Submitted: September 23, 2013
Lisa C. McLaughlin, Esquire, Phillips, Goldman & Spence, P.A., William J. Carter, Esquire (argued), Kelly M. Lippincott, Esquire, Carr Maloney P.C., Attorneys for Plaintiff.
William R. Firth, III, Esquire, Anthony R. Twardowski, Esquire (argued), Philip A. Magen, Esquire, Zarwin, Baum, DeVito, Kaplan, Schaer & Toddy, P.C., Attorneys for Defendant.
Mary M. Johnston, Judge
Plaintiff First Bank of Delaware ("First Bank") filed this suit on August 26, 2011. First Bank alleges two counts of breach of contract. First Bank's claims arise from Defendant Fidelity and Deposit Company of Maryland's ("Fidelity") denial of coverage for assessments First Bank paid to Visa and to MasterCard.
The parties filed cross-motions for summary judgment on June 28, 2013. First Bank moves for summary judgment on the grounds that its losses were covered under Section 4 (Electronic Risk Liability) of the insurance policy it purchased from Fidelity. Fidelity moves for summary judgment on the grounds that the policy does not cover First Bank's losses under Section 3 (Entity Liability) or Section 4 (Electronic Risk Liability). This case originally was scheduled for trial on September 23, 2013. The parties agreed to have the case resolved by dispositive motions.
The primary issue in this case is whether First Bank's insurance policy provides coverage for losses incurred in connection with a data breach incident. Fidelity issued the D & O SelectPlus Insurance Policy ("Policy") to First Bank for the period from April 19, 2009 to April 19, 2010. Fidelity denied coverage for the losses under both Section 3 (Entity Liability) and Section 4 (Electronic Risk Liability).
First Bank provides various banking services, including debit card transaction processing. First Bank entered into contracts with Visa and MasterCard on May 17, 2005 and June 30, 2005, respectively, to provide debit card transaction processing services. These agreements designated First Bank as a principal member of the Visa and MasterCard networks. As a principal member, First Bank was required to comply with all Visa and MasterCard operating rules. First Bank was required by both Visa and MasterCard to ensure its agents and merchants were in compliance with the Payment Card Industry Data Security Standard ("PCI DSS").
First Bank had a relationship with a company then known as Transend, LLC ("Transend") for certain card transactions. Transend had a similar relationship with Data Access Systems ("DAS"). Transend introduced First Bank to DAS. First Bank provided DAS with access to the Visa and MasterCard networks.
To access the networks, DAS needed a both a "switch" and a Bank Identification Number ("BIN"). "Switch" is an industry term for a computer system capable of routing transactions through the respective networks from one financial institution member to another for card authorization, account debiting, transferring funds, and payment. DAS owned and operated a switch. First Bank provided DAS with First Bank's BIN. DAS used First Bank's BIN to access the VISA and MasterCard networks and complete card transactions. First Bank could not process the transactions without DAS's computer system, and DAS could not access the Visa and MasterCard networks without First Bank's BIN.
First Bank was liable for any losses or expenses caused by its agents under the Visa and MasterCard agreements designating First Bank as a principal member of the networks. First Bank's agreements with the two credit card companies also stated that principal members would be held liable for any transactions arising from the use of the BINs.
DAS's web server terminal was hacked on or about May 17, 2008. The hackers gained access to debit card numbers and the corresponding personal identification numbers. Millions of dollars of unauthorized withdrawals were taken from customer accounts as a result of the data breach. DAS hired VeriSign, a computer forensics firm, to investigate the hacking. VeriSign concluded that DAS was not in compliance with PDI DSS, the security standard required by the Visa and MasterCard agreements.
Visa notified First Bank by letter on October 30, 2009 of First Bank's Account Data Compromise Recovery ("ADCR") liability in connection with the data breach incident. The ADCR was separated into two categories, Operating Expenses and Magnetic Stripe Counterfeit Fraud. Operating Expenses are "those expenses associated with things like blocking or monitoring or reissuing cards that were compromised." Visa assessed against First Bank a $151, 539.20 charge for Operating Expenses. Magnetic Stripe Counterfeit Fraud "compensates issuers for a portion of their fraud losses and assesses the acquirer that's involved." Visa assessed against First Bank $1, 236, 839.99 for Magnetic Stripe Counterfeit Fraud. First Bank paid both of these amounts in full.
MasterCard notified First Bank on January 25, 2010 of an issuer cost reimbursement assessment of $88, 216. This assessment is for "reimbursements to issuers whose cards were involved in a data compromise event for additional costs the issuer suffered related to special monitoring for fraud or reissuing cards." MasterCard notified First Bank on July 15, 2009 of a $100, 000 non-compliance assessment. First Bank was issued the noncompliance assessment for violating MasterCard Rule 5.10, requiring proper security for stored account data. The non-compliance assessment amount is not part of this case. Both parties agree it is excluded from coverage. First Bank paid both of the MasterCard assessments.
Fidelity denied coverage for the MasterCard assessments on July 23, 2010. Fidelity denied coverage for the Visa assessments on January 12, 2011. First Bank contends in its Complaint that the Visa and MasterCard assessments are covered under either Section 3 (Entity Liability) or Section 4 (Electronic Risk Liability). First Bank moves for summary judgment under Coverage Section 4. Fidelity contends that First Bank's losses are not covered by the Policy because the assessments do not meet the precise language in the Policy definitions. In the event the Court finds that the assessments are covered under the language in the Policy, Fidelity contends that Policy exclusions bar coverage.
First Bank filed this action, asserting two counts of breach of contract as a result of Fidelity's denial of coverage. First Bank seeks monetary damages as well as attorneys' fees and costs associated with the investigation of the Visa and MasterCard losses and prosecution of this action. First Bank and Fidelity filed cross-motions for summary judgment on June 28, 2013. The Court heard argument on the motions on September 23, 2013. This is the Court's opinion on these motions.
STANDARD OF REVIEW
Motion for Summary Judgment
Summary judgment is granted only if the moving party establishes that there are no genuine issues of material fact in dispute and judgment may be granted as a matter of law. All facts are viewed in a light most favorable to the non-moving party. Summary judgment may not be granted if the record indicates that a material fact is in dispute, or if there is a need to clarify the application of law to the specific circumstances. When the facts permit a reasonable person to draw only one inference, the question becomes one for decision as a matter of law. If the non-moving party bears the burden of proof at trial, yet "fails to make a showing sufficient to establish the existence of an element essential to that party's case, " then summary judgment may be granted against that party.
Where the parties have filed cross-motions for summary judgment, and have not argued that there are genuine issues of material fact, "the Court shall deem the motions to be the equivalent of a stipulation for decision on the merits based on the record submitted with the motions." If there is any genuine issue of material fact, neither party's motion will be granted. In the absence of a ...