In today’s digital world, data breaches due to vendor failures are becoming increasingly common, often resulting in costly fallout. While insurance can provide a safety net, the interaction between cyber insurance and vendor contracts is crucial for effective recovery and risk management. Vendor contracts should not be treated as mere formalities but as vital frameworks that contain specific, detailed provisions regarding data security obligations to ensure accountability and minimize vulnerabilities.
Attempts to recoup costs from vendors following cybersecurity events increasingly underscore the critical importance of detailed contracts that clearly define cybersecurity obligations and responsibilities. This issue is also becoming a focal point during cyber insurance policy renewals. Weak subrogation cases, where insurers have covered policyholders for incidents caused by vendors but later struggle to recover those costs, have prompted insurers to adopt more aggressive underwriting practices and heightened scrutiny during renewals. Insurers are now asking about contracts between policyholders and their third-party vendors as part of the underwriting process, making inquiries to assess potential exposure. Consequently, policyholders must prioritize precise and enforceable contractual provisions with vendors—not only to enhance their chances of recovering costs after an incident but also to facilitate smoother cyber insurance renewals and potentially secure more favorable policy terms.
The Blackbaud 2020 ransomware incident illustrates the significant challenges policyholders may face in cyber incident disputes when vendor contracts are vague or poorly defined; such limitations can severely restrict recovery options and hinder efforts to recoup losses. In this case, several nonprofit and higher education organizations insured by Travelers and Philadelphia Indemnity incurred substantial costs related to investigating and mitigating the incident. While the insurers initially covered these expenses, they later filed lawsuits against Blackbaud to recover the amounts paid, alleging breach of contract and negligence.
However, in Travelers Casualty and Surety Co. of America v. Blackbaud Inc., C.A. No. N22C-12-130 KMM and Philadelphia Indemnity Insurance Co. v. Blackbaud Inc., C.A. No. N22C-12-141 KMM, the insurers were ultimately unable to recover from Blackbaud. The court dismissed their claims, finding that the insurers failed to provide sufficient factual detail to support allegations of breach of contract or negligence. Specifically, the court noted that the insurers did not clearly identify the contractual provisions within the vendor contracts that would establish a direct link between the ransomware incident and Blackbaud’s obligation to indemnify the policyholders for their incurred costs.
To prevent these risks, policyholders should focus on enhancing recovery by considering the following proactive measures:
- Contract Review: Include specific, enforceable cybersecurity standards in vendor contracts.
- Indemnity Provisions: Ensure vendor contracts require the vendor to cover costs incurred by the company related to the breach.
- Breach Notification: Vendor contracts should contain clear timelines, cooperation clauses, and audit rights as they pertain to breach notification.
- Cyber Insurance Alignment: Consult with an insurance professional to understand coverage obligations under the cyber insurance policy and vendor agreements to confirm there are no gaps in coverage or ambiguous language as to what is covered.
It is equally important for policyholders to understand the measures to take after a breach. Following a breach, policyholders must take decisive action to support insurance claims and facilitate recovery from vendors. This involves meticulously documenting all aspects of the incident, including keeping detailed records of:
- Incident Response Steps: record the actions taken as a result of the breach, including the timing of the response.
- Third-Party Communications: maintain comprehensive logs of all interactions with vendors and third parties involved in the breach.
- Costs Incurred: compile detailed records for all expenses related to legal fees, IT services, forensic analysis, notification processes, and credit monitoring efforts to maximize recovery.
Cyber risk is a shared responsibility between cyber policies and vendor or third-party contracts. However, the legal system may not always hold third parties accountable. Thus, policyholders should not rely solely on insurance or vendors. Rather, the focus should be on both proactive and reactive risk management, which put the insured in the best position for coverage.