Table of Contents >> Show >> Hide
- What Happened: The Blackbaud Cyber Event in Plain English
- The Ruling: Where the Insurers’ Case Ran Into a Wall
- Why This Is Bigger Than Blackbaud
- The Vendor Contract Gaps That Wreck Cyber Recovery
- Gap #1: “Commercially reasonable” security with no measurable standards
- Gap #2: Vague incident-notification duties
- Gap #3: No obligation to provide what you need for notifications
- Gap #4: Liability caps that don’t match cyber reality
- Gap #5: Consequential-damages waivers that swallow response costs
- Gap #6: No indemnity for third-party privacy claims (or a very narrow one)
- Gap #7: Subrogation-unfriendly language and anti-assignment clauses
- Specific Example: When Contract Specificity Changes the Outcome
- How to “Insurance-Proof” Your Vendor Agreements
- A Fast Procurement Checklist (Because Nobody Has Time)
- What Insurers and Brokers Should Take From This
- Conclusion: Your Vendor Contract Is Part of Your Incident Response Plan
- Experiences From the Field: What Organizations Commonly Run Into After a Vendor-Linked Breach
- Experience 1: The first 72 hours are a contract scavenger hunt
- Experience 2: The cost pile grows faster than the fact pile
- Experience 3: “Consequential damages” becomes the phrase everyone hates
- Experience 4: Insurance pays, but recovery is an uphill climb
- Experience 5: Renewals become “contract rehab” projects
If you’ve ever signed a vendor contract without reading the “Limitations of Liability” section, congratulations:
you are statistically normal. Unfortunately, cyber incidents don’t care about statistics. They care about paperwork.
And one recent set of court rulings tied to the 2020 Blackbaud ransomware event put a bright, blinking spotlight on a
truth risk managers, brokers, and in-house counsel have been muttering for years:
your cyber claim may be real, your costs may be real, but your vendor contract might make recovery… not real.
The big takeaway isn’t “never trust vendors” (you’d have to go live in a cabin with a rotary phone).
The takeaway is simpler and more useful: vendor contracts often contain gaps that swallow cyber lossesespecially
when insurers later try to recoup payouts through subrogation. The Blackbaud rulings show how those gaps can turn a clean,
logical “they caused it, they pay it” story into a legal shrug.
What Happened: The Blackbaud Cyber Event in Plain English
Blackbaud is a major provider of fundraising and donor-management tools used by nonprofits, schools, healthcare systems,
and other mission-driven organizations. In 2020, a ransomware attacker accessed certain Blackbaud environments, and data
tied to thousands of customer organizations was affected. Blackbaud later disclosed the incident publicly and provided
customers information and a “toolkit” to help them assess whether they needed to notify individuals or regulators.
For the organizations that relied on Blackbaud, the immediate crisis wasn’t just “did data leave the building?”
It was also “what data,” “whose data,” and “what laws now apply?” Those questions trigger a very expensive chain reaction:
forensic investigation, specialized legal advice, breach notification analysis, customer communications, call centers,
credit monitoring, and sometimes regulatory reporting. In cyber terms, this is the “response-cost snowball.”
Why this matters to cyber claims
Cyber insurance often helps cover response costs. But insurers (and insureds) frequently assume that if a vendor’s security
failure contributed to a breach, the vendor will reimburse those costsor the insurer can pursue reimbursement later.
That assumption collides with a hard reality: vendor contracts can block recovery even when the incident is undeniable.
The Ruling: Where the Insurers’ Case Ran Into a Wall
After paying claims related to response costs, insurers sued Blackbaud as subrogees of their insured customers (meaning:
stepping into the insureds’ shoes to pursue the insureds’ rights). The court dismissed the insurers’ amended complaints
(with prejudice at the trial level) for multiple reasons thatwhen translated out of legalesesound like a contract
negotiation checklist.
1) “You can’t lump everyone together”
The insurers attempted to pursue many subrogation claims at once. The court faulted the pleadings for failing to provide
insured-specific factual allegationssuch as what data each insured stored, what obligations that data triggered, and
how exactly the vendor’s alleged contract breach caused the particular expenses.
2) “Show me the causal chain”
It wasn’t enough to say “breach happened” and “money was spent.” The pleadings needed a tighter link between specific
contractual duties and the response costs. If the contract did not clearly require the vendor to pay for the type of
work performed (like broad post-incident legal research across jurisdictions), the claim struggled to get traction.
3) “Your contract may call these costs ‘consequential’”
Many vendor agreements contain waivers of consequential damages and tight caps on liability. In cyber disputes,
a big fight is whether response costs are “direct” damages (potentially recoverable) or “consequential” damages
(often waived). The Blackbaud contracts at issue contained risk-allocation language that became central to the dispute.
4) “Assignment and consent clauses can complicate who can sue”
Some contracts restrict assignment of rights without the vendor’s consent. That matters when an insurer tries to recover
deductibles or pursue certain rights that depend on valid assignment. If the contract says “no assignment without written
consent,” that sentence can turn into a full-blown litigation trapdoor.
The headline lesson: even when insurers pay legitimate cyber claims, subrogation is only as strong as the underlying
customer-vendor contractand courts can be unforgiving when pleadings don’t map each insured’s facts to each contractual term.
Why This Is Bigger Than Blackbaud
Blackbaud is a useful case study because it sits at the intersection of three trends:
- Vendor dependency: organizations outsource critical systems to SaaS and managed providers.
- Ransomware economics: response costs can dwarf the actual ransom demand.
- Insurance scrutiny: carriers are under pressure to control severity and seek recovery where possible.
Put those together and you get a new normal: contracts that once lived quietly in procurement folders now matter in
claim outcomes. Not because courts suddenly love reading Master Service Agreementsbut because cyber losses increasingly
flow through third-party relationships.
The Vendor Contract Gaps That Wreck Cyber Recovery
Let’s talk about the usual suspectsthe clauses that look harmless during onboarding and look catastrophic during incident response.
Gap #1: “Commercially reasonable” security with no measurable standards
“Commercially reasonable security” sounds comforting until you try to prove what it means. Without a defined baseline
(for example, specific controls, audit frameworks, or clear service commitments), the argument becomes a battle of
experts and adjectives.
Fix: tie security obligations to concrete requirements: encryption expectations, MFA, logging/monitoring,
vulnerability management timelines, access controls, and secure development practices. You don’t need to write a novel,
but you do need something a judge can recognize as a commitment rather than a vibe.
Gap #2: Vague incident-notification duties
Many contracts promise notice “promptly” or “as soon as practicable,” sometimes with a timeline (like 72 hours).
But they often fail to define what notice includesscope, indicators, impacted systems, data elements, and the vendor’s
level of confidence. In practice, customers can receive an early message that’s technically “notice” but operationally useless.
Fix: require structured notice elements: what happened, when it was discovered, what systems are affected,
what data categories may be involved, what steps are being taken, and when the next update will arrive.
Gap #3: No obligation to provide what you need for notifications
Notification obligations often depend on whether protected data was accessed and which individuals were impacted.
If the vendor controls key logs and data inventories but does not commit to providing actionable reporting,
the customer may be forced to investigate independentlyexpensive, slow, and messy.
Fix: build in cooperation duties: log preservation, forensic support, timely reporting, and the ability
to identify impacted individuals when feasible. If your organization is regulated (healthcare, education, finance),
make sure the contract speaks directly to those obligations.
Gap #4: Liability caps that don’t match cyber reality
A common structure is “fees paid in the last X months” or a small fixed cap. For many SaaS products, the annual spend is
tiny compared to breach response costs. That means the contract can convert a seven-figure incident into a five-figure recovery.
Fix: negotiate a higher cap for security incidents, or at least carve out certain losses:
regulatory fines (where insurable), breach notification costs, credit monitoring, and third-party claims. If the vendor won’t move
the cap, consider requiring higher insurance limits and stronger cooperation terms so you’re not left holding the bill.
Gap #5: Consequential-damages waivers that swallow response costs
Vendors often disclaim “indirect, special, incidental, consequential” damages. In cyber disputes, the vendor may argue that
forensic consulting, legal review, notification analysis, and remediation are “consequential” because they arise as downstream
effects of the incident, not as direct failure-to-deliver fees.
Fix: define certain cyber-related costs as recoverable “direct” damages for purposes of the agreement,
or explicitly exclude them from the consequential-damages waiver. This is one of the most importantand most overlookedmoves.
Gap #6: No indemnity for third-party privacy claims (or a very narrow one)
If your customers, donors, students, or patients sue you after a vendor-related breach, you want the vendor contract to address
who carries that litigation risk. Many vendor agreements offer limited indemnity (often just for IP infringement) and dodge
privacy claims entirely.
Fix: pursue indemnification for third-party claims arising from the vendor’s security failure or breach of
confidentiality obligations. At minimum, insist on defense cooperation and cost-sharing triggers.
Gap #7: Subrogation-unfriendly language and anti-assignment clauses
Cyber insurance works best when the insured can transfer or share rights needed to pursue recovery. But contracts can restrict
assignment, require vendor consent, or contain procedural hurdles that make subrogation slow, expensive, or impossible.
Fix: negotiate an exception allowing assignment to insurers for subrogation and recovery efforts, or at least
a “consent not unreasonably withheld” standard. If that’s not possible, coordinate expectations with your insurer before signing.
Specific Example: When Contract Specificity Changes the Outcome
Not all Blackbaud-related litigation has looked the same. One key contrast discussed in the Delaware opinion involved a healthcare
system whose agreements included more detailed post-breach obligations (including cooperation tied to regulated data handling).
When the contract spells out what the vendor must provide after a breachand the customer can identify the regulations driving
response stepsthe causation story can look very different.
Translation: specificity is leverage. If your contract requires the vendor to deliver certain breach-related
reports, to cooperate in mitigation, and to support regulated notifications, it’s easier to argue that the customer’s response
costs were not optional panic spendingthey were a foreseeable, contract-linked necessity.
How to “Insurance-Proof” Your Vendor Agreements
The goal is not to turn every vendor into your insurer. The goal is to make sure your contract doesn’t silently sabotage
the very recovery pathways your organization and carrier will rely on.
Build a cyber appendix that procurement can actually use
A separate security exhibit or cyber addendum can work better than jamming everything into the main agreement. It can include:
- Security controls baseline: MFA, encryption, access reviews, logging, patch timelines.
- Incident response cooperation: evidence preservation, timelines for updates, named points of contact.
- Notification support: data element mapping, impacted individual identification where feasible.
- Cost allocation: which costs the vendor covers, which are shared, which are excluded (clearly).
- Audit rights: reasonable security assessments, third-party reports, and remediation commitments.
Align definitions with how claims are paid
Cyber policies talk about “privacy events,” “security failures,” “breach response costs,” and “regulatory proceedings.”
Vendor contracts talk about “confidential information,” “security breaches,” and “limitation of liability.”
If those definitions don’t align, your claim can be covered while your recovery action is not.
Practical move: define “Security Incident” and “Breach Response Costs” in the contract using language that
mirrors how your organization spends money during an incident: forensic services, legal counsel, notification analysis, mailing,
call center support, credit monitoring, and required reporting. Clarity up front reduces arguing later.
Require insurance that matches the exposure
If a vendor won’t move on liability caps, the next best lever is insurance requirements. Many organizations ask for a certificate
of insurance and call it a day. That’s like buying a parachute and never checking if it opens.
Consider requirements for:
- Cyber liability coverage with realistic limits for the data volumes involved.
- Tech E&O if the vendor’s performance failures can cause business harm.
- Contractual liability coverage for the indemnities the vendor is giving you.
- Notice of cancellation and minimum policy terms that prevent coverage “oopsies.”
A Fast Procurement Checklist (Because Nobody Has Time)
Before you sign (or renew) a vendor contract that touches personal or sensitive data, ask these questions:
- What security controls are requiredspecifically, not poetically?
- How quickly must the vendor notify us, and what must that notice include?
- Does the vendor commit to preserving logs and evidence for investigations?
- Will the vendor provide reporting that supports our legal notification duties?
- Are breach response costs definedand are any carved out of the consequential-damages waiver?
- Is the liability cap remotely proportional to the risk?
- Is there an indemnity for third-party privacy claims tied to vendor failure?
- Are assignment/subrogation rights blocked without vendor consent?
- What insurance does the vendor carry, and are limits high enough for our data volume?
- Do we have audit/report rights (SOC reports, penetration testing summaries, remediation timelines)?
- Is there a clear incident-response workflow with named contacts and update cadence?
- Does the contract address subcontractors (“fourth parties”) and where data is stored/processed?
What Insurers and Brokers Should Take From This
The Blackbaud rulings are also a note to carriers: if you want subrogation to be a meaningful tool in cyber,
you may need to underwrite the contract environment more aggressivelyor help insureds improve it.
Underwriting: ask contract questions that predict recovery
- Do critical vendors cap liability below plausible response costs?
- Are consequential-damages waivers broad enough to swallow incident expenses?
- Do anti-assignment clauses block recovery efforts?
- Do contracts require cooperation and reporting after a breach?
Claims: document the “why” of response spending
Courts tend to care whether expenses are tethered to a dutycontractual, statutory, or regulatory.
In a vendor-triggered incident, that means preserving a clear record: what data was at issue, what laws applied,
what the vendor did (or did not do), and why the insured’s spending was necessary rather than discretionary.
Conclusion: Your Vendor Contract Is Part of Your Incident Response Plan
The Blackbaud rulings don’t say cyber insurance is pointless, or that vendors always escape responsibility.
They say something more useful and actionable:
when cyber losses happen through third-party systems, the contract is the mapand many maps have missing roads.
If you want better outcomes, treat vendor terms like security controls. Negotiate them, test them, and revisit them.
The best time to fix your consequential-damages waiver is before an incidentnot while your team is living off iced coffee
and adrenaline and your general counsel is Googling “what is proximate cause” at 2:00 a.m.
Ultimately, the goal is resilience: contracts that support rapid response, fair cost allocation, and realistic pathways
for recoverywhether that recovery is your own, your insurer’s, or both.
Experiences From the Field: What Organizations Commonly Run Into After a Vendor-Linked Breach
The legal rulings make headlines, but the day-to-day experiences are where the real lessons live. Below are patterns that
organizations commonly report after a breach tied to a key software or service vendor. These are not “war stories” for drama’s
sakethey’re practical snapshots of how contract gaps show up in real operations.
Experience 1: The first 72 hours are a contract scavenger hunt
When an incident notice arrives, teams often assume the vendor will provide a detailed explanation quickly. What frequently happens
instead is a short email that confirms “an event occurred,” plus a promise of updates. Internally, leadership wants answers immediately:
what data, what systems, what time window, what risk level, and what we should tell stakeholders. Meanwhile, the privacy team asks:
“Do we have a contractual right to logs? A right to compel a report? A right to approve messaging?” If the contract is vague,
the organization winds up negotiating basic cooperation in the middle of the crisiswhen leverage is lowest and urgency is highest.
Experience 2: The cost pile grows faster than the fact pile
Incident response spending starts before certainty arrives. Organizations bring in forensic firms to validate the scope, outside counsel
to interpret state breach-notification laws, and communications support to prepare messaging. One of the most common frustrations is
that bills become real before facts do. If the vendor’s investigation focuses on file names, metadata, or limited logs (rather than
file contents), the customer may still be unable to confirm whether sensitive data was involved. That uncertainty forces conservative,
defensive decision-makingmore analysis, more legal review, more notification planning. Later, when someone tries to allocate costs,
the vendor may argue those expenses were “optional” or “overcautious.” The customer argues they were necessary to comply with legal duties.
This is exactly where clear contract language can prevent endless second-guessing.
Experience 3: “Consequential damages” becomes the phrase everyone hates
Many organizations discover the harshest surprise in a single paragraph: the contract’s damages waiver. They may have assumed that
response costslike forensic work, call centers, and lettersare plainly recoverable if the vendor failed to meet its security commitments.
Then the vendor points to a waiver of consequential damages and a liability cap tied to subscription fees. Suddenly, the conversation
shifts from “what happened?” to “what category of damages is this?” Operational teams find that maddening because the costs feel
straightforward: money spent to clean up a mess. Legal teams know that classification drives outcomes. The experience is usually the same:
weeks of debate, expensive outside counsel analysis, and a realization that the most expensive part of an incident might be arguing
about who should pay for the expensive part of the incident.
Experience 4: Insurance pays, but recovery is an uphill climb
Cyber insurance can be a lifeline for response costs. But when the insurer explores recovery against the vendor, the insurer inherits
the customer’s contract limitations. If the agreement is thin on post-breach duties, capped tightly, and restrictive about assignment,
the recovery pathway may narrow dramatically. That can create tension: the insured feels it did the right thing by responding quickly,
while the insurer feels recovery should be possible in principle but is blocked in practice. The best outcomes tend to happen when
insureds and carriers align early on documentation: capturing what data was involved, which laws were triggered, what the vendor provided,
what the vendor refused or couldn’t provide, and why the insured’s spending was required. In other words: the incident becomes a story,
and good recovery needs a story with receipts.
Experience 5: Renewals become “contract rehab” projects
After a major vendor-linked incident, organizations often change how they buy. Procurement starts asking for security exhibits, breach
cooperation clauses, and higher insurance limits. Counsel asks for carve-outs so cyber response costs aren’t swallowed by a damages waiver.
Risk teams push for audit rights and clearer timelines. Vendors sometimes resist (especially if they’ve standardized their agreements),
but incidents create internal momentum. The organizations that improve fastest are the ones that treat these changes as routine operational
hygienelike patching serversnot as one-time legal fights. Over time, that shift reduces chaos during incidents and improves claim outcomes,
because everyone knows what the contract promises when the worst happens.