TRUSTWAVE HOLDINGS, INC. Plaintiff,
BEAZLEY INSURANCE COMPANY, INC., and LEXINGTON INSURANCE COMPANY Defendants. BEAZLEY INSURANCE COMPANY, INC., and LEXINGTON INSURANCE COMPANY Counter-Plaintiffs/ Third-Party Plaintiffs,
TRUSTWAVE HOLDINGS, INC., TRUSTWAVE CORPORATION, and AMBIRONTRUSTWAVE, LTD. Counter-Defendants/ Third-Party Defendants.
Submitted: June 27, 2019
Counter-Defendant and Third-Party Defendants' Motion to
Dismiss, GRANTED, in part, and DENIED, in
Barillare, Esquire (argued), Beth Herrington, Esquire (pro
hac vice), Zachary Ryan Lazar, Esquire (pro hac vice),
Morgan, Lewis & Bockius, LLP, Wilmington, Delaware,
Attorneys for Plaintiff.
Michael C. Heyden, Esquire (argued), Scott Schmookler (pro
hac vice), Gordon Rees Scully Mansukhani, LLP, Wilmington,
Delaware, Attorneys for Defendants.
MEMORANDUM OPINION AND ORDER
R. WALLACE, JUDGE.
Trustwave Holdings, Inc. brings this declaratory judgment
action against Defendants Beazley Insurance Company, Inc.,
and Lexington Insurance Company (together with Beazley,
"Insurers"), seeking the Court's pronouncement
that Trustwave has no obligation to indemnify the Insurers in
connection with the Insurers' payment to a non-party
insured, Heartland Payment Systems, with whom Trustwave was
contracted to provide cyber security risk assessment
services. The Insurers' payment related to a substantial
data breach that Heartland sustained in 2009, and
Heartland's consequent liability to other nonparties.
Insurers answered the Complaint, and filed Counterclaims
against Trustwave, as well as Third-Party Claims against
Trustwave Corporation, and AmbironTrustwave, Ltd.
(collectively with Trustwave Holdings and Trustwave
Corporation, the "Trustwave Entities"),
alleging that Trustwave Entities provided inadequate services
and asserting a total of eighteen claims in five causes of
action: Breach of Contract, Breach of Express Warranty,
Negligent Misrepresentation, Gross Negligence, and
before the Court is Trustwave Entities' Motion to Dismiss
the Insurers' Counterclaims and Third-Party Claims.
Trustwave Entities argue all Insurers' claims are barred
by the statute of limitations, that their Gross Negligence
claims fail to state a claim, and that their Breach of
Express Warranty claims are duplicative of their contract
FACTUAL AND PROCEDURAL BACKGROUND
of the current procedural posture, the Court herein
summarizes the facts as averred in the Insurers' Answer,
Counterclaims, and Third-Party Claims.
Entities are in the business of inspecting, certifying, and
validating clients' adherence to certain data security
regulations-the so-called Payment Card Industry Data Security
Standard Requirements and Security Assessment Procedures
("PCI DSS"). Specifically, Trustwave Entities
assess the security risks of customers' networks and
systems, recommend security control measures, determine
compliance with PCI DSS, and issue certificates of compliance
accordingly.Certification of PCI DSS compliance is a
commercial necessity for companies like Heartland that
process electronic payment transactions.
and 2007, Heartland engaged Trustwave Entities to provide
periodic evaluations, certifications and reports regarding
PCI DSS compliance and cybersecurity. The engagement was
memorialized through two agreements: the "Trustwave
Preferred Sales Agent Agreement" dated February 18, 2005
(the "2005 Agreement"), and the Compliance
Validation Services Agreement and its Addendum dated December
17, 2007 (the "2007 Agreement").
those agreements, Trustwave Entities tested and assessed the
security and vulnerability of Heartland's systems and
networks. After each test, Trustwave Entities issued a report
certifying that Heartland's systems were compliant with
PCI DSS standards.
2009 Data Breach and Settlements of Litigations.
January 2009, Heartland discovered a serious security breach
that had resulted in the theft and exfiltration of
approximately 100 million credit and debit card numbers
issued by more than 650 financial service companies (the
"2009 Data Breach"). The breach was caused by code
maliciously installed on Heartland's payment processing
systems; those systems collect cardholders'
information. Code making Heartland's systems
vulnerable to the malware was installed in 2007. The malware
itself was installed in 2008. Both the vulnerability and the
malware rendered Heartland's systems noncompliant with
PCI DSS, but Trustwave Entities improperly certified the
compliance of Heartland's affected systems while
performing services pursuant to their contractual
the 2009 Data Breach, various federal and state agencies,
credit card brands,  financial institutions, and consumers
brought a number of individual and class action claims
against Heartland. Many of those claims were ultimately
consolidated in the Southern District of Texas (the
"Multi-District Litigation"). The
Multi-District Litigation eventually resolved on March 3,
2015, when the action was dismissed with
one of Heartland's customers, had detected and suspected
Heartland's systems' security prior to the 2009 Data
Breach. Visa retained Verizon Business, a
third-party consulting firm, to conduct an investigation to
evaluate Heartland's systems. Verizon Business issued its
investigative report on February 21, 2009.
the 2009 Data Breach, Heartland reached settlement agreements
with Visa for $60 million on January 7, 2010, and MasterCard
(another Heartland customer) for $41.4 million on May 19,
these settlements, the Multi-District Litigation, and all
other litigation and settlements related to the 2009 Data
Breach, Heartland incurred losses of more than $148 million
in claims, attorney's fees, costs, and other
The Insurance Payment and This Action Ensues.
was insured by Beazley and Lexington. Lexington was the
primary insurer with a policy limit of $20 million; Beazley
provided excess insurance of $10 million. Following the
2009 Data Breach, Beazley and Lexington reimbursed Heartland
for their respective full policy limits, i.e., a
total of $30 million, by the end of 2010. Each of them
entered into a release agreement (collectively, the
"Release Agreements") with Heartland, pursuant to
which Heartland fully and finally released Insurers from all
potential costs and liabilities in connection with the 2009
Data Breach, while the Insurers paid Heartland $30 million in
accordance with policy limits.
February of 2018, counsel for the Insurers demanded
indemnification of $30 million (the total amount reimbursed
to Heartland) from Trustwave based on Trustwave's
allegedly inadequate service in assessing the security risks
of Heartland's systems during 2007 and
months later, in June 2018, Trustwave brought this action for
a declaration that Trustwave is not liable to indemnify the
Insurers. The Insurers initially sought to dismiss or stay
the action on jurisdictional grounds. They later
voluntarily withdrew that motion,  and filed an Answer with
Affirmative Defenses, Counterclaims, and a Third-Party
Complaint ("Counterclaims and Third-Party Claims")
against Trustwave Entities. Those claims' filing date
is deemed to be February 23, 2018.
before the Court is Trustwave Entities' Motion to Dismiss
the Counterclaims and Third-Party Claims.
Standard of Review
defense predicated on a statute of limitations may be brought
by motion to dismiss when the complaint itself shows that the
action was not brought within the statutory
period.'" Superior Court Civil Rule 12(b)(6)
provides that one on defense to any action-be it initiating,
counter, or third-party-may bring a motion to dismiss if the
complaint invoking that action fails "to state a claim
upon which relief can be granted." On a motion
to dismiss, the Court must:
(1) accept all well-pleaded factual allegations as true,
(2) accept even vague allegations as "well pleaded"
if they give the opposing party notice of the claim,
(3) draw all reasonable inferences in favor of the non-moving
(4) [not dismiss the claims] unless the non-moving party
would not be entitled to recover under any reasonably
conceivable set of circumstances.
Court determines the complainant may recover after
engaging that form of review, then the Court must deny the
motion to dismiss.
threshold matter, the parties do not dispute that all
eighteen of the Insurers' Counterclaims and Third Party
Claims are subject to Delaware's statute of
limitations. Accordingly, the Court applies Delaware
on Delaware's statute of limitations, Trustwave Entities
seek to dismiss the Counterclaims and Third-Party Claims in
their entirety, arguing that they are time-barred and no
tolling exceptions apply. According to Trustwave Entities,
the Insurers reimbursed Heartland and entered the Release
Agreements in 2010, but sat silently and waited for nine
years before asserting their claims, while not once notifying
Trustwave Entities during the pendency of the several
litigations that arose from the 2009 Data
Insurers insist that the statutes of limitations were tolled
by the Multi-District Litigation, and their claims did not
accrue until that action was finally resolved on March 3,
2015. Thus, they say, their February 2018 Counterclaims and
Third-Party Claims are timely.
has a three-year statute of limitations for both tort and
contract claims. Accrual of either generally begins at
the time of the "wrongful act, " which itself
varies depending on the kind of claim:
For breach of contract claims, the wrongful act is the
breach, and the cause of action accrues at the time of
breach. For tort claims, the wrongful act is a tortious act
causing injury, and the cause of action accrues at the time
of injury. Where the claim is one for indemnification or
contribution for damages paid to a third party, a cause of
action accrues only after the party seeking indemnification
has made payment to the third party.
law recognizes that limitations periods are
"draconian" in nature. These limitations are
both harsh and strict-harsh in that they arbitrarily
establish jurisdictional prerequisites for initiating or
maintaining suit and strict in that it is not even within
a court's power to extend the limitations period out of
notions of fair play. Instead, on a showing that an action
was initiated outside the statute of limitations, the
plaintiff bears the burden of pleading facts from which
application of a recognized tolling doctrine can be
determine if a claim is time-barred, the Court examines three
things for each individual claim: (i) the accrual date for
the cause of action; (ii) whether the statute of limitations
has been tolled; and (iii) assuming a tolling exception
applies, when the claimant was on inquiry
Prejudice From Delay is Irrelevant.
argument, Trustwave Entities repeatedly complained of
prejudice to their ability to defend in this litigation due
to the passage of time. At common law, litigants had the
power to bring suit at any time, no matter how remotely the
right first accrued. Recognizing the potential for abuse that
ability accorded plaintiffs, the statute of limitations was
created to "restrain" plaintiff s power in courts
of law.In courts of equity, the doctrine of
laches supplants and replaces the statute of
limitations,  serving the same purpose of protecting a
litigant from suits unfairly brought after an unreasonable
delay. Prejudice from the delay, and an inquiry
into a plaintiffs offsetting justification for delaying, are
central to laches analysis.
Entities' argument is in essence that the Insurers knew
they would be seeking the $30 million based on their
insurance payouts, and could have instituted suit for that
sum long ago, irrespective of technical accrual dates. They
go on that Insurers' failure to do so unfairly lured
Trustwave Entities into believing no suit would be
forthcoming and weakened Trustwave's ability to mount its
best and most vigorous defense on the merits.
an equitable argument of laches, appropriate for
consideration in the Court of Chancery-not here. This is a
court of law-not equity. So here, the statute of limitations
applies-not laches. And the action is barred if and only if
the Insurers failed to satisfy the statute of limitations.
Prejudice or lack thereof is irrelevant.
All of Insurers' Claims Are Subrogation Claims In
the Insurers' Counterclaims and Third-Party Claims barred
by the statutes of limitations?
assert a total of eighteen counts, three of which are
contractual indemnification claims, and the remaining fifteen
counts are claims for (i) breach of contract, (ii) breach of
express warranty, (iii) negligent misrepresentation, and (iv)
gross negligence (collectively, the "non-indemnification
the non-indemnification claims recite similar allegations:
that Trustwave Entities failed to properly identify, assess,
and report the security risks in Heartland's networks and
systems. Those alleged failures, Insurers suggest, were
violative of Trustwave Entities' contractual obligations,
and fell short of the standard of ordinary
three indemnification counts are based on the 2005 Agreement
and 2007 Agreement wherein Trustwave Entities contractually
covenanted to indemnify Heartland for certain third-party
claims and suits.
Insurers now assert these eighteen claims as Heartland's
subrogees, seeking recovery "in an amount in excess of
$30 million dollars for the liabilities, damages, remediation
costs, fees and other consequential damages they sustained,
and for any such other or further relief as the Court deems
equitable and just."
subrogee insurer "steps into the shoes of its
insureds." The insurer "takes the rights of
its insureds, and therefore may proceed with the same claims
that the [insured] would have been able to
assert." However, the subrogee "may not
enjoy greater rights than those of its
subrogors." As such, the statute of limitations
applied to the Insurers is that applicable to Heartland's
own injuries, which the Insurers now raise vicariously.
Non-Indemnification Claims Are Time-Barred.
respect to the Insurers' breach-of-contract and
breach-of-express warranty claims, Trustwave Entities posit
those causes of action accrued on or before April 10, 2008.
That was the date of breach, they say, because that
is when Trustwave Entities issued the last compliance
certificate. As to the negligent misrepresentation and gross
negligence claims, Trustwave Entities aver that those causes
of action accrued on or before May 14, 2008, i.e.,
the date of injury when the malicious code was
Entities further contend that even if some tolling exception
applied, Heartland (thus, by subrogation, the Insurers) was
on inquiry notice no later than February 21, 2009, when the
Heartland Investigation Report was issued.
Insurers make a blanket objection to the accrual dates,
claiming that all the claims are tolled by the Multi-District
start, the Court declines to accept that all-encompassing
objection. Because when engaging a statute of limitations
analysis, the Court must consider each claim individually.
And the Court must, as to each individually, determine: (i)
its accrual date; (ii) any tolling mechanism ...