Legal Analysis: Insurer Subrogation Rights Under Scrutiny
Two recent court decisions have addressed the issue of subrogation rights of insurance companies against upstream or downstream vendors that experience a data security breach: Axis Insurance Company v. Barracuda Networks, Inc. and Travelers Casualty and Surety Company of America v. Blackbaud, Inc.
The first was decided on Nov. 20, 2025 by the U.S. First Circuit Court of Appeals. Travelers was decided on Feb. 13, 2026 by the Delaware Supreme Court.
Axis v. Barracuda
In Axis v. Barracuda, Zoll Medical Corporation had an email service contract with Fusion LLC. Fusion, in turn, contracted with Barracuda Networks, Inc. for its email archiving technology.
Barracuda suffered a data breach, which exposed personal health information of Zoll customers who then brought a class action lawsuit against Zoll. Zoll settled those claims with its customers and then brought an arbitration claim against Fusion, with which it was in privity, and a subrogation claim against Barracuda, which lacked privity. Fusion also brought two claims against Barracuda, one for breach of contract and the other for breach of the covenant of good faith and fair dealing. As part of their arbitration and settlements, Zoll’s and Fusion’s claims against Barracuda were assigned to Axis, Fusion’s insurer.
Equitable Indemnification
Axis’s subrogation claim on behalf of Zoll asserted equitable indemnification against Barracuda. Barracuda moved for summary judgment on this claim, which the lower court granted. The First Circuit affirmed, finding that Zoll’s relationship with Barracuda was, at best, that of an “independent contractor’s independent contractor,” insofar as Zoll contracted with Fusion and Fusion contracted with Barracuda. On this basis, the court found there could be no derivative or vicarious relationship between Zoll and Barracuda because of lack of privity. Without privity, Axis’s claim for equitable indemnification against Barracuda could not stand. The court emphasized that equitable indemnification is a narrow remedy and could not be used as a mechanism for reallocating risk after the occurrence of a breach.
Breach of Contract
The lower court also granted summary judgment in favor of Barracuda on Axis’s claim for breach of contract, which the First Circuit also affirmed. Axis’s claim was based on Fusion’s assertion that Barracuda had failed to provide certain services required by Barracuda under the contract. Barracuda argued that this claim failed because Fusion did not meet a condition precedent of the contract: the inclusion of a provision limiting Barracuda’s third-party liability. Axis claimed that Barracuda had waived this defense by declining to exercise its contractual right to audit the contract. Axis further argued, in the alternative, that Barracuda was estopped from claiming no liability under the contract based on the condition precedent.
The First Circuit disagreed with Axis on both scores, stating that Fusion’s failure to meet the condition precedent barred its claim of breach of contract against Barracuda. The court found that Axis had only pointed to Fusion’s failure to audit the contract, which was insufficient to demonstrate waiver. The court stated that Axis had the burden of proving clear, decisive, and unequivocal conduct demonstrating waiver, which it failed to do.
The First Circuit further found that Barracuda was not estopped from using Fusion’s failure to meet the condition precedent as a defense to breach of contract. The court was unpersuaded by Axis’s argument that Barracuda’s failure to audit the contract led Fusion to consider itself in compliance with its contractual requirements. It stated that, where Barracuda had no duty to audit under the contract, estoppel could not be used to bar Barracuda from asserting its defense. Fusion still had a responsibility to comply with the contract and failed to do so.
Breach of the Covenant of Good Faith and Fair Dealing
Lastly, Axis pled a count against Barracuda for breach of the covenant of good faith and fair dealing. The lower court denied this claim as well, finding that Fusion could have negotiated certain contractual rights to which it would have been entitled in the event of a breach but did not do so. The First Circuit agreed, finding that Axis had failed to identify any contractual right to which it was entitled as a result of Barracuda’s breach.
Travelers Casualty and Surety v. Blackbaud
Conversely, in Travelers v. Blackbaud, the Delaware Supreme Court overturned the lower court’s dismissal of the plaintiff insurance company’s complaint, which asserted subrogation claims against the defendant software company, Blackbaud Inc., with which Travelers’ insured was in direct privity. In this matter, Blackbaud provided donor management and data hosting services to nonprofit companies, including the insured. When Blackbaud suffered a ransomware attack, it did not provide investigation and remediation services for its clients but instead provided them with a “toolkit” for self-investigation and remediation.
Blackbaud’s clients were dissatisfied with this offering and undertook their own investigation and remedies, incurring costs that were covered by their insurance companies under their cyber insurance policies. The subject insurance companies, including Travelers, paid these costs but then sued Blackbaud for subrogation.
The lower court found that the insurance companies, collectively, could not adequately plead an aggregate subrogation claim on behalf of the class action plaintiffs under New York law. It further stated that the insurance companies failed to include specific allegations based on facts in their aggregate claims. On appeal, the Delaware Supreme Court disagreed.
In a de novo review, the Delaware Supreme Court overturned the lower court’s decision, finding that the plaintiff insurance companies adequately pled all of the elements needed to allege a breach of contract claim under New York law. The court found that the aggregate pleading did not prejudice Blackbaud because, as the data holder, Blackbaud could conduct discovery regarding each claim. If the insurance companies had pled enough facts to raise a reasonable inference that damages were caused by the defendant, they could then generally plead those damages.
Analysis
It may appear that the findings in Axis and Travelers are inconsistent with each other given that the Axis court denied subrogation rights to the insurance company while the court in Travelers allowed the insurers’ subrogation claims to stand. A closer analysis of these cases, however, shows that the underlying facts and the courts’ rulings are distinguishable and therefore reconcilable. In Axis, the First Circuit found that the insurance company seeking subrogation from a downstream vendor had no claim for equitable indemnification where its insured and Barracuda had no contract from which a derivative or vicarious relationship could be asserted. Without this relationship, a claim for equitable indemnification could not survive.
In stark contrast, the Delaware Supreme Court in Travelers allowed the insurance company’s indemnification claim to survive summary judgment, finding that the insurance company adequately pled all of the elements required to allege breach of contract, including the existence of a contract between the insureds and the defendant software company. The Delaware Supreme Court specifically stated that Blackbaud did not dispute that the insurers had standing to pursue their respective insureds’ breach of contract claims against Blackbaud. Unlike the relationship between the insurance company and the downstream vendor in Axis, which was characterized as that of an independent contractor, it was undisputed that there existed a contractual relationship between the insurer’s policyholder and Blackbaud.
In sum, both rulings are consistent in that each court held that for a subrogation claim to stand, an insurer must have and adequately plead a contractual relationship between its insured and the alleged subrogee. Absent this relationship, a claim for indemnity or subrogation likely will fail in those jurisdictions where courts decide to follow the Axis decision.
In Light of Axis and Travelers
In the wake of Axis and Travelers, cyber insurers should consider the following guidelines and practices:
Considering Axis, an insured may not be able to shift liability to its vendors under equitable indemnity claims. Instead, the following factors should be considered in the context of a potential subrogation claim:
- Was an enforceable contract executed with all upstream and downstream data security vendors that include robust insurance, contractual indemnity and subrogation clauses?
- Are contractual obligations clearly outlined throughout the vendor chain, explicitly stating the parties’ rights and obligations in the event of a breach?
- Is a potential subrogation claim dependent on the implied covenant of good faith?
- Are there any acts or omissions regarding specific contractual provisions, such as conditions precedent and audit rights, that could impact whether a court will allow or deny equitable relief?
From a procedural standpoint, it is essential that all elements of breach of contract be pled and adequately supported by the facts, in accordance with the applicable laws of the relevant jurisdiction, as found in Travelers.
Another takeaway from the Travelers decision is that, in the cybersecurity space, insurers may be able to make a collective claim on behalf of their policyholders. The result of this is:
- Expenses usually associated with an insured’s incident response plan with respect to cyberattacks, such as legal fees and expenses, preparation and mailing of notification letters, communication expenses, and credit monitoring will be seen as foreseeable contractual damages in vendor agreements.
- As foreseeable and reasonable costs, these expenses are arguably characterized as losses that can be shifted to third parties, reinforcing the notion that an insurer can pay out on a cyber incident claim and seek vendor recovery later.
In light of rising subrogation risk, vendor contracts should be closely scrutinized for language, such as limitations of liability and warranty provisions and subrogation waivers, which effectively push exposure away from the vendor and back to policyholders and, as appropriate, their insurers.
Bortnick is of counsel in Wilson Elser’s cybersecurity & data privacy practice. He litigates and counsels U.S. and international insurers and corporations on cyber, privacy and technology risks and exposures; D&O liability; insurance coverage; products liability; and commercial litigation. Michaud is an associate in Wilson Elser’s cybersecurity & data privacy practice. She represents businesses and individuals in cybersecurity and data privacy claims, including ransomware, business email compromises, and other privacy breach matters.