Delaware Court Allows Some Claims To Proceed In Data Breach Subrogation Action

Earlier this month, a Delaware state court dismissed multiple implied-warranty claims in a subrogation lawsuit against cybersecurity company Trustwave Corp., but allowed discovery to proceed on certain claims.

The suit involved a data breach at Euronet Worldwide Inc., a credit card processer. Trustwave had contracted with Euronet to provide vulnerability scans, compliance assessments, network-penetration attempts and compliance with the Payment Card Industry Data Security Standard requirements to Euronet. In December 2011, Euronet discovered that a software vendor had failed to turn on certain necessary encryption, leaving stored credit card data unencrypted, which, coupled with a malware intrusion into Euronet’s network, resulted in a breach of approximately two million credit card numbers.

Following the breach, Euronet paid out approximately $6 million in damages. Euronet was insured by National Union Fire Insurance Co. of Pittsburgh, Pennsylvania. National Union paid Euronet under the policy, and subsequently filed a subrogation action against Trustwave in October 2014, alleging the breach was the result of Trustwave’s faulty security services. Trustwave moved to dismiss the claims or to require National Union to amend its complaint. National Union filed an amended complaint in July 2015, and Trustwave again moved to dismiss.

In May 2016, Judge Mary M. Johnston of the Delaware Superior Court granted Trustwave’s motion to dismiss National Union’s “implied warranty of accuracy” claims, holding there was no legal basis for those claims. Judge Johnston found that even if there were a legal basis, the service contracts at issue between Trustwave and Euronet contained valid disclaimers, vitiating all implied warranty claims, which she dismissed with prejudice.

Judge Johnston granted Trustwave’s motion to dismiss several other claims, but without prejudice. The judge found that there was insufficient evidence at this stage to support twelve claims against Trustwave’s affiliate, Trustwave Holdings Inc., for its role in the breach. Instead of dismissing the claims outright, Judge Johnston granted discovery to determine “which Trustwave entity performed what task.”

The judge also granted discovery to clear up a discrepancy with the forum selection clauses contained in the contracts at issue. In 2006, the contract between Euronet and Trustwave identified Delaware in its forum selection clause. In 2011, the contract identified the courts of England and Wales. Since it is unclear exactly when the data breach occurred—National Union contends it was “sometime before December 2011”—the court held it was unclear which forum selection clause was triggered.

The case is National Union Fire Insurance Co. of Pittsburgh, Pa. v. Trustwave Ltd. et al., case number N14C-10-160, in the Superior Court of the State of Delaware.

About The Author
Tagged with: , , , ,
Posted in Data Breach, Litigation

Leave a Reply

Your email address will not be published. Required fields are marked *

*

About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates

cyberlawmonitor

Cozen O’Connor Blogs