On June 25, 2018, in a little-noticed, per curiam unpublished decision applying Texas law, the Fifth Circuit Court of Appeals raised some important questions about the extent to which D&O/Corporate Liability policies may be called upon to respond to cyber breach incidents in which credit card data is stolen by unknown hackers. Spec’s Family Partners, Ltd. v. The Hanover Insurance Co., No. 17-20263 (5th Cir. 2018). Specifically, the Fifth Circuit reversed the entry of judgment on the pleadings in favor of the insurer, finding that the underlying claims arising from a credit card breach could conceivably allege claims within the scope of the D&O corporate liability (“Side C”) coverage. Id. The policyholder – a specialty retail chain in Houston, Texas – entered into a Merchant Agreement with a company called First Data Merchant Services, LLC in order to process credit card payments. Sometime between October 2012 and February 2014, the policyholder’s credit card network was hacked by unknown criminals, resulting in a number of fraudulent transactions. First Data was required to reimburse the issuing banks for the costs and fines associated with those transactions.
First Data sent the policyholder two separate letters demanding payment for the amounts it incurred, claiming that there was “conclusive evidence of a breach of the cardholder environment at [the policyholder’s business],” and that the policyholder “was non-compliant with the Payment Card Industry Data Security [Standard] (PCIDSS) requirements.” The letters also included an itemized list of the costs First Data incurred in responding to the breach and informed the policyholder that, “in accordance with [the policyholder’s] indemnification obligation” under the Agreement, First Data had established reserve accounts in the amount of $7.6M and $1.9M to cover amounts it was required to pay MasterCard and Visa. The letters also included claims of non-compliance with third-party security standards and demands for non-monetary relief. Further, the letters stated “nothing contained herein shall be deemed a waiver of any right we may have under the Merchant Agreement or otherwise and we expressly reserve such right.”
After receiving the first of First Data’s demand letters, the policyholder provided notice to its insurer, and sought defense and indemnity coverage under its Directors, Officers, and Corporate Liability policy. The policy provided coverage for “loss” which the policyholder was legally obligated to pay because of “Claims” made against the policyholder during the policy period. “Claims” were defined as, inter alia, any written demand presented for monetary damages or non-monetary relief for a “Wrongful Act.” The policy also included a duty to defend the policyholder against any covered “Claims.” Notably, however, the policy excluded loss on account of any claim against the policyholder arising out of, or attributable to, a contract or agreement, where liability would not have attached in the absence of such contract or agreement.
After initially refusing to defend the claim, the insurer subsequently agreed to provide a defense under a reservation of rights. The insurer and the policyholder then entered into a Defense Funding Agreement, pursuant to which the insurer agreed, inter alia, to continue funding the policyholder’s defense until it provided written notice of its intent to cancel. Several months later, the policyholder sued First Data to recover the nearly $10M in funds withheld in the reserve accounts. The insurer, however, refused to pay the costs of that affirmative action on the grounds that they did not constitute “defense expenses.”
The policyholder then sued the insurer for breach of the insurance contract, breach of the Defense Funding Agreement, and violation of Chapter 542 of the Texas Insurance Code, Texas’s Unfair Claims Practices Act. The insurer moved for judgment on the pleadings, arguing that the policy’s contract exclusion barred coverage for the dispute with First Data over the Reserve Accounts set up pursuant to the Merchant Agreement, and that, accordingly, there was no basis for recovery under Chapter 542. The district court agreed, dismissing all of the policyholder’s claims.
On appeal, however, the Fifth Circuit reversed. At the outset, the Court found that a duty to defend would be triggered if First Data’s demand letters contained any claim that included potential liability on a non-contractual ground and thus arguably fell within the insurer’s scope of coverage under the D&O policy. Applying that standard, the Court found that the pleadings, when viewed in the light most favorable to the policyholder, did not unequivocally show that all of First Data’s claims fell squarely within the contract exclusion. Specifically, the Court opined that all of the pleaded claims did not necessarily arise out of the Merchant Agreement. Those non-contractual claims included allegations by First Data that the policyholder had been negligent in not complying with the Payment Card Industry Data Security requirements and other third-party security standards, as well as demands for non-monetary relief not arising from or contemplated by the Merchant Agreement. The Court thus found that, construing the pleadings liberally and in the light most favorable to the policyholder, theories of negligence and general contract law were implicated which implied potential liability separate and apart from any contractual obligations “arising out of” the Merchant Agreement. As such, the Court held that the district court should not have entered judgment on the pleadings in favor of the insurer on the duty to defend. The Court further found that it was error to enter judgment sua sponte on the Defense Contract Agreement contract claim because the insurer’s motion did not seek judgment on that claim.
This case illustrates potential issues that can arise under Side C coverage under D&O policies. Although many commentators have noted the potential exposure for cyber claims in the form of shareholder actions under D&O coverage, little attention has been given to the risks of cyber exposure under Side C coverage. D&O policies contain many exclusions and coverage limitations that should protect against undue, unintended expansion of such policies to encompass cyber risks. However, as this case illustrates, courts may not always agree that those coverage limitations fully address cyber breach exposures. The narrow reading of the contract exclusion in relation to the dispute concerning credit card information disclosures arising from a cyber breach in this 5th Circuit opinion is illustrative of those risks.