First Circuit Rejects Post-Data Breach Indemnification Claims Against Technology Vendor


The First Circuit recently affirmed a District of Massachusetts decision granting summary judgment in litigation arising from a 2018 data breach involving protected health information (PHI). In Axis Insurance Co. v. Barracuda Networks, Inc., the court held that the plaintiff could not establish equitable indemnification or contractual liability under Massachusetts law. The decision reinforces limits on downstream vendor liability in data breach litigation and further solidifies the District of Massachusetts—and the First Circuit—as a leading forum for resolving complex privacy and cybersecurity disputes.

The Zoll Data Breach and its Class Action Aftermath

Zoll Medical Corporation and its subsidiary received email and electronic messaging services from Fusion LLC. Fusion relied on Barracuda’s email archiving technology pursuant to an agreement that required Fusion to include specific limitation-of-liability and indemnification provisions in its customer contracts.

Fusion did not include those provisions in its hosting agreement with Zoll. After a data breach at Barracuda exposed Zoll’s customer data, Zoll settled a class action brought by affected customers.

Zoll then initiated arbitration against Fusion and separately sued Barracuda in the District of Massachusetts. Fusion intervened and asserted its own claims.

District Court Holds Independent Contractor Relationships Do Not Support Equitable Indemnification for Breach-Related Losses

On the pleadings, the district court dismissed most claims, allowing only Zoll’s equitable indemnification claim and Fusion’s claims for breach of contract and breach of the covenant of good faith and fair dealing to proceed.

Following discovery, Barracuda moved for summary judgment. The district court granted the motion in full. It held that:

  • Zoll could not pursue equitable indemnification because its relationship with Barracuda did not give rise to derivative or vicarious liability.
  • Fusion’s breach of contract claim failed because Fusion did not satisfy a condition precedent: it omitted the required contractual protections from its customer agreement with Zoll.
  • The implied covenant of good faith and fair dealing did not create rights that were absent from the parties’ contract.

Zoll and Fusion assigned their remaining claims to Axis Insurance Company, which appealed.

First Circuit Clarifies Limits on Vendor Liability and Rejects Post-Breach Risk Reallocation

On de novo review, the First Circuit affirmed, agreeing that no claim could survive summary judgment under Massachusetts law. The court emphasized that the dispositive issues were legal, not factual, and could be resolved by reference to the parties’ contractual relationships and settled indemnification principles.

First, the court rejected Axis’s equitable indemnification claim. Applying Massachusetts precedent, the court reiterated that equitable indemnification is available only if the party seeking indemnity is held vicariously or derivatively liable for the wrongful acts of another. Because Zoll and Barracuda operated as independent contractors several steps removed from one another, Zoll’s liability to its customers was not derivative of Barracuda’s conduct. The absence of a qualifying legal relationship was fatal to the indemnification claim, regardless of the alleged role Barracuda’s technology played in the breach.

Second, the court affirmed dismissal of the breach of contract claim based on Fusion’s failure to satisfy a condition precedent in the agreement. The agreement expressly required Fusion to include specified limitation-of-liability and indemnification provisions in its customer contracts. It was undisputed that Fusion did not do so in its agreement with Zoll. The court held that this foreclosed any claim that Barracuda breached their agreement.

The court also rejected Axis’s waiver and estoppel arguments. Axis argued that Barracuda waived the condition precedent by failing to exercise its contractual audit rights. The court disagreed, emphasizing that the agreement conferred a discretionary right to audit, not an affirmative obligation. The agreement’s anti-waiver provision further confirmed that inaction could not operate as a waiver. On that basis, the court resolved the waiver issue as a matter of law at summary judgment.

Finally, the court affirmed dismissal of the claim for breach of the implied covenant of good faith and fair dealing. The court reiterated that the covenant cannot be used to create substantive rights that do not exist under the contract itself. Because Fusion had no contractual entitlement to indemnification or breach-related remedies in the absence of compliance with contractual conditions, the implied covenant could not supply those rights after the fact.

Key Takeaway: Ruling Reinforces Contract-Centered Approach to Cybersecurity Risk

Taken together, the First Circuit’s analysis reflects a contract-centered approach to allocating responsibility for data breach losses. The First Circuit made clear that equitable indemnification is a narrow remedy tied to specific vicarious or derivative relationships. It is not a mechanism for reallocating risk after a breach occurs.

The decision reflects the growing concentration of privacy and data breach litigation in the District of Massachusetts and, by extension, before the First Circuit. As these cases comprise an increasing share of the docket, the court has emerged as a national leader in resolving complex cybersecurity disputes.
