Delaware Supreme Court Reverses, Holds Cyber Insurers Sufficiently Pled Collective Subrogation Claim Resulting from Data Breach

Reversing the decision below, the Delaware Supreme Court held that a group of cyber liability insurers sufficiently pled a complaint for subrogation based on breach of contract. Travelers Cas. & Sur. Co. of Am. v. Blackbaud, Inc., 2026 WL 410048 (Del. Feb. 13, 2026). In so finding, the court determined that insurers may plead subrogation claims in the aggregate and that the complaint sufficiently pled facts raising a reasonable inference of proximate cause.

The insurers provided cyber insurance to several education and non-profit insureds that used the defendant software company’s data hosting services. After the defendant software provider suffered a ransomware attack, it initially told the insureds that none of their clients’ personal information was accessed by the cybercriminals, filing a Form 10-Q characterizing the theft of sensitive information as merely hypothetical.

Shortly thereafter, however, the defendant software provider disclosed that the cybercriminals may have accessed personal information, such as bank account information and social security numbers. As a result of the defendant’s alleged failure to properly address the cyberattack and conduct an adequate investigation, the insureds were required to undertake their own response efforts, incurring costs such as legal counsel, computer forensics, and notice obligations. The insurers then filed a collective subrogation action, alleging that the defendant software provider breached its contracts with the insureds. After the Superior Court dismissed the insurers’ complaint with prejudice, they appealed.

In reversing, the Delaware Supreme Court held that the insurers sufficiently pled their breach of contract action under Delaware’s pleading requirements. Specifically, the court determined that the fact that the insurers pled their subrogation claim against the software provider in the aggregate did not change the fact that they sufficiently pled that their insureds had a contract with the defendant, complied with their obligations under the contract, had the contract breached by defendant, and were subsequently damaged by such breach. The Supreme Court rejected the Superior Court’s reasoning that, by pleading their subrogation claim in the aggregate, the insurers failed to adequately plead with respect to each individual insured the facts of the data breach, the specific obligations the insured had to satisfy, and the types of expenses each insured allegedly incurred. Rather, the Supreme Court ruled that the insurers only needed to identify their insureds and the shared commonalities between them that could satisfy the pleading requirement. The specifics as to each insured were a matter for discovery.

The Supreme Court also held that the insurers adequately pled proximate cause. The complaint alleged that the defendant software provider breached multiple provisions in the contracts and shifted the mitigating responsibilities onto the insureds, thus forcing them to incur costs to investigate and remediate the damage caused by the data breach. Because these allegations raised a reasonable inference that the insureds’ damages were proximately caused by the defendant’s breach, the court held that the insurers sufficiently pled this element.