Blackbaud ruling brings cyber subrogation into focus

Reuters
25 Apr
By Michael Loney

April 25 - (The Insurer) - A Delaware state court judge has dismissed amended complaints from insurers looking to recover expenses paid to insureds related to a ransomware attack on Blackbaud.

The Superior Court of the State of Delaware dismissed the insurers’ original complaint in March last year because they failed to identify any contractual terms or allege how they were breached.

Travelers Casualty and Surety Company of America filed an amended complaint, as did Philadelphia Indemnity Insurance Company, Great American Spirit Insurance Company, Great American Alliance Insurance Company and Union Insurance Company as subrogees of their respective insureds.

The plaintiffs sought recovery of expenses they paid to their insureds for investigations, providing notifications to constituents, and credit monitoring, after Blackbaud suffered the ransomware attack.

Blackbaud provided the insureds software solutions to manage their donors’ personal identifying information.

The judge on April 3 granted Blackbaud’s motion to dismiss the cases.

“A subrogee stands in the shoes of the subrogor,” Judge Kathleen Miller wrote in her ruling. “Because the subrogee is entitled to no greater rights than the subrogor and the subrogee’s claim is subject to the same defenses as the subrogor’s, a plaintiff must allege the factual basis for the subrogor’s underlying claim to properly allege a subrogation claim.”

Miller continued that a complaint must include specific allegations supported by facts for each element of the claim.

“Pleading the insureds’ claims in the aggregate, as plaintiffs do, fails to provide the required factual support for any insured’s claim and does not adequately allege a subrogation claim,” she wrote.

“Even if pleading a multi-subrogor claim in the aggregate was sufficient, the amended complaints fail to adequately plead proximate cause because they fail to link the alleged damages to any contract term,” she continued.

The amended complaints alleged that after the data breach the insureds could not “rely” on Blackbaud’s investigation and, as a result, they incurred expenses to conduct their own investigations of their obligations under applicable privacy laws.

But the judge said: “To plead proximate cause, plaintiffs rely on a contractual term that required Blackbaud to mitigate negative consequences of a data breach. But when read in context, plaintiffs’ interpretation of the Blackbaud contract … is not reasonable.”

She ruled that plaintiffs’ reliance on conclusory allegations of misrepresentations is also insufficient to adequately plead proximate cause.

The amended complaints alleged that the insureds investigated what data they stored, but the judge said they did not identify the data stored by each.

“The amended complaints merely contain blanket allegations that various types of data may have been stored by various insureds,” she said.

“Without providing the factual information for each insured’s claim, Blackbaud, and the court, cannot assess whether the subrogor-insureds have a valid claim against Blackbaud.”

Blackbaud, which offers data hosting services, was hit by the ransomware attack in early 2020, and subsequently notified its customers of the incident.

The insureds, which were more than 100 nonprofit companies, incurred $2.1mn in expenses that were reimbursed by the insurers.

Blackbaud was the subject of an enforcement action by the Federal Trade Commission alleging lax security, while the company also paid a $3mn penalty to the Securities and Exchange Commission.

In addition, in October 2023 Blackbaud reached a $49.5mn settlement with the attorneys general of 49 states and the District of Columbia.

SUBROGATION ‘STILL REALLY DIFFICULT’

The issue of subrogation in cyber was discussed at the Professional Liability Underwriting Society’s cyber insurance symposium in New York in March.

Christine Flammer, who at the time was with Axa XL but has since joined Old Republic’s new cyber unit as chief claims officer, said that “subrogation is definitely still really difficult”.

“We’ve seen it work more often in the last couple of years,” she said. “When I first started out, subrogation was not something that was discussed at all. But I think as we’re having this more connected relationship with vendors, it is something that insurance companies and the insureds are looking (to) to offset the payments and offset their risk.”

Flammer highlighted the challenges in the cyber market around implementation of liabilities as well as the complicated relationships between vendors.

“Especially if it's an ongoing critical vendor, how hard are you really going to be able to push to get the money back on that and to get them to pony up for an issue that they in essence created?” she asked.

“But we have seen successes.”

Flammer suggested that the easiest scenario in which to pursue subrogation claims would involve a healthcare organisation that had a business associate agreement with a managed service provider (MSP), where the MSP was at fault and had violated the agreement.

On the same panel, Jeremy Gittler, who leads Resilience’s global claims team, added: “If things are done correctly, you shouldn't have to even pursue subrogation.

“Ideally, you would have the proper contract buttoned up with your supplier before there's even an issue,” he said.

Eric Allen, North American CUO, cyber and technology, at Axis Insurance, added: “I would say it's a slippery slope from a carrier perspective, because if you have enough scale you're likely in a position where you're going to subrogate against one of your own clients, and that's a sticky area you don't really want to get into.”

He added that a broader question is whether carriers can even subrogate, because it is fairly standard in the cyber market to waive subrogation rights within the insurance contract.
