An insured seeking coverage for credit card fees assessed against its third-party payment processor following a data breach recently filed an appeal in the Fifth Circuit Court of Appeals. Spec's Family Partners Ltd. v. Hanover Ins. Co., Case No. 17-20263 (5th Cir. Aug. 18, 2017). Spec's, a liquor store chain with over 160 locations throughout Texas, suffered two major data breaches of its credit card payment system, resulting in the loss of customer information and credit card numbers. Spec's accepts Visa and MasterCard payments from its customers through a third-party processor, First Data. As a result of the breach, First Data incurred liability assessments from MasterCard and Visa totaling $9.6 million. A merchant agreement required Spec's to indemnify First Data for any assessments First Data incurred as a result of a breach of Spec's system. First Data demanded indemnification from Spec's for the fees. Without any adjudication of First Data's claims and without Spec's consent, First Data allegedly wrongfully withheld $4.2 million in credit card payments owed to Spec's. Consequently, Spec's sued First Data in Tennessee federal court to recover the $4.2 million.
Spec's was insured under a private company management liability policy issued by Hanover Insurance Company, which covered directors and officers and corporate liability. After Hanover disputed coverage, Spec's filed a declaratory judgment action in the Southern District of Texas, arguing that the fines assessed by Visa and MasterCard against First Data constituted loss to Spec's covered by the policy. The court disagreed, finding that the fines were assessed against First Data, not Spec's. The court also found that Spec's expenses in bringing suit against First Data did not constitute a "claim" against Spec's under the policy. According to the court, the only "claim" against Spec's was First Data's demand letters seeking indemnification. And the court found the indemnification claim was barred under the policy's broad exclusion for loss "arising out of ... any actual or alleged liability under a written or oral contract or agreement." Spec's argued that First Data's loss was not contractual, but, rather, was the result of superseding criminal conduct--hackers infiltrating its network. Accordingly, Spec's argued that the loss was covered based on the concurrent causation doctrine, under which a loss is covered if it results from both covered and uncovered causes. But the court found that First Data's demand against Spec's included no mention of criminal conduct and Spec's failed to show it would be liable to First Data for any reason other than contractual liability.
On appeal, Spec's argued that the lower court was wrong because, among other things, First Data's claim against Spec's (i) alleged liability based on noncontractual grounds, including its general allegation that Spec's had not been compliant with industry security standards, (ii) included a demand for nonmonetary relief wholly unrelated to any contract and (iii) was based upon the criminal attacks on Spec's data system, not Spec's contract with First Data. The case remains pending before the Fifth Circuit.
Spec's highlights the pitfalls of broad contractual liability exclusions that may bar coverage for any claim arising under an indemnification agreement. Policyholders should carefully read their policies--whether they are policies covering cyber risks, general liability, directors and officers liability, technology errors and omissions and other policies--to ensure they are covered for these risks. In particular, policyholders should confirm that coverage exists for liabilities that might arise independent of any contract or agreement. Spec's also highlights the importance of securing coverage for PCI-DSS assessment fees, which is provided under some cyber policies. Lastly, policyholders will be watching closely to see if the Fifth Circuit finds coverage for Spec's affirmative claims given First Data's decision to simply set off the allegedly owed amounts instead of filing a lawsuit that would have included claims and liability potentially covered by the policy. To avoid such uncertainly and to prevent such a situation, policyholders should seek prompt coverage from their insurers.