It also drew a flurry of litigation after Blackbaud paid the ransom and then downplayed the seriousness of the event. The nonprofit software company agreed to pay California $6.75 million and not to make misleading statements about its data protection. In October, Blackbaud agreed to pay 49 states and the District of Columbia $49.5 million to settle a separate action and has paid $3 million to the SEC. The cases mean Blackbaud blew through its insurance coverage and was on the hook for the rest of the expenses. In the cases, Blackbaud did not admit to any wrongdoing. However, the FTC announcement was the most stinging descriptions saying Blackbaud failed to monitor hacker attempts to breach its networks, segment data to prevent them from easily accessing its networks and databases, ensure unneeded data tis deleted, adequately implement multifactor authentication, and test, review and assess its security controls. It also allowed employees to use default, weak, or identical passwords, according to the FTC.