October 30, 2013
FIRST BANK OF DELAWARE, INC., Plaintiff,
FIDELITY AND DEPOSIT COMPANY OF MARYLAND, Defendant.
Submitted: September 23, 2013
Lisa C. McLaughlin, Esquire, Phillips, Goldman & Spence, P.A., William J. Carter, Esquire (argued), Kelly M. Lippincott, Esquire, Carr Maloney P.C., Attorneys for Plaintiff.
William R. Firth, III, Esquire, Anthony R. Twardowski, Esquire (argued), Philip A. Magen, Esquire, Zarwin, Baum, DeVito, Kaplan, Schaer & Toddy, P.C., Attorneys for Defendant.
Mary M. Johnston, Judge
Plaintiff First Bank of Delaware ("First Bank") filed this suit on August 26, 2011. First Bank alleges two counts of breach of contract. First Bank's claims arise from Defendant Fidelity and Deposit Company of Maryland's ("Fidelity") denial of coverage for assessments First Bank paid to Visa and to MasterCard.
The parties filed cross-motions for summary judgment on June 28, 2013. First Bank moves for summary judgment on the grounds that its losses were covered under Section 4 (Electronic Risk Liability) of the insurance policy it purchased from Fidelity. Fidelity moves for summary judgment on the grounds that the policy does not cover First Bank's losses under Section 3 (Entity Liability) or Section 4 (Electronic Risk Liability). This case originally was scheduled for trial on September 23, 2013. The parties agreed to have the case resolved by dispositive motions.
The primary issue in this case is whether First Bank's insurance policy provides coverage for losses incurred in connection with a data breach incident. Fidelity issued the D & O SelectPlus Insurance Policy ("Policy") to First Bank for the period from April 19, 2009 to April 19, 2010. Fidelity denied coverage for the losses under both Section 3 (Entity Liability) and Section 4 (Electronic Risk Liability).
First Bank provides various banking services, including debit card transaction processing. First Bank entered into contracts with Visa and MasterCard on May 17, 2005 and June 30, 2005, respectively, to provide debit card transaction processing services. These agreements designated First Bank as a principal member of the Visa and MasterCard networks. As a principal member, First Bank was required to comply with all Visa and MasterCard operating rules. First Bank was required by both Visa and MasterCard to ensure its agents and merchants were in compliance with the Payment Card Industry Data Security Standard ("PCI DSS").
First Bank had a relationship with a company then known as Transend, LLC ("Transend") for certain card transactions. Transend had a similar relationship with Data Access Systems ("DAS"). Transend introduced First Bank to DAS. First Bank provided DAS with access to the Visa and MasterCard networks.
To access the networks, DAS needed both a "switch" and a Bank Identification Number ("BIN"). "Switch" is an industry term for a computer system capable of routing transactions through the respective networks from one financial institution member to another for card authorization, account debiting, transferring funds, and payment. DAS owned and operated a switch. First Bank provided DAS with First Bank's BIN. DAS used First Bank's BIN to access the VISA and MasterCard networks and complete card transactions. First Bank could not process the transactions without DAS's computer system, and DAS could not access the Visa and MasterCard networks without First Bank's BIN.
First Bank was liable for any losses or expenses caused by its agents under the Visa and MasterCard agreements designating First Bank as a principal member of the networks. First Bank's agreements with the two credit card companies also stated that principal members would be held liable for any transactions arising from the use of the BINs.
DAS's web server terminal was hacked on or about May 17, 2008. The hackers gained access to debit card numbers and the corresponding personal identification numbers. Millions of dollars of unauthorized withdrawals were taken from customer accounts as a result of the data breach. DAS hired VeriSign, a computer forensics firm, to investigate the hacking. VeriSign concluded that DAS was not in compliance with PCI DSS, the security standard required by the Visa and MasterCard agreements.
Visa notified First Bank by letter on October 30, 2009 of First Bank's Account Data Compromise Recovery ("ADCR") liability in connection with the data breach incident. The ADCR was separated into two categories, Operating Expenses and Magnetic Stripe Counterfeit Fraud. Operating Expenses are "those expenses associated with things like blocking or monitoring or reissuing cards that were compromised." Visa assessed against First Bank a $151,539.20 charge for Operating Expenses. Magnetic Stripe Counterfeit Fraud "compensates issuers for a portion of their fraud losses and assesses the acquirer that's involved." Visa assessed against First Bank $1,236,839.99 for Magnetic Stripe Counterfeit Fraud. First Bank paid both of these amounts in full.
MasterCard notified First Bank on January 25, 2010 of an issuer cost reimbursement assessment of $88,216. This assessment is for "reimbursements to issuers whose cards were involved in a data compromise event for additional costs the issuer suffered related to special monitoring for fraud or reissuing cards." MasterCard notified First Bank on July 15, 2009 of a $100,000 non-compliance assessment. First Bank was issued the non-compliance assessment for violating MasterCard Rule 5.10, requiring proper security for stored account data. The non-compliance assessment amount is not part of this case. Both parties agree it is excluded from coverage. First Bank paid both of the MasterCard assessments.
Fidelity denied coverage for the MasterCard assessments on July 23, 2010. Fidelity denied coverage for the Visa assessments on January 12, 2011. First Bank contends in its Complaint that the Visa and MasterCard assessments are covered under either Section 3 (Entity Liability) or Section 4 (Electronic Risk Liability). First Bank moves for summary judgment under Coverage Section 4. Fidelity contends that First Bank's losses are not covered by the Policy because the assessments do not meet the precise language in the Policy definitions. In the event the Court finds that the assessments are covered under the language in the Policy, Fidelity contends that Policy exclusions bar coverage.
First Bank filed this action, asserting two counts of breach of contract as a result of Fidelity's denial of coverage. First Bank seeks monetary damages as well as attorneys' fees and costs associated with the investigation of the Visa and MasterCard losses and prosecution of this action. First Bank and Fidelity filed cross-motions for summary judgment on June 28, 2013. The Court heard argument on the motions on September 23, 2013. This is the Court's opinion on these motions.
STANDARD OF REVIEW
Motion for Summary Judgment
Summary judgment is granted only if the moving party establishes that there are no genuine issues of material fact in dispute and judgment may be granted as a matter of law. All facts are viewed in a light most favorable to the non-moving party. Summary judgment may not be granted if the record indicates that a material fact is in dispute, or if there is a need to clarify the application of law to the specific circumstances. When the facts permit a reasonable person to draw only one inference, the question becomes one for decision as a matter of law. If the non-moving party bears the burden of proof at trial, yet "fails to make a showing sufficient to establish the existence of an element essential to that party's case," then summary judgment may be granted against that party.
Where the parties have filed cross-motions for summary judgment, and have not argued that there are genuine issues of material fact, "the Court shall deem the motions to be the equivalent of a stipulation for decision on the merits based on the record submitted with the motions." If there is any genuine issue of material fact, neither party's motion will be granted. In the absence of a genuine issue of material fact, one of the parties is entitled to judgment as a matter of law.
The parties agree that if coverage exists under Section 4 of the Policy, there can be no coverage under Section 3. Section 3 bars coverage for any entity claim made against First Bank "for any electronic publishing wrongful act or arising from a loss event as defined in Coverage Section 4."
In an insurance coverage action, the insured has the burden to prove that the insurance policy's provisions cover the claimed loss. The burden then shifts to the insurer to prove that an exclusion applies. Finally, the burden shifts back to the insured to prove an exception to the exclusion applies.
Relevant Section 4 Provisions
First Bank moves for summary judgment under Section 4 (Electronic Risk Liability) of the Policy. Section 4.1 provides:
The Insurer will pay on behalf of the Insured all loss resulting from any electronic risk claim first made against the Insured during the policy period or the extended reporting period, if applicable, (1) for an electronic publishing wrongful act or (2) that arises out of a loss event.
Section 4.III(G)(1) of the Policy defines "Electronic Risk Claim" as "a written demand for monetary damages or nonmonetary relief." Section 4.III(L)(1) defines a "Loss Event" as including "any unauthorized use of, or unauthorized access to electronic data or software with a computer system." Section 4.III(B) defines a "Computer System" as:
(1) computers with related peripheral components, including storage components wherever located;
(3) terminal devices; and
(4) related communication networks including the internet, used by the Company or used to transact business on behalf of the Company.
Contentions of the Parties
First Bank's Motion for Summary Judgment focuses exclusively on First Bank's right to coverage under Section 4. First Bank contends that Fidelity is in breach of contract by denying coverage of the Visa and MasterCard assessments under Section 4. First Bank contends that Section 4 covers the Visa assessments of $151,539.20 for Operating Expenses and $1,236,839.99 for Magnetic Stripe Counterfeit Fraud, as well as the MasterCard issuer cost reimbursement assessment of $88,216. First Bank argues that the DAS computer system was used to transact business on behalf of First Bank, as required by the Policy language.
Fidelity contends that First Bank's losses are not Electronic Risk Claims because the losses do not arise from a "Loss Event" as defined in the Policy. A defined "Loss Event" requires that a Computer System be used "to transact business on behalf of" First Bank. Fidelity contends that the DAS computer system in which the data breach occurred was not used to transact business on behalf of First Bank and therefore the associated losses are not covered under Section 4.
Electronic Risk Claim
An Electronic Risk Claim, as defined in the Policy, includes "a written demand for monetary damages or nonmonetary relief." Visa notified First Bank by letter dated October 30, 2009, of First Bank's Account Data Compromise Recovery ("ADCR") liability of $1,388,379.19 for failure to comply with Visa's Rules and Regulations. The Visa Bylaws provide that to "sponsor" a member means "to assume responsibility for that member's performance or non-performance in accordance with the Certificate of Incorporation, Bylaws and Operating Regulations." A "sponsored member" is defined as "any member whose right to participate in the Corporations Payment System is pursuant to the sponsorship of another member . . . ."
DAS accessed the Visa network through First Bank's BIN, creating a sponsor relationship. It is undisputed that both Visa and MasterCard required sponsored members to be in compliance with PCI DSS. It is also undisputed that First Bank failed to ensure that DAS was compliant. The Court finds that the Visa assessment of $1,388,379.19 meets the first requirement as an Electronic Risk Claim under the Policy definition because the assessment is a written demand for monetary damages.
MasterCard notified First Bank by letter dated January 25, 2010 of an issuer cost reimbursement assessment of $88,216. Under the terms of the MasterCard agreement, First Bank is a "Class A Member" that can allow others to participate indirectly in the MasterCard system as "Affiliate Members." MasterCard Rule 3.2.2 requires a Class A Member that sponsors an Affiliate Member to ensure that the Affiliate Member complies with all applicable standards. The Class A Member is liable under Rule 3.2.2 for compliance failures of the Affiliate Member. The January 25, 2010 notification states that the assessment will be debited from First Bank's account on February 14, 2010. The Court finds that the MasterCard assessment of $88,216 also meets the initial qualification as an Electronic Risk Claim under the Policy definition.
For purposes of this case, to be covered under the Policy, the Electronic Risk Claim must have arisen out of a "Loss Event." The Policy defines "Loss Event" as including "any unauthorized use of, or unauthorized access to electronic data or software with a computer system." A "Computer System" must have been "used by the Company or used to transact business on behalf of the Company." The ultimate issue is whether the computer system was used "on behalf of" First Bank.
The data breach giving rise to this suit originated with DAS's web server terminal, which was hacked on or around May 17, 2008. It is uncontested that First Bank does not own DAS's web server terminal.
First Bank contends that DAS's computer system was used to transact business on First Bank's behalf. First Bank's business included earning revenue from the card transactions processed through its BINs. Because First Bank did not own a "switch," the only way First Bank could transact its Visa and MasterCard card processing business was through the computer systems of third parties with whom it shared its BINs.
Fidelity contends that DAS's computers were not used "on behalf of" First Bank. Fidelity argues that DAS processed the Visa and MasterCard transactions on behalf of DAS itself, its customer merchants, and Transend (with whom DAS had a contract). Fidelity supports its argument with three main points: (1) that First Bank has not provided a written agreement to explain what DAS did on behalf of First Bank; (2) that First Bank was not provided any services by DAS; and (3) that First Bank's relationship with DAS was indirect, through Transend. Fidelity clarified at oral argument that a formal agreement between First Bank and DAS is not required, but contends that the lack of an agreement supports Fidelity's position.
An insurance contract is "interpreted in a common sense manner, giving effect to all provisions so that a reasonable policyholder can understand the scope and limitation of coverage." "When the language of an insurance contract is clear and unequivocal, a party will be bound by its plain meaning." "'On behalf of' is generally understood to mean conducting oneself to benefit or support another party or acting in the interest of or as the representative of another party."
The Court finds that DAS's computers were used to transact business on behalf of First Bank. DAS's computers were used to conduct card transactions. Part of First Bank's business is earning fees through card transactions. When a card transaction is processed through a member bank's BIN, the member receives a fee. First Bank earned a portion of its non-interest income from the fees associated with its membership in the Visa and MasterCard networks. In First Bank's relationship with DAS, DAS's computer system and First Bank's BIN were both required for either party to benefit from the card transactions. The Court finds that DAS's computer system performing card transactions with First Bank's BIN qualifies as transacting business on behalf of First Bank.
The Court does not read the phrase "on behalf of" to require that DAS's computer system be used to primarily benefit First Bank. The Court finds that DAS's computer system was used to benefit multiple parties, including First Bank.
First Bank, as the insured party, has the burden to show coverage exists under the Policy. The Court finds that First Bank has met its initial burden of proving that coverage exists under Section 4. First Bank's losses qualify as Electronic Risk Claims. First Bank's Electronic Risk Claims arose out of the Loss Event of unauthorized access or use of electronic data. The relevant Computer System was used to transact business on behalf of First Bank.
Section 4 Exclusion M
Section 4 contains a list of exclusions from coverage. Exclusion M provides that the Insurer shall not be liable for any claim against the insured "based upon or attributable to or arising from the actual or purported fraudulent use by any person or entity of any data or in any credit, debit, charge, access, convenience, customer identification or other card, including, but not limited to the card number."
Fidelity, as the insurer, bears the burden to prove the elements of the Policy exclusion. If Fidelity meets this burden, the burden shifts to First Bank, the insured, to prove that an exception to the exclusion applies.
Fidelity contends Exclusion M applies and therefore Fidelity is not liable for First Bank's losses. Fidelity argues that the Visa and MasterCard assessments are excluded from coverage because the assessments arise from the fraudulent use of data by the hackers. Fidelity supports this argument by citing Pacific Insurance Company v. Liberty Mutual Insurance Company.
Pacific Insurance involved an insurance dispute resulting from two separate railroad crossing accidents. Two wrongful death suits were filed, which later settled, but a coverage dispute remained. James Julian, Inc. ("Julian"), the construction company, purchased insurance policies from Liberty Mutual Insurance Company ("Liberty"). The insurance policies provided coverage for additional organizations named by Julian, "but only with respect to liability arising out of [Julian's] operations." Consolidated Rail Corporation ("Conrail"), a railroad owner and operator, was insured under the Liberty policies. The issue before the Court was "whether the coverage Conrail seeks is based on liability arising out of Julian's operations." The Delaware Supreme Court interpreted the phrase "arising out of" to require "some meaningful linkage between the two conditions imposed in the contract," and noted that the phrase should be broadly construed. The Delaware Supreme Court found that because one theory in the complaints alleged "a meaningful linkage between Julian's operations and Conrail's liability," the requirement that the liability must arise out of Julian's operations was satisfied.
Fidelity argues that there is a meaningful link between the hackers' fraudulent use of the breached data and the Visa and MasterCard assessments. DAS's computer system was breached, and the data obtained was fraudulently used to make unauthorized withdrawals. Visa and MasterCard incurred costs associated with this fraudulent use of credit cardholder data. First Bank assumed liability for these costs in its agreements with Visa and MasterCard. Fidelity concludes that the Visa and MasterCard assessments arise from the fraudulent use of data as contemplated by Exclusion M. Therefore, Fidelity is not liable for these losses.
The Court finds that Fidelity met its initial burden of proving that Exclusion M applies. The Court is satisfied that the fraudulent use of data and subsequent Visa and MasterCard assessments are meaningfully linked in a way that qualifies as "arising from" under Exclusion M.
While Fidelity argues that the assessments arose from the fraudulent use of data, First Bank argues that the assessments are based on First Bank's failure to ensure that DAS was PCI DSS compliant. The Court finds that First Bank's failure to ensure PCI DSS compliance may qualify as a parallel basis for the assessments.
Fidelity has met its initial burden of demonstrating that Exclusion M applies. Therefore, the burden shifts back to First Bank to prove that an exception to the exclusion applies. First Bank contends that Exclusion M does not apply because: (1) Exclusion M is unintelligible and ambiguous; and (2) application would render coverage illusory.
The principles of insurance policy interpretation differ depending on whether the language in the policy is clear or ambiguous. "A court should read policy provisions so as to avoid ambiguities, if the plain language of the contract permits." "Where the language of an insurance policy is clear and unequivocal, the parties are to be bound by its plain meaning." Where the language in an insurance policy is ambiguous, it is construed in favor of the insured. Ambiguous policy language is construed strongly against the insurer because the insurer drafted the policy language at issue. Delaware courts have held that an insurance policy is ambiguous when it is "reasonably or fairly susceptible of different interpretations or may have two or more different meanings." However, an "insurance contract is not ambiguous simply because the parties do not agree on its proper construction."
First Bank contends that Exclusion M does not apply because it is unintelligible and ambiguous. At issue is the use of the word "or" between the clause ending with "of any data" and the clause beginning with "in any credit." First Bank argues that this sentence construction creates ambiguity as to what is and what is not covered under the Policy. First Bank argues that this ambiguity should be construed against the insurer as the drafter of the Policy.
The Court finds that Exclusion M is somewhat unclear grammatically. Nevertheless, it is clear that the first half of the clause — "based upon or attributable to or arising from the actual or purported fraudulent use by any person or entity of any data" — is intended to exclude the "fraudulent use" of data, however fraud occurs. For purposes of resolving the issues raised in this case, the Court can focus on the first half of the clause because the "or" is disjunctive.
The Court finds that Exclusion M cannot reasonably be interpreted to have a meaning other than excluding the fraudulent use of data. The Court finds that in the context of this case, no relevant ambiguity exists in Exclusion M. In the absence of ambiguity, a policy provision is given its plain meaning and will not be construed in favor of the insured.
Delaware courts consistently have held that contracts shall be "interpreted in a way that does not render any provisions 'illusory or meaningless.'" In Alstrin v. St. Paul Mercury Insurance Company, the Court held that it was not appropriate to apply an exclusion where the effect would be that there would be "little or nothing left to that coverage." At issue in Alstrin was the deliberate fraud exclusion in a directors and officers insurance policy. Applying the exclusion would have eviscerated coverage for securities claims, which are one of the most common types of claims against directors and officers. The Alstrin Court noted: "The fact that some limited amount of coverage might survive the . . . exclusion is not sufficient grounds to apply an exclusion that is irreconcilable with the coverage grant itself, because no one purchasing a policy . . . would intend to purchase such restricted coverage."
First Bank contends that the application of Exclusion M renders the coverage grant illusory. First Bank argues that coverage for unauthorized use and unauthorized access to data in the definition of "Loss Event" includes claims resulting from the fraudulent use of data. First Bank notes the difficulty of finding an example of unauthorized use or access that does not contain some element of fraud. First Bank relies upon Alstrin for the proposition that the court should consider the "reasonable expectations" of the insured when interpreting the Policy.
Fidelity asserted at oral argument that "fraudulent," as used in Exclusion M, is distinct from "unauthorized" in the definition of a Loss Event. Fidelity's distinction is that "unauthorized" is broader and covers unintentional and mistaken use or access. Fidelity contends that the two provisions can be reconciled to provide coverage for losses resulting from the non-fraudulent unauthorized use of data.
Courts must consider the reasonable expectations of the insurance policy purchaser. This doctrine must be reconciled with the principle of contract interpretation requiring that unambiguous language be given its plain meaning.
The Court finds that the language in Exclusion M is unambiguous in its attempt to exclude coverage for the fraudulent use of data. The Court finds that Fidelity has met its burden to prove the elements of the exclusion by showing a meaningful link between the fraudulent use of data and the claims at issue. However, when the burden shifts back to First Bank to prove that Exclusion M should not be applied, the Court considers that a grant of coverage should not be swallowed by an exclusion. The principle that a grant of coverage should not be rendered illusory protects the reasonable expectations of the purchaser.
The Court finds that applying Exclusion M would swallow the coverage granted under Section 4.III(L)(1) for "any unauthorized use of, or unauthorized access to electronic data . . . with a computer system." It is theoretically possible that an example of non-fraudulent unauthorized use of data exists. However, in the context of this Policy, all unauthorized use could be, to some extent, fraudulent. The abstract possibility of some coverage surviving the fraud exclusion is not sufficient to persuade the Court to apply an exclusion that is almost entirely irreconcilable with the Loss Event coverage. The Court finds that First Bank met its burden to prove that an exception prevents the application of Exclusion M.
First Bank has met its initial burden of demonstrating that the Policy language in Section 4 provides coverage for the $1,236,839.99 and $151,539.20 Visa assessments, and the $88,216 MasterCard assessment. The assessments are defined Electronic Risk Claims, arising out of a defined Loss Event, and DAS computers were used "on behalf of" First Bank.
In turn, Fidelity has demonstrated that Exclusion M applies, by showing that the assessments "arise from" the fraudulent use of data. First Bank's failure to ensure PCI DSS compliance also may be a basis for the assessments.
However, the Court is persuaded that First Bank has met its burden of proving that an exception exists that precludes application of Exclusion M. The Court finds that Exclusion M (for fraud) would render illusory the coverage for unauthorized data use.
THEREFORE, First Bank's Motion for Summary Judgment is hereby GRANTED. First Bank is entitled to damages in the amount of $1,000,000.[*] Fidelity's Motion for Summary Judgment is hereby DENIED. Because the Court has found no genuine issue of material fact, and has relied on cross-motions for summary judgment, Fidelity's Motion to Strike Plaintiff's Expert Witnesses is hereby DENIED AS MOOT.
The parties shall confer to present an implementing order for the Court's consideration by November 15, 2013. If the parties cannot agree as to a draft form of order, the Court will consider competing forms of order submitted by November 22, 2013.
IT IS SO ORDERED.