Axis Insurance Co. v. Barracuda Networks, Inc.: Relationship-Based Limits on Equitable Indemnity and Waiver-by-Silence in Cybersecurity Supply Chains

I. Introduction

The First Circuit’s decision in Axis Insurance Company v. Barracuda Networks, Inc. (No. 24‑1920, Nov. 20, 2025) is a significant appellate treatment of:

  • Equitable indemnification under Massachusetts law;
  • Contractual conditions precedent, waiver, and estoppel; and
  • The implied covenant of good faith and fair dealing

in the context of a modern data-breach dispute involving a multi-tiered IT service supply chain.

The case arises out of a 2018 data breach at Barracuda Networks, Inc. (“Barracuda”) that exposed protected health information (“PHI”) belonging to patients of Zoll Services LLC, a subsidiary of Zoll Medical Corporation (together, “Zoll”). Zoll had contracted with Fusion, LLC (“Fusion”) for data-hosting and email services; Fusion, in turn, relied on an Original Equipment Manufacturer (“OEM”) agreement with Barracuda (through corporate predecessors) to provide the underlying email archiving technology.

After the breach, Zoll faced a class action by its customers and settled. Its insurer, Axis Insurance Company (“Axis”), stepped into the shoes of Zoll (as assignee) and Fusion (as subrogee), and pursued Barracuda on theories of:

  1. Equitable indemnification (based on Zoll’s liability to its customers);
  2. Breach of contract (Fusion’s OEM agreement with Barracuda); and
  3. Breach of the implied covenant of good faith and fair dealing.

The district court granted summary judgment to Barracuda on all remaining claims. The First Circuit affirmed, issuing a detailed opinion that clarifies and, in some respects, sharpens several strands of Massachusetts law.

The core precedential contributions of this opinion are:

  • Reaffirming that equitable indemnification under Massachusetts law is tightly confined to legally recognized vicarious-liability relationships, not merely factual causation in a service chain;
  • Holding that a party’s mere failure to exercise a discretionary audit right—especially in the presence of an anti-waiver clause—does not waive a condition precedent or estop that party from invoking it; and
  • Limiting the implied covenant of good faith and fair dealing to protecting rights actually conferred by contract, not creating retroactive data-breach protections that were not bargained for.

II. Factual and Procedural Background

A. The Contractual Chain: OEM, Hosting Agreement, and HIPAA BAA

The relationships among the parties arose through a classic layered service model:

  • Fusion–Barracuda OEM Agreement. Fusion (through its predecessor, Apptix) entered into an OEM agreement with Barracuda (through its predecessor, Sonian). Under this OEM, Fusion could resell Barracuda’s email archiving services to Fusion’s own customers.
    • The OEM required Fusion to include in its customer contracts specified limitation-of-liability and indemnification provisions favorable to Barracuda.
    • The OEM also gave Barracuda a contractual audit right to examine “all applicable books and records relating to the services provided by Barracuda.”
    • The OEM contained an anti-waiver provision: Barracuda’s failure or delay in exercising any right or remedy would not operate as a waiver.
  • Fusion–Zoll Hosting Agreement. Zoll contracted with Fusion for electronic messaging and email services (the “Hosting Agreement”). Notably, this Hosting Agreement did not include the OEM-required limitation-of-liability or indemnification terms.
  • Zoll–Fusion HIPAA Business Associate Agreement (BAA). Separate from the Hosting Agreement, Zoll and Fusion entered into a BAA under HIPAA. Fusion agreed to:
    • Use appropriate safeguards to protect PHI; and
    • Ensure that any subcontractor/vendor receiving PHI agreed to equivalent restrictions and safeguards.
    There was no evidence that Fusion ever ensured Barracuda’s compliance with the BAA.

B. The 2018 Data Breach and Downstream Liability

In 2018, Barracuda suffered a data breach that exposed Zoll’s customers’ PHI to an unauthorized third party. Zoll’s affected customers brought a class action lawsuit against Zoll, which Zoll resolved via settlement; Zoll paid damages to class members.

As a result, Axis—as Zoll’s insurer—ultimately bore the loss and sought to shift (or share) that loss upstream onto Barracuda, both directly and via Fusion.

C. Litigation, Arbitration, and the Surviving Claims

In 2020, Zoll:

  • Initiated arbitration proceedings against Fusion; and
  • Filed the present federal lawsuit against Barracuda in the District of Massachusetts.

Fusion intervened in the federal action and asserted its own claims against Barracuda. The district court dismissed most claims, but allowed three to proceed:

  • Zoll’s claim for equitable indemnification against Barracuda;
  • Fusion’s claim for breach of the OEM contract; and
  • Fusion’s claim for breach of the implied covenant of good faith and fair dealing.

Through subsequent arbitration and settlements, Zoll and Fusion assigned their claims to Axis (Zoll as assignee, Fusion through subrogation). Axis was substituted as plaintiff in 2022.

After discovery, Barracuda moved for summary judgment on all remaining claims. The district court granted the motion, and Axis appealed.

III. Summary of the First Circuit’s Holding

The First Circuit, reviewing de novo, affirmed summary judgment for Barracuda on each claim:

  1. Equitable Indemnification (Zoll’s claim). Massachusetts equitable indemnification requires that the indemnitee be held derivatively or vicariously liable for another’s wrongdoing, which in turn depends on a qualifying legal relationship (employer–employee, principal–agent, manufacturer–retailer, certain independent-contractor scenarios, etc.). Zoll and Barracuda had no such relationship; in fact, Barracuda was, at most, an “independent contractor’s independent contractor.” Therefore, Zoll (and thus Axis) could not obtain equitable indemnity from Barracuda.
  2. Breach of Contract (Fusion’s claim). Fusion indisputably failed to satisfy a condition precedent in the OEM—namely, including specified liability and indemnity provisions in its customer contracts. Axis argued that Barracuda had waived this condition by failing to exercise its audit rights, or was estopped from invoking it. The court held:
    • Waiver requires clear, decisive, and unequivocal conduct; mere inaction or silence—especially where there is no duty to act—does not suffice, and the OEM’s anti-waiver clause reinforced this conclusion.
    • Estoppel requires a representation and reasonable reliance; “estoppel by silence” exists only where there is a duty to speak, which Barracuda did not have. Fusion remained responsible for its own compliance. Thus, no waiver or estoppel, and the breach of contract claim failed.
  3. Breach of the Implied Covenant (Fusion’s claim). The implied covenant of good faith and fair dealing cannot create rights or duties beyond the contract’s express terms. The OEM provided Fusion a non-exclusive license to market and resell Barracuda’s services, but did not give Fusion any specific rights in the event of a data breach (e.g., notice rights, indemnification, or particular forms of cooperation). Axis therefore could not use the implied covenant to retrofit such rights into the OEM. Moreover, the alleged bad faith primarily concerned Barracuda’s conduct toward Zoll (with whom Barracuda had no contract), and the remaining allegation (furnishing data in JSON format) did not show bad faith toward Fusion.

IV. Detailed Analysis

A. Equitable Indemnification and the Requirement of a Vicarious-Liability Relationship

1. The Massachusetts Doctrine: Indemnity as a Response to Vicarious Liability

The court begins from well-established Massachusetts authority defining equitable (or common-law) indemnity. In Elias v. Unisys Corp., 573 N.E.2d 946 (Mass. 1991), the Supreme Judicial Court stated that indemnity:

“allows someone who is without fault, [but] compelled by operation of law to defend himself against the wrongful act of another, to recover from the wrongdoer the entire amount of his loss.”

This is not a broad “fairness” doctrine. As the court underscores, Massachusetts has long restricted equitable indemnity to situations where the indemnitee is held derivatively or vicariously liable for another’s act.

The canonical articulation appears in Decker v. Black & Decker Mfg. Co., 449 N.E.2d 641 (Mass. 1983), which the First Circuit quotes and heavily relies upon:

“This right to indemnity is limited to those cases in which the would-be indemnitee is held derivatively or vicariously liable for the wrongful act of another.”

Derivative or vicarious liability presupposes that the law imposes responsibility on one party for the act of another because of a specific legal relationship. Classic Massachusetts examples cited by the court include:

  • Employer–employee (respondeat superior), as in Elias;
  • Principal–agent, as in Chapman v. Bernard’s Inc., 198 F.R.D. 575 (D. Mass. 2001);
  • Manufacturer–retailer in products cases, as in Santos v. Chrysler Corp., 715 N.E.2d 47 (Mass. 1999), and Fireside Motors, Inc. v. Nissan Motor Corp., 479 N.E.2d 1386 (Mass. 1985);
  • Certain independent-contractor scenarios, such as Garbincius v. Boston Edison Co., 621 F.2d 1171 (1st Cir. 1980), where the principal can still be vicariously liable under recognized rules.

In those cases, the indemnitee has done nothing wrong personally but is legally answerable for the wrongdoing of another, purely because of the relationship. Indemnity then operates to shift the loss back to the true wrongdoer.

This approach is reinforced by older Massachusetts decisions quoted by the court:

  • Leonard v. Blake, 10 N.E.2d 469 (Mass. 1937), where a mother’s liability was “derivative” and based solely on an agency relationship with her negligent daughter; and
  • Hollywood Barbecue Co. v. Morse, 50 N.E.2d 55 (Mass. 1943).

The policy rationale is explicit: the law sometimes imposes vicarious liability on one party—to give injured plaintiffs another “fund” from which to recover—but tempers the harshness to that blameless party by recognizing a corresponding right to indemnity.

2. Why the Zoll–Barracuda Relationship Fails the Vicarious-Liability Test

Axis tried to frame Zoll’s liability as “derivative” of Barracuda’s wrongdoing in a factual sense: Zoll was sued because the PHI was breached at Barracuda’s systems. But the court draws a clear distinction between:

  • Being factually “downstream” in a chain of causation; and
  • Being legally vicariously liable because of a recognized relationship.

The record showed:

  • Zoll contracted with Fusion (Hosting Agreement);
  • Fusion contracted with Barracuda (OEM);
  • Neither the OEM nor the Hosting Agreement established any direct contractual relationship between Zoll and Barracuda.

Moreover, both the OEM (Fusion–Barracuda) and the Hosting Agreement (Zoll–Fusion) characterized their respective relationships as independent-contractor relationships. None addressed the Zoll–Barracuda link at all. The court emphasizes that even if Zoll–Barracuda could somehow be characterized as an independent-contractor relationship (which is itself a stretch), that status alone does not suffice to create vicarious liability. The opinion cites Lyon v. Morphew, 678 N.E.2d 1306, 1310 (Mass. 1997), for the proposition that independent-contractor status generally precludes vicarious liability.

Indeed, the court goes further: Barracuda is not even Zoll’s independent contractor; Barracuda is “an independent contractor’s independent contractor”. Zoll hired Fusion; Fusion hired Barracuda. That additional remove only makes the absence of a qualifying legal relationship clearer.

Axis did not contend that Zoll and Barracuda were in any of the recognized relationships (employer–employee, principal–agent, manufacturer–retailer, etc.) nor that any special doctrine of vicarious liability applied. As the district court had observed (and the First Circuit quotes), “Axis makes no claim that Zoll was anything more than an independent contractor and never claimed that derivative liability existed in spite of the independent contractor status.”

Thus, while Zoll may have been sued “because of” events at Barracuda, that factual connection does not meet the doctrinal requirement that Zoll’s liability be legally derivative of Barracuda’s conduct by operation of law based on their relationship. Without such a relationship, equitable indemnity is categorically unavailable.

3. Axis’s Misreading of Decker and Its Progeny

Axis tried to argue that Decker and subsequent cases did not make the nature of the relationship dispositive, but instead allowed indemnity wherever the factual pattern showed that one party’s liability arose from another’s wrongdoing. The First Circuit bluntly rejects this reading.

The opinion reaffirms that Decker expressly limits equitable indemnity to cases in which the would-be indemnitee is held vicariously liable, and that vicarious liability itself is tethered to specific legal-relationship categories. The court notes that Axis’s preferred reading would essentially obliterate that limiting language, turning indemnity into a general loss-spreading tool whenever a party can argue it is “less at fault” or “downstream” of another wrongdoer.

The court reviews Axis’s cited cases—Fireside Motors, Ferreira v. Chrysler Group LLC, 13 N.E.3d 561 (Mass. 2014), and Fraco Prods., Ltd. v. Bostonian Masonry Corp., 995 N.E.2d 1125 (Mass. App. Ct. 2013)—and finds them all grounded squarely in Decker’s principle. In each, the indemnitee’s liability was derivative of a recognized relationship (e.g., manufacturer–dealer or upstream–downstream actors in a product distribution chain). They do not support an expansion of indemnity beyond these guarded categories.

Accordingly, the First Circuit’s reading of Massachusetts law is unambiguous: no equitable indemnity absent a qualifying vicarious-liability relationship.

4. Implications for Data-Breach and IT Supply-Chain Litigation

This holding has concrete implications in modern cyber and cloud-service arrangements, which are often multi-layered:

  • A covered entity (like Zoll) contracts with a service provider (Fusion).
  • The provider in turn uses sub-vendors (Barracuda) for specialized services (e.g., email archiving).
  • PHI or other sensitive data passes down this chain.

When a data breach occurs at a downstream vendor, upstream entities—often closest to the consumer or patient—tend to face the class actions, regulatory inquiries, and reputational harm. They may look to equitable indemnity to shift the loss to the party whose systems were compromised.

This decision sharply restricts that avenue under Massachusetts law:

  • Being “blameless but sued” is not enough; one must be vicariously liable in a recognized sense for the other’s act.
  • The existence of HIPAA BAAs between some parties does not, by itself, create the type of relationship that supports common-law indemnity.
  • Insurers stepping in via subrogation (like Axis) cannot circumvent this by recharacterizing factual causation as “derivative liability.”

Practically, entities in Zoll’s position who want recourse against a downstream vendor in the event of a data breach must secure it contractually—via express indemnification, additional-insured clauses, or detailed risk-allocation provisions—rather than relying on open-ended equitable doctrines.

B. Conditions Precedent, Waiver, and Estoppel in the OEM Agreement

1. The Condition Precedent and Its Effect

Under the OEM, Fusion’s right to hold Barracuda to certain obligations was conditioned on Fusion including specific limitation-of-liability and indemnity language in its customer contracts. The district court, at an earlier stage, held that Fusion did not satisfy this condition precedent because its Hosting Agreement with Zoll lacked the required provisions. Axis did not contest that ruling on appeal.

The non-fulfillment of a condition precedent normally means that the corresponding obligations of the other contracting party (here, Barracuda) do not arise. Axis therefore advanced two doctrines to neutralize the condition:

  1. Waiver—Barracuda allegedly waived the condition by failing to exercise its audit right; and
  2. Estoppel—Barracuda’s years of inaction supposedly induced Fusion to believe that it was in compliance, so Barracuda should be barred from invoking the condition.

2. Summary Judgment and the Waiver Question

Axis argued that waiver is typically a question for the factfinder and that the district court “usurped” the jury’s role by resolving waiver on summary judgment. The First Circuit explains why that is incorrect.

Citing Bachorz v. Miller-Forslund, 703 F.3d 27, 32 (1st Cir. 2012), and Massachusetts authority, the court notes:

  • Waiver is indeed often a fact question, but it can be resolved on summary judgment if the relevant evidence is “clear, unequivocal and undisputed.”
  • Summary judgment turns on whether there is a “genuine” dispute of material fact—i.e., whether a rational factfinder could find for the nonmoving party based on the evidence, as articulated in Garside v. Osco Drug, Inc., 895 F.2d 46 (1st Cir. 1990), and Celotex Corp. v. Catrett, 477 U.S. 317 (1986).

Here, the facts relevant to waiver were undisputed:

  • The OEM gave Barracuda a contractual right (but not duty) to audit Fusion’s books and records, which Axis claimed included customer contracts.
  • Barracuda did not exercise this audit right with respect to Fusion’s customer contracts.
  • The OEM contained a clear anti-waiver provision.

With the facts fixed, the only question was a legal one: whether Barracuda’s silence and non-use of the audit right, in light of the anti-waiver provision, constituted waiver of the condition precedent. That is properly decided on summary judgment.

3. Waiver: Silence, Anti-Waiver Clauses, and the Need for Clear Intent

Under Massachusetts law, as summarized by the court:

  • A party can waive a condition precedent it benefits from, see American Title Insurance Co. v. East West Financial, 16 F.3d 449 (1st Cir. 1994);
  • But waiver requires an express or implied manifestation of intent to relinquish the right, such that there is “no other reasonable explanation” for the conduct, see KACT, Inc. v. Rubin, 819 N.E.2d 610, 616 (Mass. App. Ct. 2004);
  • The conduct must be “clear, decisive and unequivocal,” see Paterson-Leitch Co. v. Mass. Mun. Wholesale Elec. Co., 840 F.2d 985, 992 (1st Cir. 1988) (quoting D. Federico Co. v. Commonwealth, 415 N.E.2d 855 (Mass. App. Ct. 1981));
  • The burden of proving waiver lies with the party asserting it, see Dunkin’ Donuts v. Panagakos, 5 F. Supp. 2d 57, 61 (D. Mass. 1998).

Axis pointed only to:

  • Barracuda’s audit right under the OEM; and
  • Barracuda’s longstanding failure to exercise that right regarding Fusion’s customer contracts.

The court concludes this is insufficient as a matter of law. Relying on both Massachusetts cases and Williston on Contracts, the panel explains:

  • “Mere silence, acquiescence, or inactivity is insufficient to show a waiver of contract rights when there is no duty to speak or act.”
  • “Forbearance to assert or insist on a right does not, by itself, constitute a waiver.”

Critically, Barracuda held a right, not an obligation, to audit: it was free to choose whether to exercise that right. Its inaction is equally consistent with:

  • Preserving the right (and the condition precedent); or
  • Relinquishing it.

Because the conduct is equally consistent with both explanations, it cannot meet the “clear, decisive, and unequivocal” standard for waiver.

The OEM’s anti-waiver clause further undercuts Axis’s theory. While Massachusetts law (e.g., M.J.G. Props., Inc. v. Hurley, 537 N.E.2d 165 (Mass. App. Ct. 1989)) recognizes that anti-waiver provisions are not absolutely dispositive—parties can still waive rights despite such clauses—they are powerful evidence that the parties intended that inaction would not constitute waiver. Here, the anti-waiver clause aligns with, and reinforces, the conclusion that Barracuda’s non-use of its audit rights did not amount to a waiver.

Axis thus failed to carry its burden of showing waiver; summary judgment on that issue was proper.

4. Estoppel: No Duty to Speak, No Representation, No Reliance

Axis argued in the alternative that Barracuda should be estopped from invoking the condition precedent, because its failure to exercise its audit right supposedly led Fusion to believe that it was in compliance and to refrain from further changes to its customer contracts.

Under Massachusetts law, as stated in Bongaards v. Millen, 793 N.E.2d 335 (Mass. 2003), equitable estoppel requires:

  1. A representation intended to induce reliance;
  2. Reasonable reliance by the other party; and
  3. Detriment as a consequence of that reliance.

Axis tried to characterize Barracuda’s longstanding silence as a “representation” of compliance. But the court rejects this for a key reason: estoppel by silence exists only when the silent party had a legal duty to speak. The court cites Marsh v. S.M.S. Co., 194 N.E. 97 (Mass. 1935), for this proposition.

Here:

  • The OEM permitted Barracuda to audit but did not require it to do so;
  • Fusion, not Barracuda, was responsible for ensuring its own compliance with the OEM’s conditions.

Thus:

  • Barracuda had no duty to audit Fusion’s customer contracts; and
  • Silence in the absence of such a duty cannot amount to a representation or basis for estoppel.

Accordingly, Barracuda was not estopped from relying on the unmet condition precedent to defeat Axis’s breach-of-contract claim.

5. Practical Consequences for OEM/Reseller and Cybersecurity Contracts

The decision has several practical lessons for technology vendors, resellers, and their insurers:

  • Conditions precedent must be taken seriously.
    Resellers (like Fusion) that are required to propagate certain clauses (e.g., limitations of liability or indemnities) into customer contracts must actually do so if they want to preserve upstream contractual recourse. Failure can be fatal.
  • Audit rights are discretionary protections, not duties.
    A vendor’s failure to audit a reseller’s compliance does not typically waive contractual conditions, especially where an anti-waiver clause is present.
  • Anti-waiver clauses matter.
    While not absolutely conclusive, they strongly support the argument that silence and forbearance do not equal waiver.
  • Insurers cannot readily re-cast inaction as waiver or estoppel.
    Subrogated insurers pointing to long-term patterns of inaction will still need to show clear, unequivocal conduct or a duty to speak. Mere acquiescence is insufficient.

C. The Implied Covenant of Good Faith and Fair Dealing

1. Scope of the Covenant Under Massachusetts Law

Massachusetts law implies a covenant of good faith and fair dealing in every contract. As stated in Anthony’s Pier Four, Inc. v. HBC Associates, 583 N.E.2d 806 (Mass. 1991), the covenant ensures that:

“neither party shall do anything that will have the effect of destroying or injuring the right of the other party to receive the fruits of the contract.”

But the covenant has important limits:

  • It prevents one party from obstructing the other’s performance or undermining the benefits explicitly or implicitly promised in the contract.
  • It does not create new substantive rights or duties beyond the contract itself. As Ayash v. Dana-Farber Cancer Institute, 822 N.E.2d 667, 684 (Mass. 2005), and Uno Restaurants, Inc. v. Boston Kenmore Realty Corp., 805 N.E.2d 957, 964 (Mass. 2004), emphasize, the covenant “cannot be invoked to create rights and duties not otherwise provided for in the existing contractual relationship.”
  • Its scope is “only as broad as the contract that governs the particular relationship.” Ayash, 822 N.E.2d at 684.

The First Circuit also invokes Lohnes v. Level 3 Communications, Inc., 272 F.3d 49 (1st Cir. 2001), where the court found no breach of the covenant when the defendant was not contractually bound to provide a particular form of notice. The covenant could not manufacture that duty.

2. What Fusion Bargained For in the OEM—and What It Did Not

Applied to the OEM, the court notes:

  • The OEM primarily granted Fusion a non-exclusive license to market and resell Barracuda’s email services to Fusion’s customers.
  • The contract did not include:
    • Specific promises of indemnity or reimbursement to Fusion in the event of a data breach at Barracuda;
    • Detailed incident-response duties (e.g., particular timing, content, or format of breach notifications directed to Fusion); or
    • Contractual protections tailored to HIPAA or PHI, at least as to Fusion’s rights vis-à-vis Barracuda.

Fusion could, in theory, have negotiated for such clauses. But it did not.

Axis nonetheless attempted to use the implied covenant to argue that Barracuda:

  • Was slow in providing breach information;
  • Provided data in a “virtually unusable” format;
  • Interfered with Zoll’s investigators; and
  • Misrepresented details of the breach.

Axis characterized these as conduct depriving Fusion of the benefit of its bargain. The First Circuit disagrees. Because the OEM did not entitle Fusion to specific breach-related rights, the covenant cannot be used to retrofit such rights after the fact. As the court observes, the implied covenant cannot “substitute for [Fusion’s] failure to negotiate” such terms.

3. Why Axis’s Evidence Does Not Show a Breach of the Covenant

Even assuming arguendo that Fusion had some contractually based expectations post-breach, the court examines Axis’s factual allegations and finds them wanting.

  • Conduct directed at Zoll, not Fusion.
    Most of Axis’s allegations (slow information, interference with investigators, misrepresentation) concern Barracuda’s dealings with Zoll. But:
    • Barracuda had no contract with Zoll; and
    • The implied covenant only governs conduct within a contractual relationship.
    Conduct toward a third party cannot, by itself, demonstrate a breach of the covenant owed to Fusion.
  • JSON format of data.
    Axis also claimed that Barracuda provided breach data in a “virtually unusable format”—JSON. But Fusion’s own witnesses testified that:
    • They did not request the data in any alternative format;
    • It was “not difficult” to decode; and
    • JSON was standard for that type of data.
    On this record, providing data in JSON neither frustrated Fusion’s ability to resell services nor destroyed Fusion’s entitlement to the fruits of the OEM. It is not evidence of bad faith.

The court concludes that Barracuda’s actions did not frustrate the OEM’s central purpose—enabling Fusion to market and resell Barracuda’s email services. Absent a contractual right to specific breach-handling protections, there is no basis for a covenant claim.

4. Practical Lessons for Cyber and Cloud Contracts

The decision underscores a recurring theme:

  • If a reseller or service integrator wants specific breach-related rights—timely and tailored incident reporting, cooperation, format and structure of data exports, indemnification for regulatory or class-action exposure—those must be expressly negotiated and written into the contract.
  • The implied covenant will not retroactively supply such protections merely because a breach occurs and the relationship is complicated or high-stakes.
  • Conduct that might look “unhelpful” or “uncooperative” in a crisis is not automatically a breach of good faith unless it impairs a contractual right or undermines the express fruits of the agreement.

For insurers, the case serves as a caution against attempting to stretch the implied covenant to create coverage-aligned outcomes when the underlying contracts are silent or unfavorable.

V. Complex Concepts Simplified

For ease of reference, this section translates key legal concepts used in the opinion into more accessible terms.

1. Equitable (Common-Law) Indemnity

Equitable indemnity allows a party who did nothing wrong but was held liable because of another’s act (e.g., an employer liable for an employee’s negligence) to recover from that other, truly at-fault party.

In Massachusetts, this is strictly limited to situations where:

  • The indemnitee is legally responsible for another’s conduct (vicariously or derivatively); and
  • A recognized relationship (employer–employee, principal–agent, manufacturer–retailer, etc.) justifies that responsibility.

2. Vicarious or Derivative Liability

Vicarious liability is when the law makes you liable for someone else’s wrongful act, not because you personally did anything wrong, but because of your legal relationship to that person. Examples:

  • An employer is liable when an employee injures someone in the course of employment.
  • A principal is liable for actions taken by an agent within the scope of the agency.

This is different from merely being causally affected by someone else’s conduct.

3. Independent Contractor vs. Employee

  • An employee is controlled in detail by the employer (tasks, methods, hours), and the employer is usually vicariously liable for the employee’s negligence.
  • An independent contractor has more autonomy in how work is done. The hiring party typically is not vicariously liable for the contractor’s negligence, subject to limited exceptions.

Here, the contracts labeled Fusion and Barracuda (and their relationships with Zoll) as independent contractors, not employees or agents. That labeling, together with the actual structure, undercut any claim of vicarious liability.

4. Condition Precedent

A condition precedent is something that must happen before a party’s contractual duty arises. If the condition is not met, the duty never kicks in.

In this case:

  • The OEM required Fusion to include certain limitation-of-liability and indemnification clauses in its customer contracts.
  • Fusion did not do so in its contract with Zoll.
  • Therefore, Barracuda’s corresponding obligations conditioned on that inclusion were never triggered.

5. Waiver

Waiver is when a party voluntarily gives up a known contractual right. Under Massachusetts law:

  • It can be express (stated clearly) or implied (shown by conduct);
  • But implied waiver must be proven by clear, decisive, and unequivocal conduct indicating an intent to relinquish the right.

Simply not enforcing a right, especially when there is no duty to enforce it, usually does not amount to waiver—especially when the contract explicitly says that inaction does not waive rights (an anti-waiver clause).

6. Estoppel

Estoppel prevents someone from asserting a right if:

  1. They made a representation (sometimes by conduct) that induced the other party to rely on it;
  2. The other party reasonably relied on that representation; and
  3. The other party suffered harm because of that reliance.

Estoppel by silence arises only where the silent party had a duty to speak. If there was no such duty, silence is not a representation, and estoppel does not apply.

7. Anti-Waiver Clause

An anti-waiver clause states that a party’s failure or delay in enforcing any right does not mean it has waived that right. Such clauses are not absolute shields, but they strongly support the argument that sporadic or prolonged inaction does not waive terms of the contract.

8. HIPAA Business Associate Agreement (BAA)

A BAA is a contract under HIPAA between a covered entity (such as a healthcare provider) and a “business associate” (a contractor that handles PHI). It requires the associate to:

  • Safeguard PHI; and
  • Ensure its own subcontractors with access to PHI follow similar safeguards.

Importantly, the BAA in this case was between Zoll and Fusion. There was no evidence Fusion required Barracuda to sign a comparable agreement directly. Nor did the BAA, by itself, create a direct legal relationship between Zoll and Barracuda adequate to support equitable indemnity.

9. JSON Format

JSON is a commonly used, machine-readable data format. In this case, Barracuda provided breach-related data in JSON. Fusion’s witnesses said the format was standard and not difficult to decode. That undercut Axis’s claim that providing JSON was evidence of bad faith or of depriving Fusion of any contractual “fruit.”

10. Summary Judgment

Summary judgment is a procedural device that allows a court to decide a case (or part of it) without trial if:

  • There is no genuine dispute of material fact; and
  • The moving party is entitled to judgment as a matter of law.

The nonmoving party must show enough evidence on each essential element of its claim such that a reasonable jury could rule in its favor. Unsupported assertions in briefs, or disputes that are not material to the legal issue, do not prevent summary judgment.

VI. Broader Impact and Future Directions

The First Circuit’s opinion is important not only as a resolution of the parties’ dispute but as guidance for future litigation and contracting in the data-security and IT-services space.

1. Narrow Path for Equitable Indemnity in Data-Breach Chains

Entities that directly face consumer or patient claims after a data breach—such as healthcare providers, financial institutions, or consumer-facing technology firms—cannot assume that they will be able to shift their loss to upstream or downstream vendors under equitable-indemnity theories. Unless their liability to the plaintiff is clearly vicarious and arises from a recognized relationship, Massachusetts law provides no indemnity right, regardless of the technical origin of the breach.

    Insurers and risk managers should accordingly focus on:

    • Drafting robust contractual indemnities;
    • Ensuring vertical alignment of cybersecurity obligations through the chain; and
    • Tracking the contractual relationships sufficiently to identify entities with whom direct contractual risk allocation is necessary.

    2. Contract Design: Conditions, Audit Rights, and Anti-Waiver Provisions

    From a drafting perspective, the decision underscores:

    • The enforceability of conditions precedent where a party’s rights depend on the other side adopting particular customer-facing clauses.
    • The protective value of audit rights as tools (not duties) for monitoring compliance, without converting non-enforcement into waiver.
    • The utility of anti-waiver clauses to avoid arguments that routines of inaction or lenient practice have silently modified contract rights.

    At the same time, vendors should recognize that a deliberate, documented pattern of ignoring or contradicting contractual terms could, in other contexts, still support waiver or estoppel, despite an anti-waiver clause. The present case simply confirms that mere inaction, in a setting with no duty to act, is not enough.

    3. The Limited Role of the Implied Covenant in Cyber Incidents

    Post-breach disputes often feature claims that counterparties failed to act cooperatively, transparently, or quickly. This decision reinforces that:

    • The implied covenant of good faith is not a default “best practices” clause for data-breach response.
    • It protects only those rights and expectations that can reasonably be derived from the explicit contract.
    • Absent express language, courts will hesitate to read in obligations such as:
      • Providing data in a specific format;
      • Engaging with third-party investigators on behalf of another party’s customer; or
      • Indemnifying against downstream litigation.

    The message is clear: entities must contract for the incident-response behavior they want, rather than rely on broad notions of good faith to fill in the gaps later.

    VII. Conclusion

    Axis Insurance Co. v. Barracuda Networks, Inc. reinforces several key principles of Massachusetts law and applies them in a modern cybersecurity context:

    • Equitable indemnity remains tightly relationship-based.
      A party cannot obtain indemnity merely because it is “blameless” and suffered loss due to another’s wrongdoing. There must be a recognized vicarious-liability relationship (such as employer–employee or principal–agent) linking the parties.
    • Silence and non-use of a discretionary audit right do not constitute waiver.
      Where a party has a right (not a duty) to audit, its failure to exercise that right, particularly in the presence of an anti-waiver clause, does not waive conditions precedent or support estoppel absent a duty to speak.
    • The implied covenant of good faith and fair dealing cannot re-write cybersecurity risk allocation.
      It ensures that each party receives the benefit of its bargain, but it does not supply unbargained-for data-breach response rights or indemnities. Alleged “uncooperative” behavior must be measured against actual contractual rights.

    For parties structuring complex IT and data-security arrangements—and for insurers underwriting them—the opinion is a pointed reminder that formal legal relationships and explicit contract terms, not broad equitable doctrines, ultimately control who bears the financial brunt of a data breach.

    Case Details

    Year: 2025
    Court: Court of Appeals for the First Circuit
