Judge tosses insurers’ fights with data-hosting app service

A Delaware trial judge Wednesday dismissed two suits brought by a combined seven insurers against a data-hosting application service to recover costs they paid to nonprofit organizations affected by a 2020 ransomware attack.

The Delaware Superior Court judge said in Travelers Casualty and Surety Co. of America v. Blackbaud Inc. and Philadelphia Indemnity Insurance Co. et al. v. Blackbaud Inc. that the insurers failed to sufficiently state a claim for breach of contract against Charleston, South Carolina-based Blackbaud.

The insurers provided policies to at least 104 nonprofit organizations that were affected by the ransomware attack on Blackbaud. They paid the claims submitted by the nonprofits and sued Blackbaud to recover the amounts they paid as well as attorneys fees.

Blackbaud moved for dismissal, arguing that the insurers lacked standing to bring the lawsuits and that they failed to allege viable claims.

The judge noted in the ruling that according to a Harvard Business Review article, 83% of organizations experienced more than one data breach in 2022.

“Thus, the fact that a data breach occurred, and the insureds incurred expenses, alone is not sufficient to state a claim,” the ruling said.

The judge also said Travelers, Philadelphia Indemnity and the other insurers were unable to state claims for negligence and gross negligence against Blackbaud because Delaware does not impose a common law duty to protect confidential information.

“The insurers argue that merely by the amount of confidential data stored by Blackbaud, the fact that it suffered a data breach when it was at a heightened risk of attack, constitutes gross negligence. This conclusory allegation, however, is insufficient,” the ruling said.

Representatives for the parties did not respond to requests for comment.