Contract Exclusion Does Not Bar Defense Obligation for Alleged Payment Card Breach
The United States Court of Appeals for the Fifth Circuit, applying Texas law, has reversed an order granting an insurer judgment on the pleadings, holding that a breach of contract exclusion did not bar coverage for a demand received by an insured retailer from its credit card processor for indemnification and other relief arising from a payment card breach. Spec’s Family Partners, Ltd. v. Hanover Ins. Co., 2018 WL 3120794 (5th Cir. June 25, 2018).
Unknown criminals hacked into the credit card network of the insured retailer. After the hacking led to payment card losses, certain issuing banks demanded payment from the insured’s card processor, which in turn demanded reimbursement from the insured. Among other things, the processor’s demand letters noted the insured’s non-compliance with Payment Card Industry Data Security Standards and demanded that the insured take steps to confirm its security compliance. The letters also referred to the insured’s contractual indemnification obligations and requested other unspecified amounts. The insured’s private company D&O insurer agreed to fund the retailer’s defense under a reservation of rights. In ensuing coverage litigation, however, a federal district court granted the insurer’s motion for judgment on the pleadings, holding that the processor’s claim against the retailer was barred by a breach of contract exclusion.
On appeal, the court reversed. In so doing, the court ruled that the pleadings, when viewed in the light most favorable to the insured, did not “unequivocally show” that the breach of contract exclusion applied. In relevant part, the policy barred coverage for any loss or claim “directly or indirectly based upon, arising out of, or attributable to any actual or alleged liability under a written or oral contract or agreement,” except for “liability that would have attached in the absence of such contract or agreement.” The court reasoned that the demand letters referred to the insured’s non-compliance with third-party data security standards and noted that the letters made “not insignificant demands for non-monetary relief, wholly apart” from the indemnification demand. Specifically, the court indicated that the demand letters asked the insured to complete and submit “forms and an Attestation of Compliance from a Qualified Security Assessor,” which required it to incur considerable time and expense in responding. The court also noted that the demands asked the insured to “promptly pay” certain amounts to the claimant upon request. According to the court, these allegations, when construed liberally and in the light most favorable to the insured, “implicate[d] theories of negligence and general contract law that imply [the insured’s] liability for the assessments separate and apart from any obligations” under the operative contract. For that reason, the court reversed the ruling in favor of the insurer, holding that the breach of contract exclusion did not bar the duty to defend.