{"id":195173,"date":"2026-03-12T10:26:00","date_gmt":"2026-03-12T14:26:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/12\/delaware-supreme-court-expands-cyber-liability-exposure-for-saas-managed-service-providers-shumaker-loop-kendrick-llp\/"},"modified":"2026-03-12T10:45:11","modified_gmt":"2026-03-12T14:45:11","slug":"delaware-supreme-court-expands-cyber-liability-exposure-for-saas-managed-service-providers-shumaker-loop-kendrick-llp","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/12\/delaware-supreme-court-expands-cyber-liability-exposure-for-saas-managed-service-providers-shumaker-loop-kendrick-llp\/","title":{"rendered":"Delaware Supreme Court Expands Cyber Liability Exposure for SaaS & Managed Service Providers | Shumaker, Loop & Kendrick, LLP"},"content":{"rendered":"

Delaware Supreme Court Expands Cyber Liability Exposure for SaaS & Managed Service Providers | Shumaker, Loop & Kendrick, LLP<\/a><\/p>\n

https:\/\/www.jdsupra.com\/legalnews\/delaware-supreme-court-expands-cyber-2724618\/<\/a><\/p>\n

Publish Date: 2026-03-12 10:26:00<\/a><\/p>\n

Source Domain: www.jdsupra.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n

What the Blackbaud decision means for managed service providers (MSPs) and the clients who rely on them<\/p>\n

A recent decision by the Delaware Supreme Court in Travelers Casualty and Surety Company of America v. Blackbaud, Inc. materially shifts the litigation landscape for cybersecurity incidents involving Software as a Service (SaaS) providers and MSPs.<\/p>\n

Key takeaways:<\/p>\n

\tLower pleading burden for plaintiffs (including insurers)
\n\tLess emphasis on proximate cause at early stages
\n\tAggregated claims allowed across multiple customers
\n\tHigher litigation costs and increased settlement pressure
\n\tExpanded expectations around what constitutes “commercially reasonable” cybersecurity<\/p>\n

Bottom line: Cyber incidents are now significantly more likely to survive early dismissal and proceed into expensive discovery.<\/p>\n

What Happened<\/p>\n

Blackbaud, a SaaS provider hosting sensitive donor data, experienced a ransomware attack exposing highly sensitive personal and financial information.<\/p>\n

Its customers (nonprofits and educational institutions):<\/p>\n

\tConducted their own investigations
\n\tIncurred legal, forensic, and notification costs
\n\tSubmitted claims to their insurers<\/p>\n

The insurers then:<\/p>\n

\tPaid millions in claims
\n\tSued Blackbaud as subrogees and assignees<\/p>\n

The trial court dismissed the claims twice.<\/p>\n

The Delaware Supreme Court reversed, holding that the insurers had adequately pled a breach of contract claim and could proceed.<\/p>\n

1. Why This Case Matters (Especially for MSPs)<\/p>\n

This decision is not just about Blackbaud\u2014it is about how courts will treat cyber risk allocation across vendors and customers going forward.<\/p>\n

Aggregated Claims Are Now Fair Game<\/p>\n

What the Court Said<\/p>\n

The Court allowed insurers to:<\/p>\n

\tBring claims on behalf of 97 customers
\n\tUse common allegations
\n\tAvoid individualized pleadings at the outset<\/p>\n

Why This Matters<\/p>\n

For MSPs and SaaS providers, a single incident can now result in:<\/p>\n

For Customers<\/p>\n

The easier path to recovery is through:<\/p>\n

\tInsurance
\n\tCoordinated litigation<\/p>\n

This significantly increases claim scale and leverage.<\/p>\n

2. Proximate Cause Is No Longer a Barrier at the Pleading Stage<\/p>\n

The Critical Shift<\/p>\n

The lower court dismissed the case for failure to tightly link:<\/p>\n

\tSpecific contract provisions \u2192 specific damages<\/p>\n

The Supreme Court rejected that approach.<\/p>\n

The New Standard<\/p>\n

The Court held:<\/p>\n

\tProximate cause is typically a fact question
\n\tPlaintiffs only need to show a reasonable inference of causation
\n\tDetailed causation analysis can wait until discovery or trial<\/p>\n

Why This Is a Big Deal<\/p>\n

This is one of the most important aspects of the decision:<\/p>\n

Plaintiffs no longer need to prove exactly how each failure caused each dollar loss at the motion to dismiss stage. Instead, they can allege, “Your security failures led to our response costs.”<\/p>\n

Practical Impact<\/p>\n

\tMore cases survive dismissal
\n\tDiscovery costs increase significantly
\n\tSettlement pressure rises earlier<\/p>\n

For MSPs: You will be forced into fact-intensive litigation sooner<\/p>\n

For customers: Lower barrier to pursue recovery<\/p>\n

3. “Commercially Reasonable Security” is Getting Defined\u2014by Courts<\/p>\n

The Court relied heavily on alleged failures that are increasingly viewed as baseline cybersecurity expectations.<\/p>\n

The opinion highlights failures such as:<\/p>\n

\tNot storing sensitive data on obsolete, unpatched servers
\n\tLack of multi-factor authentication (MFA)
\n\tFailure to encrypt sensitive data
\n\tIgnoring internal security warnings
\n\tWeak access controls enabling lateral movement
\n\tExcessive data retention
\n\tFailure to implement security patches
\n\tInadequate incident response planning<\/p>\n

Emerging Legal Standard for MSPs & SaaS Providers<\/p>\n

Courts are implicitly defining “commercially reasonable security” to include the following baseline expectations:<\/p>\n

\tMFA (especially for remote\/admin access)
\n\tEncryption of sensitive data (at rest and in transit)
\n\tPatch management and vulnerability remediation
\n\tNetwork segmentation and access controls
\n\tLogging, monitoring, and detection capabilities
\n\tFormal incident response plans
\n\tData minimization and retention controls<\/p>\n

These are no longer “best practices”\u2014they are becoming litigation benchmarks.<\/p>\n

4. Litigation Costs Will Increase\u2014Significantly<\/p>\n

Because of this decision:<\/p>\n

Cases Will:<\/p>\n

\tSurvive motions to dismiss
\n\tMove into expensive discovery
\n\tRequire:<\/p>\n

\t\tForensic analysis
\n\t\tExpert testimony
\n\t\tContract-by-contract evaluation<\/p>\n

For MSPs:<\/p>\n

\tDefense costs increase, even in weak cases
\n\tInsurance carriers more likely to:<\/p>\n

\t\tSubrogate
\n\t\tAggressively pursue recovery<\/p>\n

For Customers:<\/p>\n

\tGreater leverage in:<\/p>\n

\t\tVendor disputes
\n\t\tContract renegotiations
\n\t\tClaims recovery<\/p>\n

5. Courts Are Rejecting “Burden Shifting” to Customers<\/p>\n

A key factual theme:<\/p>\n

Blackbaud:<\/p>\n

\tProvided a “toolkit”
\n\tInstructed customers to:<\/p>\n

\t\tInvestigate
\n\t\tNotify
\n\t\tRemediate on their own<\/p>\n

The Court viewed this negatively.<\/p>\n

Implication<\/p>\n

MSPs and SaaS providers cannot simply push incident response downstream.<\/p>\n

If your contracts or practices:<\/p>\n

\tShift responsibility without support
\n\tDelay disclosure
\n\tProvide incomplete information<\/p>\n

You may:<\/p>\n

\tStrengthen causation arguments against you
\n\tIncrease liability exposure<\/p>\n

6. What This Means for Contracts<\/p>\n

For MSPs \/ SaaS Providers<\/p>\n

You should revisit:<\/p>\n

Security Commitments<\/p>\n

\tAvoid vague “commercially reasonable” language without definition
\n\tAlign contractual obligations with actual capabilities<\/p>\n

Limitation of Liability<\/p>\n

\tEnsure:<\/p>\n

\t\tClear caps
\n\t\tCyber-specific carve-outs
\n\t\tExclusions for consequential damages<\/p>\n

Incident Response Obligations<\/p>\n

\tClearly define:<\/p>\n

\t\tRoles
\n\t\tTimelines
\n\t\tResponsibilities<\/p>\n

Data Retention<\/p>\n

\tLimit retention to:<\/p>\n

\t\tNecessary business purposes
\n\t\tDefined timeframes<\/p>\n

For Customers of MSPs<\/p>\n

You should:<\/p>\n

\tDemand:<\/p>\n

\t\tSpecific security controls (MFA, encryption, etc.)<\/p>\n

Final Takeaways<\/p>\n

The Blackbaud decision signals a clear trend:<\/p>\n

Courts are:<\/p>\n

\tLowering procedural barriers
\n\tIncreasing scrutiny of cybersecurity practices
\n\tAllowing claims to proceed based on systemic failures<\/p>\n

The New Reality<\/p>\n

For MSPs and SaaS providers:<\/p>\n

“If you experience a breach, expect to litigate\u2014deeply and expensively.”<\/p>\n

For customers:<\/p>\n

“You have stronger legal footing to recover costs from your vendors.”<\/p>\n

Key Risk Themes Moving Forward<\/p>\n

\tAggregated, multi-customer litigation
\n\tReduced importance of proximate cause at early stages
\n\tExpansion of “reasonable security” expectations
\n\tIncreased insurer-driven recovery actions
\n\tHigher litigation and settlement costs<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Delaware Supreme Court Expands Cyber Liability Exposure for SaaS & Managed Service Providers | Shumaker,…<\/p>\n","protected":false},"author":1,"featured_media":195174,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/jdsupra-static.s3.amazonaws.com\/profile-images\/og.7704_1514.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24,27],"class_list":["post-195173","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/195173"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=195173"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/195173\/revisions"}],"predecessor-version":[{"id":195175,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/195173\/revisions\/195175"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/195174"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=195173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=195173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=195173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}