Court Rulings Shape Subrogation Rights in Cybersecurity Breaches: Key Cases Define Vendor Liability
Two recent court decisions (Axis Insurance Company v. Barracuda Networks, Inc. (2025) and Travelers Casualty and Surety Company of America v. Blackbaud, Inc. (2026)) have clarified the limits of insurers’ subrogation rights against vendors following data breaches, with outcomes hinging on contractual relationships and legal standing.
Axis v. Barracuda: No Privity, No Subrogation
In Axis v. Barracuda, the U.S. First Circuit Court of Appeals ruled on November 20, 2025, that insurer Axis could not pursue subrogation against Barracuda Networks after a breach exposed Zoll Medical Corporation’s customer data. The case stemmed from a 2023 incident where Barracuda’s email archiving service, used by Zoll’s vendor Fusion LLC, was compromised. Zoll settled a class-action lawsuit from affected customers and sought recovery from Fusion and Barracuda.
The court rejected Axis’s equitable indemnification claim, finding no direct or vicarious contractual relationship between Zoll and Barracuda, only a chain of independent contracts (Zoll-Fusion, Fusion-Barracuda). Without privity, the court ruled that equitable indemnification, a narrow remedy, could not reallocate risk post-breach. The First Circuit also dismissed Axis’s breach-of-contract claim, affirming that Fusion failed to meet a contractual condition precedent (a liability-limiting provision) and that Barracuda’s lack of audit obligations did not waive this defense. Similarly, Axis’s claim for breach of the covenant of good faith failed, as Fusion had not negotiated protections for breach scenarios.
Travelers v. Blackbaud: Direct Contracts Enable Subrogation
In contrast, the Delaware Supreme Court ruled on February 13, 2026, in Travelers v. Blackbaud that insurers could proceed with subrogation claims against the software provider. Blackbaud, which provided donor management services to nonprofits, suffered a 2020 ransomware attack but offered clients only a self-remediation "toolkit" instead of direct support. Insurers, including Travelers, covered their policyholders’ incident response costs (legal fees, notifications, credit monitoring) and sued Blackbaud for recovery.
The lower court dismissed the case, citing insufficiently pleaded aggregate claims under New York law. However, the Delaware Supreme Court overturned the decision, finding that the insurers had adequately alleged breach of contract. Unlike Axis, the insureds had direct contracts with Blackbaud, giving insurers standing to pursue subrogation. The court emphasized that Blackbaud could address individual claims through discovery, and that foreseeable breach-related costs (e.g., remediation expenses) constituted recoverable damages.
Key Takeaways: Contracts Determine Liability
The rulings underscore a critical distinction: subrogation claims against vendors require a direct contractual relationship between the insured and the breached party. In Axis, the lack of privity doomed the claim, while Travelers succeeded because the insureds’ contracts with Blackbaud established clear liability pathways. Both decisions reinforce that:
- Equitable indemnification is unavailable without a direct or derivative contractual link.
- Breach-of-contract claims hinge on compliance with contractual terms, including conditions precedent.
- Aggregate subrogation may proceed if insurers plead sufficient facts, as seen in Travelers.
The cases signal that cyber insurers and policyholders must scrutinize vendor contracts for liability clauses, indemnification rights, and subrogation waivers to mitigate exposure in breach scenarios.
Source: https://www.carriermanagement.com/features/2026/04/22/287107.htm
Blackbaud cybersecurity rating report: https://www.rankiteo.com/company/blackbaud
Barracuda cybersecurity rating report: https://www.rankiteo.com/company/barracuda-networks
ZOLL Medical Corporation cybersecurity rating report: https://www.rankiteo.com/company/zoll-medical-corporation