Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Trustwave Holdings, Inc. v. Beazley Insurance Company Inc.

Superior Court of Delaware

September 30, 2019


          Submitted: June 27, 2019

         Upon Counter-Defendant and Third-Party Defendants' Motion to Dismiss, GRANTED, in part, and DENIED, in part.

          Jody Barillare, Esquire (argued), Beth Herrington, Esquire (pro hac vice), Zachary Ryan Lazar, Esquire (pro hac vice), Morgan, Lewis & Bockius, LLP, Wilmington, Delaware, Attorneys for Plaintiff.

          Michael C. Heyden, Esquire (argued), Scott Schmookler (pro hac vice), Gordon Rees Scully Mansukhani, LLP, Wilmington, Delaware, Attorneys for Defendants.




         Plaintiff Trustwave Holdings, Inc. brings this declaratory judgment action against Defendants Beazley Insurance Company, Inc., and Lexington Insurance Company (together with Beazley, "Insurers"), seeking the Court's pronouncement that Trustwave has no obligation to indemnify the Insurers in connection with the Insurers' payment to a non-party insured, Heartland Payment Systems, with whom Trustwave was contracted to provide cyber security risk assessment services. The Insurers' payment related to a substantial data breach that Heartland sustained in 2009, and Heartland's consequent liability to other nonparties.

         The Insurers answered the Complaint, and filed Counterclaims against Trustwave, as well as Third-Party Claims against Trustwave Corporation, and AmbironTrustwave, Ltd. (collectively with Trustwave Holdings and Trustwave Corporation, the "Trustwave Entities"), [1] alleging that Trustwave Entities provided inadequate services and asserting a total of eighteen claims in five causes of action: Breach of Contract, Breach of Express Warranty, Negligent Misrepresentation, Gross Negligence, and Indemnification.

         Now before the Court is Trustwave Entities' Motion to Dismiss the Insurers' Counterclaims and Third-Party Claims. Trustwave Entities argue all Insurers' claims are barred by the statute of limitations, that their Gross Negligence claims fail to state a claim, and that their Breach of Express Warranty claims are duplicative of their contract claims.


         Because of the current procedural posture, the Court herein summarizes the facts as averred in the Insurers' Answer, Counterclaims, and Third-Party Claims.

         A. The Parties.

         Trustwave Entities are in the business of inspecting, certifying, and validating clients' adherence to certain data security regulations-the so-called Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures ("PCI DSS"). Specifically, Trustwave Entities assess the security risks of customers' networks and systems, recommend security control measures, determine compliance with PCI DSS, and issue certificates of compliance accordingly.[2]Certification of PCI DSS compliance is a commercial necessity for companies like Heartland that process electronic payment transactions.

         Between 2005[3] and 2007, Heartland engaged Trustwave Entities to provide periodic evaluations, certifications and reports regarding PCI DSS compliance and cybersecurity.[4] The engagement was memorialized through two agreements: the "Trustwave Preferred Sales Agent Agreement" dated February 18, 2005 (the "2005 Agreement"), and the Compliance Validation Services Agreement and its Addendum dated December 17, 2007 (the "2007 Agreement").[5]

         Under those agreements, Trustwave Entities tested and assessed the security and vulnerability of Heartland's systems and networks. After each test, Trustwave Entities issued a report certifying that Heartland's systems were compliant with PCI DSS standards.[6]

         B. 2009 Data Breach and Settlements of Litigations.

         In January 2009, Heartland discovered a serious security breach that had resulted in the theft and exfiltration of approximately 100 million credit and debit card numbers issued by more than 650 financial service companies (the "2009 Data Breach").[7] The breach was caused by code maliciously installed on Heartland's payment processing systems; those systems collect cardholders' information.[8] Code making Heartland's systems vulnerable to the malware was installed in 2007. The malware itself was installed in 2008.[9] Both the vulnerability and the malware rendered Heartland's systems noncompliant with PCI DSS, but Trustwave Entities improperly certified the compliance of Heartland's affected systems while performing services pursuant to their contractual relationship.[10]

         Following the 2009 Data Breach, various federal and state agencies, credit card brands, [11] financial institutions, and consumers brought a number of individual and class action claims against Heartland.[12] Many of those claims were ultimately consolidated in the Southern District of Texas (the "Multi-District Litigation").[13] The Multi-District Litigation eventually resolved on March 3, 2015, when the action was dismissed with prejudice.[14]

         Visa, one of Heartland's customers, had detected and suspected Heartland's systems' security prior to the 2009 Data Breach.[15] Visa retained Verizon Business, a third-party consulting firm, to conduct an investigation to evaluate Heartland's systems. Verizon Business issued its investigative report on February 21, 2009.[16]

         After the 2009 Data Breach, Heartland reached settlement agreements with Visa for $60 million on January 7, 2010, and MasterCard (another Heartland customer) for $41.4 million on May 19, 2010.[17]

         Including these settlements, the Multi-District Litigation, and all other litigation and settlements related to the 2009 Data Breach, Heartland incurred losses of more than $148 million in claims, attorney's fees, costs, and other expenses.[18]

         C. The Insurance Payment and This Action Ensues.

         Heartland was insured by Beazley and Lexington. Lexington was the primary insurer with a policy limit of $20 million; Beazley provided excess insurance of $10 million.[19] Following the 2009 Data Breach, Beazley and Lexington reimbursed Heartland for their respective full policy limits, i.e., a total of $30 million, by the end of 2010.[20] Each of them entered into a release agreement (collectively, the "Release Agreements") with Heartland, pursuant to which Heartland fully and finally released Insurers from all potential costs and liabilities in connection with the 2009 Data Breach, while the Insurers paid Heartland $30 million in accordance with policy limits.[21]

         In February of 2018, counsel for the Insurers demanded indemnification of $30 million (the total amount reimbursed to Heartland) from Trustwave based on Trustwave's allegedly inadequate service in assessing the security risks of Heartland's systems during 2007 and 2008.[22]

         Four months later, in June 2018, Trustwave brought this action for a declaration that Trustwave is not liable to indemnify the Insurers. The Insurers initially sought to dismiss or stay the action on jurisdictional grounds.[23] They later voluntarily withdrew that motion, [24] and filed an Answer with Affirmative Defenses, Counterclaims, and a Third-Party Complaint ("Counterclaims and Third-Party Claims") against Trustwave Entities.[25] Those claims' filing date is deemed to be February 23, 2018.[26]

         Now before the Court is Trustwave Entities' Motion to Dismiss the Counterclaims and Third-Party Claims.[27]

         D. Standard of Review

         '"A defense predicated on a statute of limitations may be brought by motion to dismiss when the complaint itself shows that the action was not brought within the statutory period.'"[28] Superior Court Civil Rule 12(b)(6) provides that one on defense to any action-be it initiating, counter, or third-party-may bring a motion to dismiss if the complaint invoking that action fails "to state a claim upon which relief can be granted."[29] On a motion to dismiss, the Court must:

(1) accept all well-pleaded factual allegations as true,
(2) accept even vague allegations as "well pleaded" if they give the opposing party notice of the claim,
(3) draw all reasonable inferences in favor of the non-moving party, and
(4) [not dismiss the claims] unless the non-moving party would not be entitled to recover under any reasonably conceivable set of circumstances.[30]

         If the Court determines the complainant may recover after engaging that form of review, then the Court must deny the motion to dismiss.[31]


         As a threshold matter, the parties do not dispute that all eighteen of the Insurers' Counterclaims and Third Party Claims are subject to Delaware's statute of limitations.[32] Accordingly, the Court applies Delaware law.

         Relying on Delaware's statute of limitations, Trustwave Entities seek to dismiss the Counterclaims and Third-Party Claims in their entirety, arguing that they are time-barred and no tolling exceptions apply. According to Trustwave Entities, the Insurers reimbursed Heartland and entered the Release Agreements in 2010, but sat silently and waited for nine years before asserting their claims, while not once notifying Trustwave Entities during the pendency of the several litigations that arose from the 2009 Data Breach.[33]

         The Insurers insist that the statutes of limitations were tolled by the Multi-District Litigation, and their claims did not accrue until that action was finally resolved on March 3, 2015. Thus, they say, their February 2018 Counterclaims and Third-Party Claims are timely.[34]

         Delaware has a three-year statute of limitations for both tort and contract claims.[35] Accrual of either generally begins at the time of the "wrongful act, " which itself varies depending on the kind of claim:

For breach of contract claims, the wrongful act is the breach, and the cause of action accrues at the time of breach. For tort claims, the wrongful act is a tortious act causing injury, and the cause of action accrues at the time of injury. Where the claim is one for indemnification or contribution for damages paid to a third party, a cause of action accrues only after the party seeking indemnification has made payment to the third party.[36]

         Delaware law recognizes that limitations periods are "draconian" in nature.[37] These limitations are both harsh and strict-harsh in that they arbitrarily establish jurisdictional prerequisites for initiating or maintaining suit[38] and strict in that it is not even within a court's power to extend the limitations period out of notions of fair play.[39] Instead, on a showing that an action was initiated outside the statute of limitations, the plaintiff bears the burden of pleading facts from which application of a recognized tolling doctrine can be reasonably inferred.[40]

         To determine if a claim is time-barred, the Court examines three things for each individual claim:[41] (i) the accrual date for the cause of action; (ii) whether the statute of limitations has been tolled; and (iii) assuming a tolling exception applies, when the claimant was on inquiry notice.[42]

         A. Prejudice From Delay is Irrelevant.

         At argument, Trustwave Entities repeatedly complained of prejudice to their ability to defend in this litigation due to the passage of time.[43] At common law, litigants had the power to bring suit at any time, no matter how remotely the right first accrued.[44] Recognizing the potential for abuse that ability accorded plaintiffs, the statute of limitations was created to "restrain" plaintiff s power in courts of law.[45]In courts of equity, the doctrine of laches[46] supplants and replaces the statute of limitations, [47] serving the same purpose of protecting a litigant from suits unfairly brought after an unreasonable delay.[48] Prejudice from the delay, and an inquiry into a plaintiffs offsetting justification for delaying, are central to laches analysis.[49]

         Trustwave Entities' argument is in essence that the Insurers knew they would be seeking the $30 million based on their insurance payouts, and could have instituted suit for that sum long ago, irrespective of technical accrual dates. They go on that Insurers' failure to do so unfairly lured Trustwave Entities into believing no suit would be forthcoming and weakened Trustwave's ability to mount its best and most vigorous defense on the merits.

         This is an equitable argument of laches, appropriate for consideration in the Court of Chancery-not here. This is a court of law-not equity.[50] So here, the statute of limitations applies-not laches.[51] And the action is barred if and only if the Insurers failed to satisfy the statute of limitations. Prejudice or lack thereof is irrelevant.

         B. All of Insurers' Claims Are Subrogation Claims In Nature.

         So are the Insurers' Counterclaims and Third-Party Claims barred by the statutes of limitations?

         Insurers assert a total of eighteen counts, three of which are contractual indemnification claims, and the remaining fifteen counts are claims for (i) breach of contract, (ii) breach of express warranty, (iii) negligent misrepresentation, and (iv) gross negligence (collectively, the "non-indemnification claims").

         All of the non-indemnification claims recite similar allegations: that Trustwave Entities failed to properly identify, assess, and report the security risks in Heartland's networks and systems. Those alleged failures, Insurers suggest, were violative of Trustwave Entities' contractual obligations, and fell short of the standard of ordinary care.[52]

         The three indemnification counts are based on the 2005 Agreement and 2007 Agreement wherein Trustwave Entities contractually covenanted to indemnify Heartland for certain third-party claims and suits.[53]

         The Insurers now assert these eighteen claims as Heartland's subrogees, seeking recovery "in an amount in excess of $30 million dollars for the liabilities, damages, remediation costs, fees and other consequential damages they sustained, and for any such other or further relief as the Court deems equitable and just."[54]

         A subrogee insurer "steps into the shoes of its insureds."[55] The insurer "takes the rights of its insureds, and therefore may proceed with the same claims that the [insured] would have been able to assert."[56] However, the subrogee "may not enjoy greater rights than those of its subrogors."[57] As such, the statute of limitations applied to the Insurers is that applicable to Heartland's own injuries, which the Insurers now raise vicariously.

         C. Non-Indemnification Claims Are Time-Barred.

         With respect to the Insurers' breach-of-contract and breach-of-express warranty claims, Trustwave Entities posit those causes of action accrued on or before April 10, 2008. That was the date of breach, they say, because that is when Trustwave Entities issued the last compliance certificate. As to the negligent misrepresentation and gross negligence claims, Trustwave Entities aver that those causes of action accrued on or before May 14, 2008, i.e., the date of injury when the malicious code was allegedly installed.[58]

         Trustwave Entities further contend that even if some tolling exception applied, Heartland (thus, by subrogation, the Insurers) was on inquiry notice no later than February 21, 2009, when the Heartland Investigation Report was issued.[59]

         The Insurers make a blanket objection to the accrual dates, claiming that all the claims are tolled by the Multi-District Litigation.[60]

         As a start, the Court declines to accept that all-encompassing objection. Because when engaging a statute of limitations analysis, the Court must consider each claim individually. And the Court must, as to each individually, determine: (i) its accrual date; (ii) any tolling mechanism ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.