Delaware High Court Rescues Cyber Insurers’ Subrogation Claims

The Delaware Supreme Court has re-opened the door for cyber insurers to pursue recovery of claims payments they made to their insureds who took matters into their own hands after their data hosting company allegedly failed to adequately respond to a ransomware attack.

In July 2020, a cyber attacker accessed software and data hosting firm Blackbaud Inc.’s system for several months and exfiltrated confidential customer data from its servers. The attacker threatened to publish the data unless Blackbaud paid a ransom.

After the attack, dozens of Blackbaud’s customers contended that, even though their sensitive customer data resided on Blackbaud’s servers, Blackbaud shifted the investigative burden and remediation efforts onto them. Blackbaud gave them a “toolkit” with instructions to complete their own investigations.

Blackbaud’s clients said they lost faith Blackbaud would address the harm and reimburse them for their losses. Dissatisfied with the company’s response to the cyberattack, they conducted their own investigations and remediation and made claims against their own insurance policies for those expenses.

Four insurers provided insurance coverage to 97 of Blackbaud’s educational and non-profit clients for cyber and criminal incidents like data breaches. Philadelphia Indemnity paid more than $600,000 to its insureds. Travelers Casualty and Surety paid more than $1.5 million. Acadia Insurance Co. and Union Insurance Co. are also parties in the case.

Later, acting as subrogees/assignees of their insureds, the insurers filed suit against Blackbaud, alleging breach of contract and negligence.

Lower Court Blocks

The subrogation efforts by the insurers were blocked, however, when a Superior Court dismissed their complaints with prejudice. The lower court found that the insurers failed to allege factual support for each Blackbaud client’s claims; instead they pled the insureds’ claims in the aggregate. The lower court further found that the insurers failed to plead that Blackbaud was the proximate cause of their losses.

The insurers appealed, arguing that nothing in Delaware law prohibits aggregated pleading of subrogation claims and that, at the motion to dismiss stage, they were not required to link the alleged damages to any specific contract term.

This week the Delaware Supreme Court took the insurers’ side, reversing the Superior Court and remanding the case.

Contract Breach and Pleadings

The Blackbaud contracts were governed by the substantive law of New York and the pleading requirements were governed by Delaware law. The state’s high court ruled that, contrary to what the Superior Court found, the insurers satisfied both New York contact law governing the policies and Delaware’s standards on pleadings.

Under New York law, a breach of contract claim has four elements: “the existence of a contract, the plaintiff’s performance under the contract, the defendant’s breach, and resulting damages.”

The Supreme Court commented that even though the insurers touched each base for a breach of contract claim under New York law, the Superior Court dismissed their claims. The Supreme Court found that the insurers —standing in the shoes of their insureds—met the pleading requirements to state a breach of contract claim under New York law.

The high court noted that the insurers identified each of Blackbaud’s contractual duties and how Blackbaud allegedly breached those contractual provisions.

The insureds alleged that prior to the data breach, Blackbaud ignored warning signs that its cybersecurity measures and obsolete servers exposed it to an attacks. Blackbaud also allegedly ignored an analyst’s warnings about vulnerabilities due to remote desktop access.

Also, the insurers alleged the insureds suffered damages as a result of the breach. These included costs related to retaining computer forensics firms; outside counsel; printing and mailing firms to send notifications; and credit monitoring required under various laws and expected by federal regulators.

According to the Superior Court, pleading the insureds’ claims in the aggregate would make it difficult for Blackbaud to defend against the claims. The lower court also said that it would be unreasonable to interpret a mitigation provision in Blackbaud’s contracts as imposing “strict liability” on Blackbaud for every data breach.

The Supreme Court was not persuaded that Blackbaud was at a disadvantage in defending against the allegations.

Blackbaud, the high court continued, wanted more detail about how each insured responded to the data breach and the expenses each incurred. Those details were not needed to state a claim; they can be explored in discovery, the high court said. After discovery aimed at each insured, Blackbaud would be able to amend its answer and assert new defenses specific to each insured. And if the insurers claimed damages for losses that are capped by, or not covered by, the agreements, Blackbaud could move for summary judgment on those losses.

Under New York law, the defendant’s breach must be a “substantial factor” in producing the damage. The insurers pled that Blackbaud breached multiple information security promises in the agreements. The insurers contended that the insureds had no choice but “to fill the void and handle the fallout from Blackbaud’s failures.”

The high court said a reasonable factfinder could find these breaches were the proximate cause of the insureds’ investigation and remedial expenses. “Once a plaintiff has alleged facts raising a reasonable inference that damages were caused by the defendant, damages may be pled generally,” the high court added.

In July 2020, Blackbaud revealed the breach on its website, telling customers that “no action is required on your end because no personal information about your constituents was accessed.” In August it dismissed concerns over data as hypothetical. In a September 2020 Form 8-K filing, Blackbaud stated that “the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords.”

In 2023, Blackbaud agreed to pay a $3 million fine to the Securities and Exchange Commission to resolve charges that the company made misleading disclosures about the cyber security attacks. Blackbaud also paid $49 million to resolve state law claims brought by the attorneys general of all 50 states.