Garrett
Director, McLane Middleton
Chair of the firm’s Education Law Practice Group
(603) 334-6934 | brian.garrett@mclane.com