A Delaware trial judge on Wednesday dismissed two lawsuits brought by a combined seven insurance companies against a data-hosting application service to recover costs paid to nonprofit organizations affected by a 2020 ransomware attack.
Delaware Superior Court judge said Travelers Casualty and Surety Co. of America v. Blackbaud Inc. And Philadelphia Indemnity Insurance Company et al. vs. Blackbaud Inc. The insurer failed to adequately state a breach of contract claim against Charleston, South Carolina-based Blackbaud.
Insurers provided policies to at least 104 nonprofit organizations that were affected by the ransomware attack on Blackbaud. They paid the claims submitted by the nonprofits and sued Blackbaud to recover the amount they paid as well as attorneys’ fees.
Blackbaud sought dismissal, arguing that the insurers lacked standing to file the suit and failed to allege viable claims.
The judge said in the decision that according to a Harvard Business Review article, 83% of organizations experienced more than one data breach in 2022.
“Thus, the fact that a data breach occurred, and that the insured incurred expenses, is not alone sufficient to state a claim,” the decision said.
The judge also said that Travelers, Philadelphia Indemnity and other insurers are unable to state negligence and gross negligence claims against Blackbaud because Delaware does not impose a common law duty to protect confidential information.
“The insurers argue that simply by the amount of confidential data stored by Blackbaud, the fact that it suffered a data breach at a time when it was at increased risk of attack constitutes gross negligence. However, this conclusive allegation is inadequate,” the ruling said.
Representatives of the parties did not respond to requests for comment.