UPDATE: Texas Court Releases Opinion Explaining Reasoning for Dismissal of Claim for Coverage of Attorneys’ Fees Incurred to Recover PCI Fees and Fines Withheld by a Card Processor
Spec’s Family Partners Ltd. v. Hanover Ins. Co., Case. No. 4:16-cv-00438 (U.S.D.C., S.D. Tex. March 15, 2017).We have previously reported on the March 15, 2017, dismissal of a retailer’s claim for coverage of attorneys’ fees incurred to recover PCI fees and fines withheld by a card processor. The explanatory Memorandum Opinion and Order (“Opinion”) initially was filed under seal. That Opinion was unsealed on April 16, revealing that the decision was based on the absence of a duty to defend because of the contractual liability exclusion.
The case arose under a Private Company Management Liability Policy with a Directors, Officers and Corporate Liability Coverage Part issued by Hanover Insurance Company to Spec’s, a chain of liquor stores in Texas. Spec’s suffered two data breaches of its credit card payment system. Its transactions were processed by First Data Merchant Services, LLC pursuant to a Merchant Agreement.
Visa and MasterCard issued $9.5 million in case management fees and assessed fines (collectively, “fines”). The court concluded that these were levied against First Data. First Data sent two letters to Specs for claims arising from the data breaches. To satisfy its demands, First Data withheld $4.2 million from daily payment card settlements for Spec’s and used the money to establish a reserve account. Spec’s sued First Data to seek recovery of the withheld amounts. It also sued Hanover, which had entered into a Defense Funding Agreement (“DFA”), arguing that Hanover should pay for its lawyers in the action against First Data.
The court granted Hanover’s motion to dismiss on the pleadings, resolving the case by holding that there was no duty to defend in the first instance because coverage was precluded by the exclusion for liability under a contract.
The policy gave Hanover the right and duty to defend a “Claim,” which was defined to include a written demand for monetary damages for a Wrongful Act. The court found that the fines were levied against the card processor, First Data did not represent a separate demand against Spec’s and thus was not a Claim under the policy. Rather, the Claim was made in the demand letters for indemnification under the Merchant Agreement.
In applying the contractual exclusion, the court reviewed the DFA to determine whether it modified the exclusion, and concluded it did not, because, in the DFA, Hanover reserved its rights to challenge its duty of defense or to withdraw its defense. The court went on to reject the contention that the fines and the funding of a reserve account did not arise out of the contract with First Data, so were covered because the exclusion did not apply if the liability would have attached in the absence of the contract. The court declined “to find a speculative factual scenario or legal theory in which MasterCard or Visa make a claim directly against [the insured].” It found the only Claim was the one for indemnification in the demand letters.
The court also rejected the insured’s argument that the hack leading to the breach constituted superseding criminal conduct, which was an independent, “but for” cause of the claim making the contractual exclusion inapplicable. The court held that the only reason for the liability of specs to First Data was the Merchant Agreement.