Attorney General Kris Mayes on Thursday announced that her office, along with 49 other state attorneys general, has reached a settlement with software company Blackbaud for its deficient data security practices and for its response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States.

Under the settlement, Blackbaud has agreed to overhaul its data security and data breach notification practices and make a $49.5 million payment to states.

Arizona will receive more than $1.8 million from the settlement.

“In today’s digital world, companies must stringently safeguard data to ensure consumer privacy,” Mayes shared in a press release. “Bad actors will stop at nothing to exploit vulnerabilities, and it is incumbent upon companies like Blackbaud to be proactive, transparent, and accountable in their cybersecurity measures. The significant settlement we’ve reached not only holds Blackbaud accountable for past deficiencies but also ensures that consumers are better protected moving forward.”

Thursday’s settlement resolves allegations of the attorneys general that Blackbaud violated state consumer protection laws, data breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network, and then failing to provide its customers with timely, complete, or accurate information regarding the breach, as required by law.