Travelers Casualty and Surety Company of America v. Blackbaud, Inc.

CourtSuperior Court of Delaware
DecidedMarch 27, 2024
DocketN22C-12-130 KMM N22C-12-141 KMM
StatusPublished

This text of Travelers Casualty and Surety Company of America v. Blackbaud, Inc. (Travelers Casualty and Surety Company of America v. Blackbaud, Inc.) is published on Counsel Stack Legal Research, covering Superior Court of Delaware primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook
Travelers Casualty and Surety Company of America v. Blackbaud, Inc., (Del. Ct. App. 2024).

Opinion

IN THE SUPERIOR COURT OF THE STATE OF DELAWARE

TRAVELERS CASUALTY AND ) SURETY COMPANY OF AMERICA, ) ) Plaintiff, ) C.A. No. N22C-12-130 KMM ) v. ) ) BLACKBAUD, INC. ) ) Defendant. ) ___________________________________ ) ) PHILADELPHIA INDEMNITY ) INSURANCE COMPANY, GREAT ) AMERICAN INSURANCE COMPANY, ) GREAT AMERICAN SPIRIT ) INSURANCE COMPANY, GREAT ) C.A. No. N22C-12-141 KMM AMERICAN ALLIANCE INSURANCE ) COMPANY, ACADIA INSURANCE ) COMPANY, UNION INSURANCE ) COMPANY, ) ) Plaintiffs, ) ) v. ) ) BLACKBAUD, INC., ) ) Defendant. )

Date Submitted: January 9, 2024 Date Decided: March 27, 2024 Blackbaud, Inc.’s Motion to Dismiss and Motion for Judgment on the Pleadings GRANTED.

MEMORANDUM OPINION AND ORDER

Wade A. Adams, Esquire, Law Offices of Wade A. Adams, III, 111 Continental Drive Suite 309, Newark, Delaware 19713; Kenneth T. Levine, Esquire (argued), de Luca Levine LLC, 301 E. Germantown Pike, 3 rd Floor, East Norriton, Pennsylvania 19401, Attorneys for Plaintiff Travelers Casualty and Surety Company of America.

Lisa C. McLaughlin, Esquire, Todd L. Goodman, Esquire, Phillips, McLaughlin & Hall, P.A., 1200 North Broom Street, Wilmington, Delaware 19806; Kenneth T. Levine, Esquire (argued), de Luca Levine LLC, 301 East Germantown Pike, 3rd Floor, East Norriton, Pennsylvania 19401, Attorneys for Plaintiffs Philadelphia Indemnity Insurance Company, Great American Insurance Company, Great American Spirit Insurance Company, Great American Alliance Insurance Company, Acadia Insurance Company, and Union Insurance Company.

John P. DiTomo, Esquire, Emily C. Friedman, Esquire, Morris, Nichols, Arsht & Tunnell LLP, 1201 North Market Street, Wilmington, Delaware 19801; Sarah Fulton Hutchins, Esquire (argued), Parker Poe Adams & Bernstein LLP, 620 South Tyron Street, Suite 800, Charlotte, North Carolina 28202; Corri A. Hopkins, Esquire, Parker Poe Adams & Bernstein LLP, 301 Fayetteville Street, Suite 1400, Raleigh, North Carolina 27601, Attorneys for Defendant Blackbaud, Inc.

Miller, J. Introduction

Blackbaud, Inc. (“Blackbaud”) is an application service provider that offers

data hosting services to its customers, including nonprofit entities. In early 2020,

Blackbaud was the target of a ransomware attack and later notified customers of the

incident. In response to the notice, it is alleged, several nonprofit-customers were

required to undertake investigative and remediation steps to comply with “numerous

state and federal statutes and regulations.” Relevant here, certain nonprofits were

covered by insurance policies issued by Travelers Casualty and Surety Company of

America (“Travelers”), or Philadelphia Indemnity Insurance Company, Great

American Spirit Insurance Company, Great American Alliance Insurance Company,

or Union Insurance Company (collectively, “Philadelphia Indemnity”1 and with

Travelers, the “Insurers”).

The Insurers paid the claims of their nonprofit-insureds for these investigative

and remediation steps. As subrogees, Travelers and Philadelphia Indemnity each

filed an action against Blackbaud for breach of contract and negligence, seeking to

recover the amounts paid to their insureds, plus an award of attorneys’ fees. The

actions are essentially identical, except for the identities of the Insurers and the

1 Great American Insurance Company (“GAIC”) is also a named plaintiff. However, plaintiffs’ counsel agreed that GAIC did not insure any of the non-profits at issue here. Therefore, judgment is entered against GAIC.

1 insureds, and the amount sought. Therefore, the cases are being addressed together

here.

Blackbaud filed an amended answer to each complaint and moved to dismiss,

arguing that the Insurers lacked standing because they failed to allege a concrete

harm; that is, the Insurers do not assert that any of the insureds’ information was

accessed or misused. To be sure, courts around the country have come to different

conclusions on standing where a plaintiff received notice that its data may have been

the subject of an attack, but it had not suffered actual misuse of its data.2 The Court

does not need to make a determination of standing under these cases because under

Delaware law, where, as here, the challenge to standing is closely related to the

defendant’s challenge to the merits of the claim, standing will be addressed under

Rule 12(b)(6).

While Delaware’s pleading standard is minimal, conclusory allegations are

not sufficient. The Insurers’ breach of contract claims are based on circular and

conclusory allegations. Essentially, their contract claims rests on the theory that

2 See In re Marriott Int’l, Inc. Customer Data Security Breach Litig., 440 F. Supp. 3d 447, 458 (D. Md. 2020) (noting that the Sixth, Seventh and Ninth Circuits found that increased risk of future harm was sufficient to establish an injury-in-fact while the Fourth Circuit came to the opposite conclusion); Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022) (finding that a plaintiff asserting a substantial risk of future harm or fraud from a data breach can satisfy concreteness if it is alleged that the substantial risk also caused a current harm); Abernathy v. Brandywine Urology Consultants, P.A., 2021 WL 211144, at *4 (Del. Super. Jan. 21, 2021) (finding that mitigation costs were not a concrete injury to confer standing on plaintiff whose data may have been accessed but no actual harm was alleged).

2 Blackbaud agreed to safeguard data stored on its servers in compliance with industry

standards, a data breach occurred, and therefore, Blackbaud breached its contractual

duties. As recognized by the court in Strom v. Paytime, Inc. in 2015, “[t]here are

only two types of companies left in the United States, according data security

experts: ‘those that have been hacked and those that don’t know they’ve been

hacked.’”3 According to Harvard Business Review, in 2022, 83% of organizations

experienced more than one data breach.4 Thus, the fact that a data breach occurred

and the insureds incurred expenses, alone, is not sufficient to state a claim.

The Insurers’ negligence claims fair no better. While they allege that the

expenses were incurred because the insureds were required to comply with various

laws and regulations, the Insurers never identify the source of the alleged duty owed

to the insureds. Their failure to do so is fatal to the negligence claims.

As discussed below, the complaints fail to state a claim and therefore, under

Rule 12(b)(6) and (c), judgment is entered in Blackbaud’s favor.

Background

I. The Parties

Travelers issued insurance policies to 79 educational institutions and

nonprofit entities5 (the “Travelers Insureds”).

3 90 F. Supp. 3d 359, 360 (M.D. Pa. 2015). 4 https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach 5 Travelers Complaint (D.I. 1) (“Travelers Com.”), ¶ 6.

3 Philadelphia Indemnity plaintiffs issued insurance policies to 25 educational

institutions and nonprofit entities (the “Philadelphia Indemnity Insureds” and with

the Travelers Insureds, the “Insureds”).6

The policies provided coverage for certain cyber, criminal, and related

incidents.7 The Insureds are scattered in approximately 35 different states or the

District of Columbia. The Insurers’ principal places of business are in Pennsylvania,

Ohio, Maine, or Mississippi.

Free access — add to your briefcase to read the full text and ask questions with AI

Related

Reilly Ex Rel. Pluemacher v. Ceridian Corp.
664 F.3d 38 (Third Circuit, 2011)
Clapper v. Amnesty International USA
133 S. Ct. 1138 (Supreme Court, 2013)
Gloucester Holding Corp. v. U.S. Tape & Sticky Products, LLC
832 A.2d 116 (Court of Chancery of Delaware, 2003)
Browne v. Robb
583 A.2d 949 (Supreme Court of Delaware, 1990)
Abry Partners V, L.P. v. F & W Acquisition LLC
891 A.2d 1032 (Court of Chancery of Delaware, 2006)
Russell v. K-Mart Corp.
761 A.2d 1 (Supreme Court of Delaware, 2000)
Travelers Indemnity Co. v. Lake
594 A.2d 38 (Supreme Court of Delaware, 1991)
Ramunno v. Cawley
705 A.2d 1029 (Supreme Court of Delaware, 1998)
Appriva Shareholder Litigation Co. v. Ev3, Inc.
937 A.2d 1275 (Supreme Court of Delaware, 2007)
Deuley v. DynCorp International, Inc.
8 A.3d 1156 (Supreme Court of Delaware, 2010)
SIGA Technologies, Inc. v. PharmAthene, Inc.
67 A.3d 330 (Supreme Court of Delaware, 2013)
Patriarch Partners, LLC v. Zohar CDO 2003-1, LLC
165 A.3d 288 (Supreme Court of Delaware, 2017)
J.L. v. Barnes
33 A.3d 902 (Superior Court of Delaware, 2011)
Atkinson v. Mobil Oil Corp.
205 A.D.2d 719 (Appellate Division of the Supreme Court of New York, 1994)
Downey Farms Development Corp. v. Town of Cornwall Planning Board
20 Misc. 3d 566 (New York Supreme Court, 2008)
Storm v. Paytime, Inc.
90 F. Supp. 3d 359 (M.D. Pennsylvania, 2015)
Jennifer Clemens v. Execupharm Inc
48 F.4th 146 (Third Circuit, 2022)

Cite This Page — Counsel Stack

Bluebook (online)
Travelers Casualty and Surety Company of America v. Blackbaud, Inc., Counsel Stack Legal Research, https://law.counselstack.com/opinion/travelers-casualty-and-surety-company-of-america-v-blackbaud-inc-delsuperct-2024.