In a recent case in the Fifth Circuit, a retail merchant sought to establish that its D&O insurer was required to provide a defense to a data breach-related claim that had been brought against the merchant. The appellate court held that the trial court erred in granting the insurer’s motion for judgment on the pleadings and ruling that the policy’s contractual liability exclusion precluded coverage. The ruling, which suggests at least the possibility of coverage under the D&O policy for at least some of the claims against the merchant, raises a number of important issues, as discussed below. The Fifth Circuit’s June 25, 2018 opinion in the case can be found here. A July 11, 2018 memo from the Crowell & Moring law firm about the decision can be found here.
Spec’s Family Partners is a specialty retail merchant based in Houston. In order to be able to accept credit card payments, Spec’s entered a Merchant Agreement for credit card payment processing services with First Data Merchant Services.
Between October 2012 and February 2014, Spec’s credit card network was hacked. The hacks resulted in First Data having to reimburse banks associated with fraudulent transactions.
In two separate letters sent to Spec’s, First Data demanded payment for credit card related fines. The letters advised Spec’s that First Data had established Reserve Accounts in order to fund the payment of fines and related costs. Both letters stated that the Reserve Accounts had been established in compliance with Spec’s indemnification obligation under the Merchant Agreement. The letters also alleged Spec’s negligence in not complying with the Payment Card Industry (PCI) data security requirements and included a number of other demands including documentation and security compliance as well as the completion of a number of forms.
Spec’s submitted the First Data letters to its D&O insurer as a claim. The insurer initially denied coverage in reliance on its policy’s contractual liability exclusion, but later provided Spec’s with a defense subject to a reservation of rights. The insurer and Spec’s entered a Defense Funding Agreement in connection with the insurer’s provision of the defense.
To try to recover the money First Data was holding in the Reserve Accounts, Spec’s filed a lawsuit against First Data. This lawsuit was referred to as the Tennessee lawsuit. The D&O insurer refused to pay the expenses associated with the Tennessee litigation on the grounds that expenses incurred in pursuit of an affirmative claim were not defense expenses.
In response, Spec’s filed a coverage action against the insurer asserting, among other things, claims for breach of contract and for breach of the Defense Funding Agreement. The insurer filed a motion in Spec’s coverage lawsuit for judgment on the pleadings, arguing that coverage for the underlying claims was precluded by the policy’s contractual liability exclusion. The district court granted the insurer’s motion, finding that the claims arose out of the Merchant Agreement between Spec’s and First Data.
The D&O policy’s contractual liability exclusion (Exclusion N) provides that the insurance provided under the policy does not apply to “Loss on account of any Claim made against any Insured directly or indirectly based upon, arising out of, or attributable to any actual or alleged liability under a written or oral contract or agreement. However, this exclusion does not apply to your liability that would have attached in the absence of such contract or agreement.”
The June 25, 2018 Opinion
In a June 25, 2018 unpublished per curiam opinion, a three-judge panel of the Fifth Circuit reversed the district court’s ruling and remanded the case to the district court for further proceedings.
In finding that the district court erred in granting the insurer’s motion for judgment on the pleadings, the appellate court said that “the pleadings, viewed in the light most favorable to Spec’s do not unequivocally show Exclusion N excused [the insurer’s] duty to defend under any set of facts or possible theory.” The allegations “when construed liberally and in the light most favorable to Spec’s, implicate theories of negligence and general contract law that imply Spec’s liability for the assessments separate and apart from any obligations” under the Merchant Agreement.
The appellate court said further that the district court’s conclusion that the claims against Spec’s arise only out of the merchant’s contractual liability to First Data under the Merchant Agreement “rewrites the allegations, ignoring statements in the demand letters that do not depend upon the Merchant Agreement, such as Spec’s negligence in not complying with Payment Card Industry Data Security requirements and demands for a type of non-monetary relief not contemplated by the Merchant Agreement.”
Finally, the appellate court also ruled that the district court had erred in granting the insurer’s motion for judgment on the pleadings with respect to Spec’s claim that the insurer had breached the Defense Funding Agreement by refusing to pay the expenses Spec’s incurred in the Tennessee litigation. The appellate court noted that the insurer had not mentioned the Defense Funding Agreement in its motion for judgment on the pleadings and had argued only that the amounts were not covered under the policy. The appellate court ruled that the district court’s dismissal of the breach of the Defense Funding Agreement claims was “improper.”
I think it is important to note that while the Fifth Circuit did reverse the district court, the appellate court did not actually make an affirmative finding that any part of First Data’s claim against Spec’s is covered. The appellate court concluded only that there were allegations in the demand letters which, when construed in a light most favorable to Spec’s (as the court must do in consideration of a motion for judgment on the pleadings), at least potentially may not be precluded from coverage under the contractual liability exclusion, making the entry of judgment in the insurer’s favor erroneous.
That caveat notwithstanding, the appellate court did recognize the possibility that at least a portion of First Data’s claims against Spec’s might be covered, which in turn raises the possibility that the D&O insurer might be obligated to provide Spec’s with a defense.
There is an odd thing about all of this that should be mentioned at this point. That is – why are we talking about D&O insurance? Why aren’t we talking about coverage under Spec’s cyber liability policy? Though cyber liability policies also have contractual liability exclusions, the exclusions in many cyber policies have carve backs preserving coverage for Payment Card Industry (PCI) assessments. All I can figure is that Spec’s must not have had a cyber policy. Or maybe its cyber policy’s contractual liability exclusion does not have the PCI assessments carve back.
Whatever the reason may be, Spec’s – perhaps like many others in comparable situations – looked to other coverages to try to find insurance for the data breach related expenses and liabilities. The Fifth Circuit’s ruling in this case at least raises the possibility that companies might be able to look to their D&O insurance policies for cyber breach exposures.
Of course, the possibility here depended entirely on how the demand letters from First Data had been worded and on what claims had been asserted. Under different circumstances, a data processing firm’s demands relating to PCI assessments might refer only to indemnifications owing under the merchant services agreement, which would more obviously be precluded under the contractual liability exclusion.
There is a further caveat about this opinion. Because it was issued as an unpublished per curiam opinion, under the Fifth Circuit’s rules, the opinion “is not precedent” — although under Fed. R. App. Proc. 32, it may still be cited for whatever persuasive value it may have.
One final thought. As I have traveled around speaking at various conferences in recent years, I have often been asked whether D&O insurers are putting anything specific in their policies addressing or restricting coverage for data breach-related claims. The answer is that — up to this point at least — the insurers have not. If insurers were to wake up one day and find that the policies are being called upon to address data breach-related PCI assessment-related claims, we might quickly find the insurers putting some form of exclusion on their policies. I suspect most insurers would feel pretty strongly that these kinds of losses, if insurable at all, belong under cyber policies, not D&O insurance policies.