IN THE SUPERIOR COURT OF THE STATE OF DELAWARE
TRUSTWAVE HOLDINGS, INC. Plaintiff,
V. BEAZLEY INSURANCE COMPANY, INC.,
and LEXINGTON INSURANCE COMPANY Defendants.
C.A. No. N18C-06-162 PRW BEAZLEY INSURANCE COMPANY, INC., CCLD and LEXINGTON INSURANCE COMPANY Counter-Plaintiffs/
Third-Party Plaintiffs, V.
TRUSTWAVE HOLDINGS, INC., TRUSTWAVE CORPORATION, and AMBIRONTRUSTWAVE, LTD. Counter-Defendants/ Third-Party Defendants.
Nee Nem Nee Nee” re” Nee Nee Nee Ne ee” Nee ee Nee ne ee” ee” ee Nee” ee” ee” ee” Nee”
Submitted: June 27, 2019 Decided: September 30, 2019
Upon Counter-Defendant and Third-Party Defendants’ Motion to Dismiss, GRANTED, in part, and DENIED, in part.
MEMORANDUM OPINION AND ORDER
Jody Barillare, Esquire (argued), Beth Herrington, Esquire (pro hac vice), Zachary Ryan Lazar, Esquire (pro hac vice), Morgan, Lewis & Bockius, LLP, Wilmington, Delaware, Attorneys for Plaintiff.
Michael C. Heyden, Esquire (argued), Scott Schmookler (pro hac vice), Gordon Rees Scully Mansukhani, LLP, Wilmington, Delaware, Attorneys for Defendants.
WALLACE, J. I. INTRODUCTION
Plaintiff Trustwave Holdings, Inc. brings this declaratory judgment action against Defendants Beazley Insurance Company, Inc., and Lexington Insurance Company (together with Beazley, “Insurers”), seeking the Court’s pronouncement that Trustwave has no obligation to indemnify the Insurers in connection with the Insurers’ payment to a non-party insured, Heartland Payment Systems, with whom Trustwave was contracted to provide cyber security risk assessment services. The Insurers’ payment related to a substantial data breach that Heartland sustained in 2009, and Heartland’s consequent liability to other nonparties.
The Insurers answered the Complaint, and filed Counterclaims against Trustwave, as well as Third-Party Claims against Trustwave Corporation, and AmbironTrustwave, Ltd. (collectively with Trustwave Holdings and Trustwave Corporation, the “Trustwave Entities”),' alleging that Trustwave Entities provided inadequate services and asserting a total of eighteen claims in five causes of action: Breach of Contract, Breach of Express Warranty, Negligent Misrepresentation,
Gross Negligence, and Indemnification.
According to the Counterclaims, Ambiron is Trustwave’s former name used between July
2005 through October 2007, and Trustwave Corporation is now Trustwave’s wholly owned subsidiary. These entities perform their contractual obligations interchangeably. Compl. § 6; Defs.’ Affirmative Defenses Countercls. and Third—Party Compl. [hereinafter “Countercls.”] 49 3-7. Now before the Court is Trustwave Entities’ Motion to Dismiss the Insurers’ Counterclaims and Third-Party Claims. Trustwave Entities argue all Insurers’ claims are barred by the statute of limitations, that their Gross Negligence claims fail to state a claim, and that their Breach of Express Warranty claims are duplicative of their contract claims.
Il. FACTUAL AND PROCEDURAL BACKGROUND
Because of the current procedural posture, the Court herein summarizes the facts as averred in the Insurers’ Answer, Counterclaims, and Third-Party Claims.
A. THE PARTIES.
Trustwave Entities are in the business of inspecting, certifying, and validating clients’ adherence to certain data security regulations—the so-called Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (“PCI DSS”). Specifically, Trustwave Entities assess the security risks of customers’ networks and systems, recommend security control measures, determine compliance with PCI DSS, and issue certificates of compliance accordingly.” Certification of PCI DSS compliance is a commercial necessity for companies like
Heartland that process electronic payment transactions.
2 Countercls. ff 10-11. Between 2005? and 2007, Heartland engaged Trustwave Entities to provide periodic evaluations, certifications and reports regarding PCI DSS compliance and cybersecurity.* The engagement was memorialized through two agreements: the “Trustwave Preferred Sales Agent Agreement” dated February 18, 2005 (the “2005 Agreement”), and the Compliance Validation Services Agreement and _ its Addendum dated December 17, 2007 (the “2007 Agreement”).°
Under those agreements, Trustwave Entities tested and assessed the security and vulnerability of Heartland’s systems and networks. After each test, Trustwave Entities issued a report certifying that Heartland’s systems were compliant with PCI DSS standards.®
B. 2009 DATA BREACH AND SETTLEMENTS OF LITIGATIONS.
In January 2009, Heartland discovered a serious security breach that had resulted in the theft and exfiltration of approximately 100 million credit and debit
card numbers issued by more than 650 financial service companies (the “2009 Data
There is disagreement as to when Heartland began engaging Trustwave Entities.
Trustwave alleges that the engagement began in as early as October, 2004. The Insurers say the parties’ contractual relationship commenced in 2005, and complain that Trustwave fails to provide a copy of any 2004 contract. Compl. {J 6-8; Countercls. §] 10-11. This factual detail, however, is insignificant to this motion’s resolution.
4 Countercls. J 10-11. 5 Id. § 12, 21-24.
: Id. Tf 16-25. Breach”).’ The breach was caused by code maliciously installed on Heartland’s payment processing systems; those systems collect cardholders’ information.’ Code making Heartland’s systems vulnerable to the malware was installed in 2007. The malware itself was installed in 2008.’ Both the vulnerability and the malware rendered Heartland’s systems noncompliant with PCI DSS, but Trustwave Entities improperly certified the compliance of Heartland’s affected systems while performing services pursuant to their contractual relationship.!°
Following the 2009 Data Breach, various federal and state agencies, credit card brands,!! financial institutions, and consumers brought a number of individual and class action claims against Heartland.'? Many of those claims were ultimately
consolidated in the Southern District of Texas (the “Multi-District Litigation’”).'°
7 Id. 7 33, 41. 8 Id. Tf 34-36. ? Id.
ie Id. {ff 37-39.
i These credit card brands principally include Visa, MasterCard, Discovery, and American
Express. Jd. § 12. B Id. ¥§ 42-43.
3 Id. 9 43. The Multi-District Litigation eventually resolved on March 3, 2015, when the action was dismissed with prejudice."
Visa, one of Heartland’s customers, had detected and suspected Heartland’s systems’ security prior to the 2009 Data Breach.'° Visa retained Verizon Business, a third-party consulting firm, to conduct an investigation to evaluate Heartland’s systems. Verizon Business issued its investigative report on February 21, 2009.'°
After the 2009 Data Breach, Heartland reached settlement agreements with Visa for $60 million on January 7, 2010, and MasterCard (another Heartland customer) for $41.4 million on May 19, 2010."
Including these settlements, the Multi-District Litigation, and all other litigation and settlements related to the 2009 Data Breach, Heartland incurred losses
of more than $148 million in claims, attorney’s fees, costs, and other expenses.!®
is Id. Answer 4] 13-15, 25-26; Countercls. § 51. Is Trustwave Holdings, Inc.’s, Trustwave Corporation’s and AmbironTrustwave, Ltd.’s Mot. to Dismiss Countercls. and Third—Party Compl. [hereinafter “Pl.’s Opening Br.”] ex. A. [hereinafter “Heartland Investigation Report’].
7 Heartland Investigation Report, at p. 1.
M7 Pl.’s Opening Br. { 5; Ex. B to Pl.’s Opening Br. [hereafter “Visa Settlement Agreement”);
Ex. C to Pl.’s Opening Br. [hereafter “MasterCard Settlement Agreement”).
7 Countercls. 42. C. THE INSURANCE PAYMENT AND THIS ACTION ENSUES.
Heartland was insured by Beazley and Lexington. Lexington was the primary insurer with a policy limit of $20 million; Beazley provided excess insurance of $10 million.'? Following the 2009 Data Breach, Beazley and Lexington reimbursed Heartland for their respective full policy limits, i.e., a total of $30 million, by the end of 2010.2° Each of them entered into a release agreement (collectively, the “Release Agreements”) with Heartland, pursuant to which Heartland fully and finally released Insurers from all potential costs and liabilities in connection with the 2009 Data Breach, while the Insurers paid Heartland $30 million in accordance with policy limits.”!
In February of 2018, counsel for the Insurers demanded indemnification of $30 million (the total amount reimbursed to Heartland) from Trustwave based on Trustwave’s allegedly inadequate service in assessing the security risks of
Heartland’s systems during 2007 and 2008.”
ie Ex. D to Pl.’s Opening Br. (Lexington Claim and Policy Release Agreement); Ex. E to Pl.’s
Opening Br. (Beazley Claim and Policy Release Agreement).
= Countercls. {4 26, 53-55.
7 Ex. D to Pl.’s Opening Br. [hereafter “Lexington Release Agreement”]; Ex. E to Pl.’s
Opening Br. [“Beazley Release Agreement”] (collectively, the “Release Agreements”).
= Compl. § 15. Four months later, in June 2018, Trustwave brought this action for a declaration that Trustwave is not liable to indemnify the Insurers. The Insurers initially sought to dismiss or stay the action on jurisdictional grounds.”?_ They later voluntarily withdrew that motion,” and filed an Answer with Affirmative Defenses, Counterclaims, and a Third-Party Complaint (“Counterclaims and Third-Party Claims’) against Trustwave Entities.2? Those claims’ filing date is deemed to be February 23, 2018.76
Now before the Court is Trustwave Entities’ Motion to Dismiss the Counterclaims and Third-Party Claims.’
D. STANDARD OF REVIEW
“A defense predicated on a statute of limitations may be brought by motion to dismiss when the complaint itself shows that the action was not brought within
the statutory period.’”*? Superior Court Civil Rule 12(b)(6) provides that one on
id Defs.’ Mot. to Dismiss and Stay (July 17, 2018) (D.I. 8). 24 Notice of Withdrawal (Nov. 9, 2018) (D.I. 41). = Countercls. (Nov. 21, 2018) (D.I. 42).
= See Joint Stipulation and Order, Nov. 2, 2018 (D.I. 40). a Opening Br. in Supp. of Trustwave Holdings, Inc.’s, Trustwave Corporation’s and AmbironTrustwave, Ltd.’s Motion to Dismiss Counterclaims and Third-Party Complaint [hereinafter “‘Pl.’s Opening Br.”] (Jan. 15, 2019) (D.I. 47).
us Lima Delta Co. v. Glob. Aerospace, Inc., 2017 WL 4461423, at *5 (Del. Super. Ct. Oct. 5, 2017), aff'd, 189 A.3d 185 (Del. 2018) (quoting Brooks v. Savitch, 576 A.2d 1329, 1330 (Del. Super. Ct. 1989) (citing Patterson v. Vincent, 61 A.2d 416 (Del. Super. Ct. 1948)).
-g- defense to any action—be it initiating, counter, or third-party—may bring a motion to dismiss if the complaint invoking that action fails “to state a claim upon which relief can be granted.””? On a motion to dismiss, the Court must:
(1) accept all well-pleaded factual allegations as true,
(2) accept even vague allegations as “well pleaded” if they give the opposing party notice of the claim,
(3) draw all reasonable inferences in favor of the non-moving party, and
(4) [not dismiss the claims] unless the non-moving party would not be entitled to recover under any reasonably conceivable set of circumstances.*°
If the Court determines the complainant may recover after engaging that form of
review, then the Court must deny the motion to dismiss.*!
= Del. Super. Ct. Civ. R. 12(b)(6).
= Cent. Mortg. Co. v. Morgan Stanley Mortg. Capital Hldgs. LLC, 27 A.3d 531, 535 (Del. 2011); Wilmington Sav. Fund. Soc’y, F.S.B. v. Anderson, et al., 2009 WL 597268, at *2 (Del. Super. Ct. Mar. 9, 2009) (citing Doe v. Cahill, 884 A.2d 451, 458 (Del. 2005) (Every reasonable factual inference will be drawn in the non-moving party’s favor.); Anderson v. Tingle, 2011 WL 3654531 (Del. Super. Ct. Aug. 15, 2011) (But the Court will “ignore conclusory allegations that lack specific supporting factual allegations.”). And when deriving the facts and their reasonable inferences, certain documents integral to a plaintiff, counter-plaintiff, or third-party plaintiffs claims may be considered by the Court on a motion to dismiss. Commonwealth Land Title Ins. Co. v. Funk, 2014 WL 8623183, *3 (Del. Super. Ct. Dec. 22, 2014) (“The Court generally may not consider extrinsic matters when ruling on a motion to dismiss.”); Furman v. Delaware Dept. of Transportation, 30 A.3d 771, 774 (Del. 2011) (“[T]he only two exceptions to the general rule prohibiting consideration of extrinsic material on a motion to dismiss: (i) where an extrinsic document is integral to a plaintiffs claim and is incorporated into the complaint by reference, and (11) where the document is not being relied upon to prove the truth of its contents.”).
31 Spence v. Funk, 396 A.2d 967, 968 (Del. 1978).
-9- I. DISCUSSION
As a threshold matter, the parties do not dispute that all eighteen of the Insurers’ Counterclaims and Third Party Claims are subject to Delaware’s statute of limitations.*? Accordingly, the Court applies Delaware law.
Relying on Delaware’s statute of limitations, Trustwave Entities seek to dismiss the Counterclaims and Third-Party Claims in their entirety, arguing that they are time-barred and no tolling exceptions apply. According to Trustwave Entities, the Insurers reimbursed Heartland and entered the Release Agreements in 2010, but sat silently and waited for nine years before asserting their claims, while not once notifying Trustwave Entities during the pendency of the several litigations that arose from the 2009 Data Breach.”
The Insurers insist that the statutes of limitations were tolled by the Multi- District Litigation, and their claims did not accrue until that action was finally resolved on March 3, 2015. Thus, they say, their February 2018 Counterclaims and
Third-Party Claims are timely.*4
7 See Pl.’s Opening Br. J] 8-13; Defs.’ Opp’n (Plaintiff's contention that Delaware’s statute of limitations applies is undisputed).
= Pl.’s Opening Br. 7, 8-16.
7 Defs.’ Opp’n 4 2, 7-14.
-10- Delaware has a three-year statute of limitations for both tort and contract claims.*° Accrual of either generally begins at the time of the “wrongful act,” which itself varies depending on the kind of claim:
For breach of contract claims, the wrongful act is the breach, and the cause of action accrues at the time of breach. For tort claims, the wrongful act is a tortious act causing injury, and the cause of action accrues at the time of injury. Where the claim is one for indemnification or contribution for damages paid to a third party, a cause of action accrues only after the party seeking indemnification has made payment to the third party.°°
Delaware law recognizes that limitations periods are “draconian” in nature.*’ These limitations are both harsh and strict—harsh in that they arbitrarily establish
t?8 and strict in that it is
jurisdictional prerequisites for initiating or maintaining sui not even within a court’s power to extend the limitations period out of notions of fair
play.*’ Instead, on a showing that an action was initiated outside the statute of
3 Del. Code Ann. tit. 10, § 8106 (2018). See also Certainteed Corp. v. Celotex Corp., 2005 WL 217032, at *5 (Del. Ch. Jan. 24, 2005) (“[The Delaware Code] provides a three-year statute of limitations governing actions for breach of contract and actions for torts.”) (internal citations omitted).
de Lima Delta Co., 2017 WL 4461423, at *5 (quoting Certainteed Corp., 2005 WL 217032, at *7)).
37 Murphy v. Lucas, 2006 WL 1173893, *3 (Del. Super. Ct. Apr. 28, 2006).
a8 Scharf v. Edgcomb Corp., 864 A.2d 909, 920 (Del. 2004) (internal citations omitted); Marvel v. Prison Industries, 884 A.2d 1065, 1067 (Del. Super. Ct. 2005) (commenting that Delaware’s savings statute is “intended to alleviate the harsh consequences of the statue of limitations”).
a Rash v. C. & M. Corp., 218 A.2d 670, 672 (Del. 1966). -1ll- limitations, the plaintiff bears the burden of pleading facts from which application of a recognized tolling doctrine can be reasonably inferred.”
To determine if a claim is time-barred, the Court examines three things for each individual claim:*! (i) the accrual date for the cause of action; (ii) whether the statute of limitations has been tolled; and (iii) assuming a tolling exception applies, when the claimant was on inquiry notice.”
A. PREJUDICE FROM DELAY IS IRRELEVANT. At argument, Trustwave Entities repeatedly complained of prejudice to their
ability to defend in this litigation due to the passage of time.*” At common law,
litigants had the power to bring suit at any time, no matter how remotely the right
40 SPX Corp. v. Garda USA, Inc., 2012 WL 6841398, at *2 (Del. Super. Ct. Dec. 6, 2012) (quoting Winner Acceptance Corp. v. Return on Capital Corp., 2008 WL 5352063, at *14 (Del. Ch. Dec. 23, 2008)). Valid tolling doctrines include, for example, fraudulent concealment, inherently unknowable injury, and equitable tolling. Certainteed Corp., 2005 WL 217032, at *7; Wright v. Dumizo, 2002 WL 31357891, at *2-4 (Del. Super. Ct. Oct. 17, 2002) (discussing fraudulent concealment of breach and “time of discovery” rule for “inherently unknowable” breach.). Despite its name, “equitable tolling” is available in the Superior Court. McLeod v. McLeod, 2012 WL 2226502, *1 (Del. June 15, 2012).
7 See generally Certainteed Corp., 2005 WL 217032, at *6 (“The statute of limitations analysis differs for each of the subsets of claims[.]’’).
“ SPX Corp., 2012 WL 6841398, at *2; accord Certainteed Corp., 2005 WL 217032, at *7; Winner Acceptance Corp., 2008 WL 5352063, at *14.
= E.g. Or. Arg. Tr. at 8 (“Trustwave now is becoming — — is going to be very prejudiced because witnesses are gone, documents are gone. And until the insurers contacted Trustwave in February of 2008, it was not even put on notice that it would become later subject to litigation’); Id. at 31 (“[T]here is great prejudice to Trustwave by the fact that the insurers sat on their hands for over nine years.”).
-12- first accrued.** Recognizing the potential for abuse that ability accorded plaintiffs, the statute of limitations was created to “restrain” plaintiffs power in courts of law.* In courts of equity, the doctrine of laches*® supplants and replaces the statute of limitations,*” serving the same purpose of protecting a litigant from suits unfairly brought after an unreasonable delay.*® Prejudice from the delay, and an inquiry into a plaintiff's offsetting justification for delaying, are central to laches analysis.” Trustwave Entities’ argument is in essence that the Insurers knew they would be seeking the $30 million based on their insurance payouts, and could have instituted suit for that sum long ago, irrespective of technical accrual dates. They go
on that Insurers’ failure to do so unfairly lured Trustwave Entities into believing no
= IAC/InterActiveCorp v. O’Brien, 26 A.3d 174, 177 (Del. 2011) (citing Perkins v. Cartmell, 4 Del. 270, 274 (Del. Err. & App. 1845)).
= Id.
= See Reid v. Spazio, 970 A.2d 176, 182-83 (Del. 2009) (“Laches is an equitable defense ... itis generally defined as an unreasonable delay by the plaintiff in bringing suit after the plaintiff learned of an infringement of his rights, thereby resulting in material prejudice to the defendant.”).
47 See Adams v. Jankouskas, 452 A.2d 148, 157 (Del. 1982) (“While the limitations of actions applicable in a court of law are not controlling in equity, absent unusual circumstances, the analogous statute of limitations will be given great weight in deciding whether the plaintiff's claim is barred by laches.”).
48 See Hutchinson v. Fish Engineering Corp., 203 A.2d 53, 63 (Del. Ch. 1964) (“One of the firmest of equitable principles is that one may not slumber on his rights to the detriment of another and later attempt to assert them.”).
= See Whittington v. Dragon Group, L.L.C.,991 A.2d 1, 7-8 (Del. 2009) (“An unreasonable delay can range from as long as several years to as little as one month. The temporal aspect of the delay is less critical than the reasons for it. In some circumstances even a long delay might be excused.)
-13- suit would be forthcoming and weakened Trustwave’s ability to mount its best and most vigorous defense on the merits.
This is an equitable argument of laches, appropriate for consideration in the Court of Chancery—not here. This is a court of law—not equity.°? So here, the statute of limitations applies—not laches.°! And the action is barred if and only if the Insurers failed to satisfy the statute of limitations. Prejudice or lack thereof is irrelevant.
B. ALL OF INSURERS’ CLAIMS ARE SUBROGATION CLAIMS IN NATURE.
So are the Insurers’ Counterclaims and Third-Party Claims barred by the statutes of limitations?
Insurers assert a total of eighteen counts, three of which are contractual indemnification claims, and the remaining fifteen counts are claims for (i) breach of contract, (ii) breach of express warranty, (iii) negligent misrepresentation, and
(iv) gross negligence (collectively, the “non-indemnification claims”).
7 See Juras v. Bd. of Pension Trs., 1992 WL 357864, at *2 (Del. Super. Ct. Oct. 15, 1992) (“The [Superior] Court must deal only with the law not equity.”); Kerly v. Battaglia, 1990 WL 199507, at *4 (Del. Super. Ct. Nov. 21, 1990) (describing this Court as “a court of law, not
equity”).
7 See Hart v. Miller, 119 A.2d 751, 754 (Del. Super. Ct. 1955) (“{Plaintiff] is in a Court of law, not equity, and we are not concerned with any question of an equitable [matter] ... which a Court of Equity might consider.”).
-14- All of the non-indemnification claims recite similar allegations: — that Trustwave Entities failed to properly identify, assess, and report the security risks in Heartland’s networks and systems. Those alleged failures, Insurers suggest, were violative of Trustwave Entities’ contractual obligations, and fell short of the standard of ordinary care.>?
The three indemnification counts are based on the 2005 Agreement and 2007 Agreement wherein Trustwave Entities contractually covenanted to indemnify
Heartland for certain third-party claims and suits.*?
52 Countercls. ] 60-234. By way of example:
The Breach of Contract counterclaim (Count I) alleges “[Trustwave] . . . breached its contractual obligations by failing to properly provide ‘Compliance Validation Services’ and to ‘conduct a third party security assessment[.]’”
The Breach of Express Warranty counterclaim (Count I) alleges “Trustwave Corporation ... failed to perform the ‘Trustwave Services and related work’ . . . because it did not properly verify that [Heartland’s] systems and networks complied with PCI DSS and other applicable standards.”
The Negligent Misrepresentation counterclaim (Count VID) alleges “[Trustwave] failed to exercise ordinary care in conducting its compliance assessment and issuing its compliance letter; [and] made false representations . . . [that] included . . . informing [Heartland] that its systems and networks were secured and complied with PCI DSS.”
The Gross Negligence claim (Count IX) alleges “[Ambiron] . . . breached its duty by... failing to detect and report that [Heartland]’s networks and systems were not compliant with each and every requirement of PCI DSS . . . constituted an extreme departure from the ordinary standards of care and constituted gross negligence.”
= Countercls. Counts IV, V, and Third—Party Cls. Count III.
-15- The Insurers now assert these eighteen claims as Heartland’s subrogees, seeking recovery “in an amount in excess of $30 million dollars for the liabilities, damages, remediation costs, fees and other consequential damages they sustained, and for any such other or further relief as the Court deems equitable and just.”**
A subrogee insurer “steps into the shoes of its insureds.”*° The insurer “takes the rights of its insureds, and therefore may proceed with the same claims that the [insured] would have been able to assert.”°° However, the subrogee “may not enjoy greater rights than those of its subrogors.”°’ As such, the statute of limitations applied to the Insurers is that applicable to Heartland’s own injuries, which the Insurers now raise vicariously.
C. NON-INDEMNIFICATION CLAIMS ARE TIME-BARRED.
With respect to the Insurers’ breach-of-contract and breach-of-express warranty claims, Trustwave Entities posit those causes of action accrued on or before
April 10, 2008. That was the date of breach, they say, because that is when
Trustwave Entities issued the last compliance certificate. As to the negligent
"i See Countercls. at WHEREFORE paragraphs following each Count.
= State Farm Fire & Casualty, Co. v. General Electric Co., 2009 WL 5177156, at *3 (Del. Super. Ct. Dec. 1, 2009).
56 Id.
57 Td.
-16- misrepresentation and gross negligence claims, Trustwave Entities aver that those causes of action accrued on or before May 14, 2008, i.e., the date of injury when the malicious code was allegedly installed.*®
Trustwave Entities further contend that even if some tolling exception applied, Heartland (thus, by subrogation, the Insurers) was on inquiry notice no later than February 21, 2009, when the Heartland Investigation Report was issued.
The Insurers make a blanket objection to the accrual dates, claiming that all the claims are tolled by the Multi-District Litigation.
As a start, the Court declines to accept that all-encompassing objection. Because when engaging a statute of limitations analysis, the Court must consider each claim individually. And the Court must, as to each individually, determine: (i) its accrual date; (ii) any tolling mechanism applicable to it; and (411) whether the plaintiff was on inquiry notice of it.°!
Here, the Court finds that the breach-of-contract and breach-of-express
warranty claims arise from the allegation that Trustwave Entities failed to satisfy
BS Pl.’s Opening Br. 11.
=e Id. 12.
60 Defs.’ Opp’n | 9 (“[T]he Trustwave Entities wrongly argue that the Insurer’s action
accrued at the time of the cyber breach.”).
7 Certainteed Corp., 2005 WL 217032, at *6~7; SPX Corp., 2012 WL 6841398, at *2; Winner Acceptance Corp., 2008 WL 5352063, at *14.
-17- their contractual obligations and the attendant warranties. Those claims are subject to a three-year statute of limitations, accruing from the time of breach.”
“Service contracts,” like those between Heartland and Trustwave Entities, are breached when the service is due.®? Trustwave Entities were engaged to provide security risk assessment service. That due service then was Trustwave Entities’ issuance of the certificate of compliance. So all owed contractual performance to Heartland upon which the Insurers raise their claims was due no later than April 10, 2008. That is, therefore, the last possible accrual date for the breach-of-contract claims.
The tort claims—i.e., the negligent misrepresentation and gross negligence claims—accrued on the date Heartland sustained injury. The complained-of injury is Trustwave Entities’ inadequate evaluation and incorrect security validation of Heartland’s networks and systems. That injury was inflicted between July 24, 2007,
and March 14, 2008, when the malicious code was allegedly installed.®
G2 DEL. CODE ANN. tit. 10, § 8106. See Certainteed Corp., 2005 WL 217032, at *5; Lima Delta Co., 2017 WL 4461423, at *5. (“[B]reach of contract claims . . . accrue[] at the time of breach. [T]ort claims . . . accrue[] at the time of injury.”).
63 Wright, 2002 WL 31357891, at *2-4; Shively v. Ken—Crest Centers for Exceptional Persons, 1998 WL 960719, at *3 (Del. Super. Ct. Nov. 19, 1998).
ee Machala v. Boehringer Ingelheim Pharm., Inc., 2017 WL 2814728, at *6 (Del. Super. Ct. June 29, 2017) (citing Winner Acceptance Corp., 2008 WL 5352063, at *14).
= Countercls. Jf 34, 36; Heartland Investigation Report, at p. 7.
-18- Thus, all of the non-indemnification claims “on [their] face accrued outside the statute of limitations.”°° And Insurers, therefore, bear the burden to show reasonable inferences exist that some tolling exception applies.®’
The Court finds no factual allegations supporting an exception sufficient to excuse the Insurers’ untimeliness. Nothing in the Counterclaims and Third-Party Claims suggest that Trustwave Entities “knowingly took affirmative actions” to conceal,®* or that “the breach is inherently unknowable and [Heartland/Insurers as subrogee] was blamelessly ignorant that the cause of action existed.”® Nor did Insurers first file suit in come other court under the erroneous belief jurisdiction was
proper there.”
id SPX Corp., at *2 (quoting Winner Acceptance Corp. v. Return on Capital Corp., 2008 WL
5352063, at *14 (Del. Ch. Dec. 23, 2008)) (Carpenter, J.). 67 Id
7 Certainteed Corp., 2005 WL 217032, at *8; Machala, 2017 WL 2814728, at *6 (Del. Super. Ct. June 29, 2017) (“Under the fraudulent concealment doctrine, the statute of limitations is tolled if there was an affirmative act of concealment or some misrepresentation that was intended to put a plaintiff off the trail of inquiry until such time as the plaintiff is put on inquiry notice.”) (citation and internal quotation marks omitted).
69 Wright, 2002 WL 31357891, at *4. 70 See Owens v. Carmen Ford, Inc., 2013 WL 5496821, *2 (Del. Super. Ct. Sep. 20, 2013)
(“Where a litigant actively pursued judicial remedies by filing a defective pleading during the statutory period, equitable tolling may be appropriate.”).
-19- To the contrary, Heartland learned of the data compromise no later than January 2009.7! Heartland itself publically announced the 2009 Data Breach on February 20, 2009.” With the issuance of the Heartland Investigation Report a day later, Heartland was certainly made aware of the maliciously installed code, the timeline of numerous data compromising events, and their PCI DSS noncompliance in derogation of Trustwave Entities’ prior validation.
Even if the Court found some tolling exception applied, Heartland directly and the Insurers as subrogees were unequivocally on inquiry notice of the causes of action no later than February 21, 2009. Accordingly, any contractual or tort claims brought after February 21, 2012, are time-barred.
Accordingly, the Court GRANTS the Motion to Dismiss the Insurers’ Counterclaims and Third-Party Claims for (i) breach of contract; (ii) breach of
express warranty; (iii) negligent misrepresentation; and (iv) gross negligence.
2 By way of example, the Heartland Investigation Report states “[Heartland] became aware
of a potential problem on October 27, 2008 when a fraud analysis team from one Card Brand began sharing reports of fraud...” and “[o]n January 12, 2008, [Heartland] discovered clear signs of a security breach within their payment processing environment[.]” See Heartland Investigation Report, at pp. 4-6.
R Visa Settlement Agreement § Preamble; MasterCard Settlement Agreement § Preamble.
- 20 - D. THE INDEMNIFICATION CLAIMS ACCRUED WHEN THE MULTI-DISTRICT LITIGATION ENDED.
The Insurers’ remaining claims for indemnification are based on the 2005 Agreement and 2007 Agreement. Specifically, the 2005 Agreement provides: [Trustwave Indemnity]. Trustwave will indemnify, defend and hold [Heartland] harmless from and against... Losses? .. .
incurred by [Heartland] and its affiliates .. . arising out of or connected with any third party claim relating to:
* * *
(iv) Trustwave’s gross negligence or willful misconduct; or
(v) Trustwave’s breach of any representation or warranty in this agreement.”
The 2007 Agreement states:
Indemnification. [Trustwave] shall indemnify and hold harmless [Heartland] and its Affiliates . . . any costs, liabilities, damages or expenses (including reasonable attorneys’ fees) arising out of or relating to:
* * of
(iv) claims or suits attributable to breaches of the other party’s express representations and warranties contained in the Agreement.’°
7 “Losses” are defined in the 2005 Agreement as “any and all losses, liabilities, damages,
penalties, and claims, and all related costs, expenses and other charges (including all reasonable attorneys’ fees and reasonable costs of investigation, litigation and settlement).” m4 Countercls. § 87
» Id. 97.
-2]- The 2005 Agreement’s unambiguous language provides for indemnification of third-party claims relating to Trustwave Entities’ gross negligence, willful misconduct, or breach of representations or warranties.’© Similarly, the 2007 Agreement provides for indemnification for claims or suits attributable to Trustwave Entities’ breaches of express representations and warranties. ””
No doubt, therefore, Insurers plead indemnifiable losses.’® The question is: When did the indemnification claim or claims arising from the Agreements’ language accrue?
A right to indemnification can exist either by common law or through contract.”? A common law indemnity claim accrues when the indemnified party can be confident that any claim against him has been resolved with certainty.®° Contractual indemnification is different only in that resolution with certainty may
depend on the contract’s wording.*!
be Id. | 87
2 Id. ¥ 97.
B Id. J 88-89.
79 Certainteed Corp., 2005 WL 217032, at *3. 80 Id. (quoting Scharf, 864 A.2d at 919),
81 Branon v. Stein Roe Investment Counsel, LLC, 2015 WL 4710321, *4 (Del Ch. Ct. July 31, 2015) (Noble, V.C.)
-22- The Insurers rely on select Delaware decisions, insisting that an indemnification claim does not accrue until the underlying claim is conclusively decided.*? In turn, they say, their indemnification claims did not accrue until the Multi-District Litigation resolved.®
Trustwave Entities argue that indemnification claims accrue as soon as damages are certain, namely, they are determined and recoverable.** And, because the Insurers’ damages were determined (i.e., the total amount of $30 million) and recoverable (i.e., against Trustwave Entities) when the Insurers entered into the Release Agreements with Heartland, these indemnification claims accrued on the dates of the Release Agreements.®
Trustwave Entities’ have it wrong here. True, the Insurers’ loss from their contracts with Heartland were certain once the Release Agreements were signed and
performed. But that’s merely coincidental.®* A “bedrock principle of subrogation”
82 Defs.’ Opp’n Jf 7-12.
83 Id. 44 7-20.
84 Pl.’s Reply 4§ 5-6, 8-12. 85 Id
> See Shively, 1998 WL 960719, at *3 (“An indemnification contract, by its very nature, cannot be breached until one party is liable and seeks indemnification from the other.”)
-23- is that an insurer-subrogee’s rights are coterminous with that of the insured.®’ Insurers have standing based on Heartland’s loss, not their own.
Heartland’s loss consisted of the sum total of the claims arrayed against it, which included the settlements with Visa and MasterCard and the Multi-District Litigation. Even a judgment arising from a jury award does not become final and certain until after the end of all appellate review.®® The rationale behind the “finality” requirement is that “the person seeking indemnity should not have to rush in at the first possible moment but rather should be able to wait until the outcome of the underlying matter is certain.”®?
Heartland’s loss was therefore not certain until the end of the Multi-District Litigation and so the statute of limitations on Heartland’s indemnification cause of action did not begin to accrue until that time. If it sought recovery from Trustwave Entities at any time prior to the dismissal of the Multi-District Litigation, Heartland
would have been unable to determine with certainty the magnitude of its loss that it
would then be calling upon Trustwave Entities to indemnify.
87 Great American Assur, Co. v. Fisher Controls Int’l., Inc., 2003 WL 21901094, at *4 (Del. Super. Ct. Aug. 4, 2003).
a8 LaPoint v. AmerisourceBergen Corp., 970 A.2d 185, 198 (Del. 2009).
89 Td
-24- Trustwave Entities concede that Heartland’s claim would be ripe and timely at the end of the Multi-District Litigation.” Because the Insurers as subrogees sue in Heartland’s shoes and not their own, their indemnification claims are subject to the same measure of timeliness.
Trustwave Entities’ suggestion otherwise—that an insurer’s subrogated indemnification statute of limitations should run from when they pay out their full coverage, rather than from when the insured’s indemnification accrues—would create certain adverse incentives and/or outcomes. For instance, when an insured suffers a loss that causes it to owe multiple creditors more in payment than its insurance coverage, Trustwave Entities’ proposed rule would penalize an insurer who paid promptly and reward one that delayed payment with additional time to plan and prepare a lawsuit. Delaware law strongly favors prompt payment of meritorious insurance claims.”!
Moreover, applying the insured-subrogor’s accrual means the insurer- subrogee can bring one consolidated subrogated suit against the party that allegedly
caused the insured to incur the loss, rather than multiple suits corresponding with the
multiple creditors’ causes of action as the various creditors’ suits settle or finally
20 Or. Arg. Tr. at 34. 9 See Taylor v. State Farm Mut. Auto. Ins. Co.,2012 WL 1415509, *4 (Del. Super. Ct. Mar.
30, 2012) (recognizing that a key purpose of insurance law is “to give the economic benefit of prompt payment to an injured party without awaiting protracted litigation”).
-25- resolve. Delaware law favors judicial economy and discourages piecemeal or duplicative litigation.”
The indemnification claims did not accrue until March 3, 2015, when the Multi-District Litigation finally resolved. So the Insurers’ contractual indemnification claims, filed on February 23, 2018, are timely under the applicable statute of limitations without resort to tolling.
The Court therefore DENIES the Motion to Dismiss Insurers’ Counterclaims and Third-Party Claims for contractual indemnification.
IV. CONCLUSION
Heartland’s action for contractual indemnification accrued when the Multi- District Litigation reached its final disposition on March 3, 2015. All of the non- indemnification claims accrued no later than the issuance of the Heartland Investigation Report on February 21, 2009. Because the date of their filing is
deemed to be February 23, 2018,”° the indemnification claims satisfy the applicable
72 See, e.g., Pontone v. Milso Indus. Corp., 2014 WL 2439973, at *9 (Del. Ch. May 29, 2014) (recognizing the compulsory joinder rule is to “further the policies underlying the rule, including discouraging a multiplicity of suits and promoting judicial economy”); Monsanto Co. v. Aetna Cas. and Sur. Co., 559 A.2d 1301, 1313 (Del. Super. Ct. 1988) (observing, when deciding a motion to dismiss a declaratory judgment action, that a “significant factor . . . is the court’s responsibility to discourage duplicative and piecemeal litigation”); Chrysler Corp. v. New Castle Cty., 464 A.2d 75, 82 (Del. Super. Ct. 1983) (“[C]ollateral estoppel is in accord with Delaware’s established policy to promote judicial economy.”).
%3 See Joint Stipulation and Order, Nov. 2, 2018 (D.I. 40).
Der statute of limitations. But none of the Insurers’ other claims do. And no tolling doctrine excuses the untimeliness of those other claims.
IT IS HEREBY ORDERED, that Trustwave Entities’ Motion to Dismiss is GRANTED as to the Insurers’ Counterclaims and Third-Party Claims for (i) breach of contract, (ii) breach of express warranty, (iii) negligent misrepresentation, and
(iv) gross negligence. Its Motion is DENIED as to the Insurers’ Counterclaims and
Third-Party Claims for Contractual Indemnification.
Paul R. Wallace, Judge
Original to Prothonotary
=o7 =