Trustwave Holdings v. Beazley Ins. Co.

• Decision Date: 30 September 2019
• Docket Number: C.A. No. N18C-06-162 PRW CCLD
• Parties: TRUSTWAVE HOLDINGS, INC. Plaintiff, v. BEAZLEY INSURANCE COMPANY, INC., and LEXINGTON INSURANCE COMPANY Defendants. BEAZLEY INSURANCE COMPANY, INC., and LEXINGTON INSURANCE COMPANY Counter-Plaintiffs/Third-Party Plaintiffs, v. TRUSTWAVE HOLDINGS, INC., TRUSTWAVE CORPORATION, and AMBIRONTRUSTWAVE, LTD. Counter-Defendants/Third-Party Defendants.
• Court: Superior Court of Delaware

TRUSTWAVE HOLDINGS, INC. Plaintiff, v. BEAZLEY INSURANCE COMPANY, INC.,and LEXINGTON INSURANCE COMPANY Defendants.

BEAZLEY INSURANCE COMPANY, INC.,and LEXINGTON INSURANCE COMPANY Counter-Plaintiffs/Third-Party Plaintiffs, v. TRUSTWAVE HOLDINGS, INC.,

TRUSTWAVE CORPORATION,

and AMBIRONTRUSTWAVE, LTD. Counter-Defendants/Third-Party Defendants.

C.A. No. N18C-06-162 PRW CCLD

SUPERIOR COURT OF THE STATE OF DELAWARE

Submitted: June 27, 2019

September 30, 2019

Upon Counter-Defendant and Third-Party Defendants' Motion to Dismiss, GRANTED, in part, and DENIED, in part.

MEMORANDUM OPINION AND ORDER

Jody Barillare, Esquire (argued), Beth Herrington, Esquire (pro hac vice), Zachary Ryan Lazar, Esquire (pro hac vice), Morgan, Lewis & Bockius, LLP, Wilmington, Delaware, Attorneys for Plaintiff.

Michael C. Heyden, Esquire (argued), Scott Schmookler (pro hac vice), Gordon Rees Scully Mansukhani, LLP, Wilmington, Delaware, Attorneys for Defendants.

WALLACE, J.

I. INTRODUCTION

Plaintiff Trustwave Holdings, Inc. brings this declaratory judgment action against Defendants Beazley Insurance Company, Inc., and Lexington Insurance Company (together with Beazley, "Insurers"), seeking the Court's pronouncement that Trustwave has no obligation to indemnify the Insurers in connection with the Insurers' payment to a non-party insured, Heartland Payment Systems, with whom Trustwave was contracted to provide cyber security risk assessment services. The Insurers' payment related to a substantial data breach that Heartland sustained in 2009, and Heartland's consequent liability to other nonparties.

The Insurers answered the Complaint, and filed Counterclaims against Trustwave, as well as Third-Party Claims against Trustwave Corporation, and AmbironTrustwave, Ltd. (collectively with Trustwave Holdings and Trustwave Corporation, the "Trustwave Entities"),¹ alleging that Trustwave Entities provided inadequate services and asserting a total of eighteen claims in five causes of action: Breach of Contract, Breach of Express Warranty, Negligent Misrepresentation, Gross Negligence, and Indemnification.

Now before the Court is Trustwave Entities' Motion to Dismiss the Insurers' Counterclaims and Third-Party Claims. Trustwave Entities argue all Insurers' claims are barred by the statute of limitations, that their Gross Negligence claims fail to state a claim, and that their Breach of Express Warranty claims are duplicative of their contract claims.

II. FACTUAL AND PROCEDURAL BACKGROUND

Because of the current procedural posture, the Court herein summarizes the facts as averred in the Insurers' Answer, Counterclaims, and Third-Party Claims.

A. THE PARTIES.

Trustwave Entities are in the business of inspecting, certifying, and validating clients' adherence to certain data security regulations—the so-called Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures ("PCI DSS"). Specifically, Trustwave Entities assess the security risks of customers' networks and systems, recommend security control measures, determine compliance with PCI DSS, and issue certificates of compliance accordingly.² Certification of PCI DSS compliance is a commercial necessity for companies like Heartland that process electronic payment transactions.

Between 2005³ and 2007, Heartland engaged Trustwave Entities to provide periodic evaluations, certifications and reports regarding PCI DSS compliance and cybersecurity.⁴ The engagement was memorialized through two agreements: the "Trustwave Preferred Sales Agent Agreement" dated February 18, 2005 (the "2005 Agreement"), and the Compliance Validation Services Agreement and its Addendum dated December 17, 2007 (the "2007 Agreement").⁵

Under those agreements, Trustwave Entities tested and assessed the security and vulnerability of Heartland's systems and networks. After each test, Trustwave Entities issued a report certifying that Heartland's systems were compliant with PCI DSS standards.⁶

B. 2009 DATA BREACH AND SETTLEMENTS OF LITIGATIONS.

In January 2009, Heartland discovered a serious security breach that had resulted in the theft and exfiltration of approximately 100 million credit and debit card numbers issued by more than 650 financial service companies (the "2009 DataBreach").⁷ The breach was caused by code maliciously installed on Heartland's payment processing systems; those systems collect cardholders' information.⁸ Code making Heartland's systems vulnerable to the malware was installed in 2007. The malware itself was installed in 2008.⁹ Both the vulnerability and the malware rendered Heartland's systems noncompliant with PCI DSS, but Trustwave Entities improperly certified the compliance of Heartland's affected systems while performing services pursuant to their contractual relationship.¹⁰

Following the 2009 Data Breach, various federal and state agencies, credit card brands,¹¹ financial institutions, and consumers brought a number of individual and class action claims against Heartland.¹² Many of those claims were ultimately consolidated in the Southern District of Texas (the "Multi-District Litigation").¹³The Multi-District Litigation eventually resolved on March 3, 2015, when the action was dismissed with prejudice.¹⁴

Visa, one of Heartland's customers, had detected and suspected Heartland's systems' security prior to the 2009 Data Breach.¹⁵ Visa retained Verizon Business, a third-party consulting firm, to conduct an investigation to evaluate Heartland's systems. Verizon Business issued its investigative report on February 21, 2009.¹⁶

After the 2009 Data Breach, Heartland reached settlement agreements with Visa for $60 million on January 7, 2010, and MasterCard (another Heartland customer) for $41.4 million on May 19, 2010.¹⁷

Including these settlements, the Multi-District Litigation, and all other litigation and settlements related to the 2009 Data Breach, Heartland incurred losses of more than $148 million in claims, attorney's fees, costs, and other expenses.¹⁸

C. THE INSURANCE PAYMENT AND THIS ACTION ENSUES.

Heartland was insured by Beazley and Lexington. Lexington was the primary insurer with a policy limit of $20 million; Beazley provided excess insurance of $10 million.¹⁹ Following the 2009 Data Breach, Beazley and Lexington reimbursed Heartland for their respective full policy limits, i.e., a total of $30 million, by the end of 2010.²⁰ Each of them entered into a release agreement (collectively, the "Release Agreements") with Heartland, pursuant to which Heartland fully and finally released Insurers from all potential costs and liabilities in connection with the 2009 Data Breach, while the Insurers paid Heartland $30 million in accordance with policy limits.²¹

In February of 2018, counsel for the Insurers demanded indemnification of $30 million (the total amount reimbursed to Heartland) from Trustwave based on Trustwave's allegedly inadequate service in assessing the security risks of Heartland's systems during 2007 and 2008.²²

Four months later, in June 2018, Trustwave brought this action for a declaration that Trustwave is not liable to indemnify the Insurers. The Insurers initially sought to dismiss or stay the action on jurisdictional grounds.²³ They later voluntarily withdrew that motion,²⁴ and filed an Answer with Affirmative Defenses, Counterclaims, and a Third-Party Complaint ("Counterclaims and Third-Party Claims") against Trustwave Entities.²⁵ Those claims' filing date is deemed to be February 23, 2018.²⁶

Now before the Court is Trustwave Entities' Motion to Dismiss the Counterclaims and Third-Party Claims.²⁷

D. STANDARD OF REVIEW

"'A defense predicated on a statute of limitations may be brought by motion to dismiss when the complaint itself shows that the action was not brought within the statutory period.'"²⁸ Superior Court Civil Rule 12(b)(6) provides that one ondefense to any action—be it initiating, counter, or third-party—may bring a motion to dismiss if the complaint invoking that action fails "to state a claim upon which relief can be granted."²⁹ On a motion to dismiss, the Court must:

(1) accept all well-pleaded factual allegations as true,

(2) accept even vague allegations as "well pleaded" if they give the opposing party notice of the claim,

(3) draw all reasonable inferences in favor of the non-moving party, and

(4) [not dismiss the claims] unless the non-moving party would not be entitled to recover under any reasonably conceivable set of circumstances.³⁰

If the Court determines the complainant may recover after engaging that form of review, then the Court must deny the motion to dismiss.³¹

III. DISCUSSION

As a threshold matter, the parties do not dispute that all eighteen of the Insurers' Counterclaims and Third Party Claims are subject to Delaware's statute of limitations.³² Accordingly, the Court applies Delaware law.

Relying on Delaware's statute of limitations, Trustwave Entities seek to dismiss the Counterclaims and Third-Party Claims in their entirety, arguing that they are time-barred and no tolling exceptions apply. According to Trustwave Entities, the Insurers reimbursed Heartland and entered the Release Agreements in 2010, but sat silently and waited for nine years before asserting their claims, while not once notifying Trustwave Entities during the pendency of the several litigations that arose from the 2009 Data Breach.³³

The Insurers insist that the statutes of limitations were tolled by the Multi-District Litigation, and their claims did not accrue until that action was finally resolved on March 3, 2015. Thus, they say, their February 2018 Counterclaims and Third-Party Claims are timely.³⁴

Delaware has a three-year statute of limitations for both tort and contract claims.³⁵ Accrual of either generally begins at the time of the "wrongful act," which itself varies depending on the kind of claim:

For breach of contract claims, the wrongful act is the breach, and the cause of action accrues at the time of breach. For tort claims, the wrongful act is a

...