Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Insurers obligated to indemnify retailer’s payment card claims following data breach

    Privacy, Cyber Risk & Data Security

    On March 22, the U.S. District Court for the District of Minnesota ordered two insurance companies to cover a major retailer’s 2013 data breach settlement liability under commercial general liability policies. As previously covered by InfoBytes, in 2018 the retailer reached a $17 million class action settlement to resolve consumer claims related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of up to 110 million people. The banks that issued the payment cards compromised in the data breach sought compensation from the retailer for costs associated with the cancellation and replacement of the payment cards. The retailer settled the issuing banks’ claims and later sued the insurers in 2019 for refusing to cover the costs, arguing that under the general liability policies, the insurers are obligated to indemnify the retailer with respect to the settlements reached with the issuing banks. The retailer moved for partial summary judgment, seeking a declaration that the general liability policies (which “provide coverage for losses resulting from property damage, including ‘loss of use of tangible property that is not physically injured’”) covered the costs incurred by the retailer when settling the claims for replacing the payment cards. According to the retailer, the insurers’ “refusal to provide coverage for these claims lacked any basis in either the Policies’ language or Minnesota law.” The court reviewed whether the cancellation of the payment cards following the data breach counted as a “loss of use” under the general liability policies. Although the court had previously dismissed the retailer’s coverage claims, the court now determined that the “expense that [the retailer] incurred to settle claims brought by the [i]ssuing [b]anks for the costs of replacing the compromised payment cards was a cost incurred due to the loss of use of the payment cards” because being cancelled “rendered the payment cards inoperable.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Indemnification Insurance

  • Insurance company not obligated to indemnify retailer’s payment card claims following data breach

    Courts

    On February 8, the U.S. District Court for the District of Minnesota granted defendant’s motion for summary judgment, ruling that an insurance company is not obligated to indemnify a national retailer (plaintiff) for settlements paid to multiple banks to resolve claims over the costs of canceling and reissuing customers’ compromised credit and debit cards after a 2013 data breach. After the data breach, the banks sued the plaintiff for the costs associated with cancelling and reissuing the cards (payment card claims). The plaintiff notified the defendant of its potential liability for payment card costs associated with the data breach, claiming that the payment card claims were covered under the defendant’s commercial general liability policies. The defendant denied coverage under the policies, and the plaintiff filed a breach-of-contract action seeking both declaratory judgment that its liability for the payment-card claims was covered under the policies, as well as judgment against the defendant for the settlement payments related to the payment card claims. In granting the defendant’s motion for summary judgment, the court determined, among other things, that the plaintiff failed to “establish[] a connection between the damages incurred for settling claims related to replacing the payment cards and the value of the use of those cards, either to the payment-card holders or issuers.” As such, “the connection between the damages claimed and the loss of use of the payment cards is insufficiently direct and, therefore, the damages claimed are not loss-of-use damages covered under the policies,” the court stated, noting that the defendant’s policies only allowed for indemnification when the plaintiff had a legal obligation to pay damages because of a “loss of use” of “tangible property that is not physically injured.”

    Courts Insurance Indemnification Data Breach Privacy/Cyber Risk & Data Security

  • 6th Circuit: Merchant indemnified against card breach costs

    Courts

    On June 7, the U.S. Court of Appeals for the 6th Circuit affirmed a lower court’s ruling that an agreement between a Texas-based merchant and a payment processor did not require the merchant to pay millions of dollars in damage-control costs related to two card system data breaches. After the data breaches, the payment processor withheld routine payment card transaction proceeds from the merchant, asserting that the merchant was responsible for reimbursing the amount that the issuing banks paid to cardholders affected by the breaches. However, the merchant refused to pay the payment processor, relying on a “consequential damages waiver” contained in the agreement.

    The payment processor argued that, under the agreement’s indemnification clause and provision covering third-party fees and charges, the merchant retained liability for assessments passed down from the card brands’ acquiring bank. The district court, however, granted summary judgment to the merchant, finding that the merchant was not liable for the card brands’ assessments. The court further ruled that the payment processor materially breached the agreement when it diverted funds to reimburse itself.

    On review, the 6th Circuit agreed with the lower court that the assessments “constituted consequential damages” and that the agreement exempted consequential damages from liability under a “conspicuous limitation” to the indemnification clause. According to the 6th Circuit, the “data breaches, resulting reimbursement to cardholders, and levying of assessments, though natural results” of the merchant’s failure to comply with the Payment Card Industry's Data Security Standards, “did not necessarily follow from it.” In addition, the appellate court agreed with the district court’s holding that third-party fees and charges in the contract refer to routine charges associated with card processing services rather than liability for a data breach. The appellate court also concurred that the payment processor’s decision to withhold routine payment card transactions, constituted a material breach of the agreement.

    Courts Sixth Circuit Appellate Payment Processors Credit Cards Data Breach Privacy/Cyber Risk & Data Security Indemnification

  • 2nd Circuit: Bank’s suit to recover RMBS losses is untimely

    Courts

    On February 6, the U.S. Court of Appeals for the 2nd Circuit affirmed the judgment of the district court dismissing, as untimely, a trustee’s breach of contract and indemnity claims related to losses resulting from alleged defects in mortgage loans. At issue are three pools of residential home mortgages that at the time of sale had an aggregate principal balance exceeding $3.4 billion. These loans were sold by a mortgage company to Lehman Brothers Holding Inc. and Lehman Brothers Bank FSB in 2006 and subsequently securitized into three trusts. In addition to the representations and warranties made and the remedies provided in the Mortgage Loan Purchase Agreements (MLPAs) and Trust Agreements, the mortgage company, Lehman, and the depositor entered into a separate Indemnification Agreement for each trust, which contained its own representations and warranties indemnification provision. Investors, including Freddie Mac, purchased certificates in the trusts.

    According to the court, Freddie Mac conducted a forensic review of the trusts six years after the sale, which allegedly revealed that an “overwhelming percentage” of the loans in the trusts breached the mortgage company’s representations and warranties (R&W). Shortly after discovery, the trustee submitted breach notices to the mortgage company, which did not cure or repurchase the loans.

    The Federal Housing Finance Agency (FHFA), as conservator for Freddie Mac, filed a complaint against the mortgage company asserting breach of contract and indemnification claims. After the FHFA dropped out of the litigation, the trustee filed an amended complaint that included two breach of contract counts and two indemnification counts—one seeking indemnification based on the MLPAs and Trust Agreements and another seeking indemnification based on the Indemnification Agreements.

    The mortgage company moved for summary judgment on the first three claims and moved to dismiss the fourth claim. The district court granted the motion. It found that the breach of contract claims were time-barred because the FHFA filed the summons with notice more than six years after the limitations period at issue, which begins to run on the effective date of the R&Ws. The court also found the trustee’s indemnification claim based on the MLPAs and Trust Agreements to be time-barred because it was “merely a reformulation of its breach-of-contract claims.” The district court dismissed the other indemnification claim based on the Indemnification Agreements as time-barred because it involved a new set of operative facts and thus could not relate back to the original complaint filed by the FHFA.

    On review, the 2nd Circuit affirmed the lower court’s decision. As to the breach of contract claims, the 2nd Circuit relied on two New York Court of Appeals cases: Ace Securities Corp. v. DB Structured Products, which held that the six year statute of limitations begins to run on the effective date of R&Ws, and Deutsche Bank National Trust v. Flagstar Capitals Market Corporation which held that an express accrual clause in a contract cannot delay the start of a limitations period under New York law. With respect to the third cause of action for indemnification under the MLPAs and Trust Agreements, the 2nd Circuit stated that absent unmistakably clear language in an indemnification agreement that demonstrates that the parties intended this clause to cover first-party claims as opposed to third-party claims, an agreement between two parties to indemnify each other does not mean that one party’s failure to perform gives rise to an indemnification claim. In reviewing the claim at issue in count three, the court found that the claim sought payment to the trustee arising from the mortgage company’s alleged breach of R&Ws, which is a breach of contract claim. The trustee argued that the indemnification section provided an independent remedy, but the 2nd Circuit rejected that argument stating that a claim is not independent if its success directly depends on the breach of the R&Ws in the MLPAs outlined in the contract claims. Finally, with respect to the fourth clause of action for indemnification, the 2nd Circuit held that this claim filed in 2016, would only be timely if it related back to the facts of the earlier claims, but since it arose out of different contracts it therefore could not relate back.

    Courts RMBS Second Circuit Appellate Indemnification

Upcoming Events