IN THE SUPERIOR COURT OF THE STATE OF DELAWARE
TRAVELERS CASUALTY AND SURETY COMPANY OF AMERICA,
Plaintiff,
v.
BLACKBAUD, INC.
Defendant.
C.A. No. N22C-12-130 KMM

PHILADELPHIA INDEMNITY INSURANCE COMPANY, GREAT AMERICAN INSURANCE COMPANY, GREAT AMERICAN SPIRIT INSURANCE COMPANY, GREAT AMERICAN ALLIANCE INSURANCE COMPANY, ACADIA INSURANCE COMPANY, UNION INSURANCE COMPANY,
Plaintiffs,
v.
BLACKBAUD, INC.,
Defendant.
C.A. No. N22C-12-141 KMM
Date Submitted: January 9, 2024
Date Decided: March 27, 2024
Blackbaud, Inc.’s Motion to Dismiss and Motion for Judgment on the Pleadings GRANTED.
MEMORANDUM OPINION AND ORDER
Wade A. Adams, Esquire, Law Offices of Wade A. Adams, III, 111 Continental Drive Suite 309, Newark, Delaware 19713; Kenneth T. Levine, Esquire (argued), de Luca Levine LLC, 301 E. Germantown Pike, 3rd Floor, East Norriton, Pennsylvania 19401, Attorneys for Plaintiff Travelers Casualty and Surety Company of America.
Lisa C. McLaughlin, Esquire, Todd L. Goodman, Esquire, Phillips, McLaughlin & Hall, P.A., 1200 North Broom Street, Wilmington, Delaware 19806; Kenneth T. Levine, Esquire (argued), de Luca Levine LLC, 301 East Germantown Pike, 3rd Floor, East Norriton, Pennsylvania 19401, Attorneys for Plaintiffs Philadelphia Indemnity Insurance Company, Great American Insurance Company, Great American Spirit Insurance Company, Great American Alliance Insurance Company, Acadia Insurance Company, and Union Insurance Company.
John P. DiTomo, Esquire, Emily C. Friedman, Esquire, Morris, Nichols, Arsht & Tunnell LLP, 1201 North Market Street, Wilmington, Delaware 19801; Sarah Fulton Hutchins, Esquire (argued), Parker Poe Adams & Bernstein LLP, 620 South Tryon Street, Suite 800, Charlotte, North Carolina 28202; Corri A. Hopkins, Esquire, Parker Poe Adams & Bernstein LLP, 301 Fayetteville Street, Suite 1400, Raleigh, North Carolina 27601, Attorneys for Defendant Blackbaud, Inc.
Miller, J.
Introduction
Blackbaud, Inc. (“Blackbaud”) is an application service provider that offers
data hosting services to its customers, including nonprofit entities. In early 2020,
Blackbaud was the target of a ransomware attack and later notified customers of the
incident. In response to the notice, it is alleged, several nonprofit-customers were
required to undertake investigative and remediation steps to comply with “numerous
state and federal statutes and regulations.” Relevant here, certain nonprofits were
covered by insurance policies issued by Travelers Casualty and Surety Company of
America (“Travelers”), or Philadelphia Indemnity Insurance Company, Great
American Spirit Insurance Company, Great American Alliance Insurance Company,
or Union Insurance Company (collectively, “Philadelphia Indemnity”1 and with
Travelers, the “Insurers”).
The Insurers paid the claims of their nonprofit-insureds for these investigative
and remediation steps. As subrogees, Travelers and Philadelphia Indemnity each
filed an action against Blackbaud for breach of contract and negligence, seeking to
recover the amounts paid to their insureds, plus an award of attorneys’ fees. The
actions are essentially identical, except for the identities of the Insurers and the
insureds, and the amount sought. Therefore, the cases are being addressed together
here.
1 Great American Insurance Company (“GAIC”) is also a named plaintiff. However, plaintiffs’ counsel agreed that GAIC did not insure any of the non-profits at issue here. Therefore, judgment is entered against GAIC.
Blackbaud filed an amended answer to each complaint and moved to dismiss,
arguing that the Insurers lacked standing because they failed to allege a concrete
harm; that is, the Insurers do not assert that any of the insureds’ information was
accessed or misused. To be sure, courts around the country have come to different
conclusions on standing where a plaintiff received notice that its data may have been
the subject of an attack, but it had not suffered actual misuse of its data.2 The Court
does not need to make a determination of standing under these cases because under
Delaware law, where, as here, the challenge to standing is closely related to the
defendant’s challenge to the merits of the claim, standing will be addressed under
Rule 12(b)(6).
While Delaware’s pleading standard is minimal, conclusory allegations are
not sufficient. The Insurers’ breach of contract claims are based on circular and
conclusory allegations. Essentially, their contract claims rest on the theory that
Blackbaud agreed to safeguard data stored on its servers in compliance with industry
standards, a data breach occurred, and therefore, Blackbaud breached its contractual
duties. As recognized by the court in Strom v. Paytime, Inc. in 2015, “[t]here are
only two types of companies left in the United States, according to data security
experts: ‘those that have been hacked and those that don’t know they’ve been
hacked.’”3 According to Harvard Business Review, in 2022, 83% of organizations
experienced more than one data breach.4 Thus, the fact that a data breach occurred
and the insureds incurred expenses, alone, is not sufficient to state a claim.
2 See In re Marriott Int’l, Inc. Customer Data Security Breach Litig., 440 F. Supp. 3d 447, 458 (D. Md. 2020) (noting that the Sixth, Seventh and Ninth Circuits found that increased risk of future harm was sufficient to establish an injury-in-fact while the Fourth Circuit came to the opposite conclusion); Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022) (finding that a plaintiff asserting a substantial risk of future harm or fraud from a data breach can satisfy concreteness if it is alleged that the substantial risk also caused a current harm); Abernathy v. Brandywine Urology Consultants, P.A., 2021 WL 211144, at *4 (Del. Super. Jan. 21, 2021) (finding that mitigation costs were not a concrete injury to confer standing on plaintiff whose data may have been accessed but no actual harm was alleged).
The Insurers’ negligence claims fare no better. While they allege that the
expenses were incurred because the insureds were required to comply with various
laws and regulations, the Insurers never identify the source of the alleged duty owed
to the insureds. Their failure to do so is fatal to the negligence claims.
As discussed below, the complaints fail to state a claim and therefore, under
Rule 12(b)(6) and (c), judgment is entered in Blackbaud’s favor.
Background
I. The Parties
Travelers issued insurance policies to 79 educational institutions and
nonprofit entities5 (the “Travelers Insureds”).
3 90 F. Supp. 3d 359, 360 (M.D. Pa. 2015).
4 https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach
5 Travelers Complaint (D.I. 1) (“Travelers Com.”), ¶ 6.
Philadelphia Indemnity plaintiffs issued insurance policies to 25 educational
institutions and nonprofit entities (the “Philadelphia Indemnity Insureds” and with
the Travelers Insureds, the “Insureds”).6
The policies provided coverage for certain cyber, criminal, and related
incidents.7 The Insureds are scattered in approximately 35 different states or the
District of Columbia. The Insurers’ principal places of business are in Pennsylvania,
Ohio, Maine, or Mississippi.
Blackbaud is a Delaware corporation, with its principal place of business in
South Carolina.
II. Factual Background
The complaints allege that prior to May 2020, each of the Insureds contracted
with Blackbaud and “stored and maintained databases of important and private
information and documents” on Blackbaud’s servers. Between February 7, 2020
and May 20, 2020, Blackbaud experienced a ransomware attack in which attackers
“gained access to numerous” Insureds’ “information and/or materials.”8 Blackbaud
notified the Insureds of the breach on July 16, 2020.9
6 Philadelphia Indemnity Complaint (D.I. 1) (“Phila. Com.”), ¶¶ 4, 7, 10, 13.
7 Phila. Com., ¶ 14; Travelers Com., ¶ 4.
8 Travelers Com., ¶ 16; Phila. Com., ¶ 25.
9 Travelers Com., ¶ 17; Phila. Com., ¶ 26.
As a result of “these circumstances, as well as legal requirements governing
such circumstances” the Insureds had to undertake their own investigations in order
to comply with “applicable laws” and “numerous state and federal statutes and
regulations.”10 Compliance with these “various laws” required the Insureds to:
a. retain legal experts to assess and comply with their legal obligations;
b. retain computer experts to investigate the data breach as required under law and expected by regulators;
c. retain firms to draft, translate, print, and mail letters required under data breach notification laws and expected by regulators;
d. take other steps to respond to third-party inquiries, as expected by regulators; and/or
e. incur other costs for those parties whose data or materials they were maintaining, as required under various state laws and expected by regulators.11
The Insureds made claims under their policies with the Insurers for these
expenses, which are described as crisis management, remediation expenses, and
related additional expenses (the “Expenses”), which total more than $2.1 million.
The Insurers paid their Insureds’ respective claims for the Expenses. Under
the corresponding policies, each Insurer was subrogated to the rights of its Insureds
to pursue claims the Insureds may have against Blackbaud. Thus, the Insurers, as
subrogees, are plaintiffs in the actions.
10 Travelers Com., ¶¶ 19, 21; Phila. Com., ¶¶ 28-30.
11 Travelers Com., ¶ 22; Phila. Com., ¶ 31.
III. Claims Asserted
A. Breach of Contract
According to the complaints, each Insured entered into an agreement with
Blackbaud prior to the data breach in which Blackbaud agreed that it would maintain
commercially reasonable security procedures and standards, and commercially
reasonable security breach protocols and procedures, including notifying the Insured
within 72 hours of discovery of a breach. Blackbaud allegedly also agreed:
a. not to disclose [the Insureds’] confidential information or materials to unauthorized third-parties;
b. to implement and maintain safeguards against threats or hazards to [the Insureds’] confidential information and materials; and/or
c. to protect against unauthorized access to (or use of) [the Insureds’] confidential information.12
Finally, Blackbaud agreed to perform these obligations “in a professional
manner in accordance with industry standards.”13
Blackbaud is alleged to have breached these agreements by failing to: (i)
“adequately protect” the Insureds’ “confidential information and materials”; (ii)
“properly and adequately determine whether Blackbaud [] was susceptible to a data
breach;” (iii) “maintain and monitor its own data security programs for intrusions;”
(iv) “employ commercially reasonable security measures;” (v) “heed vendor
announcements regarding the sunset of certain databases;” (vi) “remove old unused
and obsolete data containing [the Insureds’] information” or encrypt such
information; and (vi) failing to employ commercially reasonable security measures
in accordance with industry standards.14
12 Travelers Com., ¶ 27; Phila. Com., ¶ 36.
13 Travelers Com., ¶ 31; Phila. Com., ¶ 40.
Finally, Blackbaud is alleged to have breached the agreements by “allowing
access to and then disseminating” the Insureds’ “confidential information and
materials to third parties and permitting them to copy, reproduce and transfer such”
confidential information.15
As a result of these alleged breaches, the Insurers seek to recover the Expenses
from Blackbaud.
B. Tort Claims
Philadelphia Indemnity plaintiffs assert a negligence claim and both
complaints assert a gross negligence claim.16 The claims are essentially identical,
except that the gross negligence claims assert that Blackbaud’s conduct was
intentional and in reckless disregard of the consequences. Seeking to recover the
same damages as the contract claims (i.e., the Expenses), the Insurers assert the same
allegations against Blackbaud as they asserted in the breach of contract claims.
14 Travelers Com., ¶ 32; Phila. Com., ¶ 42.
15 Travelers Com., ¶ 33; Phila. Com., ¶ 43.
16 The Travelers complaint also asserts a count for misrepresentation. However, Travelers advised the Court that it is withdrawing that claim.
IV. Procedural Background
In each case, Blackbaud filed a Motion to Dismiss under Rule 12(b)(1) and a
Motion for Judgment on the Pleadings under Rule 12(c). Blackbaud argues that the
complaints should be dismissed under Rule 12(b)(1) because the Insurers lack
standing to bring these claims. Even if the Insurers have standing, Blackbaud asserts
that judgment should be entered in its favor under Rule 12(c) because the complaints
fail to state a claim.
Analysis
I. Standing
A. The Parties’ Contentions
Blackbaud argues that the Insurers lack standing because the complaints do
not adequately allege an injury-in-fact. Blackbaud attacks the complaints as
conclusory and vague, asserting that the alleged damages are self-inflicted costs the
Insureds allegedly incurred to avoid some unidentified consequences for the
Insureds’ failing to comply with some unidentified legal obligations. Relying on
Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013), Reilly v. Ceridian Corp., 664
F.3d 38 (3d Cir. 2011), and Abernathy v. Brandywine Urology Consultants, P.A.,
2021 WL 211144 (Del. Super. Jan. 21, 2021), Blackbaud argues that the Insurers
have not alleged a certainly impending injury because the Insureds’ damages are too
speculative. Stated differently, the Insurers do not allege damages that necessarily
flow from the alleged breaches.
The Insurers counter that the Insureds incurred concrete damages. While not
in the complaints, the Insurers argue that the Insureds stored personal information of
their donors on Blackbaud’s servers. Once the Insureds received notice of a data
breach from Blackbaud, the Insurers argue, the Insureds were required to investigate
to comply with data breach notification laws and “regulators expectations.” The
Insurers do not identify any particular law with which the Insureds were required to
comply or whose expectations they were attempting to satisfy (or why). The Insurers
assert in their briefs that each state has data breach laws, and the Insureds were
required to comply with such laws not only where the Insureds are located, but also
in the many resident-states of the various donors. These laws vary greatly. For
example, the Insurers cite to some states’ laws which require notification when
personal information such as social security number, driver’s license number, health
insurance information, or financial information have been accessed. Some states’
laws require notification when there has been an unauthorized access to the
information, while others require notification only where data has been exfiltrated.17
Finally, some states require notification only if there is a risk of harm to the
individuals.
17 Answering brief in Travelers (D.I. 24) (“T-AB”), pp. 13-15; Answering brief in Philadelphia Indemnity (D.I. 16) (“P-AB”), pp. 13-15.
Because compliance with these laws is mandatory, the Insurers argue, the
Insureds were required to conduct investigations and comply with their obligations
under the state-specific laws.18 To conduct the investigations and comply with these
laws, the Insureds had to hire forensic experts and lawyers. As a result of the
investigations, some Insureds hired firms to send notices and respond to inquiries
from impacted individuals and state regulators. The costs associated with these
activities form the basis of the Insurers’ damages, i.e., the Expenses.19
B. Standing Standard of Review
“Standing” refers to the right of a person to invoke jurisdiction of the Court to
redress its grievance. “The issue of standing is concerned ‘only with the question of
who is entitled to mount a legal challenge and not with the merits of the subject
matter of the controversy.’”20
18 The Insurers argued that if claims such as the claim asserted here are not permitted, it would set bad public policy because companies would be less likely to comply with the law if they are not certain that they will be reimbursed for expenses incurred in responding to a data breach notice. P-AB, p. 17; T-AB, p. 17. The Court disagrees. Companies should be incentivized to comply with the law simply because they are required to do so.
19 The Insurers argued that even if the Expenses are not “damages”, the Insurers would be entitled to at least nominal damages for the breach of contract claim and thus, based on this alone, they have standing. The Insurers, however, are not seeking nominal damages for a breach. Thus, this argument is not persuasive and therefore, is rejected.
20 Albence v. Higgin, 295 A.3d 1065, 1086 (Del. 2022) (emphasis in original) (citation omitted).
Delaware generally follows the federal courts’ requirements for establishing
Article III standing, but is not bound by the federal rules of justiciability.21 Unlike
the federal courts where “standing may be subject to stated constitutional limits,”
Delaware applies the “concept of standing as a matter of self-restraint to avoid the
rendering of advisory opinions at the behest of parties who are ‘mere
intermeddlers.’”22 “Consequently, Delaware’s courts may hear cases and
controversies that the federal courts cannot.”23
The party invoking the jurisdiction of the Court has the burden of establishing
its standing, which requires a plaintiff to show that: “(i) the plaintiff has suffered an
‘injury-in-fact,’ i.e., a concrete and actual invasion of a legally protected interest; (ii)
there is a causal connection between the injury and the conduct complained of; and
(iii) it is likely the injury will be redressed by a favorable court decision.”24
When a defendant argues that the Court would not have authority to grant the
requested relief to any plaintiff, standing is analyzed under Rule 12(b)(1).25
However, where “the issue of standing is so closely related to the merits, a motion
to dismiss based on lack of standing is properly considered under Rule 12(b)(6)
rather than Rule 12(b)(1).”26
21 Id.
22 Id. (cleaned up).
23 Id.; Continental Auto. Sys., Inc. v. Nokia Corp., 2023 WL 1370523, at *6 (Del. Ch. Jan. 31, 2023) (“a showing that satisfies the Article III requirements will establish standing under Delaware law. Failing to satisfy the requirements for Article III standing means that a court must determine whether standing nevertheless exists under Delaware law.”).
24 Albence, 295 A.3d at 1086 (citations omitted).
25 In re Covid-Related Restrictions on Religious Services, 302 A.3d 464, 478 (Del. Super. 2023).
C. Discussion
The parties spend much time discussing cases that address standing in
“typical” data breach cases, in which individuals’ or entities’ own data has been
compromised.27 In Reilly (3d Cir. 2011) and Abernathy (Del. Super.), the courts
ruled that where hackers potentially gained access to personal or financial
information but there were no allegations that plaintiffs’ information was accessed
and improperly used, the speculative threat of future improper use, without more,
was insufficient to confer standing on the plaintiffs.
In Clemens v. ExecuPharm Inc.28 (relied on by the Insurers), the Third Circuit
clarified that a hacking victim does not necessarily need to wait until the data is
actually misused to gain standing. If a plaintiff can show a substantial risk of future
harm which has caused additional current harm, a plaintiff has alleged a concrete
injury and thus, established standing.29
26 Appriva S’holder Litig. Co., LLC v. EV 3, Inc., 937 A.2d 1275, 1285-86 (Del. 2007); In re Covid-Related Restrictions, 302 A.3d at 478 (when the defendant is arguing that the court cannot grant relief to a plaintiff in a particular case because this particular plaintiff has not pleaded an essential element of the claim, the motion is properly decided under Rule 12(b)(6).).
27 This is understandable because the complaints allege that the Insureds’ information had been impacted by the breach. The Insurers did not reveal that it was the Insureds’ donors’ information at issue until they filed their answering briefs.
28 48 F.4th 146 (3d Cir. 2022).
29 Id. at 155-56.
While not a data breach case, in Clapper v. Amnesty Int’l USA,30 the claimants,
attorneys and organizations whose work (they alleged) required them to engage in
communications with foreign nationals which may be subject to surveillance under
the Foreign Intelligence Surveillance Act of 1978 (“FISA”), challenged the
constitutionality of section 1881a of the act. The Supreme Court ruled that the
claimants lacked standing because they could not show that there was an injury-in-
fact as there was no imminent threat to interception of their communications with
foreign nationals. The claimants’ fear of communication interception was found to
be highly speculative because before any communications could be intercepted,
several safeguard and procedural hurdles would have to be cleared, including an
Article III judge concluding that the proposed interception was consistent with Fourth
Amendment protections.31
These cases, focusing on the potential for future harm, are not helpful in
analyzing whether the Insurers have standing. The Insurers are not asserting some
future harm from the exfiltration of any particular data. Rather, upon receiving a
data breach notice, the Insureds (or at least some of them) supposedly had an
obligation to investigate and notify third parties of the Blackbaud data breach. The
expenses associated with this process are what the Insurers are seeking to recover.
30 Clapper, 568 U.S. 398 (2013).
31 Id. at 428-31.
Because Blackbaud’s challenge to the complaints focuses on the lack of
factual allegations supporting the elements of the claims asserted, the challenges will
be analyzed in the context of Rule 12(b)(6).
Under Rule 12(b)(6), the Court: accepts as true all well-pled factual
allegations; credits vague allegations as “well pleaded” if they give the opposing
party notice of the claim; draws all reasonable inferences in favor of the non-moving
party; and denies dismissal if there is a reasonably conceivable32 set of circumstances
of recovery on the claim.33 Delaware’s pleading standard is “minimal,” but the
liberal construction afforded to a claimant does not “extend to ‘conclusory
allegations that lack specific supporting factual allegations.’”34 Accordingly, the
Court should dismiss a complaint if the plaintiff fails to make “specific allegations
supporting each element of a claim or if no reasonable interpretation of the alleged
facts reveals a remediable injury.”35
32 Blackbaud argues that the Insurers must provide “plausible” allegations to avoid dismissal. Blackbaud’s Opening Brief in Travelers (“B-T OB”) (D.I. 19), pp. 15, 22; Blackbaud’s Opening Brief in Philadelphia Indemnity (“B-PI OB”) (D.I. 14), pp. 15, 22. The Delaware pleading standard, however, is a more liberal “reasonably conceivable” standard, which the Court applies to the complaints. Cent. Mortg. Co. v. Morgan Stanley Mortg. Cap. Holdings LLC, 27 A.3d 531, 535, 536-37, n.13 (Del. 2011) (the “‘conceivability’ standard is more akin to ‘possibility,’ while the federal ‘plausibility’ standard falls somewhere beyond mere ‘possibility’ but short of ‘probability.’”).
33 Cent. Mortg. Co., 27 A.3d at 535.
34 Id. at 536-37, n.13; Surf’s Up Legacy Partners, LLC v. Virgin Fest, LLC, 2021 WL 117036, at *6 (Del. Super. Jan. 13, 2021) (quoting Ramunno v. Cawley, 705 A.2d 1029, 1034 (Del. 1998)).
35 Axogen Corp. v. Integra LifeSciences Corp., 2021 WL 5903306, at *2 (Del. Super. Dec. 13, 2021) (citing Surf’s Up Legacy Partners, LLC, 2021 WL 117036, at *6).
II. Motion for Judgment on the Pleadings
A. Choice-of-Law
i. The Parties’ Contentions
Blackbaud tests the validity of the Insurers’ claims under Delaware law, as
there was no indication in the complaints that any other law might apply.
The Insurers object to the application of Delaware law, arguing that the Court
must first determine which state’s law applies before determining whether the
complaints sufficiently plead the claims. To determine whether the complaints state
a claim without first conducting a choice-of-law analysis, the Insurers assert, “would
be premature” and would ignore the states that have “more relevant jurisdictional
contacts.” The Insurers do not suggest any particular state’s law that should apply
but survey multiple states’ laws, without any analysis as to why they might apply.
On their contract claims, the Insurers assert in their briefs that “all contracts
identified to date” between Blackbaud and the Insureds provide that they are
governed by New York law.36 The Insurers do not allege that New York law should
apply to their contract claims, but assert that they should be entitled to proceed to
discovery.
36 P-AB p. 7; T-AB p. 8.
Blackbaud responds that the complaints are so vague and conclusory that the
Court should apply Delaware law. Additionally, New York law is not in conflict
with Delaware law on the claims, and therefore, Delaware law applies in any event.
ii. Choice-of-Law Standards
The first step in a choice-of-law analysis under Delaware law is to determine
whether there is an actual conflict. To do so, Delaware courts “answer a single and
simple inquiry: does the application of the competing laws yield the same result?”37
If yes, there is a “false” conflict and Delaware law will apply.38 If the answer is no,
for tort claims, Delaware will then determine which jurisdiction has the most
significant relationship, utilizing the factors set forth in Section 145 of the
Restatement (Second) of Conflicts, and apply that state’s law.39
Where the parties agreed to the application of a state’s law in their contract,
Delaware courts are “strongly inclined” to respect the parties’ freedom of contract
and enforce the contract provision unless there is a strong overriding public policy
interest at play.40 “[W]ith very limited exceptions, [Delaware] courts will enforce
the contractual scheme that the parties have arrived at through their own self-
ordering, both in recognition of a right to self-order and to promote certainty of
obligations and benefits.”41
37 In re CVS Opioid Ins. Litig., 2022 WL 3330427, at *8 (Del. Super. Aug. 12, 2022) (citations omitted).
38 Dueley v. Dyncorp Int’l, Inc., 8 A.3d 1156, 1161 (Del. 2010).
39 Travelers Indemn. Co. v. Lake, 594 A.2d 38 (Del. 1991); Stillwater Mining Co. v. Nat’l Union Fire Ins. Co. of Pittsburg, Pa., 2021 WL 6068046, at *7 (Del. Super. Dec. 22, 2021). The court considers the following relevant contacts, as provided in Section 145: (a) the place where the injury occurred; (b) the place where the conduct causing the injury occurred; (c) the domicil, residence, nationality, place of incorporation and place of business of the parties; and (d) the place where the relationship, if any, between the parties is centered. Travelers Indemn. Co., 594 A.2d at 47. These contacts are to be evaluated according to their relative importance with respect to the particular issue. Id.
iii. Analysis
In their briefs, the Insurers admit that the contracts they have been able to
locate thus far contain a New York choice-of-law provision. Curiously, the Insurers
then argue that this choice-of-law provision has no bearing on the motions.
Blackbaud argues that if New York law does not apply, Delaware law should
be applied here because the Insurers chose this forum, and they provided no choice-
of-law analysis.
The Insurers have provided no reason why the Court should not apply New
York law to the breach of contract claims. Whether New York or Delaware law
applies, the result would be the same because these states’ laws are not in conflict.
Whether New York law would apply to the tort claims may depend on the
scope of the choice-of-law provision.42 Some choice-of-law provisions are broad
enough to cover tort claims that arise out of the parties’ relationship.43 The Insurers
did not give the Court the benefit of reviewing the contractual language because they
have not submitted a copy of the contracts (or even an exemplar) to the Court.
Under a tort choice-of-law analysis, the Court would have to weigh the four
Restatement factors. There are cases where the determination of choice-of-law is
premature without the benefit of some discovery,44 but where, as here, the
complaints contain such vague and conclusory allegations that the most basic
elements of the claims are not supported by basic factual allegations, the Court is
going to apply Delaware law. Otherwise, a plaintiff could allege conclusory
allegations, which do not satisfy Rule 8’s pleading standards and be permitted to
proceed to discovery. Before a plaintiff is permitted to proceed to discovery, it must
first satisfy the minimal obligations of Rule 8.
40 Wind Point P’ners VII-A, L.P. v. Insight Equity A.P. X Co., LLC, 2020 WL 5054791, at *18 (Del. Super. Aug. 17, 2020).
41 Id. (citation omitted). If the contract does not contain a choice-of-law provision, Delaware courts will apply the Restatement (Second) of Conflicts § 188. SIGA Tech., Inc. v. PharmAthene, Inc., 67 A.3d 330, 342 (Del. 2013).
42 Relying on Abry Partners V L.P. v. F&W Acquisition LLC, 891 A.2d 1032 (Del. Ch. Feb. 14, 2006), Blackbaud argues that a contractual choice-of-law provision will apply to tort claims as well. The court’s ruling in Abry Partners, however, was limited to tort claims arising out of a challenge to the enforcement of the contract. The tort claims here would need to be analyzed separately from the contract claims.
43 See Gloucester Holdings Corp. v. US Tape and Sticky Products, LLC, 832 A.2d 116, 124 (Del. Ch. 2003) (a choice-of-law provision that provides the chosen state’s law applies to claims that arise out of or relate to the agreement is broad enough to apply to tort claims, whereas a clause that applies to the “rights of the parties” will not extend to tort claims); ETC Northeast Pipeline, LLC v. Associated Electric & Gas Ins. Svs. Ltd., 2023 WL 6441815, at *2 (Del. Super. Sept. 5, 2023) (recognizing that New York law provides that a contractual choice-of-law provision that applies to disputes “relating to” the contract is broad enough to apply to tort claims).
44 See Soares v. Continental Motors, Inc., 2021 WL 6015701, at *1, 11 (Del. Super. Dec. 17, 2021) (finding that further discovery was required before a choice-of-law determination was appropriate).
B. Rule 12(c) Standard of Review
Under Superior Court Rule 12(c),45 the Court is required to accept as true the
well-pled facts alleged in the complaint and draw all reasonable inferences in favor
of the non-moving party.46 The Court will not, however, “rely upon conclusory
allegations … [and] neither inferences nor conclusions of fact unsupported by
allegations of specific facts … are accepted as true.”47
C. Breach of Contract
Blackbaud asserts that the contract claims fail for at least three reasons: (i) the
Insurers failed to identify the contracts at issue or the specific contract provisions
that were allegedly breached; (ii) the complaints allege no facts supporting the
conclusory allegations that the contracts were breached; and (iii) the complaints fail
to identify a cognizable harm.
45 Rule 12(c) provides: After the pleadings are closed but within such time as not to delay the trial, any party may move for judgment on the pleadings. If, on a motion for judgment on the pleadings, matters outside the pleadings are presented to and not excluded by the Court, the motion shall be treated as one for summary judgment and disposed of as provided in Rule 56, and all parties shall be given reasonable opportunity to present all material made pertinent to such a motion by Rule 56. 46 Festival Fun Parks, LLC v. MS Leisure Co., 2023 WL 8714994, at *4 (Del. Super. Dec. 18, 2023). 47 Id. (citation omitted); Bay Point Capital P’ners L.P. v. Fitness Recovery Holdings, LLC, 2021 WL 5578705, at *4 (Del. Super. Nov. 30, 2021) (“The Court accords the party opposing a Rule 12(c) motion the same benefits as a party defending a motion to dismiss under Rule 12(b)(6)”).
The Insurers counter that the complaints identify the contractual provisions at
issue. Quoting the complaints, the Insurers assert that the following contract
provisions were breached:
- “to not disclose Plaintiffs’ insured’s confidential information or materials to unauthorized third-parties;”
- “to implement and maintain safeguards against threats or hazards to Plaintiffs’ insureds’ confidential information and materials;”
- “to protect against unauthorized access to (or use of) Plaintiffs’ insureds’ confidential information.”
- “[to] maintain commercially reasonable information security procedures and standards.”
- “it had implemented commercially reasonable policies and procedures addressing potential security breaches, including the reporting to each insured (within 72 hours of discovery) of any security breach.”
- “to indemnify and defend the insureds against any third-party claims arising from its gross negligence or willful misconduct.”
- “performance … in a professional manner in accordance with industry standards.”48
Blackbaud is alleged to have breached these provisions by failing to:
- “properly and adequately determine whether Blackbaud was susceptible to a data breach;”
- “properly maintain and monitor its own data security programs for intrusions;”
- “remove old unused and obsolete data containing the insured’s information and materials, or to encrypt such information;”
- “heed vendor announcements regarding the sunset of certain databases, leaving client information on older databases that were more vulnerable to cyberattack;” and
- “employ commercially reasonable security measures that met industry standards.”49
48 Travelers Com. ¶¶ 27-31; Phila. Com. ¶¶ 36-40. 49 Travelers Com. ¶ 32; Phila. Com. ¶ 42.
The Insurers argue that they have alleged cognizable damages because the
Expenses were incurred in complying with “mandatory legal requirements.”50
ii. Analysis
To adequately plead a claim for breach of contract, a plaintiff must allege “(1)
the existence of a contract; (2) that the contract was breached; and (3) damages
suffered as a result of the breach.”51 Each element must be supported by specific
factual allegations; conclusory statements are insufficient.52 Additionally, generally
referring to a contract will not sustain a claim. “A party must identify the particular
contractual terms that were breached.”53
The Insurers assert breach of contract claims as subrogees for 104 Insureds.
The Insureds are alleged to have entered into “agreements” and “contracts” with
Blackbaud. The Insurers did not attach the contracts (or even an exemplar) to the
complaints or their briefs. The provisions to which the Insurers cite are not in all the
contracts. As the Insurers admit in their answering briefs, they do not even have all
50 P-AB, p. 22; T-AB, p. 22. 51 Khushaim v. Tullow Inc., 2016 WL 3594752, at *3 (Del. Super. June 27, 2016); Patriarch P’ners LLC v. Zohar CDO 2003-1 LLC, 2017 WL 2643972, at *1, n.3, 165 A.3d 288 (TABLE) (Del. 2017) (same) (applying New York law). 52 Festival Fun Park, 2023 WL 8714994, at *4. 53 Marydale Preservation Associates, LLC v. Leon N. Weiner & Associates, Inc., 2022 WL 4446275, at *17 (Del. Super. Sept. 23, 2022); Clifden Futures, LLC v. Man Financial, Inc., 858 N.Y.S.2d 580, 583-84 (N.Y. Sup. Ct. 2008) (“The pleadings must be sufficiently particular to give the court and [the] parties notice of the transaction, occurrences, or series of transactions or occurrences, intended to be prove as well as the material elements of each cause of action or defense.” (quoting Atkins v. Mobil Oil Corp., 614 N.Y.S.2d 36 (2d Dep’t 1994) (citation omitted)).
the contracts under which they are suing. The Insurers state that “all the contracts
identified to date” between the Insureds and Blackbaud contained a New York
choice-of-law provision.54 Thus, the Insurers’ conclusory allegations that each
Insured entered into a contract containing the promises alleged is insufficient to
satisfy the pleading requirements.
“At the pleading stage of a written contract dispute, Rule 8 requires the
plaintiff to take the basic and customary step of producing the agreement and citing
the provisions alleged to have been breached. Failure to do so ‘is not a technical
foot fault; it reflects, instead, a fundamental failure to give the [defendant] fair notice
of the claim asserted against [him] as required by [] Rule 8.’”55
The complaints also fail to allege specific facts supporting the allegations that
the contracts were breached. The complaints assert certain promises that some
contracts may contain, such as to implement and maintain safeguards against threats
or hazards, to use procedures and standards to protect against security breaches in
accordance with industry standards, and to protect against unauthorized access to
confidential information. But the complaints do not allege facts of how these alleged
promises were breached.56 The complaints allege in conclusory fashion that
54 P-AB, p. 7; T-AB, p. 8. 55 Enzolytics, Inc. v. Empire Stock Transfer Inc., 2023 WL 2543952, at *3 (Del. Ch. Mar. 16, 2023) (quoting Ryan v. Buckeye P’ners, L.P., 2022 WL 389827, at *6 (Del. Ch. Feb. 9, 2022), aff’d, 285 A.3d 459 (Del. 2022) (TABLE)). 56 The complaints also allege that Blackbaud agreed in the contracts to indemnify the Insureds from liability from third-parties. Phila. Com., ¶ 39; Travelers Com., ¶ 30. But the complaints
Blackbaud failed to maintain and monitor its systems and failed to use commercially
reasonable security measures, but the Insurers never describe what those standards
are or why Blackbaud’s conduct failed to meet those standards.57 For example, the
complaints allege “Blackbaud breached its agreements and its duties by failing to
comply with its obligations under its contracts, as well as under certain statutes and
regulations, before, during and after the incident.”58 This circular allegation is
insufficient. The complaints never identify the statutes and regulations under which
Blackbaud had obligations and never identify what “regulators’ expectations” they
supposedly had to comply with or why such compliance was even necessary.
Although the complaints allege that Blackbaud failed to remove unused and
obsolete data containing the Insureds’ unidentified information, they do not allege
how this was a breach of the contracts or if it was, which of the 104 contracts were
breached. Similarly, Blackbaud is alleged to have failed to heed “vendor
announcements” regarding certain databases. But again, the complaints are devoid
of any factual allegations that Blackbaud was required to heed these unidentified
contain no factual allegations that any Insured was subjected to (or even threatened with) a third-party claim. Similarly, the complaints allege that Blackbaud “may have failed” to name one or more of the Insureds as an “additional insured” on Blackbaud’s insurance policies as “possibly required” under “one or more of its contracts.” Phila. Com., ¶ 32; Travelers Com., ¶ 23. Neither of these assertions is supported by factual allegations. Accordingly, the complaints fail to state a claim based on these alleged breaches. 57 Phila. Com., ¶ 24; Travelers Com., ¶ 15 (“a third party was able to readily bypass Blackbaud’s substandard security” and deploy ransomware); Phila. Com., ¶ 18; Travelers Com., ¶ 27 (“Blackbaud failed to maintain adequate security”). 58 Phila. Com., ¶ 29; Travelers Com., ¶ 20.
vendor announcements and even if so, how this alleged failure resulted in a breach
of contractual duties.
Essentially, the complaints allege there were contracts which required
Blackbaud to protect unidentified information belonging to unidentified persons, a
data breach occurred resulting in the attackers “gaining access to numerous
[Insureds’] data, information and/or materials” and therefore the Insurers conclude,
Blackbaud breached the contracts. This is insufficient. Indeed, as the Insurers admit,
not even all of the Insureds (or their donors’) had their information accessed.
Further, the complaints fail to sufficiently allege that the breaches were the
proximate cause of the alleged damages (the Expenses). The complaints allege that
the Insureds stored “important and private information and documents” on
Blackbaud’s servers, that the hackers gained access to “numerous [I]nsureds’ data,
information and/or material” and as a result of “these circumstances, as well as legal
requirements governing such circumstances,” the Insureds had to undertake their
own investigations.59 Because the Insureds had to comply with “these various laws,”
they incurred the Expenses. However, the Insurers never identify these “various
laws.” As the Insurers acknowledge in the answering briefs, data breach laws “differ
greatly.”60 The statutes’ requirements depend on the type of information that was
59 Phila. Com., ¶¶ 28, 30; Travelers Com., ¶¶ 19, 21 (“The [I]nsureds were required to comply with numerous state and federal statute and regulations…”). 60 P-AB, p. 13; T-AB, p. 13.
breached; some may require notifications, some may not.61 Additionally, some
states require notification where there has been an unauthorized access and others
require notification only when there is a risk of harm to the individual.62 The Insurers
cite examples of Kansas (requiring notification if the breach involved social security
numbers, driver’s license number, or financial information)63 and California
(requiring reporting if health insurance or biometric data is accessed)64 but the
Insurers do not show how these states’ laws have any application here.
Moreover, the Insurers failed to allege facts to show that the Expenses
incurred by any of the 104 Insureds in reviewing legal requirements (and/or sending
notices) were proximately caused by Blackbaud’s breach of contract. The
complaints do not identify the type of information that allegedly triggered the legal
obligation to conduct an investigation65 or that information stored by the Insureds
belonged to third-parties. The Insureds allegedly hired legal experts to review
applicable laws to determine whether the Insureds had to take further action and
61 Some states require notice if there has been access to defined personal information, while others require notification only if the personal information has been exfiltrated. P-AB, p. 14; T-AB, p. 14. 62 P-AB, p. 14; T-AB, p. 15, citing Conn. Gen. Stat. § 36a-701(b)a(1) and Ala Code § 8-38-6(a). 63 P-AB, p. 13; T-AB, p. 14, citing Kan. Stat. § 50-7a01(g). 64 Id., citing Cal. Civ. Code § 1798.82(h). 65 The answering briefs assert that the Insureds hired forensic experts to “determine what type of data was breached, whose data it was, where the individual owners of such data resided, and what was done with the data.” P-AB, p. 16; T-AB, p. 16.
some of the 104 Insureds were required to provide notices.66 However, other than
the timing of this legal review, the complaints do not allege facts to show that but
for the breach, the legal expenses would not have been incurred. The Insureds may
have undertaken this work after receiving a breach notice, but the timing alone is
insufficient.
Without supporting facts, the conclusory allegations in the complaints fail to
state a claim for breach of contract.
D. Negligence
Blackbaud argues that the Insurers’ tort claims fail for three reasons: (i) the
complaints fail to plead the existence of a legal duty; (ii) the Insurers failed to plead
negligence with particularity; and (iii) the negligence claims are barred under the
economic loss doctrine or due to impermissible bootstrapping.
Citing no authority, the Insurers counter that there is no requirement to plead
the existence of a legal duty. Even if such a requirement exists, the Insurers argue,
their allegation that Blackbaud undertook the obligation to protect information
known to be confidential and “protected under the law” and had the “common law
duty to properly safeguard” the information, is sufficient. The Insurers again raise
66 P-AB, p. 16; T-AB, p. 17 (the Insureds “paid legal experts to interpret the [I]nsureds’ obligations … pursuant to the various state data breach notification laws …. Some [of the Insureds] then incurred expenses complying with their legal obligations ….”).
the argument that the Court cannot decide whether the complaints state a claim
without first making a choice-of-law determination as the claims they assert are valid
under some states’ laws and not barred by the economic loss doctrine.
The Insurers also argue that they have satisfied the particularity requirement
by pleading that “Blackbaud knowingly undertook an obligation to protect
information and materials of third-parties and the [I]nsureds known to be
confidential and protected under the law, and in turn took on a common law duty to
properly safeguard and protect such information and materials.”67
To state a claim for negligence, a plaintiff must allege (i) a duty that is owed
to plaintiff; (ii) defendant breached that duty; and (iii) as a proximate cause of the
breach, plaintiff suffered damages.68 Gross negligence is a higher standard of
negligence, representing an extreme departure from the standard of care.69 “When
evaluating whether a defendant’s conduct constitutes gross negligence, this Court
conducts an assessment of the ‘reasonableness of a defendant’s actions given the
conditions at that time and not whether hindsight would shed more light upon
whether any conditions could have served as red flags.’”70
67 Phila. Com., ¶ 46; Travelers Com., ¶ 38. 68 Russell v. K-Mart Corp., 761 A.2d 1, 5 (Del. 2000). The standard is the same under New York law. See Solomon v. City of New York, 499 N.Y.2d 392 (N.Y. Sup. Ct. 1985). 69 Browne v. Robb, 583 A.2d 949, 953 (Del. 1990). 70 Ward v. Del. State Police, 2022 WL 351205, at *7 (Del. Super. Feb. 4, 2022) (citation omitted); J.L. v. Barnes, 33 A.3d 902, n.77 (Del. Super. 2011) (“In order for a plaintiff to plead gross
Under Rule 9(b), allegations of negligence must be plead with particularity.
“The purpose of the Rule’s particularity requirement is to: ‘(1) provide defendants
with enough notice to prepare a defense; (2) prevent plaintiffs from using complaints
as fishing expeditions to unearth wrongs to which they had no prior knowledge; and
(3) preserve a defendant’s reputation and goodwill against baseless claims.’”71
Generally, a claim of negligence or gross negligence satisfies Rule 9(b) when it
advises the defendant “‘(1) what duty, if any, was breached; (2) who breached it; (3)
what act or failure to act breached the duty; and (4) the party upon whom the act was
performed.’”72 While Delaware courts apply a more relaxed standard of particularity
when the factual information is in the opposing party’s possession,73 a complaint
cannot rely on conclusory allegations.
To state a claim, the Insurers must identify the duty allegedly owed by
Blackbaud. Blackbaud informed the Court that it found no Delaware case
negligence with the requisite particularity, the plaintiff must articulate ‘facts that suggest a wide disparity between the process [ ] used ... and that which would have been rational.’”) (citation omitted). 71 Cantatore v. Univ. of Del., 2021 WL 2745107, at *2 (Del. Super. June 30, 2021) (citation omitted). 72 Greenfield for Ford v. Budget of Del. Inc., 2017 WL 729769, at *2 (Del. Super. Feb 22, 2017) (quoting Murphy v. Bayhealth Med. Ctr., 2006 WL 509544, at *3 (Del. Super. Jan. 9, 2006) (citation omitted)); See also Rinaldi v. Iomega Corp., 1999 WL 1442014, at *7 (Del. Super. Sept. 3, 1999) (“When pleading negligence, plaintiffs have to meet the heightened standard of Rule 9(b), and must specify a duty, a breach of the duty, who breached the duty, what act or failure to act caused the breach, and the party who acted.”) (emphasis added). 73 Morra v. 700 Marvel Road Operations, LLC, 2023 WL 5406163, at *4 (Del. Super. Aug. 21, 2023).
recognizing a common law duty to protect confidential information.74 The Insurers
responded that just because Blackbaud was unable to find any such case, does not
mean that no such duty exists.75 That may be true, but the Insurers do not identify a
Delaware (or New York) common law duty.
The Insurers assert that a common law duty to protect confidential information
is recognized under Massachusetts law and South Carolina law, where a class action
is pending against Blackbaud arising out of the data breach. The South Carolina
court, however, applied South Carolina law at the motion to dismiss stage because,
as here, the parties did not have or present facts sufficient for the court to conduct a
choice-of-law analysis.76 Thus, at this stage of the cases, the South Carolina case
supports the application of Delaware law, not South Carolina law. The South
Carolina court, applying a lex loci delicti choice-of-law analysis, later determined
that Massachusetts law applied to the data breach case.77 Of course, Delaware
applies the Restatement (Second) of Conflicts choice-of-law analysis. Therefore,
the Court is not persuaded that Massachusetts law should apply.
74 T-OB, p. 26; P-OB, p. 26. 75 P-AB, p. 24; T-AB, p. 24. 76 In re Blackbaud, Inc. Customer Data Breach Litig., 567 F. Supp. 3d 667, 676-77 (D.S.C. 2021) (“Because it is presently unclear where the [data] breach occurred, the court will apply South Carolina law with respect to Plaintiffs’ common law claims for negligence, gross negligence, and negligence per se.”). 77 In re Blackbaud, Inc. Customer Data Breach Litig., 2022 WL 2314714 (D.S.C. June 28, 2022).
Even if a common law duty exists, the complaints fail to plead the negligence
claims with particularity. Just as they did in the breach of contract claims, the
complaints plead the negligence claims in conclusory fashion. The complaints
allege that Blackbaud failed to: (i) remove obsolete data; (ii) adequately determine
that it was susceptible to an attack; (iii) maintain and monitor its security programs;
(iv) heed vendors’ announcements; and (v) employ commercially reasonable
security measures that met industry standards. The complaints do not allege facts of
what duty was breached or what act breached the duty. Again, the complaints
essentially allege that an attack occurred and therefore Blackbaud must have been
negligent.
Further, the complaints fail to allege facts supporting the allegation that
Blackbaud was grossly negligent. The Insurers argue that merely by the amount of
confidential data stored by Blackbaud, the fact that it suffered a data breach when it
was at a heightened risk of attack, constitutes gross negligence.78 This conclusory
allegation, however, is insufficient.
Finally, just as with the contract claims, the complaints fail to allege facts to
support the conclusion that the damages (the Expenses) were the proximate result of
the alleged breaches.
78 P-AB, p. 27; T-AB, p. 27.
Accordingly, the complaints fail to state a claim for negligence, let alone gross
negligence.
Conclusion
The complaints fail to state a claim for breach of contract, negligence, or gross
negligence. Therefore, the Court need not address whether the negligence claims
are barred by the economic loss doctrine or bootstrapping. Similarly, the Court need
not address whether the Insurers properly asserted a claim for attorneys’ fees.
Because the complaints fail to state a claim under Rule 12(b)(6), judgment
on the pleadings is entered in favor of Blackbaud.
IT IS SO ORDERED.
/s/Kathleen M. Miller Kathleen M. Miller, Judge