Court dismisses insurers' breach claims against Blackbaud over 2020 cyberattack

A Delaware court has dismissed breach-related claims brought by Travelers and Philadelphia Indemnity

A Delaware state court has dismissed two lawsuits brought by Travelers Casualty and Surety Company of America and Philadelphia Indemnity Insurance Company against software provider Blackbaud, Inc., rejecting the insurers’ efforts to recoup breach-related costs they paid to nonprofit and educational institutions after a 2020 ransomware attack.

In an April 3, 2025 decision, Judge Kathleen M. Miller of the Superior Court of Delaware ruled that both amended complaints failed to state viable subrogation claims or adequately plead breach of contract. The dismissal, issued with prejudice, ends the case at the trial level and marks a notable win for Blackbaud in a high-profile dispute arising from one of the most widely reported nonprofit-sector cyberattacks in recent years.

The plaintiffs, which included Travelers and a group of insurers affiliated with Philadelphia Indemnity, reimbursed their insureds for expenses following the breach, including costs of forensic investigations, legal counsel, constituent notifications, and credit monitoring. Their insureds—more than 100 nonprofit and educational organizations across 35 states and the District of Columbia—used Blackbaud’s software to manage donor and constituent information. The insurers asserted that Blackbaud’s deficient cybersecurity practices and delayed, misleading breach notifications forced their insureds to take costly remedial action, which the insurers then covered under cyber and crime insurance policies.

In 2020, Blackbaud suffered a ransomware attack that affected a quarter of its customer base. The breach occurred in February but went undetected until May. The company paid a ransom in exchange for deletion of the stolen data. Initially, Blackbaud publicly stated that sensitive information such as donor bank account numbers and Social Security numbers had not been accessed. However, it later acknowledged that such data had, in fact, been compromised for some customers.

The insurers claimed that under the “Solutions Agreements” between Blackbaud and each insured, the company was obligated to safeguard confidential data using “commercially reasonable” measures and to notify customers within 72 hours of discovering a breach. The contracts also required Blackbaud to mitigate any negative consequences resulting from a security breach and to comply with applicable laws and regulations.

But the court found the insurers’ complaints insufficient on multiple grounds. First, the subrogation claims were not supported by specific factual allegations tied to individual insureds. The plaintiffs aggregated the claims of all insureds and alleged only general categories of data that might have been compromised and expenses that might have been incurred. According to the court, this approach deprived Blackbaud of a fair opportunity to assess or defend against each subrogated claim.

“To properly allege a subrogation claim,” Judge Miller wrote, “a plaintiff must allege the factual basis for the subrogor’s underlying claim.” The amended complaints failed to identify what data any specific insured had stored, whether that data had been impacted by the breach, what privacy laws applied, or what breach response obligations were triggered for each.

Second, the court held that the insurers failed to establish proximate cause between Blackbaud’s alleged breaches and the insureds’ expenses. The plaintiffs relied on a contractual provision obligating Blackbaud to mitigate harm resulting from a breach, but the court rejected their interpretation that this created an obligation to conduct individualized investigations or determine each customer’s legal duties. It noted that this clause applied to all breaches, including those not caused by any fault on Blackbaud’s part, and found it unreasonable to read the contract as imposing strict liability in all breach scenarios, especially in light of the contract’s express risk allocation.

“Blackbaud agreed with each Insured to a risk allocation in the event of a breach of contract or a tort claim, including a data breach,” the court noted. That allocation included a limitation of liability provision capping damages and excluding indirect or consequential losses—terms the insurers sought to circumvent by framing the expenses as direct contractual damages.

The plaintiffs also alleged that their insureds could not reasonably rely on Blackbaud’s investigation, prompting them to undertake their own. The court rejected this as well, observing that the contracts contained no clause granting insureds the right to rely on Blackbaud’s breach analysis, nor any allegation that the insurers’ investigations were actually caused by the July 2020 notice.

The court drew a sharp distinction between this case and Aspen American Insurance Co. v. Blackbaud, Inc., a federal case that involved a single insured—Trinity Health Corporation—and included allegations of specific regulatory obligations, contract terms, and impacted data. In contrast, the Delaware complaints failed to allege that any of the insureds had data that triggered a statutory notice requirement or that they received the supplemental disclosures issued after Blackbaud updated the scope of the breach.

Because the amended complaints were the plaintiffs’ second attempt and still failed to meet the applicable pleading standards, the court dismissed both actions with prejudice. Judge Miller did not reach the remaining arguments related to damages limitations, enforceability under New York law, or contractual anti-assignment provisions.

The decision serves as a cautionary tale for insurers pursuing multi-insured subrogation claims in the cyber context. It underscores the importance of pleading insured-specific facts, especially when asserting derivative rights under contracts. It also highlights the protective strength of vendor-side limitations of liability in technology contracts—particularly clauses that exclude consequential damages and cap recoverable losses.

For cyber insurers, the ruling may prompt reconsideration of policy design, claims handling, and recovery strategies. As data breach events become more frequent and complex, the legal standards for recouping losses from third-party vendors are proving to be equally demanding.
