Opinion
C. A. N22C-12-130 KMM N22C-12-141 KMM
03-27-2024
TRAVELERS CASUALTY AND SURETY COMPANY OF AMERICA, Plaintiff, v. BLACKBAUD, INC. Defendant. PHILADELPHIA INDEMNITY INSURANCE COMPANY, GREAT AMERICAN INSURANCE COMPANY, GREAT AMERICAN SPIRIT INSURANCE COMPANY, GREAT AMERICAN ALLIANCE INSURANCE COMPANY, ACADIA INSURANCE COMPANY, UNION INSURANCE COMPANY, Plaintiffs, v. BLACKBAUD, INC., Defendant.
Wade A. Adams, Esquire, Law Offices of Wade A. Adams, III, Kenneth T. Levine, Esquire (argued), de Luca Levine LLC, Attorneys for Plaintiff Travelers Casualty and Surety Company of America. Lisa C. McLaughlin, Esquire, Todd L. Goodman, Esquire, Phillips, McLaughlin &Hall, P.A., Kenneth T. Levine, Esquire (argued), de Luca Levine LLC, Attorneys for Plaintiffs Philadelphia Indemnity Insurance Company, Great American Insurance Company, Great American Spirit Insurance Company, Great American Alliance Insurance Company, Acadia Insurance Company, and Union Insurance Company. John P. DiTomo, Esquire, Emily C. Friedman, Esquire, Morris, Nichols, Arsht &Tunnell LLP, Sarah Fulton Hutchins, Esquire (argued), Parker Poe Adams &Bernstein LLP, Corri A. Hopkins, Esquire, Parker Poe Adams &Bernstein LLP, Attorneys for Defendant Blackbaud, Inc.
Date Submitted: January 9, 2024
Blackbaud, Inc.'s Motion to Dismiss and Motion for Judgment on the Pleadings GRANTED.
Wade A. Adams, Esquire, Law Offices of Wade A. Adams, III, Kenneth T. Levine, Esquire (argued), de Luca Levine LLC, Attorneys for Plaintiff Travelers Casualty and Surety Company of America.
Lisa C. McLaughlin, Esquire, Todd L. Goodman, Esquire, Phillips, McLaughlin &Hall, P.A., Kenneth T. Levine, Esquire (argued), de Luca Levine LLC, Attorneys for Plaintiffs Philadelphia Indemnity Insurance Company, Great American Insurance Company, Great American Spirit Insurance Company, Great American Alliance Insurance Company, Acadia Insurance Company, and Union Insurance Company.
John P. DiTomo, Esquire, Emily C. Friedman, Esquire, Morris, Nichols, Arsht &Tunnell LLP, Sarah Fulton Hutchins, Esquire (argued), Parker Poe Adams &Bernstein LLP, Corri A. Hopkins, Esquire, Parker Poe Adams &Bernstein LLP, Attorneys for Defendant Blackbaud, Inc.
MEMORANDUM OPINION AND ORDER
KATHLEEN M. MILLER, JUDGE
Introduction
Blackbaud, Inc. ("Blackbaud") is an application service provider that offers data hosting services to its customers, including nonprofit entities. In early 2020, Blackbaud was the target of a ransomware attack and later notified customers of the incident. In response to the notice, it is alleged, several nonprofit-customers were required to undertake investigative and remediation steps to comply with "numerous state and federal statutes and regulations." Relevant here, certain nonprofits were covered by insurance policies issued by Travelers Casualty and Surety Company of America ("Travelers"), or Philadelphia Indemnity Insurance Company, Great American Spirit Insurance Company, Great American Alliance Insurance Company, or Union Insurance Company (collectively, "Philadelphia Indemnity" and with Travelers, the "Insurers").
Great American Insurance Company ("GAIC") is also a named plaintiff. However, plaintiffs' counsel agreed that GAIC did not insure any of the non-profits at issue here. Therefore, judgment is entered against GAIC.
The Insurers paid the claims of their nonprofit-insureds for these investigative and remediation steps. As subrogees, Travelers and Philadelphia Indemnity each filed an action against Blackbaud for breach of contract and negligence, seeking to recover the amounts paid to their insureds, plus an award of attorneys' fees. The actions are essentially identical, except for the identities of the Insurers and the insureds, and the amount sought. Therefore, the cases are being addressed together here.
Blackbaud filed an amended answer to each complaint and moved to dismiss, arguing that the Insurers lacked standing because they failed to allege a concrete harm; that is, the Insurers do not assert that any of the insureds' information was accessed or misused. To be sure, courts around the country have come to different conclusions on standing where a plaintiff received notice that its data may have been the subject of an attack, but it had not suffered actual misuse of its data. The Court does not need to make a determination of standing under these cases because under Delaware law, where, as here, the challenge to standing is closely related to the defendant's challenge to the merits of the claim, standing will be addressed under Rule 12(b)(6).
See In re Marriott Int'l, Inc. Customer Data Security Breach Litig., 440 F.Supp.3d 447, 458 (D. Md. 2020) (noting that the Sixth, Seventh and Ninth Circuits found that increased risk of future harm was sufficient to establish an injury-in-fact while the Fourth Circuit came to the opposite conclusion); Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022) (finding that a plaintiff asserting a substantial risk of future harm or fraud from a data breach can satisfy concreteness if it is alleged that the substantial risk also caused a current harm); Abernathy v. Brandywine Urology Consultants, P.A., 2021 WL 211144, at *4 (Del. Super. Jan. 21, 2021) (finding that mitigation costs were not a concrete injury to confer standing on plaintiff whose data may have been accessed but no actual harm was alleged).
While Delaware's pleading standard is minimal, conclusory allegations are not sufficient. The Insurers' breach of contract claims are based on circular and conclusory allegations. Essentially, their contract claims rests on the theory that Blackbaud agreed to safeguard data stored on its servers in compliance with industry standards, a data breach occurred, and therefore, Blackbaud breached its contractual duties. As recognized by the court in Strom v. Paytime, Inc. in 2015, "[t]here are only two types of companies left in the United States, according data security experts: 'those that have been hacked and those that don't know they've been hacked.'" According to Harvard Business Review, in 2022, 83% of organizations experienced more than one data breach. Thus, the fact that a data breach occurred and the insureds incurred expenses, alone, is not sufficient to state a claim.
90 F.Supp.3d 359, 360 (M.D. Pa. 2015).
https://hbr.org/2023/05/the-devastatmg-busmess-impacts-of-a-cyber-breach
The Insurers' negligence claims fair no better. While they allege that the expenses were incurred because the insureds were required to comply with various laws and regulations, the Insurers never identify the source of the alleged duty owed to the insureds. Their failure to do so is fatal to the negligence claims.
As discussed below, the complaints fail to state a claim and therefore, under Rule 12(b)(6) and (c), judgment is entered in Blackbaud's favor.
Background
I. The Parties
Travelers issued insurance policies to 79 educational institutions and nonprofit entities (the "Travelers Insureds").
Travelers Complaint (D.I. 1) ("Travelers Com."), ¶ 6.
Philadelphia Indemnity plaintiffs issued insurance policies to 25 educational institutions and nonprofit entities (the "Philadelphia Indemnity Insureds" and with the Travelers Insureds, the "Insureds").
Philadelphia Indemnity Complaint (D.I. 1) ("Phila. Com."), ¶¶ 4, 7, 10, 13.
The policies provided coverage for certain cyber, criminal, and related incidents. The Insureds are scattered in approximately 35 different states or the District of Columbia. The Insurers' principal places of business are in Pennsylvania, Ohio, Maine, or Mississippi.
Phila. Com., ¶ 14; Travelers Com., ¶ 4.
Blackbaud is a Delaware corporation, with its principal place of business in South Carolina.
II. Factual Background
The complaints allege that prior to May 2020, each of the Insureds contracted with Blackbaud and "stored and maintained databases of important and private information and documents" on Blackbaud's servers. Between February 7, 2020 and May 20, 2020, Blackbaud experienced a ransomware attack in which attackers "gained access to numerous" Insureds' "information and/or materials." Blackbaud notified the Insureds of the breach on July 16, 2020.
Travelers Com., ¶ 16; Phila. Com., ¶ 25.
Travelers Com., ¶ 17; Phila. Com., ¶ 26.
As a result of "these circumstances, as well as legal requirements governing such circumstances" the Insureds had to undertake their own investigations in order to comply with "applicable laws" and "numerous state and federal statutes and regulations." Compliance with these "various laws" required the Insureds to:
Travelers Com., ¶¶ 19, 21; Phila. Com., ¶¶ 28-30.
a. retain legal experts to assess and comply with their legal obligations;
b. retain computer experts to investigate the data breach as required under law and expected by regulators;
c. retain firms to draft, translate, print, and mail letters required under data breach notification laws and expected by regulators;
d. take other steps to respond to third-party inquiries, as expected by regulators; and/or
e. incur other costs for those parties whose data or materials they were maintaining, as required under various state laws and expected by regulators.
Travelers Com., ¶ 22; Phila. Com., ¶ 31.
The Insureds made claims under their policies with the Insurers for these expenses, which are described as crisis management, remediation expenses, and related additional expenses (the "Expenses"), which total more than $2.1 million.
The Insurers paid their Insureds' respective claims for the Expenses. Under the corresponding polices, each Insurer was subrogated to the rights of its Insureds to pursue claims the Insureds may have against Blackbaud. Thus, the Insurers, as subrogees, are plaintiffs in the actions.
III. Claims Asserted
A. Breach of Contract
According to the complaints, each Insured entered into an agreement with Blackbaud prior to the data breach in which Blackbaud agreed that it would maintain commercially reasonable security procedures and standards, and commercially reasonable security breach protocols and procedures, including notifying the Insured within 72 hours of discovery of a breach. Blackbaud allegedly also agreed:
a. not to disclose [the Insureds'] confidential information or materials to unauthorized third-parties;
b. to implement and maintain safeguards against threats or hazards to [the Insureds'] confidential information and materials; and/or
c. to protect against unauthorized access to (or use of) [the Insureds'] confidential information.
Travelers Com., ¶ 27; Phila. Com., ¶ 36.
Finally, Blackbaud agreed to perform these obligations "in a professional manner in accordance with industry standards."
Travelers Com., ¶ 31; Phila. Com., ¶ 40.
Blackbaud is alleged to have breached these agreements by failing to: (i) "adequately protect" the Insureds' "confidential information and materials"; (ii) "properly and adequately determine whether Blackbaud [] was susceptible to a data breach;" (iii) "maintain and monitor its own data security programs for intrusions;" (iv) "employ commercially reasonable security measures;" (v) "heed vendor announcements regarding the sunset of certain databases;" (vi) "remove old unused and obsolete data containing [the Insureds'] information" or encrypt such information; and (vi) failing to employ commercially reasonable security measures in accordance with industry standards.
Travelers Com., ¶ 32; Phil. Com., ¶ 42.
Finally, Blackbaud is alleged to have breached the agreements by "allowing access to and then disseminating" the Insureds' "confidential information and materials to third parties and permitting them to copy, reproduce and transfer such" confidential information.
Travelers Com., ¶ 33; Phil. Com., ¶ 43.
As a result of these alleged breaches, the Insurers seek to recover the Expenses from Blackbaud.
B. Tort Claims
Philadelphia Indemnity plaintiffs assert a negligence claim and both complaints assert a gross negligence claim. The claims are essentially identical, except that the gross negligence claims assert that Blackbaud's conduct was intentional and in reckless disregard of the consequences. Seeking to recover the same damages as the contract claims (i.e., the Expenses), the Insurers assert the same allegations against Blackbaud as they asserted in the breach of contract claims.
The Travelers complaint also asserts a count for misrepresentation. However, Travelers advised the Court that it is withdrawing that claim.
IV. Procedural Background
In each case, Blackbaud filed a Motion to Dismiss under Rule 12(b)(1) and a Motion for Judgment on the Pleadings under Rule 12(c). Blackbaud argues that the complaints should be dismissed under Rule 12(b)(1) because the Insurers lack standing to bring these claims. Even if the Insurers have standing, Blackbaud asserts that judgment should be entered in its favor under Rule 12(c) because the complaints fail to state a claim.
Analysis
I. Standing
A. The Parties' Contentions
Blackbaud argues that the Insurers lack standing because the complaints do not adequately allege an injury-in-fact. Blackbaud attacks the complaints as conclusory and vague, asserting that the alleged damages are self-inflicted costs the Insureds allegedly incurred to avoid some unidentified consequences for the Insureds' failing to comply with some unidentified legal obligations. Relying on Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013), Reilly v. Cerdian Corp., 664 F.3d 38 (3d Cir. 2011), and Abernathy v. Brandywine Urology Consultants, P.A., 2021 WL 211144 (Del. Super. Jan. 21, 2021), Blackbaud argues that the Insurers have not alleged a certainly impending injury because the Insureds' damages are too speculative. Stated differently, the Insurers do not allege damages that necessarily ¶ow from the alleged breaches.
The Insurers counter that the Insureds incurred concrete damages. While not in the complaints, the Insurers argue that the Insureds stored personal information of their donors on Blackbaud's servers. Once the Insureds received notice of a data breach from Blackbaud, the Insurers argue, the Insureds were required to investigate to comply with data breach notification laws and "regulators expectations." The Insurers do not identify any particular law with which the Insureds were required to comply or whose expectations they were attempting to satisfy (or why). The Insurers assert in their briefs that each state has data breach laws, and the Insureds were required to comply with such laws not only where the Insureds are located, but also in the many resident-states of the various donors. These laws vary greatly. For example, the Insurers cite to some states' laws which require notification when personal information such as social security number, driver's license number, health insurance information, or financial information have been accessed. Some states' laws require notification when there has been an unauthorized access to the information, while others require notification only where data has been exfiltrated. Finally, some states require notification only if there is a risk of harm to the individuals.
Answering brief in Travelers (D.I. 24) ("T-AB"), pp. 13-15; Answering brief in Philadelphia Indemnity (D.I. 16) ("P-AB"), pp. 13-15.
Because compliance with these laws is mandatory, the Insurers argue, the Insureds were required to conduct investigations and comply with their obligations under the state-specific laws. To conduct the investigations and comply with these laws, the Insureds had to hire forensic experts and lawyers. As a result of the investigations, some Insureds hired firms to send notices and respond to inquiries from impacted individuals and state regulators. The costs associated with these activities form the basis of the Insurers' damages, i.e., the Expenses.
The Insurers argued that if claims such as the claim asserted here are not permitted, it would set bad public policy because companies would be less likely to comply with the law if they are not certain that they will be reimbursed for expenses incurred in responding to a data breach notice. P-AB, p. 17; T-AB, p. 17. The Court disagrees. Companies should be incentivized to comply with the law simply because they are required to do so.
The Insurers argued that even if the Expenses are not "damages", the Insurers would be entitled to at least nominal damages for the breach of contract claim and thus, based on this alone, they have standing. The Insurers, however, are not seeking nominal damages for a breach. Thus, this argument is not persuasive and therefore, is rejected.
B. Standing Standard of Review
"Standing" refers to the right of a person to invoke jurisdiction of the Court to redress its grievance. "The issue of standing is concerned 'only with the question of who is entitled to mount a legal challenge and not with the merits of the subject matter of the controversy.'"
Albence v. Higgin, 295 A.3d 1065, 1086 (Del. 2022) (emphasis in original) (citation omitted).
Delaware generally follows the federal courts' requirements for establishing Article III standing, but is not bound by the federal rules of justiciability. Unlike the federal courts where "standing may be subject to stated constitutional limits," Delaware applies the "concept of standing as a matter of self-restraint to avoid the rendering of advisory opinions at the behest of parties who are 'mere intermeddlers.'" "Consequently, Delaware's courts may hear cases and controversies that the federal courts cannot."
Id.
Id. (cleaned up).
Id.; Continental Auto. Sys., Inc. v. Nokia Corp., 2023 WL 1370523, at *6 (Del. Ch. Jan. 31, 2023) ("a showing that satisfies the Article III requirements will establish standing under Delaware law. Failing to satisfy the requirements for Article III standing means that a court must determine whether standing nevertheless exists under Delaware law.").
The party invoking the jurisdiction of the Court has the burden of establishing its standing, which requires a plaintiff to show that: "(i) the plaintiff has suffered an 'injury-in-fact,' i.e., a concrete and actual invasion of a legally protected interest; (ii) there is a causal connection between the injury and the conduct complained of; and (iii) it is likely the injury will be redressed by a favorable court decision."
Albence, 295 A.3d at 1086 (citations omitted).
When a defendant argues that the Court would not have authority to grant the requested relief to any plaintiff, standing is analyzed under Rule 12(b)(1).However, where "the issue of standing is so closely related to the merits, a motion to dismiss based on lack of standing is properly considered under Rule 12(b)(6) rather than Rule 12(b)(1)."
In re Covid-Related Restrictions on Religious Services, 302 A.3d 464, 478 (Del. Super. 2023).
Appriva S'holder Litig. Co., LLC v. EV 3, Inc., 937 A.2d 1275, 1285-86 (Del. 2007); In re CovidRelated Restrictions, 302 A.3d at 478 (when the defendant is arguing that the court cannot grant relief to a plaintiff in a particular case because this particular plaintiff has not pleaded an essential element of the claim, the motion is properly decided under Rule 12(b)(6).).
C. Discussion
The parties spend much time discussing cases that address standing in "typical" data breach cases, in which individuals' or entities' own data has been compromised. In Reilly (3d Cir. 2011) and Abernathy (Del. Super.), the courts ruled that where hackers potentially gained access to personal or financial information but there were no allegations that plaintiffs' information was accessed and improperly used, the speculative threat of future improper use, without more, was insufficient to confer standing on the plaintiffs.
This is understandable because the complaints allege that the Insureds' information had been impacted by the breach. The Insurers did not reveal that it was the Insureds' donors' information at issue until they filed their answering briefs.
In Clemens v. ExecuPharm Inc. (relied on by the Insurers), the Third Circuit clarified that a hacking victim does not necessarily need to wait until the data is actually misused to gain standing. If a plaintiff can show a substantial risk of future harm which has caused additional current harm, a plaintiff has alleged a concrete injury and thus, established standing.
48 F.4th 146 (3d Cir. 2022).
Id. at 155-56.
While not a data breach case, in Clapper v. Amnesty Int'l USA, the claimants, attorneys and organizations whose work (they alleged) required them to engage in communications with foreign nationals which may be subject to surveillance under Foreign Intelligence Surveillance Act of 1978 ("FISA"), challenged the constitutionality of section 1881a of the act. The Supreme Court ruled that the claimants lacked standing because they could not show that there was an injury-in-fact as there was no imminent threat to interception of their communications with foreign nationals. The claimants' fear of communication interception was found to be highly speculative because before any communications could be intercepted, several safeguard and procedural hurdles would have to be cleared, including an Article III judge concluding that the proposed inception was consistent with Fourth Amendment protections.
Clapper, 568 U.S. 398 (2013).
Id. at 428-31.
These cases, focusing on the potential for future harm, are not helpful in analyzing whether the Insurers have standing. The Insurers are not asserting some future harm from the exfiltration of any particular data. Rather, upon receiving a data breach notice, the Insureds (or at least some of them) supposedly had an obligation to investigate and notify third parties of the Blackbaud data breach. The expenses associated with this process is what the Insurers are seeking to recover.
Because Blackbaud's challenge to the complaints focuses on the lack of factual allegations supporting the elements of the claims asserted, the challenges will be analyzed in the context of Rule 12 (b)(6).
Under Rule 12(b)(6), the Court: accepts as true all well-pled factual allegations; credits vague allegations as "well pleaded" if they give the opposing party notice of the claim; draws all reasonable inferences in favor of the non-moving party; and denies dismissal if there is a reasonably conceivable set of circumstances of recovery on the claim. Delaware's pleading standard is "minimal," but the liberal construction afforded to a claimant does not "extend to 'conclusory allegations that lack specific supporting factual allegations.'" Accordingly, the Court should dismiss a complaint if the plaintiff fails to make "specific allegations supporting each element of a claim or if no reasonable interpretation of the alleged facts reveals a remediable injury."
Blackbaud argues that the Insurers must provide "plausible" allegations to avoid dismissal. Blackbaud's Opening Brief in Travelers ("B-T OB") (D.I. 19), pp. 15, 22; Blackbaud's Opening Brief in Philadelphia Indemnity ("B-PI OB") (D.I. 14), pp. 15, 22. The Delaware pleading standard, however, is a more liberal "reasonably conceivable" standard, which the Court applies to the complaints. Cent. Mortg. Co. v. Morgan Stanley Mortg. Cap. Holdings LLC, 27 A.3d 531, 535, 536-37, n.13 (Del. 2011) (the "'conceivability' standard is more akin to 'possibility,' while the federal 'plausibility' standard falls somewhere beyond mere 'possibility' but short of 'probability.'").
Cent. Mortg. Co., 27 A.3d at 535.
Id. at 536-37, n.13; Surf's Up Legacy Partners, LLC v. Virgin Fest, LLC, 2021 WL 117036, at *6 (Del. Super. Jan. 13, 2021) (quoting Ramunno v. Cawley, 705 A.2d 1029, 1034 (Del. 1998)).
Axogen Corp. v. Integra LifeSciences Corp., 2021 WL 5903306, at *2 (Del. Super. Dec. 13, 2021) (citing Surf's Up Legacy Partners, LLC, 2021 WL 117036, at *6).
II. Motion for Judgment on the Pleadings
A. Choice-of-Law
i. The Parties' Contentions
Blackbaud tests the validity of the Insurers' claims under Delaware law, as there was no indication in the complaints that any other law might apply.
The Insurers object to the application of Delaware law, arguing that the Court must first determine which state's law applies before determining whether the complaints sufficiently plead the claims. To determine whether the complaints state a claim without first conducting a choice-of-law analysis, the Insurers assert, "would be premature" and would ignore the states that have "more relevant jurisdictional contacts." The Insurers do not suggest any particular state's law that should apply but survey multiple states' laws, without any analysis as to why they might apply here.
On their contract claims, the Insurers assert in their briefs that "all contracts identified to date" between Blackbaud and the Insureds provide that they are governed by New York law. The Insurers do not allege that New York law should apply to their contract claims, but assert that they should be entitled to proceed to discovery.
P-AB p. 7; T-AB p. 8.
Blackbaud responds that the complaints are so vague and conclusory that the Court should apply Delaware law. Additionally, New York law is not in conflict with Delaware law on the claims, and therefore, Delaware law applies in any event.
ii. Choice-of-Law Standards
The first step in a choice-of-law analysis under Delaware law is determine whether there is an actual conflict. To do so, Delaware courts "answer a single and simple inquiry: does the application of the competing laws yield the same result?"If yes, there is a "false" conflict and Delaware law will apply. If the answer is no, for tort claims, Delaware will then determine which jurisdiction has the most significant relationship, utilizing the factors set forth in Section 145 of the Restatement (Second) of Conflicts, and apply that state's law.
In re CVS Opioid Ins. Litig., 2022 WL 3330427, at *8 (Del. Super. Aug. 12, 2022) (citations omitted).
Dueley v. Dyncorp Int'l, Inc., 8 A.3d 1156, 1161 (Del. 2010).
Travelers Indemn. Co. v. Lake, 594 A.2d 38 (Del. 1991); Stillwater Mining Co. v. Nat'l Union Fire Ins. Co. of Pittsburg, Pa., 2021 WL 6068046, at *7 (Del. Super. Dec. 22, 2021). The court considers the following relevant contacts, as provided in Section 145: (a) the place where the injury occurred; (b) the place where the conduct causing the injury occurred; (c) the domicil, residence, nationality, place of incorporation and place of business of the parties; and (d) the place where the relationship, if any, between the parties is centered. Travelers Indemn. Co., 594 A.2d at 47. These contacts are to be evaluated according to their relative importance with respect to the particular issue. Id.
Where the parties agreed to the application of a state's law in their contract, Delaware courts are "strongly inclined" to respect the parties' freedom of contract and enforce the contract provision unless there is a strong overriding public policy interest at play. "[W]ith very limited exceptions, [Delaware] courts will enforce the contractual scheme that the parties have arrived at through their own selfordering, both in recognition of a right to self-order and to promote certainty of obligations and benefits."
Wind Point P'ners VII-A, L.P. v. Insight Equity A.P. X Co., LLC, 2020 WL 5054791, at *18 (Del. Super. Aug. 17, 2020).
Id. (citation omitted). If the contract does not contain a choice-of-law provision, Delaware courts will apply the Restatement (Second) of Conflicts § 188. SIGA Tech., Inc. v. PharmAthene, Inc., 67 A.3d 330, 342 (Del. 2013).
iii. Analysis
In their briefs, the Insurers admit that the contracts they have been able to locate thus far contain a New York choice-of-law provision. Curiously, the Insurers then argue that this choice-of-law provision has no bearing on the motions.
Blackbaud argues that if New York law does not apply, Delaware law should be applied here because the Insurers chose this forum, and they provided no choice-of-law analysis.
The Insurers have provided no reason why the Court should not apply New York law to the breach of contract claims. Whether New York or Delaware law applies, the result would be the same because these states' laws are not in conflict.
Whether New York law would apply to the tort claims may depend on the scope of the choice-of-law provision. Some choice-of-law provisions are broad enough to cover tort claims that arise out of the parties' relationship. The Insurers did not give the Court the benefit of reviewing the contractual language because they have not submitted a copy of the contracts (or even an exemplar) to the Court.
Relying on Abry Partners V L.P. v. F&W Acquisition LLC, 891 A.2d 1032 (Del. Ch. Feb. 14, 2006), Blackbaud argues that a contractual choice-of-law provision will apply to tort claims as well. The court's ruling in Abry Partners, however, was limited to tort claim arising out of a challenge to the enforcement of the contract. The tort claims here would need to be analyzed separately from the contract claims.
See Gloucester Holdings Corp. v. U.S. Tape and Sticky Products, LLC, 832 A.2d 116, 124 (Del. Ch. 2003) (a choice-of-law provision that provides the chosen state's law applies to claims that arise out of or relate to the agreement are broad enough to apply to tort claims, whereas a clause that applies to the "rights of the parties" will not extend to tort claims); ETC Northeast Pipeline, LLC v. Associated Electric & Gas Ins. Svs. Ltd., 2023 WL 6441815, at *2 (Del. Super. Sept. 5, 2023) (recognizing that New York law provides that a contractual choice-of-law provision that applies to disputes "relating to" the contract is broad enough to apply to tort claims).
Under a tort choice-of-law analysis, the Court would have to weigh the four Restatement factors. There are cases where the determination of choice-of-law is premature without the benefit of some discovery, but where, as here, the complaints contain such vague and conclusory allegations that the most basic elements of the claims are not supported by basic factual allegations, the Court is going to apply Delaware law. Otherwise, a plaintiff could allege conclusory allegations, which do not satisfy Rule 8's pleading standards and be permitted to proceed to discovery. Before a plaintiff is permitted to proceed to discovery, it must first satisfy the minimal obligations of Rule 8.
See Soares v. Continental Motors, Inc., 2021 WL 6015701, at *1, 11 (Del. Super. Dec. 17, 2021) (finding that further discovery was required before a choice-of-law determination was appropriate).
B. Rule 12(c) Standard of Review
Under Superior Court Rule 12(c), the Court is required to accept as true the well-pled facts alleged in the complaint and draw all reasonable inferences in favor of the non-moving party. The Court will not, however, "rely upon conclusory allegations ... [and] neither inferences nor conclusions of fact unsupported by allegations of specific facts ... are accepted as true."
Rule 12(c) provides:
After the pleadings are closed but within such time as not to delay the trial, any party may move for judgment on the pleadings. If, on a motion for judgment on the pleadings, matters outside the pleadings are presented to and not excluded by the Court, the motion shall be treated as one for summary judgment and disposed of as provided in Rule 56, and all parties shall be given reasonable opportunity to present all material made pertinent to such a motion by Rule 56.
Festival Fun Parks, LLC v. MS Leisure Co., 2023 WL 8714994, at *4 (Del. Super. Dec. 18, 2023).
Id. (citation omitted); Bay Point Capital P'ners L.P. v. Fitness Recovery Holdings, LLC, 2021 WL 5578705, at *4 (Del. Super. Nov. 30, 2021) ("The Court accords the party opposing a Rule 12(c) motion the same benefits as a party defending a motion to dismiss under Rule 12(b)(6)").
C. Breach of Contract i. The Parties' Contentions
Blackbaud asserts that the contract claims fail for at least three reasons: (i) the Insurers failed to identify the contracts at issue or the specific contract provisions that were allegedly breached; (ii) the complaints allege no facts supporting the conclusory allegations that the contracts wer breached; and (iii) the complaints fail to identify a cognizable harm.
The Insurers counter that the complaints identify the contractual provisions at issue. Quoting the complaints, the Insurers assert that the following contract provisions were breached:
- "to not disclose Plaintiffs' insured's confidential information or materials to unauthorized third-parties;"
- "to implement and maintain safeguards against threats or hazards to Plaintiffs' insureds' confidential information and materials;"
- "to protect against unauthorized access to (or use of) Plaintiffs' insureds' confidential information."
- "[to] maintain commercially reasonable information security procedures and standards."
- "it had implemented commercially reasonable policies and procedures addressing potential security breaches, including the reporting to each insured (within 72 hours of discovery) of any security breach."
- "to indemnify and defend the insureds against any third-party claims arising from its gross negligence or willful misconduct."
- "performance _ in a professional manner in accordance with industry standards."
Travelers Com. ¶¶ 27-31; Phila. Com. ¶¶ 36-40.
Blackbaud is alleged to have breached these provisions by failing to:
"properly and adequately determine whether Blackbaud was susceptible to a data breach;" "properly maintain and monitor its own data security programs for intrusions;" "remove old unused and obsolete data containing the insured's information and materials, or to encrypt such information;" "heed vendor announcements regarding the sunset of certain databases, leaving client information on older databases that were more vulnerable to cyberattack;" and "employ commercially reasonable security measures that met industry standards."
Travelers Com. ¶ 32; Phila. Com. ¶ 42.
The Insurers argue that they have alleged cognizable damages because the Expenses were incurred in complying with "mandatory legal requirements."
P-AB, p. 22; T-AB, p. 22.
ii. Analysis
To adequately plead a claim for breach of contract, a plaintiff must allege "(1) the existence of a contract; (2) that the contract was breached; and (3) damages suffered as a result of the breach." Each element must be supported by specific factual allegations; conclusory statements are insufficient. Additionally, generally referring to a contract will not sustain a claim. "A party must identify the particular contractual terms that were breached."
Khushaim v. Tullow Inc., 2016 WL 3594752, at *3 (Del. Super. June 27, 20216); Patriarch P'ners LLC v. Zohar CDO 2003-1 LLC, 2017 WL 2643972, at *1, n.3, 165 A.3d 288 (TABLE) (Del. 2017) (same) (applying New York law).
Festival Fun Park, 2023 WL 8714994, at *4.
Marydale Preservation Associates, LLC v. Leon N. Weiner & Associates, Inc., 2022 WL 4446275, at *17 (Del. Super. Sept. 23, 2022); Clifden Futures, LLC v. Man Financial, Inc., 858 N.Y.S.2d 580, 583-84 (N.Y. Sup. Ct. 2008) ("The pleadings must be sufficiently particular to give the court and [the] parties notice of the transaction, occurrences, or series of transactions or occurrences, intended to be prove as well as the material elements of each cause of action or defense." (quoting Atkins v. Mobil Oil Corp., 614 N.Y.S.2d 36 (2d Dep't 1994) (citation omitted)).
The Insurers assert breach of contract claims as subrogees for 104 Insureds. The Insureds are alleged to have entered into "agreements" and "contracts" with Blackbaud. The Insurers did not attach the contracts (or even an exemplar) to the complaints or their briefs. The provisions to which the Insurers cite are not in all the contracts. As the Insurers admit in their answering briefs, they do not even have all the contracts under which they are suing. The Insurers state that "all the contracts identified to date" between the Insureds and Blackbaud contained a New York choice-of-law provision. Thus, the Insurers' conclusory allegations that each Insured entered into a contract containing the promises alleged is insufficient to satisfy the pleading requirements.
P-AB, p. 7; T-AB, p. 8.
"At the pleading stage of a written contract dispute, Rule 8 requires the plaintiff to take the basic and customary step of producing the agreement and citing the provisions alleged to have been breached. Failure to do so 'is not a technical foot fault; it reflects, instead, a fundamental failure to give the [defendant] fair notice of the claim asserted against [him] as required by [] Rule 8.'"
Enzolytics, Inc. v. Empire Stock Transfer Inc., 2023 WL 2543952, at *3 (Del. Ch. Mar. 16, 2023) (quoting Ryan v. Buckeye P'ners, L.P., 2022 WL 389827, at *6 (Del. Ch. Feb. 9, 2022), aff'd, 285 A.3d 459 (Del. 2022) (TABLE)).
The complaints also fail to allege specific facts supporting the allegations that the contracts were breached. The complaints assert certain promises that some contracts may contain, such as to implement and maintain safeguards against threats or hazards, to use procedures and standards to protect against security breaches in accordance with industry standards, and to protect against unauthorized access to confidential information. But the complaints do not allege facts of how these alleged promises were breached. The complaints allege in conclusory fashion that Blackbaud failed to maintain and monitor its systems and failed to use commercially reasonable security measures, but the Insurers never describe what those standards are or why Blackbaud's conduct failed to meet those standards. For example, the complaints allege "Blackbaud breached its agreements and its duties by failing to comply with its obligations under its contracts, as well as under certain statutes and regulations, before, during and after the incident." This circular allegation is insufficient. The complaints never identify the statutes and regulations under which Blackbaud had obligations and never identify what "regulators' expectations" they supposedly had to comply with or why such compliance was even necessary.
The complaints also allege that Blackbaud agreed in the contracts to indemnify the Insureds from liability from third-parties. Phila. Com., ¶ 39; Travelers Com., ¶ 30. But the complaints contain no factual allegations that any Insured was subjected to (or even threatened with) a third-party claim. Similarly, the complaints allege that Blackbaud "may have failed" to name one or more of the Insureds as an "additional insured" on Blackbaud's insurance policies as "possibly required" under "one or more of its contracts." Phila. Com., ¶ 32; Travelers Com., ¶ 23. Neither of these assertions is supported by factual allegations. Accordingly, the complaints fail to state a claim based on these alleged breaches.
Phila. Com., ¶ 24; Travelers Com., ¶ 15 ("a third party was able to readily bypass Blackbaud's substandard security" and deploy ransomware); Phila. Com., ¶ 18; Travelers Com., ¶ 27 ("Blackbaud failed to maintain adequate security").
Phila. Com., ¶ 29; Travelers Com., ¶ 20.
Although the complaints allege that Blackbaud failed to remove unused and obsolete data containing the Insureds' unidentified information, they do not allege how this was a breach of the contracts or if it was, which of the 104 contracts were breached. Similarly, Blackbaud is alleged to have failed to heed "vendor announcements" regarding certain databases. But again, the complaints are devoid of any factual allegations that Blackbaud was required to heed these unidentified vendor announcements and even if so, how this alleged failure resulted in a breach of contractual duties.
Essentially, the complaints allege there were contracts which required Blackbaud to protect unidentified information belonging to unidentified persons, a data breach occurred resulting in the attackers "gaining access to numerous [Insureds'] data, information and/or materials" and therefore the Insurers conclude, Blackbaud breached the contracts. This is insufficient. Indeed, as the Insurers admit, not even all of the Insureds (or their donors') had their information accessed.
Further, the complaints fail to sufficiently allege that the breaches were the proximate cause of the alleged damages (the Expenses). The complaints allege that the Insureds stored "important and private information and documents" on Blackband's servers, that the hackers gained access to "numerous [I]nsureds' data, information and/or material" and as a result of "these circumstances, as well as legal requirements governing such circumstances," the Insureds had to undertake their own investigations. Because the Insureds had to comply with "these various laws," they incurred the Expenses. However, the Insurers never identify these "various laws." As the Insurers acknowledge in the answering briefs, data breach laws "differ greatly." The statutes' requirements depend on the type of information was breached; some may require notifications, some may not. Additionally, some states require notification where there has been an unauthorized access and others require notification only when there is a risk of harm to the individual. The Insurers cite examples of Kansas (requiring notification if the breach involved social security numbers, driver's license number, or financial information) and California (requiring reporting if health insurance or biometric data is accessed) but the Insurers do not show how these state's laws have any application here.
Phila. Com., ¶¶ 28, 30; Travelers Com., ¶¶ 19, 21 ("The [I]nsureds were required to comply with numerous state and federal statute and regulations...").
P-AB, p. 13; T-AB, p. 13.
Some states require notice if there has been accessed to defined personal information, while others require notification only if the personal information has been exfiltrated. P-AB, p. 14; TAB, p. 14.
P-AB, p. 14; T-AB, p. 15, citing Conn. Gen. Stat. § 36a-701(b)a(1) and Ala Code § 8-38-6(a).
P-AB, p. 13; T-AB, p. 14, citing Kan. Stat. § 50-7a01(g).
Id., citing Cal. Civ. Code § 1798.82(h).
Moreover, the Insurers failed to allege facts to show that the Expenses incurred by any of the 104 Insureds in reviewing legal requirements (and/or sending notices) were proximately caused by Blackbaud's breach of contract. The complaints do not identify the type of information that allegedly triggered the legal obligation to conduct an investigation or that information stored by the Insureds belonged to third-parties. The Insureds allegedly hired legal experts to review applicable laws to determine whether the Insureds had to take further action and some of the 104 Insureds were required to provide notices. However, other than the timing of this legal review, the complaints do not allege facts to show that but for the breach, the legal expenses would not have been incurred. The Insureds may have undertaken this work after receiving a breach notice, but the timing alone is insufficient.
The answering briefs assert that the Insureds hired forensic experts to "determine what type of data was breached, whose data it was, where the individual owners of such data resided, and what was done with the data." P-AB, p. 16; T-AB, p. 16.
P-AB, p. 16; T-AB, p. 17 (the Insureds "paid legal experts to interpret the [I]nsureds' obligations .. pursuant to the various state data breach notification laws ... Some [of the Insureds] then incurred expenses complying with their legal obligations ....").
Without supporting facts, the conclusory allegations in the complaints fail to state a claim for breach of contract.
D. Negligence
i. The Parties' Contentions
Blackbaud argues that the Insurers' tort claims fail for three reasons: (i) the complaints fail to plead the existence of a legal duty; (ii) the Insurers failed to plead negligence with particularity; and (iii) the negligence claims are barred under the economic loss doctrine or due to impermissible bootstrapping.
Citing no authority, the Insurers counter that there is no requirement to plead the existence of a legal duty. Even if such a requirement exists, the Insurers argue, their allegation that Blackbaud undertook the obligation to protect information known to be confidential and "protected under the law" and had the "common law duty to properly safeguard" the information, is sufficient. The Insurers again raise the argument that the Court cannot decide whether the complaints state a claim without first making a choice-of-law determination as the claims they assert are valid under some states' laws and not barred by the economic loss doctrine.
The Insurers also argue that they have satisfied the particularity requirement by pleading that "Blackbaud knowingly undertook an obligation to protect information and materials of third-parties and the [I]nsureds known to be confidential and protected under the law, and in turn took on a common law duty to properly safeguard and protect such information and materials."
Phila. Com., ¶ 46; Travelers Com., ¶ 38.
ii. Analysis
To state a claim for negligence, a plaintiff must allege (i) a duty that is owed to plaintiff; (ii) defendant breached that duty; and (iii) as a proximate cause of the breach, plaintiff suffered damages. Gross negligence is a higher standard of negligence, representing an extreme departure from the standard of care. "When evaluating whether a defendant's conduct constitutes gross negligence, this Court conducts an assessment of the 'reasonableness of a defendant's actions given the conditions at that time and not whether hindsight would shed more light upon whether any conditions could have served as red flags.'"
Russell v. K-Mart Corp., 761 A.2d 1, 5 (Del. 2000). The standard is the same under New York law. See Solomon v. City of New York, 499 N.Y.2d 392 (N.Y. Sup. Ct. 1985).
Browne v. Robb, 583 A.2d 949, 953 (Del. 1990).
Ward v. Del. State Police, 2022 WL 351205, at *7 (Del. Super. Feb. 4, 2022) (citation omitted); J.L. v. Barnes, 33 A.3d 902, n.77 (Del. Super. 2011) ("In order for a plaintiff to plead gross negligence with the requisite particularity, the plaintiff must articulate 'facts that suggest a wide disparity between the process [ ] used ... and that which would have been rational.'") (citation omitted).
Under Rule 9(b), allegations of negligence must be plead with particularity. "The purpose of the Rule's particularity requirement is to: '(1) provide defendants with enough notice to prepare a defense; (2) prevent plaintiffs from using complaints as fishing expeditions to unearth wrongs to which they had no prior knowledge; and (3) preserve a defendant's reputation and goodwill against baseless claims.'"Generally, a claim of negligence or gross negligence satisfies Rule 9(b) when it advises the defendant "'(1) what duty, if any, was breached; (2) who breached it; (3) what act or failure to act breached the duty; and (4) the party upon whom the act was performed. '" While Delaware courts apply a more relaxed standard of particularity when the factual information is in the opposing party's possession, a complaint cannot rely on conclusory allegations.
Cantatore v. Univ. of Del., 2021 WL 2745107, at *2 (Del. Super. June 30, 2021) (citation omitted).
Greenfield for Ford v. Budget of Del. Inc., 2017 WL 729769, at *2 (Del. Super. Feb 22, 2017) (quoting Murphy v. Bayhealth Med. Ctr., 2006 WL 509544, at *3 (Del. Super. Jan. 9, 2006) (citation omitted)); See also Rinaldi v. Iomega Corp., 1999 WL 1442014, at *7 (Del. Super. Sept. 3, 1999) ("When pleading negligence, plaintiffs have to meet the heightened standard of Rule 9(b), and must specify a duty, a breach of the duty, who breached the duty, what act or failure to act caused the breach, and the party who acted.") (emphasis added).
Morra v. 700 Marvel Road Operations, LLC, 2023 WL 5406163, at *4 (Del. Super. Aug. 21, 2023).
To state a claim, the Insurers must identify the duty allegedly owed by Blackbaud. Blackbaud informed the Court that it found no Delaware case recognizing a common law duty to protect confidential information. The Insurers responded that just because Blackbaud was unable to find any such case, does not mean that no such duty exists. That may be true, but the Insurers do not identify a Delaware (or New York) common law duty.
T-OB, p. 26; P-OB, p. 26.
P-AB, p. 24; T-AB, p. 24.
The Insurers assert that a common law duty to protect confidential information is recognized under Massachusetts law and South Carolina law, where a class action is pending against Blackbaud arising out of the data breach. The South Carolina court, however, applied South Carolina law at the motion to dismiss stage because, as here, the parties did not have or present facts sufficient for the court to conduct a choice-of-law analysis. Thus, at this stage of the cases, the South Carolina case supports the application of Delaware law, not South Carolina law. The South Carolina court, applying a lex loci delicti choice-of-law analysis, later determined that Massachusetts law applied to the data breach case. Of course, Delaware applies the Restatement (Second) of Conflicts choice-of-law analysis. Therefore, the Court is not persuaded that Massachusetts law should apply.
In re Blackbaud, Inc. Customer Data Breach Litig., 567 F.Supp.3d 667, 676-77 (D.S.C. 2021) ("Because it is presently unclear where the [data] breach occurred, the court will apply South Carolina law with respect to Plaintiffs' common law claims for negligence, gross negligence, and negligence per se.").
In re Blackbaud, Inc. Customer Data Breach Litig., 2022 WL 2314714 (D.S.C. June 28, 2022).
Even if a common law duty exists, the complaints fail to plead the negligence claims with particularity. Just as they did in the breach of contract claims, the complaints plead the negligence claims in conclusory fashion. The complaints allege that Blackbaud failed to: (i) remove obsolete data; (ii) adequately determine that it was susceptible to an attack; (iii) maintain and monitor its security programs; (iv) heed vendors' announcements; and (v) employ commercially reasonable security measures that met industry standards. The complaints do not allege facts of what duty was breached or what act breached the duty. Again, the complaints essentially allege that an attack occurred and therefore Blackbaud must have been negligent.
Further, the complaints fail to allege facts supporting the allegation that Blackbaud was grossly negligent. The Insurers argue that merely by the amount of confidential data stored by Blackbaud, the fact that it suffered a data breach when it was at a heightened risk of attack, constitutes gross negligence. This conclusory allegation, however, is insufficient.
P-AB, p. 27; T-AB, p. 27.
Finally, just as with the contract claims, the complaints fail to allege facts to support the conclusion that the damages (the Expenses) were the proximate result of the alleged breaches.
Accordingly, the complaints fail to state a claim for negligence, let alone gross negligence.
Conclusion
The complaints fail to state a claim for breach of contract, negligence, or gross negligence. Therefore, the Court need not address whether the negligence claims are barred by the economic loss doctrine or bootstrapping. Similarly, the Court need not address whether the Insurers properly asserted a claim for attorneys' fees.
Because the complaints failure to state a claim under Rule 12(b)(6), judgment on the pleadings is entered in favor of Blackbaud.
IT IS SO ORDERED.