Delaware Court Dismisses Insurers’ Subrogation Action Against Software Provider Over Ransomware Payouts
The Superior Court of Delaware, applying Delaware law, has dismissed two lawsuits filed by nine insurance companies seeking to recover amounts they paid under cyber liability policies from a software company whose customers included the carriers’ insureds because the complaints’ allegations were “vague and conclusory.” Travelers Cas. & Sur. Co. of Am. v. Blackbaud, Inc., 2024 WL 1298762 (Del. Super. Ct. Mar. 27, 2024).
A software company was the target of a ransomware attack and notified certain customers of the incident. Several customers reported the matter to their insurers and obtained coverage for investigation and remediation expenses. The insurers, acting as subrogees, sued the software company to recover costs and attorneys’ fees. The software company moved to dismiss the lawsuits for lack of standing and also for failure to state claims for breach of contract and negligence. The court granted the motion to dismiss and entered judgment on the pleadings in favor of the software company.
On the issue of standing, the software company asserted that the complaints did not adequately allege an injury-in-fact because the damages were “self-inflicted costs” to “avoid some unidentified consequences for the Insureds’ failing to comply with some unidentified legal obligations.” Because the court determined that “the challenge to standing is closely related to the defendant’s challenge to the merits of the claim,” it did not determine standing separately but rather addressed the issue as part of its ruling on the motion to dismiss for failure to state a claim.
The court ruled that the complaints failed to state a claim for breach of contract because they did not make specific factual allegations to show that the insureds had entered into contracts with the software company. For example, the insurers “did not attach the contracts . . . to the complaints or their briefs,” and “[t]he provisions to which the Insurers cite are not in all the contracts.” The court also observed that, while “the complaints allege that [the software company] failed to remove unused and obsolete data containing the Insureds’ information, they do not allege how this was a breach of the contracts or if it was, which of the . . . contracts were breached.” The court stated that “the fact that a data breach occurred and the insureds incurred expenses, alone, is not sufficient to state a claim” for breach of contract.
The court also dismissed the insurers’ negligence claims because, while the complaints alleged that the insureds were required to comply with various laws and regulations, the insurers never identified the source of the alleged duty owed to the insureds. Specifically, the complaints “do not allege facts of what duty was breached or what act breached the duty,” nor did the complaints “allege facts supporting the allegation that [the software company] was grossly negligent.”
Authors
- Special Counsel