IN THE SUPERIOR COURT OF THE STATE OF DELAWARE

TRUSTWAVE HOLDINGS, INC.
Plaintiff,

V.
BEAZLEY INSURANCE COMPANY, INC.,

and LEXINGTON INSURANCE COMPANY
Defendants.

 

C.A. No. N18C-06-162 PRW
BEAZLEY INSURANCE COMPANY, INC., CCLD
and LEXINGTON INSURANCE COMPANY
Counter-Plaintiffs/

Third-Party Plaintiffs,
V.

TRUSTWAVE HOLDINGS, INC.,
TRUSTWAVE CORPORATION, and
AMBIRONTRUSTWAVE, LTD.
Counter-Defendants/
Third-Party Defendants.

Nee Nem Nee Nee” re” Nee Nee Nee Ne ee” Nee ee Nee ne ee” ee” ee Nee” ee” ee” ee” Nee”

Submitted: June 27, 2019
Decided: September 30, 2019

Upon Counter-Defendant and Third-Party Defendants’ Motion to Dismiss,
GRANTED, in part, and DENIED, in part.

MEMORANDUM OPINION AND ORDER

Jody Barillare, Esquire (argued), Beth Herrington, Esquire (pro hac vice), Zachary
Ryan Lazar, Esquire (pro hac vice), Morgan, Lewis & Bockius, LLP, Wilmington,
Delaware, Attorneys for Plaintiff.

Michael C. Heyden, Esquire (argued), Scott Schmookler (pro hac vice), Gordon
Rees Scully Mansukhani, LLP, Wilmington, Delaware, Attorneys for Defendants.

WALLACE, J.
I. INTRODUCTION

Plaintiff Trustwave Holdings, Inc. brings this declaratory judgment action
against Defendants Beazley Insurance Company, Inc., and Lexington Insurance
Company (together with Beazley, “Insurers”), seeking the Court’s pronouncement
that Trustwave has no obligation to indemnify the Insurers in connection with the
Insurers’ payment to a non-party insured, Heartland Payment Systems, with whom
Trustwave was contracted to provide cyber security risk assessment services. The
Insurers’ payment related to a substantial data breach that Heartland sustained in
2009, and Heartland’s consequent liability to other nonparties.

The Insurers answered the Complaint, and filed Counterclaims against
Trustwave, as well as Third-Party Claims against Trustwave Corporation, and
AmbironTrustwave, Ltd. (collectively with Trustwave Holdings and Trustwave
Corporation, the “Trustwave Entities”),' alleging that Trustwave Entities provided
inadequate services and asserting a total of eighteen claims in five causes of action:
Breach of Contract, Breach of Express Warranty, Negligent Misrepresentation,

Gross Negligence, and Indemnification.

 

According to the Counterclaims, Ambiron is Trustwave’s former name used between July

2005 through October 2007, and Trustwave Corporation is now Trustwave’s wholly owned
subsidiary. These entities perform their contractual obligations interchangeably. Compl. § 6;
Defs.’ Affirmative Defenses Countercls. and Third—Party Compl. [hereinafter “Countercls.”] 49
3-7.
Now before the Court is Trustwave Entities’ Motion to Dismiss the Insurers’
Counterclaims and Third-Party Claims. Trustwave Entities argue all Insurers’
claims are barred by the statute of limitations, that their Gross Negligence claims
fail to state a claim, and that their Breach of Express Warranty claims are duplicative
of their contract claims.

Il. FACTUAL AND PROCEDURAL BACKGROUND

Because of the current procedural posture, the Court herein summarizes the
facts as averred in the Insurers’ Answer, Counterclaims, and Third-Party Claims.

A. THE PARTIES.

Trustwave Entities are in the business of inspecting, certifying, and validating
clients’ adherence to certain data security regulations—the so-called Payment Card
Industry Data Security Standard Requirements and Security Assessment Procedures
(“PCI DSS”). Specifically, Trustwave Entities assess the security risks of
customers’ networks and systems, recommend security control measures, determine
compliance with PCI DSS, and issue certificates of compliance accordingly.”
Certification of PCI DSS compliance is a commercial necessity for companies like

Heartland that process electronic payment transactions.

 

2 Countercls. ff 10-11.
Between 2005? and 2007, Heartland engaged Trustwave Entities to provide
periodic evaluations, certifications and reports regarding PCI DSS compliance and
cybersecurity.* The engagement was memorialized through two agreements: the
“Trustwave Preferred Sales Agent Agreement” dated February 18, 2005 (the “2005
Agreement”), and the Compliance Validation Services Agreement and _ its
Addendum dated December 17, 2007 (the “2007 Agreement”).°

Under those agreements, Trustwave Entities tested and assessed the security
and vulnerability of Heartland’s systems and networks. After each test, Trustwave
Entities issued a report certifying that Heartland’s systems were compliant with PCI
DSS standards.®

B. 2009 DATA BREACH AND SETTLEMENTS OF LITIGATIONS.

In January 2009, Heartland discovered a serious security breach that had
resulted in the theft and exfiltration of approximately 100 million credit and debit

card numbers issued by more than 650 financial service companies (the “2009 Data

 

There is disagreement as to when Heartland began engaging Trustwave Entities.

Trustwave alleges that the engagement began in as early as October, 2004. The Insurers say the
parties’ contractual relationship commenced in 2005, and complain that Trustwave fails to provide
a copy of any 2004 contract. Compl. {J 6-8; Countercls. §] 10-11. This factual detail, however,
is insignificant to this motion’s resolution.

4 Countercls. J 10-11.
5 Id. § 12, 21-24.

: Id. Tf 16-25.
Breach”).’ The breach was caused by code maliciously installed on Heartland’s
payment processing systems; those systems collect cardholders’ information.’ Code
making Heartland’s systems vulnerable to the malware was installed in 2007. The
malware itself was installed in 2008.’ Both the vulnerability and the malware
rendered Heartland’s systems noncompliant with PCI DSS, but Trustwave Entities
improperly certified the compliance of Heartland’s affected systems while
performing services pursuant to their contractual relationship.!°

Following the 2009 Data Breach, various federal and state agencies, credit
card brands,!! financial institutions, and consumers brought a number of individual
and class action claims against Heartland.'? Many of those claims were ultimately

consolidated in the Southern District of Texas (the “Multi-District Litigation’”).'°

 

7 Id. 7 33, 41.
8 Id. Tf 34-36.
? Id.

ie Id. {ff 37-39.

i These credit card brands principally include Visa, MasterCard, Discovery, and American

Express. Jd. § 12.
B Id. ¥§ 42-43.

3 Id. 9 43.
The Multi-District Litigation eventually resolved on March 3, 2015, when the action
was dismissed with prejudice."

Visa, one of Heartland’s customers, had detected and suspected Heartland’s
systems’ security prior to the 2009 Data Breach.'° Visa retained Verizon Business,
a third-party consulting firm, to conduct an investigation to evaluate Heartland’s
systems. Verizon Business issued its investigative report on February 21, 2009.'°

After the 2009 Data Breach, Heartland reached settlement agreements with
Visa for $60 million on January 7, 2010, and MasterCard (another Heartland
customer) for $41.4 million on May 19, 2010."

Including these settlements, the Multi-District Litigation, and all other
litigation and settlements related to the 2009 Data Breach, Heartland incurred losses

of more than $148 million in claims, attorney’s fees, costs, and other expenses.!®

 

is Id. Answer 4] 13-15, 25-26; Countercls. § 51.
Is Trustwave Holdings, Inc.’s, Trustwave Corporation’s and AmbironTrustwave, Ltd.’s Mot.
to Dismiss Countercls. and Third—Party Compl. [hereinafter “Pl.’s Opening Br.”] ex. A.
[hereinafter “Heartland Investigation Report’].

7 Heartland Investigation Report, at p. 1.

M7 Pl.’s Opening Br. { 5; Ex. B to Pl.’s Opening Br. [hereafter “Visa Settlement Agreement”);

Ex. C to Pl.’s Opening Br. [hereafter “MasterCard Settlement Agreement”).

7 Countercls. 42.
C. THE INSURANCE PAYMENT AND THIS ACTION ENSUES.

Heartland was insured by Beazley and Lexington. Lexington was the primary
insurer with a policy limit of $20 million; Beazley provided excess insurance of $10
million.'? Following the 2009 Data Breach, Beazley and Lexington reimbursed
Heartland for their respective full policy limits, i.e., a total of $30 million, by the end
of 2010.2° Each of them entered into a release agreement (collectively, the “Release
Agreements”) with Heartland, pursuant to which Heartland fully and finally released
Insurers from all potential costs and liabilities in connection with the 2009 Data
Breach, while the Insurers paid Heartland $30 million in accordance with policy
limits.”!

In February of 2018, counsel for the Insurers demanded indemnification of
$30 million (the total amount reimbursed to Heartland) from Trustwave based on
Trustwave’s allegedly inadequate service in assessing the security risks of

Heartland’s systems during 2007 and 2008.”

 

ie Ex. D to Pl.’s Opening Br. (Lexington Claim and Policy Release Agreement); Ex. E to Pl.’s

Opening Br. (Beazley Claim and Policy Release Agreement).

= Countercls. {4 26, 53-55.

7 Ex. D to Pl.’s Opening Br. [hereafter “Lexington Release Agreement”]; Ex. E to Pl.’s

Opening Br. [“Beazley Release Agreement”] (collectively, the “Release Agreements”).

= Compl. § 15.
Four months later, in June 2018, Trustwave brought this action for a
declaration that Trustwave is not liable to indemnify the Insurers. The Insurers
initially sought to dismiss or stay the action on jurisdictional grounds.”?_ They later
voluntarily withdrew that motion,” and filed an Answer with Affirmative Defenses,
Counterclaims, and a Third-Party Complaint (“Counterclaims and Third-Party
Claims’) against Trustwave Entities.2? Those claims’ filing date is deemed to be
February 23, 2018.76

Now before the Court is Trustwave Entities’ Motion to Dismiss the
Counterclaims and Third-Party Claims.’

D. STANDARD OF REVIEW

“A defense predicated on a statute of limitations may be brought by motion
to dismiss when the complaint itself shows that the action was not brought within

the statutory period.’”*? Superior Court Civil Rule 12(b)(6) provides that one on

 

id Defs.’ Mot. to Dismiss and Stay (July 17, 2018) (D.I. 8).
24 Notice of Withdrawal (Nov. 9, 2018) (D.I. 41).
= Countercls. (Nov. 21, 2018) (D.I. 42).

= See Joint Stipulation and Order, Nov. 2, 2018 (D.I. 40).
a Opening Br. in Supp. of Trustwave Holdings, Inc.’s, Trustwave Corporation’s and
AmbironTrustwave, Ltd.’s Motion to Dismiss Counterclaims and Third-Party Complaint
[hereinafter “‘Pl.’s Opening Br.”] (Jan. 15, 2019) (D.I. 47).

us Lima Delta Co. v. Glob. Aerospace, Inc., 2017 WL 4461423, at *5 (Del. Super. Ct. Oct. 5,
2017), aff'd, 189 A.3d 185 (Del. 2018) (quoting Brooks v. Savitch, 576 A.2d 1329, 1330 (Del.
Super. Ct. 1989) (citing Patterson v. Vincent, 61 A.2d 416 (Del. Super. Ct. 1948)).

-g-
defense to any action—be it initiating, counter, or third-party—may bring a motion
to dismiss if the complaint invoking that action fails “to state a claim upon which
relief can be granted.””? On a motion to dismiss, the Court must:

(1) accept all well-pleaded factual allegations as true,

(2) accept even vague allegations as “well pleaded” if they give the
opposing party notice of the claim,

(3) draw all reasonable inferences in favor of the non-moving party,
and

(4) [not dismiss the claims] unless the non-moving party would not be
entitled to recover under any reasonably conceivable set of
circumstances.*°

If the Court determines the complainant may recover after engaging that form of

review, then the Court must deny the motion to dismiss.*!

 

= Del. Super. Ct. Civ. R. 12(b)(6).

= Cent. Mortg. Co. v. Morgan Stanley Mortg. Capital Hldgs. LLC, 27 A.3d 531, 535 (Del.
2011); Wilmington Sav. Fund. Soc’y, F.S.B. v. Anderson, et al., 2009 WL 597268, at *2 (Del.
Super. Ct. Mar. 9, 2009) (citing Doe v. Cahill, 884 A.2d 451, 458 (Del. 2005) (Every reasonable
factual inference will be drawn in the non-moving party’s favor.); Anderson v. Tingle, 2011 WL
3654531 (Del. Super. Ct. Aug. 15, 2011) (But the Court will “ignore conclusory allegations that
lack specific supporting factual allegations.”). And when deriving the facts and their reasonable
inferences, certain documents integral to a plaintiff, counter-plaintiff, or third-party plaintiffs
claims may be considered by the Court on a motion to dismiss. Commonwealth Land Title Ins.
Co. v. Funk, 2014 WL 8623183, *3 (Del. Super. Ct. Dec. 22, 2014) (“The Court generally may
not consider extrinsic matters when ruling on a motion to dismiss.”); Furman v. Delaware Dept.
of Transportation, 30 A.3d 771, 774 (Del. 2011) (“[T]he only two exceptions to the general rule
prohibiting consideration of extrinsic material on a motion to dismiss: (i) where an extrinsic
document is integral to a plaintiffs claim and is incorporated into the complaint by reference, and
(11) where the document is not being relied upon to prove the truth of its contents.”).

31 Spence v. Funk, 396 A.2d 967, 968 (Del. 1978).

-9-
I. DISCUSSION

As a threshold matter, the parties do not dispute that all eighteen of the
Insurers’ Counterclaims and Third Party Claims are subject to Delaware’s statute of
limitations.*? Accordingly, the Court applies Delaware law.

Relying on Delaware’s statute of limitations, Trustwave Entities seek to
dismiss the Counterclaims and Third-Party Claims in their entirety, arguing that they
are time-barred and no tolling exceptions apply. According to Trustwave Entities,
the Insurers reimbursed Heartland and entered the Release Agreements in 2010, but
sat silently and waited for nine years before asserting their claims, while not once
notifying Trustwave Entities during the pendency of the several litigations that arose
from the 2009 Data Breach.”

The Insurers insist that the statutes of limitations were tolled by the Multi-
District Litigation, and their claims did not accrue until that action was finally
resolved on March 3, 2015. Thus, they say, their February 2018 Counterclaims and

Third-Party Claims are timely.*4

 

7 See Pl.’s Opening Br. J] 8-13; Defs.’ Opp’n (Plaintiff's contention that Delaware’s statute
of limitations applies is undisputed).

= Pl.’s Opening Br. 7, 8-16.

7 Defs.’ Opp’n 4 2, 7-14.

-10-
Delaware has a three-year statute of limitations for both tort and contract
claims.*° Accrual of either generally begins at the time of the “wrongful act,” which
itself varies depending on the kind of claim:

For breach of contract claims, the wrongful act is the
breach, and the cause of action accrues at the time of
breach. For tort claims, the wrongful act is a tortious act
causing injury, and the cause of action accrues at the time
of injury. Where the claim is one for indemnification or
contribution for damages paid to a third party, a cause of
action accrues only after the party seeking indemnification
has made payment to the third party.°°

Delaware law recognizes that limitations periods are “draconian” in nature.*’
These limitations are both harsh and strict—harsh in that they arbitrarily establish

t?8 and strict in that it is

jurisdictional prerequisites for initiating or maintaining sui
not even within a court’s power to extend the limitations period out of notions of fair

play.*’ Instead, on a showing that an action was initiated outside the statute of

 

3 Del. Code Ann. tit. 10, § 8106 (2018). See also Certainteed Corp. v. Celotex Corp., 2005
WL 217032, at *5 (Del. Ch. Jan. 24, 2005) (“[The Delaware Code] provides a three-year statute
of limitations governing actions for breach of contract and actions for torts.”) (internal citations
omitted).

de Lima Delta Co., 2017 WL 4461423, at *5 (quoting Certainteed Corp., 2005 WL 217032,
at *7)).

37 Murphy v. Lucas, 2006 WL 1173893, *3 (Del. Super. Ct. Apr. 28, 2006).

a8 Scharf v. Edgcomb Corp., 864 A.2d 909, 920 (Del. 2004) (internal citations omitted);
Marvel v. Prison Industries, 884 A.2d 1065, 1067 (Del. Super. Ct. 2005) (commenting that
Delaware’s savings statute is “intended to alleviate the harsh consequences of the statue of
limitations”).

a Rash v. C. & M. Corp., 218 A.2d 670, 672 (Del. 1966).
-1ll-
limitations, the plaintiff bears the burden of pleading facts from which application
of a recognized tolling doctrine can be reasonably inferred.”

To determine if a claim is time-barred, the Court examines three things for
each individual claim:*! (i) the accrual date for the cause of action; (ii) whether the
statute of limitations has been tolled; and (iii) assuming a tolling exception applies,
when the claimant was on inquiry notice.”

A. PREJUDICE FROM DELAY IS IRRELEVANT.
At argument, Trustwave Entities repeatedly complained of prejudice to their

43

ability to defend in this litigation due to the passage of time.*” At common law,

litigants had the power to bring suit at any time, no matter how remotely the right

 

40 SPX Corp. v. Garda USA, Inc., 2012 WL 6841398, at *2 (Del. Super. Ct. Dec. 6, 2012)
(quoting Winner Acceptance Corp. v. Return on Capital Corp., 2008 WL 5352063, at *14 (Del.
Ch. Dec. 23, 2008)). Valid tolling doctrines include, for example, fraudulent concealment,
inherently unknowable injury, and equitable tolling. Certainteed Corp., 2005 WL 217032, at *7;
Wright v. Dumizo, 2002 WL 31357891, at *2-4 (Del. Super. Ct. Oct. 17, 2002) (discussing
fraudulent concealment of breach and “time of discovery” rule for “inherently unknowable”
breach.). Despite its name, “equitable tolling” is available in the Superior Court. McLeod v.
McLeod, 2012 WL 2226502, *1 (Del. June 15, 2012).

7 See generally Certainteed Corp., 2005 WL 217032, at *6 (“The statute of limitations
analysis differs for each of the subsets of claims[.]’’).

“ SPX Corp., 2012 WL 6841398, at *2; accord Certainteed Corp., 2005 WL 217032, at *7;
Winner Acceptance Corp., 2008 WL 5352063, at *14.

= E.g. Or. Arg. Tr. at 8 (“Trustwave now is becoming — — is going to be very prejudiced
because witnesses are gone, documents are gone. And until the insurers contacted Trustwave in
February of 2008, it was not even put on notice that it would become later subject to litigation’);
Id. at 31 (“[T]here is great prejudice to Trustwave by the fact that the insurers sat on their hands
for over nine years.”).

-12-
first accrued.** Recognizing the potential for abuse that ability accorded plaintiffs,
the statute of limitations was created to “restrain” plaintiffs power in courts of law.*
In courts of equity, the doctrine of laches*® supplants and replaces the statute of
limitations,*” serving the same purpose of protecting a litigant from suits unfairly
brought after an unreasonable delay.*® Prejudice from the delay, and an inquiry into
a plaintiff's offsetting justification for delaying, are central to laches analysis.”
Trustwave Entities’ argument is in essence that the Insurers knew they would
be seeking the $30 million based on their insurance payouts, and could have
instituted suit for that sum long ago, irrespective of technical accrual dates. They go

on that Insurers’ failure to do so unfairly lured Trustwave Entities into believing no

 

= IAC/InterActiveCorp v. O’Brien, 26 A.3d 174, 177 (Del. 2011) (citing Perkins v. Cartmell,
4 Del. 270, 274 (Del. Err. & App. 1845)).

= Id.

= See Reid v. Spazio, 970 A.2d 176, 182-83 (Del. 2009) (“Laches is an equitable defense
... itis generally defined as an unreasonable delay by the plaintiff in bringing suit after the plaintiff
learned of an infringement of his rights, thereby resulting in material prejudice to the defendant.”).

47 See Adams v. Jankouskas, 452 A.2d 148, 157 (Del. 1982) (“While the limitations of actions
applicable in a court of law are not controlling in equity, absent unusual circumstances, the
analogous statute of limitations will be given great weight in deciding whether the plaintiff's claim
is barred by laches.”).

48 See Hutchinson v. Fish Engineering Corp., 203 A.2d 53, 63 (Del. Ch. 1964) (“One of the
firmest of equitable principles is that one may not slumber on his rights to the detriment of another
and later attempt to assert them.”).

= See Whittington v. Dragon Group, L.L.C.,991 A.2d 1, 7-8 (Del. 2009) (“An unreasonable
delay can range from as long as several years to as little as one month. The temporal aspect of the
delay is less critical than the reasons for it. In some circumstances even a long delay might be
excused.)

-13-
suit would be forthcoming and weakened Trustwave’s ability to mount its best and
most vigorous defense on the merits.

This is an equitable argument of laches, appropriate for consideration in the
Court of Chancery—not here. This is a court of law—not equity.°? So here, the
statute of limitations applies—not laches.°! And the action is barred if and only if
the Insurers failed to satisfy the statute of limitations. Prejudice or lack thereof is
irrelevant.

B. ALL OF INSURERS’ CLAIMS ARE SUBROGATION CLAIMS IN NATURE.

So are the Insurers’ Counterclaims and Third-Party Claims barred by the
statutes of limitations?

Insurers assert a total of eighteen counts, three of which are contractual
indemnification claims, and the remaining fifteen counts are claims for (i) breach of
contract, (ii) breach of express warranty, (iii) negligent misrepresentation, and

(iv) gross negligence (collectively, the “non-indemnification claims”).

 

7 See Juras v. Bd. of Pension Trs., 1992 WL 357864, at *2 (Del. Super. Ct. Oct. 15, 1992)
(“The [Superior] Court must deal only with the law not equity.”); Kerly v. Battaglia, 1990 WL
199507, at *4 (Del. Super. Ct. Nov. 21, 1990) (describing this Court as “a court of law, not

equity”).

7 See Hart v. Miller, 119 A.2d 751, 754 (Del. Super. Ct. 1955) (“{Plaintiff] is in a Court of
law, not equity, and we are not concerned with any question of an equitable [matter] ... which a
Court of Equity might consider.”).

-14-
All of the non-indemnification claims recite similar allegations: — that
Trustwave Entities failed to properly identify, assess, and report the security risks in
Heartland’s networks and systems. Those alleged failures, Insurers suggest, were
violative of Trustwave Entities’ contractual obligations, and fell short of the standard
of ordinary care.>?

The three indemnification counts are based on the 2005 Agreement and 2007
Agreement wherein Trustwave Entities contractually covenanted to indemnify

Heartland for certain third-party claims and suits.*?

 

52 Countercls. ] 60-234. By way of example:

The Breach of Contract counterclaim (Count I) alleges “[Trustwave] . . . breached its
contractual obligations by failing to properly provide ‘Compliance Validation Services’ and to
‘conduct a third party security assessment[.]’”

The Breach of Express Warranty counterclaim (Count I) alleges “Trustwave Corporation
... failed to perform the ‘Trustwave Services and related work’ . . . because it did not properly
verify that [Heartland’s] systems and networks complied with PCI DSS and other applicable
standards.”

The Negligent Misrepresentation counterclaim (Count VID) alleges “[Trustwave] failed to
exercise ordinary care in conducting its compliance assessment and issuing its compliance letter;
[and] made false representations . . . [that] included . . . informing [Heartland] that its systems and
networks were secured and complied with PCI DSS.”

The Gross Negligence claim (Count IX) alleges “[Ambiron] . . . breached its duty by...
failing to detect and report that [Heartland]’s networks and systems were not compliant with each
and every requirement of PCI DSS . . . constituted an extreme departure from the ordinary
standards of care and constituted gross negligence.”

= Countercls. Counts IV, V, and Third—Party Cls. Count III.

-15-
The Insurers now assert these eighteen claims as Heartland’s subrogees,
seeking recovery “in an amount in excess of $30 million dollars for the liabilities,
damages, remediation costs, fees and other consequential damages they sustained,
and for any such other or further relief as the Court deems equitable and just.”**

A subrogee insurer “steps into the shoes of its insureds.”*° The insurer “takes
the rights of its insureds, and therefore may proceed with the same claims that the
[insured] would have been able to assert.”°° However, the subrogee “may not enjoy
greater rights than those of its subrogors.”°’ As such, the statute of limitations
applied to the Insurers is that applicable to Heartland’s own injuries, which the
Insurers now raise vicariously.

C. NON-INDEMNIFICATION CLAIMS ARE TIME-BARRED.

With respect to the Insurers’ breach-of-contract and breach-of-express
warranty claims, Trustwave Entities posit those causes of action accrued on or before

April 10, 2008. That was the date of breach, they say, because that is when

Trustwave Entities issued the last compliance certificate. As to the negligent

 

"i See Countercls. at WHEREFORE paragraphs following each Count.

= State Farm Fire & Casualty, Co. v. General Electric Co., 2009 WL 5177156, at *3 (Del.
Super. Ct. Dec. 1, 2009).

56 Id.

57 Td.

-16-
misrepresentation and gross negligence claims, Trustwave Entities aver that those
causes of action accrued on or before May 14, 2008, i.e., the date of injury when the
malicious code was allegedly installed.*®

Trustwave Entities further contend that even if some tolling exception applied,
Heartland (thus, by subrogation, the Insurers) was on inquiry notice no later than
February 21, 2009, when the Heartland Investigation Report was issued.

The Insurers make a blanket objection to the accrual dates, claiming that all
the claims are tolled by the Multi-District Litigation.

As a start, the Court declines to accept that all-encompassing objection.
Because when engaging a statute of limitations analysis, the Court must consider
each claim individually. And the Court must, as to each individually, determine:
(i) its accrual date; (ii) any tolling mechanism applicable to it; and (411) whether the
plaintiff was on inquiry notice of it.°!

Here, the Court finds that the breach-of-contract and breach-of-express

warranty claims arise from the allegation that Trustwave Entities failed to satisfy

 

BS Pl.’s Opening Br. 11.

=e Id. 12.

60 Defs.’ Opp’n | 9 (“[T]he Trustwave Entities wrongly argue that the Insurer’s action

accrued at the time of the cyber breach.”).

7 Certainteed Corp., 2005 WL 217032, at *6~7; SPX Corp., 2012 WL 6841398, at *2;
Winner Acceptance Corp., 2008 WL 5352063, at *14.

-17-
their contractual obligations and the attendant warranties. Those claims are subject
to a three-year statute of limitations, accruing from the time of breach.”

“Service contracts,” like those between Heartland and Trustwave Entities, are
breached when the service is due.®? Trustwave Entities were engaged to provide
security risk assessment service. That due service then was Trustwave Entities’
issuance of the certificate of compliance. So all owed contractual performance to
Heartland upon which the Insurers raise their claims was due no later than April 10,
2008. That is, therefore, the last possible accrual date for the breach-of-contract
claims.

The tort claims—i.e., the negligent misrepresentation and gross negligence
claims—accrued on the date Heartland sustained injury. The complained-of injury
is Trustwave Entities’ inadequate evaluation and incorrect security validation of
Heartland’s networks and systems. That injury was inflicted between July 24, 2007,

and March 14, 2008, when the malicious code was allegedly installed.®

 

G2 DEL. CODE ANN. tit. 10, § 8106. See Certainteed Corp., 2005 WL 217032, at *5; Lima
Delta Co., 2017 WL 4461423, at *5. (“[B]reach of contract claims . . . accrue[] at the time of
breach. [T]ort claims . . . accrue[] at the time of injury.”).

63 Wright, 2002 WL 31357891, at *2-4; Shively v. Ken—Crest Centers for Exceptional
Persons, 1998 WL 960719, at *3 (Del. Super. Ct. Nov. 19, 1998).

ee Machala v. Boehringer Ingelheim Pharm., Inc., 2017 WL 2814728, at *6 (Del. Super. Ct.
June 29, 2017) (citing Winner Acceptance Corp., 2008 WL 5352063, at *14).

= Countercls. Jf 34, 36; Heartland Investigation Report, at p. 7.

-18-
Thus, all of the non-indemnification claims “on [their] face accrued outside
the statute of limitations.”°° And Insurers, therefore, bear the burden to show
reasonable inferences exist that some tolling exception applies.®’

The Court finds no factual allegations supporting an exception sufficient to
excuse the Insurers’ untimeliness. Nothing in the Counterclaims and Third-Party
Claims suggest that Trustwave Entities “knowingly took affirmative actions” to
conceal,®* or that “the breach is inherently unknowable and [Heartland/Insurers as
subrogee] was blamelessly ignorant that the cause of action existed.”® Nor did
Insurers first file suit in come other court under the erroneous belief jurisdiction was

proper there.”

 

id SPX Corp., at *2 (quoting Winner Acceptance Corp. v. Return on Capital Corp., 2008 WL

5352063, at *14 (Del. Ch. Dec. 23, 2008)) (Carpenter, J.).
67 Id

7 Certainteed Corp., 2005 WL 217032, at *8; Machala, 2017 WL 2814728, at *6 (Del.
Super. Ct. June 29, 2017) (“Under the fraudulent concealment doctrine, the statute of limitations
is tolled if there was an affirmative act of concealment or some misrepresentation that was intended
to put a plaintiff off the trail of inquiry until such time as the plaintiff is put on inquiry notice.”)
(citation and internal quotation marks omitted).

69 Wright, 2002 WL 31357891, at *4.
70 See Owens v. Carmen Ford, Inc., 2013 WL 5496821, *2 (Del. Super. Ct. Sep. 20, 2013)

(“Where a litigant actively pursued judicial remedies by filing a defective pleading during the
statutory period, equitable tolling may be appropriate.”).

-19-
To the contrary, Heartland learned of the data compromise no later than
January 2009.7! Heartland itself publically announced the 2009 Data Breach on
February 20, 2009.” With the issuance of the Heartland Investigation Report a day
later, Heartland was certainly made aware of the maliciously installed code, the
timeline of numerous data compromising events, and their PCI DSS noncompliance
in derogation of Trustwave Entities’ prior validation.

Even if the Court found some tolling exception applied, Heartland directly
and the Insurers as subrogees were unequivocally on inquiry notice of the causes of
action no later than February 21, 2009. Accordingly, any contractual or tort claims
brought after February 21, 2012, are time-barred.

Accordingly, the Court GRANTS the Motion to Dismiss the Insurers’
Counterclaims and Third-Party Claims for (i) breach of contract; (ii) breach of

express warranty; (iii) negligent misrepresentation; and (iv) gross negligence.

 

2 By way of example, the Heartland Investigation Report states “[Heartland] became aware

of a potential problem on October 27, 2008 when a fraud analysis team from one Card Brand began
sharing reports of fraud...” and “[o]n January 12, 2008, [Heartland] discovered clear signs of a
security breach within their payment processing environment[.]” See Heartland Investigation
Report, at pp. 4-6.

R Visa Settlement Agreement § Preamble; MasterCard Settlement Agreement § Preamble.

- 20 -
D. THE INDEMNIFICATION CLAIMS ACCRUED WHEN THE MULTI-DISTRICT
LITIGATION ENDED.

The Insurers’ remaining claims for indemnification are based on the 2005
Agreement and 2007 Agreement. Specifically, the 2005 Agreement provides:
[Trustwave Indemnity]. Trustwave will indemnify, defend and
hold [Heartland] harmless from and against... Losses? .. .

incurred by [Heartland] and its affiliates .. . arising out of or
connected with any third party claim relating to:

 

* * *

(iv) Trustwave’s gross negligence or willful misconduct; or

(v) Trustwave’s breach of any representation or warranty in this
agreement.”

The 2007 Agreement states:

Indemnification. [Trustwave] shall indemnify and hold
harmless [Heartland] and its Affiliates . . . any costs, liabilities,
damages or expenses (including reasonable attorneys’ fees)
arising out of or relating to:

* * of

(iv) claims or suits attributable to breaches of the other party’s
express representations and warranties contained in the
Agreement.’°

 

7 “Losses” are defined in the 2005 Agreement as “any and all losses, liabilities, damages,

penalties, and claims, and all related costs, expenses and other charges (including all reasonable
attorneys’ fees and reasonable costs of investigation, litigation and settlement).”
m4 Countercls. § 87

» Id. 97.

-2]-
The 2005 Agreement’s unambiguous language provides for indemnification
of third-party claims relating to Trustwave Entities’ gross negligence, willful
misconduct, or breach of representations or warranties.’© Similarly, the 2007
Agreement provides for indemnification for claims or suits attributable to Trustwave
Entities’ breaches of express representations and warranties. ””

No doubt, therefore, Insurers plead indemnifiable losses.’® The question is:
When did the indemnification claim or claims arising from the Agreements’
language accrue?

A right to indemnification can exist either by common law or through
contract.”? A common law indemnity claim accrues when the indemnified party can
be confident that any claim against him has been resolved with certainty.®°
Contractual indemnification is different only in that resolution with certainty may

depend on the contract’s wording.*!

 

be Id. | 87

2 Id. ¥ 97.

B Id. J 88-89.

79 Certainteed Corp., 2005 WL 217032, at *3.
80 Id. (quoting Scharf, 864 A.2d at 919),

81 Branon v. Stein Roe Investment Counsel, LLC, 2015 WL 4710321, *4 (Del Ch. Ct. July 31,
2015) (Noble, V.C.)

-22-
The Insurers rely on select Delaware decisions, insisting that an
indemnification claim does not accrue until the underlying claim is conclusively
decided.*? In turn, they say, their indemnification claims did not accrue until the
Multi-District Litigation resolved.®

Trustwave Entities argue that indemnification claims accrue as soon as
damages are certain, namely, they are determined and recoverable.** And, because
the Insurers’ damages were determined (i.e., the total amount of $30 million) and
recoverable (i.e., against Trustwave Entities) when the Insurers entered into the
Release Agreements with Heartland, these indemnification claims accrued on the
dates of the Release Agreements.®

Trustwave Entities’ have it wrong here. True, the Insurers’ loss from their
contracts with Heartland were certain once the Release Agreements were signed and

performed. But that’s merely coincidental.®* A “bedrock principle of subrogation”

 

82 Defs.’ Opp’n Jf 7-12.

83 Id. 44 7-20.

84 Pl.’s Reply 4§ 5-6, 8-12.
85 Id

> See Shively, 1998 WL 960719, at *3 (“An indemnification contract, by its very nature,
cannot be breached until one party is liable and seeks indemnification from the other.”)

-23-
is that an insurer-subrogee’s rights are coterminous with that of the insured.®’
Insurers have standing based on Heartland’s loss, not their own.

Heartland’s loss consisted of the sum total of the claims arrayed against it,
which included the settlements with Visa and MasterCard and the Multi-District
Litigation. Even a judgment arising from a jury award does not become final and
certain until after the end of all appellate review.®® The rationale behind the
“finality” requirement is that “the person seeking indemnity should not have to rush
in at the first possible moment but rather should be able to wait until the outcome of
the underlying matter is certain.”®?

Heartland’s loss was therefore not certain until the end of the Multi-District
Litigation and so the statute of limitations on Heartland’s indemnification cause of
action did not begin to accrue until that time. If it sought recovery from Trustwave
Entities at any time prior to the dismissal of the Multi-District Litigation, Heartland

would have been unable to determine with certainty the magnitude of its loss that it

would then be calling upon Trustwave Entities to indemnify.

 

87 Great American Assur, Co. v. Fisher Controls Int’l., Inc., 2003 WL 21901094, at *4 (Del.
Super. Ct. Aug. 4, 2003).

a8 LaPoint v. AmerisourceBergen Corp., 970 A.2d 185, 198 (Del. 2009).

89 Td

-24-
Trustwave Entities concede that Heartland’s claim would be ripe and timely
at the end of the Multi-District Litigation.” Because the Insurers as subrogees sue
in Heartland’s shoes and not their own, their indemnification claims are subject to
the same measure of timeliness.

Trustwave Entities’ suggestion otherwise—that an insurer’s subrogated
indemnification statute of limitations should run from when they pay out their full
coverage, rather than from when the insured’s indemnification accrues—would
create certain adverse incentives and/or outcomes. For instance, when an insured
suffers a loss that causes it to owe multiple creditors more in payment than its
insurance coverage, Trustwave Entities’ proposed rule would penalize an insurer
who paid promptly and reward one that delayed payment with additional time to
plan and prepare a lawsuit. Delaware law strongly favors prompt payment of
meritorious insurance claims.”!

Moreover, applying the insured-subrogor’s accrual means the insurer-
subrogee can bring one consolidated subrogated suit against the party that allegedly

caused the insured to incur the loss, rather than multiple suits corresponding with the

multiple creditors’ causes of action as the various creditors’ suits settle or finally

 

20 Or. Arg. Tr. at 34.
9 See Taylor v. State Farm Mut. Auto. Ins. Co.,2012 WL 1415509, *4 (Del. Super. Ct. Mar.

30, 2012) (recognizing that a key purpose of insurance law is “to give the economic benefit of
prompt payment to an injured party without awaiting protracted litigation”).

-25-
resolve. Delaware law favors judicial economy and discourages piecemeal or
duplicative litigation.”

The indemnification claims did not accrue until March 3, 2015, when the
Multi-District Litigation finally resolved. So the Insurers’ contractual
indemnification claims, filed on February 23, 2018, are timely under the applicable
statute of limitations without resort to tolling.

The Court therefore DENIES the Motion to Dismiss Insurers’ Counterclaims
and Third-Party Claims for contractual indemnification.

IV. CONCLUSION

Heartland’s action for contractual indemnification accrued when the Multi-
District Litigation reached its final disposition on March 3, 2015. All of the non-
indemnification claims accrued no later than the issuance of the Heartland
Investigation Report on February 21, 2009. Because the date of their filing is

deemed to be February 23, 2018,”° the indemnification claims satisfy the applicable

 

72 See, e.g., Pontone v. Milso Indus. Corp., 2014 WL 2439973, at *9 (Del. Ch. May 29, 2014)
(recognizing the compulsory joinder rule is to “further the policies underlying the rule, including
discouraging a multiplicity of suits and promoting judicial economy”); Monsanto Co. v. Aetna
Cas. and Sur. Co., 559 A.2d 1301, 1313 (Del. Super. Ct. 1988) (observing, when deciding a motion
to dismiss a declaratory judgment action, that a “significant factor . . . is the court’s responsibility
to discourage duplicative and piecemeal litigation”); Chrysler Corp. v. New Castle Cty., 464 A.2d
75, 82 (Del. Super. Ct. 1983) (“[C]ollateral estoppel is in accord with Delaware’s established
policy to promote judicial economy.”).

%3 See Joint Stipulation and Order, Nov. 2, 2018 (D.I. 40).

Der
statute of limitations. But none of the Insurers’ other claims do. And no tolling
doctrine excuses the untimeliness of those other claims.

IT IS HEREBY ORDERED, that Trustwave Entities’ Motion to Dismiss is
GRANTED as to the Insurers’ Counterclaims and Third-Party Claims for (i) breach
of contract, (ii) breach of express warranty, (iii) negligent misrepresentation, and

(iv) gross negligence. Its Motion is DENIED as to the Insurers’ Counterclaims and

Third-Party Claims for Contractual Indemnification.

Paul R. Wallace, Judge

 

Original to Prothonotary

=o7 =
