In a landmark decision for cybersecurity litigation, a Delaware state court recently ruled in favor of Blackbaud, Inc., dismissing two notable lawsuits lodged by Travelers Casualty and Surety Company of America and Philadelphia Indemnity Insurance Company. The legal actions sought compensation for expenses incurred during a 2020 ransomware attack that significantly impacted the non-profit and educational sectors. Travelers and Philadelphia Indemnity, who had reimbursed their insureds for various breach-related costs, including legal expenses and credit monitoring, had their claims dismissed on the grounds that their subrogation and breach-of-contract allegations were insufficient. Judge Kathleen M. Miller, presiding over the case, issued her ruling on April 3, 2025, effectively ending the litigation at the trial court level and marking a significant victory for Blackbaud in this high-profile cyberattack incident.

The dismissal marks a pivotal moment in cyber insurance litigation, stressing the significance of detailed individual claims and vendor liability agreements.

This case followed a ransomware attack on Blackbaud in 2020 that compromised a quarter of its clients. Although the breach occurred in February, it went undetected until May, when Blackbaud decided to pay a ransom to secure the deletion of stolen data. Initial company statements downplayed the severity, assuring clients that sensitive customer data, such as donor bank account numbers and Social Security numbers, was untouched. However, subsequent disclosures revealed that this sensitive information had, in fact, been accessed by malicious actors, adding to the controversy. The insurers argued that under the 'Solutions Agreements' with each insured organization, Blackbaud was required to maintain 'commercially reasonable' security protocols and to notify clients within 72 hours if a breach occurred. The contracts also obligated Blackbaud to mitigate any adverse effects stemming from such breaches while adhering to applicable legal requirements.

Nonetheless, the court found that the insurers' complaints lacked a solid foundation, both procedurally and substantively. A major issue was the generalized nature of the complaints, which aggregated the claims without specifying the unique breaches or expenses individual insureds might have encountered, obstructing Blackbaud's ability to defend effectively. Judge Miller emphasized that to successfully allege a subrogation claim, plaintiffs needed to lay out a clear factual basis with specific details about each insured’s data, the applicable privacy laws, and the breach response obligations in each case. Without these details, the court ruled that the claims lacked a sufficient basis to proceed. Additionally, the court found that the insurers did not establish a direct causal link between Blackbaud's supposed security failings and the costs claimed by the insureds. The contractual clause cited by plaintiffs, obligating Blackbaud to lessen harm after a breach, was interpreted as non-specific to individualized investigations, thereby appearing as an unreasonable imposition of liability for all breach incidents.

Another deciding factor was the contractual terms concerning risk allocation between Blackbaud and its clients, which included limitations on liability and the exclusion of consequential losses. These terms played a crucial role in the court's decision, given the insurers’ attempts to reclassify their expenses to bypass the contractual limitations. The ruling drew a sharp distinction between this case and a federal case, Aspen American Insurance Co. v. Blackbaud, Inc., where specific allegations and regulatory obligations were documented, highlighting a critical need for precision in multi-insured claims concerning cyber incidents. The ruling is an instructive example for insurers pursuing similar subrogation claims, emphasizing the necessity of detailed insured-specific facts and of attention to the liability limitations in technology contracts. For cyber insurers, this dismissal may influence future policy wording, claims management, and recoupment strategies as data breach litigation grows more intricate and challenging to navigate.