IN THE SUPERIOR COURT OF THE STATE OF DELAWARE
NATIONAL UNION FIRE
INSURANCE COMPANY OF
PITTSBURGH, PA.,
Plaintiff,
v. C.A. No. Nl4C-lO-16O MMJ (CCLD)
TRUSTWAVE HOLDINGS, INC.,
TRUSTWAVE CORPORATION,
TRUSTWAVE LTD., and AMBIRON
TRUSTWAVE LTD.,
\J\é\./\./\J§/\/\J\J\,/\./£€\./
Defendants,
Submitted: March 21, 2016
Decided: May 3, 2016
Upon Defendants’ Motion to Dismiss Counts VII, VIII, XV, and XVI
GRANTED
Upon Defendants’ Motion to Dismiss Counts XV-XXVI against Trustwave
Holdings, Inc.
GRANTED without prejudice
Upon Defendants’ Motion to Dismiss Counts XXIII-XXVI
DENIED
OPINION
Robert J. Katzenstein, Esq., Smith, Katzenstein & Jenkins LLP, Christopher M.
Kahler, Esq. (Argued), Scott L. Schmookler, Esq., Craig A. Jacobson, Esq., Gordon
& Rees LLP, Attorneys for Plaintiff National Union Fire Insurance Company of
Pittsburgh, Pa.
J0hn A. Elzuf0n, Esq., Peter C. McGivney, Esq., Elzufon Austin Ta’rlov & Mondell,
P.A., Brian P. Kavanaugh, Esq. (Argued), William E. Arnault, Esq., Elizabeth A.
Honig, Esq., Kirkland & E1lis LLP, Attorneys for Defendants Trustwave Holdings,
Inc., Trustwave C0rp., Trustwave Ltd., and Ambiron Trustwave Ltd.
JOHNSTON, J.
the parties to that provision.B Forum selection clauses are presumptively va1id,
unless the resisting party clearly shows that enforcement would be unreasonable or
unjust, or that the clause is invalid for such reasons as fraud and overreaching.M
The forum selection clause is unreasonable when its enforcement would seriously
15
impair a plaintiffs ability to pursue its cause of action. Mere inconvenience or
additional expense is not the test of unreasonableness.lé
If no exclusive forum selection clause exists, the court will consider which
action is first-filed. When there is an earlier-filed action pending in a foreign
jurisdiction, Delaware courts generally apply the Mc Wane doctrine. This doctrine
favors granting a stay "when there is a prior action pending elsewhere, in a court
capable of doing prompt and complete justice, involving the same parties and the
1317
same issues. lf the Delaware action is considered first-filed, this Court examines
a motion under the traditional forum non conveniens framework. The Mc Wane line
of cases is not directly applicable. The Court will consider this precedent only by
way of analogy.
There are competing forum selection clauses in this case. National Union’s
Amended Complaint implicates both fora. The parties to the 2011 contract agreed
_13+___1_?____ __.__
Id.
14 Ingres Corp. v. CA, Inc., 8 A.3d 1143, 1146 (Del. 2010).
‘5 L@veman, 2009 wL 847655, ar *2.
‘6 Id.
17 McWane Cast Iron Pipe Corp. v. McDowll-Wellman Engineering Co., 263 A.Zd 281, 283 (Del,
1970).
9
to a different forum from the 2006 contract. Any distinct claim arising out of the
2011 contract must be resolved in the Courts of England and Wales. The
contracting parties should have been aware of possibly litigating claims in two
jurisdictions.
National Union contends that the breach happened "sometime before
December 20ll." lt is unclear when the alleged breach occurred. Thus, it is
unclear which forum selection clause is triggered. The conduct may have been one
continuous course of action or there may have been separate, distinct data breaches.
The conduct may be identical or substantially similar. If the claims are severed
before specifying the underlying factual allegations, separate litigation may result.
This would be inefficient, a waste of judicial resources, and risk inconsistent
judgments.
In Ashall Homes Ltd. v. ROK Entertainment Group Inc.,lg the Court of
Chancery discussed policy reasons for not bifurcating claims in cases with different
exclusive forum selection clauses. In Ashall, stockholders filed suit in Delaware
against a corporation and its directors on the grounds that the stockholders were
tricked into investing. The parties had simultaneously executed two sets of
agreements, both of which had English forum selection clauses. One forum
18 992 A.zd 1239 (Del. Ch. 2010)‘
10
selection clause was mandatory. 19 The plaintiffs argued the other was permissive.z°
Defendants moved to dismiss, citing the English forum selection clauses.
The Ashall Court granted Defendants’ motion to dismiss, citing the exclusive
forum selection clauses:
[T]here is an important policy reason for adjudicating all of the disputes
relating to these two agreements in one court. Because the two
agreements are intertwined, . . . bifurcating this dispute . . . would result
in obvious inefficiencies and confusion. . . . McWane, which
generally confines litigation to one forum, serves the public’s interest
in the orderly administration of justice by . . . reducing the risk of
conflicting verdicts.
. . . Under Mc Wane and other analogous doctrines, [] Plaintiffs ought to
be bound for faimess and eff`lciency’s sake to litigate in one place.zl
At oral argument on the pending motions in this case, the parties discussed an
undisclosed forensic report in Euronet’s possession. Defendants stated that the
report will clarify when the alleged breaches occurred. Following discovery, if it
appears that the alleged 2011 conduct was separate and distinct, and not in a
continuous course from 2006 onward, the Court will consider whether to sever the
2011 claims to allow Trustwave to litigate in the Courts of England and Wales.
The Court finds that it is premature to dismiss the claims relating to the 2011
agreement at this time. Therefore, Trustwave’s Motion to Dismiss Counts XXIII
through XXVI is DENIED.
19 Id. ac1249.
2° 1d_at1249-50.
” 1a ar1251.
ll
CONCLUSION
Delaware law does not recognize a cause of action based on an implied
warranty of accuracy. Therefore, Counts VII, VIII, XV, and XVI are hereby
DISMISSED WITH PREJUDICE.
The Court finds that Plaintiff has failed to allege sufficient facts to establish a
prima facie case against Trustwave Holdings, Inc. Therefore, Counts XV through
XXVI are hereby DISMISSED WITHOUT PREJUDICE. Discovery will be
permitted.
The Court holds that it is premature to determine whether the 20ll claims
should be dismissed on the bases of venue and forum selection.
THEREFORE, Defendants’ Motion to Dismiss is hereby GRANTED in
part and DENIED in part. Because of this ruling, the Court need not address
Plaintiff’ s waiver argument.
IT IS SO ORDERED.
FACTUAL AND PROCEDURAL CONTEXT
This subrogation action stems from a credit card processing company’s data
breach. A qualified security assessor allegedly failed to identify or prevent the
breach. Plaintiff National Union Fire Insurance Company of Pittsburgh, Pa.
("National Union") insured Euronet Worldwide, Inc ("Euronet"). Euronet is a
global provider of electronic payment and transaction processing services, including
credit card transactions made from point of sale terrninals. Euronet transmits point
of sale credit card data, including names and card numbers, to credit card companies.
Euronet protects the transmitted data on a highly-secured computer network
system. Euronet designed its security measures to comply with the Payment Card
Industry Data Security Standard ("PCI DSS") Requirements and Security
Assessment Procedures promulgated by major credit card issuers (e.g., Visa and
MasterCard). PCI DSS requires Euronet to have a qualified security assessor
annually validate its compliance. The qualified security assessor tests Euronet’s
systems to identify weaknesses and neutralize threats.
In 2006, Euronet and its subsidiaries entered into a series of contracts with
Defendant Ambiron Trustwave Ltd., a qualified security assessor.l Pursuant to the
contracts, Trustwave delegated some contractual responsibilities to Holdings.
l Ambiron Trustwave Ltd. now is Trustwave Ltd. Trustwave Holdings, Inc. ("Holdings")
formerly was Trustwave Corporation. For ease of reference, Defendants collectively will be
called Trustwave unless specificity is required.
In February 201 l, the parties entered into a new contract. This contract
encompassed and superseded all pri`or, piecemeal contracts. Most of the language
stayed the same. Notab1y, the parties adopted a new forum selection clause.
Delaware was the parties’ mandatory forum in the 2006 contract. The 2011
agreement changed the mandatory forum to the Courts of England and Wales.
Pursuant to the agreements, Trustwave performed yearly PCI DSS
compliance assessments, vulnerability scan and management, and network
penetration services. Trustwave had to: ensure that cardholder data, including
stored and transmitted credit card primary account numbers (PAN), was sufficiently
isolated and encrypted; certify that Euronet’s facilities and applications met PCI
DSS requirements; and verify that anti-virus software was operable.
Trustwave performed at least three audits. On August 25, 2009, Trustwave
performed a PCI DSS audit and a vulnerability scan, purportedly remediating all PCI
DSS non-compliance issues. Trustwave produced a Report on Compliance,
confirming full PCI DSS compliance. On January 25, 2010, Trustwave conducted
another audit, again confirming PCI DSS compliance. On July l2, 20ll,
Trustwave provided another Report on Compliance, again confirming that Euronet
had complied with PCI DSS’s requirements. Euronet alleges it relied on
Trustwave’s continued representations that Euronet’s network was secure.
In December 20ll, Euronet discovered that a security breach occurred at
some point during the contractual pen`ods. A software vendor failed to turn on
necessary PAN encryption, leaving stored credit card data unencrypted.
Additionally, malware found its way onto Euronet’s secured network, and swiped
the unencrypted data. The breach affected approximately two million credit card
numbers. Euronet paid out approximately $6 million in damages. National Union
paid Euronet pursuant to its insurance policy. Now, National Union seeks to
recover its payment from Trustwave. National Union alleges the breach would not
have happened if Trustwave had not misled Euronet that its network was secure.
National Union filed this lawsuit on October l7, 2014. Trustwave moved to
dismiss or, in the alternative, have National Union provide a more definite
statement. On June lO, 2015, the Court denied Trustwave’s Motion to Dismiss, but
required National Union to file a more definitive complaint listing all of the parties’
contracts.z National Union also was ordered to specify which claims it was
bringing against which defendants.3
National Union filed its Amended Complaint on July 27, 20l5. Trustwave
again moved to dismiss on the grounds of improper venue and failure to state a
claim. National Union opposed, arguing, inter alia, that Trustwave waived its
venue argument by failing to raise it in its first Motion to Dismiss.
2 Defs.’ Mot. To Dismiss Hr’ g Tr. 2:9-3:8, Jun. lO, 2015 (Trans. ID 57520499).
3
Id. 3:9-11.
STANDA'RI?' OF RE_VIEW
Superior Court Civil Rule l2(b)(3) governs a motion to dismiss or stay on the
basis of improper venue. The Court should give effect to private agreements’ terms
to resolve disputes in a contractually-designated judicial forum, out of respect for the
parties’ contractual designation." The Court can grant dismissal prior to discovery,
on the basis of affidavits and documentary evidence, if the plaintiff cannot make out
a prima facie case in support of its position.$ The Court generally will allow the
plaintiff to take discovery when the plaintiff advances a non-frivolous legal
argument that would defeat the motion if the facts turn out to be as alleged.6
In a Rule l2(b)(6) motion to dismiss, the Court must determine whether the
claimant "may recover under any reasonably conceivable set of circumstances
susceptible of proof."7 The Court must accept as true all well-pleaded allegations.g
Every reasonable factual inference will be drawn in the non-moving party’s favor.9
lf the claimant may recover under that standard of review, the Court must deny the
motion to dismiss.l°
4 Loveman v. Nusmile, Inc., 2009 WL 847655, at *2 (Del. Super.).
5 Id. (citing Simon v. Navellier Series Fund, 2000 WL 1597890, at *4 (Del. Ch.)).
6 HealthTrio, Inc. v. Margules, 2007 WL 544156, at *2 (Del. Super.) (citing Simon, 2000 WL
1597890, at *4).
; Spence v. Funk, 396 A.2d 967, 968 (Del. l978).
Ia'.
9 Wilmington Sav. Fund. Soc j), F.S.B. v. Anderson, 2009 WL 597268, at *2 (Del. Super.) (citing
Doe v. Cahill, 884 A.2d 45l, 458 (Del. 2005)).
‘° spen¢e, 396 A.2d @1¢968.
___ANALYSIS
Implied Warranly of Accuracy
National Union’s implied warranty of accuracy claims fail as a matter of law
for two reasons. First, National Union has failed to cite any Delaware authority
supporting the existence of a cause of action for the implied warranty of accuracy.
Second, assuming an implied warranty of accuracy exists in Delaware,
National Union’s claim still fails because both contracts contained identical
language expressly disclaiming all warranties. The disclaimer states:
This agreement is a service agreement, and except as expressly
provided in this agreement, [Trustwave] disclaims all other
representations or warranties, express or implied, including, without
limitation, any warranties regarding quality, suitability,
merchantability, or fitness for a particular purpose (irrespective of any
course of dealing, custom or usage of trade) of any services or any
goods or services provided incidental to the services provided under
this agreement.
Delaware’s Uniform Commercial Code allows parties to disclaim warranties.
A warranty disclaimer must use language which in common understanding calls the
buyer’s attention to the warranties’ exclusion stating there is no implied warranty.“
In this case, the disclaimer language validly excludes all implied warranties.
Therefore, Trustwave’s Motion to Dismiss Counts VII, VIII, XV, and XVI is
GRANTED.
“ 6 Dez_ C. § 2-316(3)(3).
Claims Against Holdings
Trustwave argues National Union failed to establish a prima facie case
against Holdings because Plaintiff’s Amended Complaint fails to distinguish
Holdings’ alleged conduct from the other Trustwave entities.
National Union only mentioned Holdings twice in its Amended Complaint,
Paragraph fourteen states: "Upon information and belief, certain of Trustwave
Ltd.’s contractual and professional duties and obligations were delegated to and
7
performed by Trustwave Holdings.’ This paragraph does not allege any specific
conduct by Holdings.
Paragraph twenty-one states:
On January 25, 20l0, "Trustwave, operating under Trustwave
Holdings, Inc." acknowledged that it had been retained to conduct a
third party security assessment and determine whether Euronet []
satisfactorily met [PCI DSS] and other major payment card association
security requirements related to the protection of cardholder data.
"Trustwave, operating under Trustwave Holdings, Inc.," represented
that it had "determined that Euronet [] has satisfactorily met the
security requirements as of January 22, 20l0."
This paragraph also does not allege any conduct undertaken by Holdings that could
form the basis for liability.
Reading paragraphs fourteen and twenty-one together, Trustwave argues
National Union’s allegations merely create a circular relationship void of any
specific conduct on the part of Holdings, a distinct entity.
National Union argues it needs discovery to discern which entity conducted
6
the audits. National Union claims internal documents and employment records will
determine whether Holdings engaged in any conduct for which it may be held liable.
Trustwave stated at argument that it would not resist discovery relating to the
various Trustwave relationships, including Holdings. The Court anticipates
Trustwave will respond to all discovery requests regarding which entity undertook
what responsibilities under the contracts.
The Court finds that Plaintiff has failed to allege sufficient facts to establish a
prima facie clause of action against Holdings. Therefore, Defendants’ Motion to
Dismiss Counts XV through XXVI against Trustwave Holdings, Inc. is GRANTED
without prejudice. Discovery regarding which Trustwave entity performed what
task will be permitted
Venue and Forum selection
The parties’ contracts contain contradicting forum selection clauses. The
2006 agreement and addenda provide:
This Agreement shall be governed by and construed in accordance with
the laws of the State of Delaware, without giving effect to conflict of
law principles. Each party hereto hereby agrees that any proceeding
relating to this Agreement and the transactions contemplated hereby
shall be brought solely in the state or federal court located in Delaware.
The 2011 agreement states:
This Agreement shall be governed by and construed in accordance with
English law, without giving effect to conflict of law principles. Each
party hereto hereby agrees that any proceeding relating to this
Agreement and the transactions contemplated hereby shall be brought
7
solely in the Courts of England and Wales.
Trustwave argues that National Union’s Amended Complaint alleges four
claims against Trustwave arising out of the 2011 agreement. Thus, those claims
must be brought in the Courts of England and Wales.
National Union counters that it has not alleged conduct arising out of the 2011
agreement. Any 201 1 conduct referenced in its Amended Complaint was part of an
ongoing pattern of misconduct. National Union contends it is entitled to file in
Delaware based on claims arising out of the 2006 contract. Additionally, forcing
National Union to litigate in the Courts of England and Wales creates inefficient,
duplicative litigation.
Venue disputes generally arise When: (a) a party claims first-filed status; or
(b) a party alleges another forum is better suited to hear the claims. National Union
seeks to enforce both the 2006 forum selection clause and its first-filed status,
preventing Trustwave from moving litigation to the Courts of England and Wales.
Trustwave argues that the required forum for the 2011 claims is the Courts of
England and Wales.
Consideration of a motion to dismiss a Delaware action, in favor of a foreign
action, rests within the sound discretion of the court.lz When contracting parties
have agreed to an exclusive forum selection clause, Delaware Courts generally hold
12 Choice Hotels Intern., Inc. v. Columbus-Hunt Park DR. BNK Investors, L.L.C., 2009 WL
3335332, at *3 (Del. Ch.).