IN THE SUPERIOR COURT OF THE STATE OF DELAWARE
TRUSTWAVE HOLDINGS, INC. )
Plaintiff, )
)
v. )
)
BEAZLEY INSURANCE COMPANY, INC., )
and LEXINGTON INSURANCE COMPANY )
Defendants. )
_____________________________________ )
) C.A. No. N18C-06-162 PRW
BEAZLEY INSURANCE COMPANY, INC., ) CCLD
and LEXINGTON INSURANCE COMPANY )
Counter-Plaintiffs/ )
Third-Party Plaintiffs, )
)
v. )
)
TRUSTWAVE HOLDINGS, INC., )
TRUSTWAVE CORPORATION, and )
AMBIRONTRUSTWAVE, LTD. )
Counter-Defendants/ )
Third-Party Defendants. )
Submitted: December 15, 2023
Decided: March 14, 2024
Upon Plaintiff/Counter-Defendant Trustwave Holdings and Third-Party Defendant
Trustwave Corporation’s Motion for Summary Judgment,
DENIED.
Upon Defendants/Counter and Third-Party Plaintiffs Beazley Insurance Company
and Lexington Insurance Company’s Motion for Partial Summary Judgment,
DENIED.
Upon Third-Party Defendant AmbironTrustWave, Ltd.’s
Motion for Partial Summary Judgment,
GRANTED.
MEMORANDUM OPINION AND ORDER
Jody Barillare, Esquire (argued), Beth Herrington, Esquire (pro hac vice), Zachary
Ryan Lazar, Esquire (pro hac vice), Morgan, Lewis & Bockius, LLP, Wilmington,
Delaware, Attorneys for Plaintiff.
Michael C. Heyden, Esquire (argued), Scott Schmookler (pro hac vice), Gordon
Rees Scully Mansukhani, LLP, Wilmington, Delaware, Attorneys for Defendants.
WALLACE, J.
Before the Court are three motions for summary judgment. The largest is by
Trustwave Corporation and Trustwave Holdings, Inc. (together, “Trustwave
Entities” or “Trustwave”) and seeks resolution of all remaining issues in this case.
Next, Beazley Insurance Company and Lexington Insurance Company (together,
“Insurers”) seek summary judgment on one of their two theories, but the practical
result of granting it would be a complete win for Insurers. Finally,
AmbironTrustwave, Ltd. seeks to be released from this action, claiming it has no
connection to the underlying events.
Those underlying events culminated in the historically large breach of
non-party Heartland Payment Systems’ credit card data. As will be detailed below,
Trustwave Entities had contracted with Heartland to provide data security services.
During the period of Trustwave’s performance, a hacker was able to infiltrate
Heartland’s network and steal millions of credit card numbers. This resulted in
liability for Heartland. Insurers paid a combined $30 million for Heartland’s losses
and now seek to recover that amount from Trustwave Entities as subrogees.
Each party suggests its entitlement to a favorable judgment is undisputed.
With the exception of AmbironTrustwave, Ltd., none is correct. Indeed, despite the
cross-motions, this matter is rife with unresolved genuine issues of material
fact.
The first such dispute relates to whether a certain contract, upon which
Insurers’ motion relies, even applies. Application of that contract would require
finding Heartland exercised an option therein, which is in doubt. Too, the interplay
of a relevant limitation of liability and indemnity provision is ambiguous, deterring
summary judgment. Next, there are genuine disputes as to whether Heartland
breached an applicable contract and whether such breach was material. If so, at least
part of Trustwave Entities’ relevant performance would have been excused. Lastly,
there is the central inquiry of whether Trustwave Entities breached warranties made
to Heartland and whether that caused the losses within the meaning of the relevant
indemnity provision. As might be expected, those fact-sensitive questions are not
ripe for summary judgment.
The lone issue that does seem ready for resolution is AmbironTrustwave,
Ltd.’s motion. It claims it is a United Kingdom corporation, located in the United
Kingdom, which has never done business in the United States, and which had no
role in any of the conduct at issue here. Though they oppose the motion, Insurers
offer no true response to any of those contentions. What’s more, although
overlooked by the parties, each claim against AmbironTrustwave, Ltd. was
dismissed by this Court’s opinion on Trustwave Entities’ Motion to Dismiss. So, it
seems clear there are no genuine issues of material fact left to be decided with regard
to AmbironTrustwave, Ltd.
II. FACTUAL AND PROCEDURAL BACKGROUND
A. THE PARTIES
Beazley Insurance Company is a Connecticut corporation with its principal
place of business in Connecticut.1 Its parent company is a Delaware corporation.2
Beazley is admitted to do business in Delaware and writes insurance policies that
cover risks located in Delaware.3 Lexington Insurance Company is a Delaware
corporation with its principal place of business in Massachusetts.4
Insurers insured non-party Heartland Payment Systems, a company that
facilitated credit card purchases by connecting merchants and banks.5 After
Heartland incurred a loss by having sensitive cardholder data stolen, Lexington
provided $20 million and Beazley provided $10 million to reimburse Heartland.6
Now, subrogated to Heartland’s claims, Insurers seek recovery from Trustwave
Entities.7
Trustwave Holdings, Inc. is a Delaware corporation with its principal place of
1 Insurers’ Answer to the Complaint [hereinafter “Answer to Compl.”] ¶ 3 (D.I. 42).
2 Answer to Compl. ¶ 3.
3 Id. ¶ 3.
4 Id. ¶ 4.
5 Insurers’ Counterclaim and Third-Party Complaint [hereinafter “Countercl.”] ¶ 52 (D.I. 42);
Insurers’ Motion for Summary Judgment Opening Brief [hereinafter “Insurers’ Mot.”] at 1 (D.I.
147); Insurers’ Mot., Ex. 4 [hereinafter “Humphrey Expert Report”] ¶ 9.
6 Countercl. ¶¶ 53-54; Insurers’ Mot., Ex. 7 [hereinafter “Cybertrust Report”] at 4.
7 Countercl. ¶ 55.
business in Illinois.8 Trustwave Holdings, Inc. was formed in 2005 to effectuate the
merger of Trustwave Corporation and Ambiron, LLC.9 Trustwave Holdings Ltd., a
subsidiary of Trustwave Holdings, Inc., is a United Kingdom corporation with its
principal place of business in the United Kingdom.10 Trustwave Holdings Ltd. was
formerly known as AmbironTrustwave, Ltd.11
Trustwave Entities provided data security services to Heartland during the
period when Heartland suffered its data breach.12 Following Insurers’
reimbursement of Heartland, they demanded indemnification from Trustwave
Entities.13 Thereafter, Trustwave Holdings, Inc., filed its complaint seeking a
declaratory judgment that it is not liable to Insurers.14
B. HEARTLAND’S CONTRACTS WITH TRUSTWAVE ENTITIES
Heartland had three contracts with Trustwave Entities that are relevant to this
litigation. The first is an agreement Ambiron LLC and Heartland entered into in
8 Trustwave Entities’ Answer to the Counterclaim [hereinafter “Answer to Countercl.”] ¶ 3 (D.I.
60).
9 Answer to Countercl. ¶ 4.
10 Id. ¶¶ 5-6.
11 Id. ¶ 5.
12 Id. ¶ 11.
13 Id. ¶ 15.
14 See generally Complaint [hereinafter “Compl.”] (D.I. 1).
October 2004 (the “2004 Agreement”).15 The purpose of that agreement was for
Ambiron—which later became part of Trustwave Holdings, Inc.—“to validate
[Heartland’s] compliance with the data security regulations of the credit card
associations.”16 A central fixture of the 2004 Agreement was Ambiron’s obligation
to provide monthly “vulnerability scans” of Heartland’s systems.17 Those scans used
proprietary technology to detect potential vulnerabilities in Heartland’s network and
thereby ensure compliance with the data security regulations imposed by Visa,
MasterCard, and Discover.18 Importantly, Ambiron did not agree to indemnify
Heartland under this agreement.19 The 2004 Agreement had an initial term of three
years and provided for automatic renewal.20
The next relevant contract is one between Trustwave Corporation and
Heartland that was entered into in February 2005 (the “2005 Agreement”).21 This is
the agreement upon which Insurers base their summary judgment motion and is the
subject of much dispute.22 The 2005 Agreement—self-titled the “Trustwave
15 Trustwave Entities’ Brief in Opposition to Insurers’ Motion for Summary Judgment
[hereinafter “Trustwave Opp’n Br.”], Ex. 4 [hereinafter “2004 Agreement”] (D.I. 171).
16 2004 Agreement at 3.
17 Id. at 7, 9.
18 Id. at 4, 6-7.
19 See id. at 15-16.
20 Id. at 15.
21 Trustwave Opp’n Br., Ex. 6 [hereinafter “2005 Agreement”] (D.I. 171).
22 See Insurers’ Mot. at 2.
Preferred Sales Agent Agreement”—is primarily an agreement for Heartland to refer
clients to Trustwave in exchange for a commission.23 But some language in it
suggests Heartland itself would become a Trustwave client by virtue of the
agreement.24 Still other language suggests Heartland merely retained the option to
engage Trustwave’s services25—leading to the parties’ dispute.
The 2005 Agreement does describe Trustwave’s services, but in considerably
less detail than the 2004 Agreement.26 Trustwave warranted it would perform its
services “using reasonable care and skill.”27 Of note, and unlike the 2004
Agreement, the 2005 Agreement provides that Trustwave would indemnify
Heartland for losses “arising out of or connected with any third party claim relating
to” “TrustWave’s breach of any representation or warranty.”28 This agreement had
an initial term of one year and provided for automatic renewal.29
Lastly, there is the contract Trustwave Holdings, Inc., and Heartland entered
23 See 2005 Agreement at 1-4 (all capitals in original).
24 Id. at 3 (“during the Term TrustWave will provide to [Heartland] the services (the ‘TrustWave
Services’)”).
25 Id. (“Should [Heartland] elect to utilize any of the TrustWave Services for its own internal use
. . . .”).
26 Compare 2005 Agreement at 1-2 with 2004 Agreement at 6-13.
27 2005 Agreement at 3, 4.
28 Id. at 8-9.
29 Id. at 6.
into in December 2007 (the “2007 Agreement”).30 This agreement was presented
by Trustwave to Heartland in October 2007, which corresponds to the end of the
2004 Agreement’s initial term.31 Similarly to the 2004 Agreement, the 2007
Agreement focuses on Trustwave providing its “Compliance Validation Service” to
Heartland.32 That service included conducting monthly vulnerability scans,
providing a “Compliance Validation Report” to document non-compliance with the
applicable standards and suggest remedies, and issuing a “Report on Compliance”
(“ROC”) once Heartland achieved full compliance.33 This description of
Trustwave’s services was again much more detailed than what is contained in the
2005 Agreement.34
The 2007 Agreement also contained an indemnification provision for any
costs “arising out of or relating to” “claims or suits attributable to breaches of the
other party’s express representations and warranties.”35 Trustwave warranted that it
would perform its services “in a professional and workmanlike manner.”36 This
contract also contained a limitation of liability, stating Trustwave would only be
30 Trustwave Opp’n Br., Ex. 7 [hereinafter “2007 Agreement”] (D.I. 171).
31 2007 Agreement cover page; 2004 Agreement at 15.
32 Id. at 3-8.
33 Id. at 3-5, 7.
34 Compare 2007 Agreement at 3-8 with 2005 Agreement at 1-2.
35 2007 Agreement at 9-10.
36 Id. at 9.
liable for its gross negligence, would only be liable up to the amount of fees paid by
Heartland, and would “in no event . . . be liable for any special, indirect, exemplary,
incidental or consequential losses or damages.”37 This agreement had an initial term
of three years and provided for automatic renewal.38
C. DATA BREACH AND INSURERS’ PAYMENTS
To maintain the security of the payment card data it processed, Heartland’s
computer network was bifurcated.39 One part of the system was unsecured and only
used for standard business tasks, such as email.40 The other side was secured and
only used for processing the sensitive data.41 As described in the relevant industry
standards—the Payment Card Industry Data Security Standard (“PCI DSS”)—
segregating the portions of a company’s network that contain sensitive data is critical
because “seemingly insignificant paths to and from the Internet can provide
unprotected pathways into key systems.”42 Indeed, installing and maintaining a
“firewall” to separate publicly accessible servers from the secured network was the
37 Id. at 9 (all capitals in original).
38 Id. at 10.
39 Trustwave Holdings, Inc., and Trustwave Corporation’s Motion for Summary Judgment
Opening Brief [hereinafter “Trustwave’s Mot.”] (D.I. 149), Ex. 3 [hereinafter “Sims Dep.”] at 108
(D.I. 160).
40 Sims Dep. at 108.
41 Id.
42 Trustwave’s Mot., Ex. 22 [hereinafter “PCI DSS 1.1”] at 3 (D.I. 164).
first requirement of the PCI DSS.43 It was a failure of this network segregation that
led to the eventual data theft.44
The digital heist began in late 2007.45 In July of that year, an application
called Payroll Manager, which was housed in the unsecured side of Heartland’s
network, became vulnerable to attack.46 Specifically, Payroll Manager became
susceptible to an “SQL Injection”—an attack that imparts malware by taking
advantage of weaknesses in “public facing information input fields on a web
application such as the ‘First Name’ field.”47 In late December 2007, a hacker
injected malware through Payroll Manager and Heartland detected the malicious
activity in less than two days.48 Although Heartland acted “quickly and aggressively
to scope and contain the incident,” its efforts fell short.49 Remnants of the SQL
attack’s malware “remained unnoticed during the entire time-frame between
December 2007 through January 2009.”50
The SQL injection affecting the corporate side of Heartland’s network wasn’t
43 PCI DSS 1.1 at 3-4.
44 Cybertrust Report at 15.
45 Id. at 17.
46 Id.
47 Id.
48 Id. at 18.
49 Id. at 19, 21.
50 Id. at 21.
able to steal the payment card data on its own, though. Instead, the hackers needed
access to the payment card network. That access was provided by at least three
digital bridges between the two networks: (1) a “dual VPN connection between the
[Heartland] corporate and [Heartland] processing environments” set up by
Heartland’s Chief Technology Officer, Alan Sims; (2) a “server sitting on the
corporate [Heartland] network whose function is to connect to merchant POS
devices in the field for the purpose of passing install software and firmware updates”;
and, (3) another corporate-network server meant to support “service and help desk
requests and functionality” that “maintained the ability to connect to the production
payment environment.”51 The eventual investigation into the data breach revealed
those connections “could have acted as conduits” to steal the card data from the
secured environment.52 The “earliest known date” of the network’s payment
processing side being infiltrated via one of those connections is May 14, 2008.53
In summary, a hacker injected malware onto the corporate side of Heartland’s
network through Payroll Manager. That malware then migrated to the payment
processing side of the network through connections between the ostensibly separate
networks. Once it infected the payment processing side, the malware enabled the
51 Id. at 22.
52 Id. at 22.
53 Id. at 21.
hacker to capture and exfiltrate cardholder data.
On October 27, 2008, Visa contacted Heartland about reported fraud that
suggested a data breach.54 The breach was “effectively closed” two days later.55 In
December 2008, Verizon Business was retained to conduct a forensic examination,
leading to the Cybertrust Report.56 By January 2009, Heartland confirmed the data
breach and notified the card companies and law enforcement.57 In all, more than 88
million card numbers were stolen before the breach was contained.58 Naturally,
litigation ensued.
The details of Heartland’s array of extensive liabilities aren’t particularly
relevant to this matter. Suffice it to say, Heartland’s losses far exceeded Insurers’
combined limit of $30 million. So, Lexington and Beazley each paid up to their
limits—$20 million and $10 million, respectively.59 That is the sum Insurers seek
now that they are subrogated to Heartland’s claims.60
D. TRUSTWAVE ENTITIES’ SERVICES TO HEARTLAND
Though the parties dispute which contract applied when, there is no dispute
54 Id. at 4.
55 Id. at 5.
56 Id. at 4.
57 Id. at 4.
58 Insurers’ Mot., Ex. 10 [hereinafter “Visa Qualification Summary”] at 9 (D.I. 147).
59 Compl. ¶ 26; Countercl. ¶¶ 53-54.
60 Countercl. ¶¶ 93-95, 105-07, 192-94.
that Trustwave Entities were responsible for Heartland’s data security compliance
during the period when its systems were infiltrated. In that role, Trustwave had two
primary responsibilities relevant to this litigation: (1) performing “vulnerability
scans” of Heartland’s systems at least quarterly; and (2) annually ensuring
Heartland’s compliance with the PCI DSS requirements.61 These are the services
Trustwave Entities failed to perform adequately, thus triggering indemnification,
Insurers say.62
1. Vulnerability Scans
One requirement of the PCI DSS is vulnerability scans performed by an
approved scan vendor (“ASV”) at least once per quarter.63 Simply put, these scans
consist of the ASV using its automated “scanning tool,” which must first be
approved by the PCI Security Standards Council (“PCI SSC”), to look for potential
weaknesses in a secure system.64 Insurers specifically challenge the scans performed
in August and September 2007 because those scans occurred while Payroll Manager
was vulnerable to attack but before the vulnerability had been exploited.65 Insurers
61 See Trustwave’s Mot., Ex. 30 [hereinafter “2007 ROC”], Ex. 32 [hereinafter “2008 ROC”]
(D.I. 164).
62 Insurers’ Brief in Opposition to Trustwave Holdings, Inc. and Trustwave Corporation’s
Motion for Summary Judgment [hereinafter “Insurers’ Opp’n to Trustwave”] at 1-2 (D.I. 170).
63 Trustwave’s Mot., Ex. 23 [hereinafter “PCI Security Audit Procedures 1.1”] at 39-40 (D.I.
164).
64 See Trustwave’s Mot., Ex. 1 [hereinafter “Leach Report”] ¶ 95 (D.I. 150).
65 Insurers’ Mot. at 10.
argue these scans were performed under the 2005 Agreement,66 but Trustwave
Entities contend they were performed under the 2004 Agreement.67
An initial step in the scanning procedure—and one key to this dispute—is
setting the scope of the scan.68 In short, only the parts of the network that are
connected to the payment processing activities need to be part of the scan.69 Because
Payroll Manager and the rest of the corporate network were supposed to be
completely separate from the payment processing environment, it was not included
in the vulnerability scans.70 The failure to scan Payroll Manager and catch the SQL
vulnerability therein is the primary basis of Insurers’ summary judgment motion.
Regarding the obligation to correctly set the scope of the scan, the PCI Security
Scanning Procedures state:
Merchants and service providers have the ultimate
responsibility for defining the scope of their PCI Security
Scan, though they may seek expertise from ASVs for help.
If an account data compromise occurs via an IP address or
component not included in the scan, the merchant or
service provider is responsible.71
Nonetheless, Insurers’ expert, Andrew Valentine, opined that “[c]ompliance with
66 Id. at 7-8.
67 Trustwave Opp’n Br. at 2-3.
68 Trustwave Opp’n Br., Ex. 2 [hereinafter “PCI Security Scanning Procedures”] at 1-2 (D.I.
171).
69 PCI Security Scanning Procedures at 1-2; see also Leach Report ¶ 98.
70 Insurers’ Mot., Ex. 2-A [hereinafter “Valentine Report”] ¶ 78 (D.I. 147).
71 PCI Security Scanning Procedures at 2.
PCI DSS standards required Trustwave to properly scope Heartland’s network,
identify the connection between the corporate environment and pay[ment]
processing environment, and scan in[-]scope systems.”72
Separately from the scope of the scans, the parties are also at odds on the effect
that including Payroll Manager in the scans would have had. Specifically,
Mr. Valentine opined that including Payroll Manager in the scans “would have
enabled Heartland to uncover the vulnerability in the Payroll [M]anager in August
or September 2007—prior to the exploitation of the vulnerability in December
2007.”73 Trustwave Entities, meanwhile, argue a scan of Payroll Manager still might
not have caught the vulnerability.74 They point to deposition testimony by a
Trustwave employee, Thomas Leavey, who said a vulnerability scan “may or may
not catch” an “SQL injection issue.”75 Further, according to a disclaimer in the
August 2007 scan report: “it is usually only possible to fully validate [SQL]
vulnerabilities in a test or QA environment.”76
72 Valentine Report ¶ 78.
73 Id. ¶ 79.
74 Trustwave Opp’n Br. at 15-16.
75 Trustwave Opp’n Br., Ex. 16 [hereinafter “Leavey Dep.”] at 109-11 (D.I. 171). His testimony
explained that certain SQL vulnerabilities are the result of application-specific coding errors that
the automated scanning tool is not designed to detect.
76 Trustwave Opp’n Br., Ex. 18 [hereinafter “Aug. 2007 Scan Report”] at 9 (D.I. 171).
2. 2008 Report on PCI DSS Compliance
The second Trustwave service Insurers challenge is the ROC issued in April
2008.77 In a rare instance of consensus between the parties, they both acknowledge
this work was done pursuant to the 2007 Agreement.78 The purpose of the ROC is
simple: document Heartland’s compliance with the twelve sets of PCI DSS
requirements.79 To do so, Trustwave conducted remote and on-site investigations
into Heartland’s systems, starting in January 2008.80 In the process, Trustwave
interviewed eighteen Heartland employees and reviewed seventeen Heartland
documents, such as Heartland’s applicable policies and procedures.81
An ROC is limited in terms of its goals. As explained by Insurers’ expert,
Mr. Valentine, the ROC is only meant to determine whether a company is complying
with the specific PCI DSS requirements.82 It is not meant to ensure that the
company’s network is actually secure.83 According to Mr. Valentine, “security is
not a thing you can validate.”84 This subtle but important distinction is reflected in
77 Insurers’ Mot. at 2.
78 Id. at 7-8; Trustwave’s Mot. at 19.
79 Trustwave’s Mot., Ex. 32 [hereinafter “2008 ROC”] at 1-2 (D.I. 164).
80 2008 ROC at 7.
81 Id. at 14-15.
82 Trustwave’s Mot., Ex. 13 [hereinafter “Valentine Dep.”] at 66-68 (D.I. 164).
83 Valentine Dep. at 66-68.
84 Id. at 68.
industry documents. For example, each page of Visa’s “List of Compliant Service
Providers” comes with the disclaimer: “PCI DSS assessments represent only a
‘snapshot’ of security in place at the time of the review, and do not guarantee that
those security controls remain in place after the review is complete.”85 Relatedly,
the 2007 Agreement notes, “use of Trustwave’s services does not guarantee PCI
compliance or that [Heartland]’s systems are secure from unauthorized access.”86
Even the 2008 ROC itself states, “[Heartland] acknowledges that completion of the
PCI assessment and a finding of compliant will not prevent a compromise of
cardholder data on any of [Heartland]’s systems.”87
The ROC was initially completed in March 2008 but was updated the next
month.88 Notably, its preparation took place in the months between Heartland’s
discovery of the SQL injection and the malware’s first appearance on the network’s
payment processing side. Despite Heartland’s knowledge of malware having been
injected through Payroll Manager in December 2007, that event wasn’t fully
disclosed to Trustwave. Rather, according to an internal Trustwave email, Heartland
recounted the incident as Heartland having simply discovered a vulnerability—as
85 Trustwave’s Mot., Ex. 25 (D.I. 164).
86 2007 Agreement at 10.
87 2008 ROC at 2.
88 Id. at cover page, 3.
opposed to an exploitation thereof—on its own.89 This is relevant because Heartland
was contractually obligated to notify Trustwave of “any suspected breach of [its]
systems.”90 The parties dispute whether the unreported malware injection
constituted a “suspected breach.” According to both Mr. Valentine and a Trustwave
employee, evidence of a breach would have been treated with much more diligence
than evidence of a mere vulnerability.91
Additionally, there is the issue of the ROC’s purported recognition of a
connection between the corporate and payment processing realms of Heartland’s
network. In an appendix to the 2008 ROC, there are “Compensating Control”
worksheets.92 As described in the PCI DSS, a compensating control is an alternative
risk-mitigation strategy used “when an entity cannot meet a technical specification
of a [PCI DSS] requirement.”93 Three of the compensating control descriptions
reference access to the payment processing network using a VPN that required two-
factor authentication.94 Insurers rely on statements from their own expert,
Mr. Valentine, and Trustwave’s expert, Troy Leach, to establish that the referenced
89 Trustwave’s Mot., Ex. 33.
90 2007 Agreement at 10.
91 Trustwave’s Mot., Ex. 34 [hereinafter “Skipper Dep.”] at 305 (D.I. 164); Valentine Dep. at
254-59.
92 2008 ROC at 120-24.
93 PCI DSS 1.1 at 16.
94 2008 ROC at 121-23.
VPN connection brought Heartland’s malware-infected corporate network into the
scope of the ROC assessment.95 Mr. Valentine opined that Trustwave’s failure to
account for the VPN connection’s effect on the adequacy of Heartland’s network
segmentation meant the 2008 ROC fell below the standard warranted in the 2007
Agreement.96
A quasi-judicial decision by Visa assessing Heartland’s liability under
corporate regulations determined non-compliance with the PCI DSS requirements
led to the data theft.97 That conclusion was based upon the findings of the Cybertrust
Report that was prepared following Verizon Business’s investigation.98 Most
relevant to this litigation, Visa found Payroll Manager’s vulnerability to SQL
injections and the VPN connections between the corporate and payment processing
portions of Heartland’s network violated the PCI DSS.99 Visa rejected Heartland’s
contention that the 2008 ROC proved compliance, noting the Cybertrust Report
consisted of a more thorough investigation than the 2008 ROC.100 Mr. Valentine,
who was involved in the Cybertrust investigation, explained that a forensic
95 Valentine Report ¶¶ 43-44; Insurers’ Opp’n to Trustwave, Ex. 2 [hereinafter “Leach Dep.”] at
140-57 (D.I. 147).
96 Valentine Report ¶ 44.
97 Insurers’ Opp’n to Trustwave, Ex. 12 [hereinafter “Visa’s Appeal Response”] at 17-28 (D.I.
172).
98 Visa’s Appeal Response at 17.
99 Id. at 18.
100 Id. at 19.
investigation is a “[c]ompletely different analysis” than an ROC assessment and
“[u]ses different tools to answer a different question.”101
Also of note, the workpapers used in the preparation of the 2008 ROC were
not preserved for use in this litigation.102 Trustwave kept the documents during the
predicate litigation against Heartland,103 but that resolved in March 2015.104 By the
time Insurers sent their demand letter in February 2018,105 Trustwave had discarded
the workpapers.106 Consequently, Insurers now seek a spoliation inference in their
favor.107
E. PROCEDURAL HISTORY
After receiving a letter from Insurers demanding indemnification, Trustwave
Holdings, Inc. filed its complaint seeking a declaratory judgment.108 It sought
declarations that: (1) the 2007 Agreement is the agreement applicable to this dispute;
(2) the statute of limitation bars counterclaims by Insurers; and, (3) it is not liable
101 Valentine Dep. at 286, 296.
102 Trustwave’s Mot. at 22.
103 Trustwave Holdings, Inc., and Trustwave Corporation’s Reply Brief in Support of their Motion
for Summary Judgment [hereinafter “Trustwave’s Reply Br.”] at 24-25 (D.I. 180).
104 Answer to Compl. ¶ 15; Trustwave’s Reply Br. at 24.
105 Answer to Compl. ¶ 15.
106 Trustwave’s Mot. at 22.
107 Insurers’ Opp’n to Trustwave at 30-32.
108 Compl. ¶¶ 5, 19-34.
for a breach of the 2007 Agreement.109
Insurers initially moved to dismiss the Complaint but withdrew that motion
and instead filed an Answer.110 Accompanying Insurers’ Answer were
counterclaims against Trustwave Holdings, Inc., and third-party claims against
Trustwave Corporation and AmbironTrustwave, Ltd.111 In all, Insurers level 18
counts against Trustwave Entities.112 Insurers’ claims were based on: (1) breach of
contract; (2) breach of express warranty; (3) breach of contractual indemnification;
(4) negligent misrepresentation; and (5) gross negligence.113 In an earlier opinion
the Court dismissed all of Insurers’ non-indemnification claims as barred by the
statute of limitations.114 Accordingly, the only remaining issue is whether Trustwave
Entities are liable for indemnification under either the 2005 or 2007 Agreement.115
Now, each party has moved for at least partial summary judgment. Trustwave
Holdings, Inc., and Trustwave Corporation moved for summary judgment on all
remaining counts.116 AmbironTrustwave Ltd. incorporated that larger motion by
109 Id. ¶¶ 19-34.
110 Insurers’ Notice of Withdrawal at 1 (D.I. 41); Answer to Compl. ¶¶ 1-34.
111 Countercl. ¶¶ 1-234.
112 Id. ¶¶ 60-234.
113 Id. ¶¶ 60-234.
114 Trustwave Hldgs., Inc. v. Beazley Ins. Co., 2019 WL 4785866 (Del. Super. Ct. Sept. 30, 2019).
115 Insurers did not seek indemnity under the 2004 Agreement, presumably because Ambiron did
not agree to indemnify Heartland under that contract.
116 Trustwave’s Mot. at 1.
reference and separately moved for partial summary judgment as to any claims
against it.117 Insurers moved for summary judgment on their indemnity claim under
the 2005 Agreement but not the 2007 Agreement.118
III. APPLICABLE LEGAL STANDARDS
Summary judgment is warranted “if the pleadings, depositions, answers to
interrogatories, and admission on file, together with the affidavits” show “there is
no genuine issue as to any material fact and that the moving party is entitled to
judgment as a matter of law.”119 The movant bears the initial burden of proving its
motion is supported by undisputed facts.120 If the movant meets its burden, the non-
movant must show there is a “genuine issue for trial.”121 To determine whether a
genuine issue exists, the Court construes the facts in the light most favorable to the
non-movant.122
117 AmbironTrustwave, Ltd.’s Motion for Summary Judgment Opening Brief [hereinafter
“AmbironTrustwave’s Mot.”] at 1 (D.I. 141). Though not mentioned in its brief, it is explained
below that all claims against AmbironTrustwave, Ltd., appear to have already been dismissed.
The indemnification claim in Insurers’ Third-Party Complaint does not reference
AmbironTrustwave, Ltd., and all the non-indemnification claims were dismissed. See Countercl.
¶¶ 185-94; Trustwave Hldgs., 2019 WL 4785866, at *11.
118 Insurers’ Mot. at 1.
119 Del. Super. Ct. Civ. R. 56(c); see also Options Clearing Corp. v. U.S. Specialty Ins. Co., 2021
WL 5577251, at *7 (Del. Super. Ct. Nov. 30, 2021).
120 Options Clearing Corp., 2021 WL 5577251, at *7 (citing Moore v. Sizemore, 405 A.2d 679,
680 (Del. 1979)).
121 Del. Super. Ct. Civ. R. 56(e); see also Brzoska v. Olson, 668 A.2d 1355, 1364 (Del. 1995) (“If
the facts permit reasonable persons to draw but one inference, the question is ripe for summary
judgment.”).
122 Judah v. Del. Tr. Co., 378 A.2d 624, 632 (Del. 1977).
The “Court may not be able to grant summary judgment ‘if the factual record
has not been developed thoroughly enough to allow the Court to apply the law to the
factual record.’”123 Similarly, summary judgment will not be granted “where it
seems prudent to make a more thorough inquiry into the facts.”124 But “[i]f the Court
finds that no genuine issues of material fact exist, and the moving party has
demonstrated [its] entitlement to judgment as a matter of law, then summary
judgment is appropriate.”125
“These well-established standards and rules apply in full when the parties
have filed cross-motions for summary judgment.”126 If such cross-motions have
been filed “and neither party argues the existence of a genuine issue of material fact,
‘the Court shall deem the motions to be the equivalent of a stipulation for decision
on the merits based on the record submitted with the motions.’”127 But if genuine
123
Radulski v. Liberty Mut. Fire Ins. Co., 2020 WL 8676027, at *4 (Del. Super. Ct. Oct. 28, 2020)
(quoting CNH Indus. Am. LLC v. Am. Cas. Co. of Reading, 2015 WL 3863225, at *1 (Del. Super.
Ct. June 8, 2015)).
124
Zenith Energy Terminals Joliet Hldgs. LLC v. CenterPoint Props. Tr., 2023 WL 615997, at *8
(Del. Super. Ct. Jan. 23, 2023) (first citing Ebersole v. Lowengrub, 180 A.2d 467, 470-72 (Del.
1962); and then citing Pathmark Stores, Inc. v. 3821 Assocs., L.P., 663 A.2d 1189, 1191 (Del. Ch.
1995)).
125
Brooke v. Elihu-Evans, 1996 WL 659491, at *2 (Del. Aug. 23, 1996) (citing Oliver B. Cannon
& Sons, Inc. v. Dorr-Oliver, Inc., 312 A.2d 322 (Del. Super. Ct. 1973)); see also Jeffries v. Kent
Cty. Vocational Tech. Sch. Dist. Bd. of Educ., 743 A.2d 675, 677 (Del. Super. Ct. 1999) (“[A]
matter should be disposed of by summary judgment whenever an issue of law is involved and a
trial is unnecessary.” (citing State ex. rel. Mitchell v. Wolcott, 83 A.2d 759, 761 (Del. 1951))).
126
Radulski, 2020 WL 8676027, at *4 (collecting cases); see also Zenith Energy, 2023 WL
615997, at *8.
127
Zenith Energy, 2023 WL 615997, at *8 (quoting Del. Super. Ct. Civ. R. 56(h)).
issues of material fact persist despite the cross-motions, “summary judgment is not
appropriate.”128 “To determine whether there is a genuine issue of material fact, the
Court evaluates each motion independently.”129
IV. PARTIES’ CONTENTIONS
Trustwave Entities wage a multi-fronted attack in their quest for summary
judgment. As an opening volley, they claim the 2007 vulnerability scans were
performed under the 2004 Agreement—which had no indemnity provision—and so
the 2005 Agreement is inapplicable to this litigation.130 As for the 2007 Agreement,
under which the 2008 ROC was performed, they make four main arguments: first,
that there is no contractual basis for indemnification because the 2007 Agreement
disclaimed any guarantee of security and limited liability for indirect damages;
second, there is no evidence that they breached a representation or warranty; third,
Heartland’s failure to remediate its vulnerabilities after learning of the SQL injection
in December 2007 broke the causal chain between Trustwave’s allegedly deficient
performance and Heartland’s losses; and fourth, Heartland materially breached the
2007 Agreement by withholding the details of the SQL injection, so Trustwave’s
128
Id. (collecting cases).
129
Id. (citing Motors Liquidation Co. DIP Lenders Tr. v. Allianz Ins. Co., 2017 WL 2495417,
at *5 (Del. Super. Ct. June 19, 2017), aff’d sub nom., Motors Liquidation Co. DIP Lenders Tr. v.
Allstate Ins. Co., 191 A.3d 1109 (Del. 2019)).
130
Trustwave’s Mot. at 13-14, 17-18.
further performance was excused.131
In countering, Insurers basically take the opposite position on all of
Trustwave’s arguments. They say the 2007 Agreement’s limitation of liability is
belied by that contract’s indemnity provision and, alternatively, is unenforceable.132
They claim there is a triable question of fact as to the “professional and workmanlike
manner” of Trustwave’s preparation of the 2008 ROC and that any such deficiency
was a cause of the data theft because the ROC was completed prior to any data
exfiltration.133 They also maintain Heartland was not obligated to report the malware
injection because it did not qualify as a “suspected breach,” and even if Heartland
was obligated to do so, that contractual breach was immaterial.134 But above all,
they argue the 2007 scans occurred under the 2005 Agreement—whose limitation of
liability carved out indemnity obligations—and were deficient, entitling them to
indemnification under that contract and obviating all of Trustwave Entities’ other
arguments.135
Insurers moved for summary judgment on the two counts from their
counterclaims and third-party complaint related to the 2005 Agreement.136
131
Id. at 3-4.
132
Insurers’ Opp’n to Trustwave at 3.
133
Id. at 26-28.
134
Id. at 33-40.
135
Id. at 2-3.
136
Insurers’ Mot. at 1.
Unsurprisingly, their argument in support thereof is essentially the same as their
most vociferous argument in opposition to Trustwave Entities’ motion.137
Specifically, they claim Trustwave cannot demonstrate a material dispute of fact as
to the reasonableness of the 2007 vulnerability scans because Trustwave doesn’t
have expert testimony on that point.138 Their argument centers on the allegedly
improper scope of the scans—i.e., not scanning Payroll Manager.139 Insurers also
say that the 2005 Agreement doesn’t have a limitation of liability and that the 2007
Agreement’s limitation does not apply to the vulnerability scans.140
Trustwave Entities respond to Insurers’ motion in four ways. First, they
reiterate their argument that the vulnerability scans occurred under the 2004
Agreement, not the 2005 Agreement.141 Next, they cite the PCI DSS Security
Scanning Procedures to refute Insurers’ expert’s claim that Trustwave was
responsible for ensuring the proper scope of the scans.142 They also say there is no
evidence Payroll Manager needed to be within the scope of the scans at the time the
scans were performed.143 And lastly, they insist there is no causation between the
137
Id. at 2-4.
138
Id. at 3-4.
139
Id. at 11-12.
140
Id. at 22-24.
141
Trustwave’s Opp’n at 2-3.
142
Id. at 3.
143
Id. at 4.
allegedly deficient scans and the data theft because scanning Payroll Manager might
not have caught the vulnerability and, in any event, Heartland independently learned
of the vulnerability but still failed to fix the problem.144
Finally, there is AmbironTrustwave, Ltd.’s comparatively simple motion.
According to AmbironTrustwave, Ltd., it was named as a third-party defendant in
error “based on a case of mistaken identity.”145 That entity says it is a United
Kingdom corporation that works exclusively in Europe.146 It believes Insurers
confused it with a d/b/a registered to Trustwave Holdings, Inc.147 That registered
d/b/a is AmbironTrustWave—without “Ltd.”148 AmbironTrustwave, Ltd.,
maintains it has “never done business in the United States,” let alone with
Heartland.149
Undeterred, Insurers oppose AmbironTrustwave, Ltd.’s motion. But Insurers
do little—indeed, nothing—to counter AmbironTrustwave, Ltd.’s argument.
Insurers’ brief doesn’t reference the United Kingdom, doesn’t mention the “d/b/a”
issue, and wholly ignores any notion of a mistaken identity. Instead, Insurers point
to the repeated use of “AmbironTrustWave”—never with the distinguishing
144
Id. at 4-5.
145
AmbironTrustwave’s Mot. at 1.
146
Id. at 2.
147
Id. at 3.
148
Id.
149
Id.
“Ltd.”—and claim that as proof of AmbironTrustwave, Ltd.’s involvement with the
Heartland services.150
V. DISCUSSION
A. THERE REMAINS A GENUINE DISPUTE OF MATERIAL FACT AS TO WHETHER
THE 2005 AGREEMENT IS APPLICABLE.
A threshold issue in this litigation is determining whether the 2005 Agreement
governed the vulnerability scans done in August and September 2007. If it did,
Insurers’ central argument might be viable. If it didn’t, the 2007 vulnerability scans
become irrelevant because they would have been performed under the 2004
Agreement, which did not provide for indemnification. The parties differ as to
whether Heartland exercised an option it had under the 2005 Agreement to have
Trustwave perform its services under that contract. Insurers’ evidence is light on this
point, but it is not so insubstantial that summary judgment is appropriate.
1. The 2005 Agreement Provided Heartland With an Option to Engage
Trustwave’s Services.
There are two requirements for an option: an underlying offer and a promise
to hold that offer open.151 Unless otherwise provided for in the agreement,
“acceptance [of an option] ‘may be made in words or by other symbols of assent, or
150
Insurers’ Brief in Opposition to AmbironTrustwave, Ltd.’s Motion for Summary Judgment
[hereinafter “Insurer’s Opp’n to AmbironTrustwave”] at 1-3 (D.I. 169).
151
Walsh v. White House Post Prods., LLC, 2020 WL 1492543, at *5 (Del. Ch. Mar. 25, 2020)
(citing 1 Williston on Contracts § 5:15 (4th ed. 1993)).
it may be implied from conduct.’”152 In this instance, both requirements for an
option are contained in the 2005 Agreement, but evidence of subsequent acceptance
is missing.
The underlying offer contemplated in the 2005 Agreement is the provision of
the “TrustWave Services,” as defined in the Recitals, which includes “vulnerability
scans.”153 This offer and the promise to hold it open is evident in three provisions
of the 2005 Agreement. First, one of the “whereas” clauses in the Recitals states,
“TrustWave desires to provide, and [Heartland] may desire to receive for its own
internal use, the TrustWave Services.”154 Next, and most notably, Section 1(c) of
the 2005 Agreement provides, “[s]hould [Heartland] elect to utilize any of the
TrustWave Services for its own internal use as determined at [Heartland]’s sole
discretion, [Heartland] will pay the applicable fees and expenses set forth in Exhibit
B.”155 In addition, with regard to the promise to hold the offer open, Section 1(a) of
the agreement states, “[s]ubject to the terms and conditions of this Agreement,
during the Term TrustWave will provide to [Heartland] the services (the ‘TrustWave
Services’).”156
152
Walsh, 2020 WL 1492543, at *6 (quoting Restatement (Second) of Contracts § 50 cmt. c.).
153
2005 Agreement at 1-2.
154
Id. at 2 (emphasis added).
155
Id. at 3.
156
Id. (emphasis added).
In arguing that the 2005 Agreement governs the 2007 vulnerability scans,
Insurers emphasize the “will provide . . . the services” language.157 But reading that
provision to automatically require the rendering of Trustwave’s services to
Heartland ignores the language about Heartland “elect[ing] to utilize any of the
TrustWave Services . . . at [its] sole discretion.” Of course, contractual provisions
should neither be read in isolation nor be read to render other contractual language
meaningless.158 The only way to give meaning to the election language of Section
1(c) is to deem the offer of services an option.
Additionally, Insurers cite the 2005 Agreement’s integration clause to suggest
that the 2004 Agreement was repudiated—meaning, in their view, the scans could
only have been performed under the 2005 Agreement.159 But that argument is belied
by the relevant chronology. The 2004 Agreement was entered into with Ambiron,
LLC before it merged with Trustwave Corporation.160 The 2005 Agreement was
entered into with Trustwave Corporation in February 2005—approximately one
157
Insurers’ Mot. at 8.
158
Sunline Com. Carriers, Inc. v. CITGO Petrol. Corp., 206 A.3d 836, 846 (Del. 2019) (“The
contract must . . . be read as a whole, giving meaning to each term and avoiding an interpretation
that would render any term ‘mere surplusage.’” (quoting Osborn ex rel. Osborn v. Kemp, 991 A.2d
1153, 1159-60 (Del. 2010))).
159
Insurers’ Mot. at 19 n.58.
160
2004 Agreement passim.
month before Ambiron and Trustwave merged.161 So, as of the 2005 Agreement’s
effective date, Ambiron wasn’t a party thereto, and so the 2004 Agreement wasn’t
covered by the integration clause.
As for Trustwave Entities’ argument that the 2005 Agreement does not apply,
they focus on the overall gist of the contract and its failure to define payment terms
applicable to a “Level 1” service provider such as Heartland.162 Trustwave Entities
are correct that the 2005 Agreement is clearly more concerned with a
referrals-for-commissions arrangement than the provision of compliance validation
services. Nevertheless, Heartland’s ability to elect to receive the services for itself
under that contract cannot be ignored.163 Also, the fact that the fee schedule in
Exhibit B does not appear to cover entities like Heartland must yield to Section 1(c)’s
specific direction that “[Heartland] will pay the applicable fees and expenses set
forth in Exhibit B in consideration for TrustWave’s performance of such TrustWave
Services to [Heartland].”164 Perhaps recognizing the shortcomings of their principal
arguments, Trustwave Entities retreat to saying, “[a]t most, the language referenced
161
2005 Agreement at 1, 14; AmbironTrustwave’s Mot., Ex. A [hereinafter “Hannagan Aff.”] ¶
3 (D.I. 142).
162
Trustwave’s Mot. at 18.
163
See Sunline Com. Carriers, 206 A.3d at 846.
164
2005 Agreement at 3; see also id. at 12 (“The terms of this Agreement will control in the event
of any inconsistency with the terms of any Exhibit hereto.”). Any ambiguity about how
Heartland’s potential payments would be calculated under the referenced fee schedule is not
determinative of whether Heartland could elect to receive the services in the first place.
by Insurers creates an option contract” and then argue there is no creditable evidence
Heartland exercised that option.165
2. There Remains a Material Dispute as to Whether Heartland Exercised
Its Option.
At this point, Trustwave’s fallback position that Heartland did not exercise its
option under the 2005 Agreement is the central inquiry. What remains is to evaluate
the evidence that Heartland did. The contract doesn’t specify any required method
for Heartland’s election, so general principles of express or implied assent apply.166
To demonstrate Heartland’s use of Trustwave’s services under the 2005
Agreement, Insurers rely on the branding of the proprietary software used to conduct
the 2007 vulnerability scans.167 Specifically, the 2004 Agreement called for the use
of Ambiron’s “Vital Signs” software.168 The 2005 Agreement, in contrast, referred
to Trustwave’s “TrustKeeper” technology.169 The cover pages of the August and
September 2007 vulnerability scans indicate TrustKeeper was used.170 On its face,
that suggests Heartland exercised its option under the 2005 Agreement. While
Yet Ambiron and Trustwave had merged well before those scans were run. And it is
165
Trustwave’s Opp’n Br. at 23.
166
Walsh, 2020 WL 1492543, at *6 (quoting Restatement (Second) of Contracts § 50 cmt. c.).
167
Insurers’ Reply Br. at 14-16.
168
2004 Agreement at 6.
169
2005 Agreement at 1-2.
170
Insurers’ Mot., Exs. 5, 6.
possible the combined entity simply unified its branding while leaving its contractual
relationship with Heartland unchanged. That possibility cannot be resolved as fact
here.
It may be in the end that Trustwave Entities’ competing evidence is more
persuasive. First, as a matter of simple timing, the 2004 Agreement was presented
on October 11, 2004, and had a three-year term.171 Correspondingly, the 2007
Agreement was presented on October 10, 2007.172 Though not definitive, that seems
to suggest the 2004 Agreement remained in effect until it was replaced by the 2007
Agreement. Also, Trustwave Entities cite to the testimony of former Trustwave
employees, Allen Hannagan and Phillip Smith.173 Both testified that, to their
knowledge, Trustwave did not provide compliance validation services under the
2005 Agreement.174 Although that evidence may have a bit more heft than the
Insurers’, summary judgment is not typically the proper place for weighing such
competing evidence.175
171
2004 Agreement at 1, 10.
172
2007 Agreement at 1.
173
Trustwave’s Opp’n Br. at 22.
174
Trustwave’s Opp’n Br., Ex. 5 at 251-54, Ex. 6 ¶ 9 (D.I. 171). Insurers argue Mr. Smith’s
affidavit should be disregarded because he was not previously disclosed as a witness; but the case
they cite is inapposite and Rule 56(e) and (f) evince a preference for entertaining all relevant
affidavits at this stage in the interest of justice. See Insurers’ Reply Br. at 17.
175
Bobcat N. Am., LLC v. Inland Waste Hldgs., LLC, 2020 WL 5587683, at *7 n.64 (Del. Super.
Ct. Sept. 18, 2020) (“‘If a trial court must weigh the evidence to a greater degree than to determine
that it is hopelessly inadequate ultimately to sustain the substantive burden, summary judgment is
inappropriate.’”) (quoting Cerberus Int’l, Ltd. v. Apollo Mgmt., L.P., 794 A.2d 1141, 1150 (Del.
2002)).
No doubt, an opponent “cannot defeat a motion for summary judgment by
asking the Court to draw inferences ‘based on surmise, speculation, conjecture, or
guess, or on imagination or supposition.’”176 And certainly, “[n]ot all disputes of fact
will defeat a motion for summary judgment.”177 But at this point, whether the use of
TrustKeeper is attributable to intra-entity conformity or to Heartland’s election to
receive services under the 2005 Agreement remains an issue of material dispute.
3. The Parties’ Alternative Arguments With Regard to the 2005
Agreement Do Not Change the Analysis.
Insurers, for the first time in their reply brief,178 suggest that even if the 2007
scans weren’t performed under the 2005 Agreement, that contract’s warranties and
indemnity provision would still apply to those scans. This argument—though
laudably creative—fails.
Insurers first rely on the warranty in the 2005 Agreement that Trustwave “will
perform the TrustWave Services . . . using reasonable care and skill.”179 They then
176
Ogus v. SportTechie, Inc., 2023 WL 2746333, at *9 (Del. Ch. Apr. 3, 2023) (quoting In re
Asbestos Litig., 2017 WL 510463, at *1 n.2 (Del. 2017)).
177
In re Asbestos Litig., 2012 WL 1413673, at *2 (Del. Super. Ct. Feb. 2, 2012).
178
See Ethica Corp. Fin. S.r.L v. Dana Inc., 2018 WL 3954205, at *3 (Del. Super. Ct. Aug. 16,
2018) (“Courts may disregard or deem waived any arguments made in a reply brief which w[ere]
not raised in the opening brief.” (citing In re Asbestos Litig., 2014 WL 7150472, at *1 n.5 (Del.
Super. Ct. Dec. 5, 2014))).
179
Insurers’ Reply Br. at 17; 2005 Agreement § 5(e).
point out that the “TrustWave Services” include “vulnerability scans.”180
Connecting those clauses, they suggest that any and all vulnerability scans
performed by Trustwave under any contract would be covered by the 2005
Agreement’s warranty and, thus, its indemnity clause. While textually plausible,
such an expansive interpretation would be antithetical to well-settled principles of
contract interpretation.
“Delaware adheres to the ‘objective’ theory of contracts, i.e., a contract’s
construction should be that which would be understood by an objective, reasonable
third party.”181 “An unreasonable interpretation produces an absurd result or one
that no reasonable person would have accepted when entering the contract.”182
Insurers’ suggested interpretation would be just that. Moreover, such a sweeping
interpretation would function as a judicial rewriting of the 2004 Agreement to
include an unnegotiated-for indemnity provision. That’s not the Court’s role.183
Accordingly, “TrustWave Services” as used in the 2005 Agreement should be
interpreted to only encompass services provided by Trustwave with some connection
180
Id. at 17.
181
Osborn, 991 A.2d at 1159 (quoting NBC Universal v. Paxson Commc’ns, 2005 WL 1038997,
at *5 (Del. Ch. Apr. 29, 2005)).
182
Id. (collecting cases).
183
Intermec IP Corp. v. TransCore, LP, 2023 WL 5661585, at *9 n.94 (Del. Super. Ct. Aug. 23,
2023) (“Delaware courts will ‘not rewrite [a] contract to appease a party who later wishes to rewrite
a contract he now believes to have been a bad deal.’” (alteration in original) quoting Nemec v.
Shrader, 991 A.2d 1120, 1126 (Del. 2010)).
to that contract.
Not to be outdone, Trustwave Entities put forth an alternative argument of
their own. They argue in a footnote of their Opposition Brief that even if the 2007
scans were performed under the 2005 Agreement, that contract’s indemnity
provision would still be inapplicable in light of its “prompt notice” requirement.184
Possibly due to its unassuming placement, Insurers do not respond to this argument.
Under the 2005 Agreement’s indemnity procedure clause, a lack of notice only
forecloses indemnification if the putative indemnitor “has been materially damaged
or prejudiced as a result of such delay.”185 Trustwave Entities raise their failure to
“obtain and preserve additional relevant evidence close-in-time to the underlying
events” as their material prejudice.186
Though this argument invites a laches-like inquiry into prejudicial delay, that
is largely unnecessary here. The indemnitee’s prompt-notice requirement only
pertains to “the existence of a Third Party Claim.”187 Unquestionably, Trustwave
became aware of then-extant claims against Heartland years ago when this
historically large data breach became public information. So, in practical effect, the
violation of the indemnity procedures was not an actual lack of notice but the lack
184
Trustwave’s Opp’n Br. at 24 n.8; 2005 Agreement § 13(c)(i).
185
2005 Agreement § 13(c)(i).
186
Trustwave’s Opp’n Br. at 24 n.8.
187
2005 Agreement § 13(c)(i).
of a written document separately providing that notice. Accordingly, Trustwave
Entities are hard pressed to argue they would have kept additional evidence if they
had known third parties had claims against Heartland.
To sum up, although Insurers’ position on the applicability of the 2005
Agreement is tenuous, it meets the threshold to withstand summary judgment. The
software-name discrepancy adduced by Insurers appears to carry their evidentiary
burden, even if just barely. Because of that, Insurers should be able to pursue the
issue of Heartland’s exercise of the 2005 Agreement’s option at trial. Since there is
a genuine dispute as to that material fact, both parties’ summary judgment motions
on the claims under the 2005 Agreement must be denied.
B. THE 2007 AGREEMENT’S188 LIMITATION OF LIABILITY’S EFFECT ON THE
INDEMNITY PROVISION IS AMBIGUOUS.
Another central issue, made even more important by the dubious applicability
of the 2005 Agreement, is the application of the 2007 Agreement’s limitation of
liability. The issue is complicated by that provision’s facial inconsistency with the
2007 Agreement’s indemnity provision. Expectedly, Insurers say the indemnity
188
The 2005 Agreement has an analogous limitation of liability that purports to broadly limit
consequential damages and does not carve out indemnity obligations. 2005 Agreement § 14(b).
Insurers nevertheless state that clause doesn’t exist. Insurers’ Mot. at 4. Even Trustwave Entities,
in their roughly 130 pages of briefing—which include alternate defenses should the Court find the
2005 Agreement applies—never once mention it. Accordingly, to the extent that provision may
have benefitted Trustwave, they have waived the argument. See Wescott v. Moon, 2022 WL
10788238, at *1 (Del. Super. Ct. Oct. 18, 2022) (“[I]ssues not briefed are deemed waived.”
(quoting Emerald Partners v. Berlin, 726 A.2d 1215, 1224 (Del. 1999))).
provision controls, while Trustwave Entities argue for application of the limitation.
For the reasons that follow, the all-encompassing language used by the two contrary
terms creates a seemingly irreconcilable conflict. Resolution of the question, then,
will depend on a fact-sensitive consideration of the parties’ intent, which is a task
ill-suited for summary judgment. In addition to that primary issue, Insurers raise the
question of whether the limitation is enforceable under Delaware law; but neither of
their two arguments on that point is persuasive.
The applicable terms as they appear in the contract provide:
LIMITATION OF LIABILITY AND DISCLAIMER
OF WARRANTY.
a. TRUSTWAVE SHALL NOT BE LIABLE TO
[HEARTLAND] FOR (1) ANY ACTS OR
OMISSIONS WHICH ARE NOT THE RESULT OF
TRUSTWAVE’S GROSS NEGLIGENCE,
RECKLESSNESS OR WILLFUL MISCONDUCT, (2)
ANY AMOUNTS IN EXCESS OF ANY FEES PAID TO
TRUSTWAVE BY [HEARTLAND] HEREUNDER, (3)
ANY OUTAGES OR SLOW DOWNS OF
[HEARTLAND]’S COMPUTER SYSTEMS
RESULTING FROM THE PERFORMANCE OF ANY
SERVICES, UNLESS SUCH OUTAGES OR SLOW
DOWNS ARE THE RESULT OF TRUSTWAVE’S
GROSS NEGLIGENCE, RECKLESSNESS OR
WILLFUL MISCONDUCT, OR (4) ANY LOSSES,
COSTS, DAMAGES OR EXPENSES INCURRED BY
[HEARTLAND] RESULTING FROM THE
PERFORMANCE OF ANY TEST, UNLESS SUCH ARE
THE RESULT OF TRUSTWAVE’S GROSS
NEGLIGENCE OR WILLFUL MISCONDUCT.
b. THIS AGREEMENT IS A SERVICE AGREEMENT,
AND EXCEPT AS EXPRESSLY PROVIDED IN THIS
AGREEMENT, TRUSTWAVE DISCLAIMS ALL
OTHER REPRESENTATIONS OR WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT
LIMITATION, ANY WARRANTIES REGARDING
QUALITY, SUITABILITY, MERCHANTABILITY, OR
FITNESS FOR A PARTICULAR PURPOSE
(IRRESPECTIVE OF ANY COURSE OF DEALING,
CUSTOM OR USAGE OF TRADE) OF ANY
SERVICES OR ANY GOODS OR SERVICES
PROVIDED INCIDENTAL TO THE SERVICES
PROVIDED UNDER THIS AGREEMENT.
c. IN NO EVENT SHALL EITHER PARTY BE LIABLE
FOR ANY SPECIAL, INDIRECT, EXEMPLARY,
INCIDENTAL OR CONSEQUENTIAL LOSSES OR
DAMAGES, INCLUDING LOST PROFITS WHETHER
FORESEEABLE OR NOT, WHETHER OCCASIONED
BY ANY FAILURE TO PERFORM OR THE BREACH
OF ANY REPRESENTATION, WARRANTY,
COVENANT OR OTHER OBLIGATION FOR ANY
CAUSE WHATSOEVER.
Indemnification. Each party shall indemnify and hold
harmless the other party and its Affiliates and their
respective officers, directors, employees, partners, agents,
successors and assigns from, and shall defend the other
against, any costs, liabilities, damages or expenses
(including reasonable attorneys’ fees) arising out of or
relating to (i) any third party claim that the services,
software, or any work performed by either party, or their
agents, consultants or contractors under this Agreement
infringes the proprietary rights of any third party; (ii) an
act or omission by either party and/or their employees and
agents relating to any laws or regulations for a protected
class or category of persons, and sexual discrimination or
harassment; (iii) claims for personal injuries, death or
damage to tangible personal or real property to the extent
caused by acts or omissions as a result of gross negligence,
recklessness or willful misconduct of the party or its
Affiliates, contractors or agents; and (iv) claims or suits
attributable to breaches of the other party’s express
representations and warranties contained in the
Agreement.189
1. The Conflict Between the Indemnity and Limitation of Liability
Provisions Renders Them Ambiguous.
As can be readily gleaned from the above language, there is discord between
those portions of the contract. Both clauses use broad language to describe
functionally opposite rights and obligations. Faced with that tension, the Court must
endeavor to find “an interpretation that harmonizes the provisions,” if possible.190
But, “where a contract contains two conflicting provisions, the document is rendered
ambiguous.”191 “In that case, extrinsic evidence is an appropriate resource for the
court to use in determining the parties’ reasonable intentions at the time of the
contract.”192 “Sources of such evidence include ‘overt statements and acts of the
parties, the business context [of the contract], prior dealings between the parties,
business custom, and usage in the industry.’”193 That need to weigh evidence
189
2007 Agreement at 9-10.
190
Coronado Coal II, LLC v. Blackhawk Land and Res. LLC, 2022 WL 1772246, at *4 (Del.
Super. Ct. May 31, 2022) (quoting GRT Inc. v. Marathon GTF Tech., Ltd., 2012 WL 2356489, at
*4 (Del. Ch. June 12, 2012)).
191
Erving v. ABG Intermediate Hldgs. 2, LLC, 2022 WL 17246320, at *2 (Del. Ch. Nov. 28,
2022) (quoting Duff v. Innovative Discovery LLC, 2012 WL 6096586, at *12 (Del. Ch. Dec. 7,
2012)).
192
Dittrick v. Chalfant, 948 A.2d 400, 406 (Del. Ch. 2007) (citing The Liquor Exch., Inc. v.
Tsaganos, 2004 WL 2694912, at *2 (Del. Ch. Nov. 16, 2004)).
193
Id. (alteration in original) (quoting The Liquor Exch., 2004 WL 2694912, at *2).
militates against granting summary judgment.194
The parties’ conflicting interpretations are unsurprising. Insurers cite the
phrase “any cost, liabilities, damages or expenses” within the indemnity provision
to suggest that recovery under that clause is “without any limitation whatsoever.”195
Trustwave Entities retort that the “limitation of liability doesn’t carve out
indemnification” and counter with the phrases “any amounts in excess of any fees
paid” and “any special, indirect, exemplary, incidental, or consequential losses or
damages” within the limitation of liability.196 They conclude, “Insurers’ argument
regarding the prominence of the indemnification provision [based on the use of the
word “any”] is applicable with equal weight to the limitation of liability.”197 That
being so, neither party’s baseline interpretation is significantly more or less
reasonable than the other’s.
Recognizing this conflict, Insurers scry for accord. They do so by claiming,
“Delaware courts have generally held that indemnification provisions apply to third-
party claims, whereas the limitation of liability applies to direct first-party loss.”198
That predicate, Insurers say, means the Court can harmonize the provisions by
194
GMG Cap. Invs., LLC v. Athenian Venture Partners I, L.P., 36 A.3d 776, 783-84 (Del. 2012).
195
Insurers’ Mot. at 25.
196
Trustwave’s Opp’n Br. at 38-39.
197
Id. at 39.
198
Insurers’ Mot. at 28 (citing Column Form Tech., Inc. v. Caraustar Indus., Inc., 2014 WL
2895507, at *5-8 (Del. Super. Ct. June 10, 2014)).
applying the limitation only to Heartland’s first-party losses and leaving recovery of
third-party liability unchecked. Though one plausible interpretation, it doesn’t settle
the issue.
Insurers’ assertion that indemnification provisions typically only apply to
third-party claims is well-taken. Often, applying an indemnity provision to first-
party losses could lead to the absurd result of a party being obligated to defend
against itself.199 Insurers’ second postulate—that limitations on liability are
generally unique to first-party costs—is less convincing. Without question, in the
case Insurers cite for this point, Column Form Technology, Inc. v. Caraustar
Industries, Inc., the limit on liability did not apply to the indemnity provision.200 But
that is because the limitation of liability clause in that case began: “except for the
parties, [sic] indemnification obligations hereunder.”201 A similar exception can be
found in the 2005 Agreement’s limitation of liability, but not so in the 2007
Agreement.202
Without further support, the notion that indemnity is typically limitless
founders. Be they caps, baskets, temporal or conduct-based restrictions, limitations
199
See Column Form Tech., 2014 WL 2895507, at *8; CIGNEX Datamatics, Inc. v. Lam Rsch.
Corp., 2020 WL 2063924, at *14 n.14 (D. Del. Apr. 29, 2020).
200
2014 WL 2895507, at *3.
201
Column Form Tech., 2014 WL 2895507, at *3 (alteration in original) (all capitals in original).
202
2005 Agreement §14(a); 2007 Agreement at 9.
on indemnity come in many forms.203 Though unartfully drafted, it is entirely
conceivable that the limitation of liability in this case was intended to cap
Trustwave’s indemnity obligations to the sum certain of fees received. Moreover,
interpretively adding “except for a third-party claim” seems too great an alteration
to “in no event”204 for this to be considered a truly harmonious reading. It follows
that there is no solitary reasonable interpretation of the interaction between the
indemnity and limitation of liability provisions, and so the contract is ambiguous.
And resolving that ambiguity requires evaluating evidence to a greater extent than
summary judgment typically allows.205
2. To the Extent It Applies, The Limitation of Liability is Enforceable.
Insurers separately argue the limitation of liability is unenforceable as applied
to indemnity claims. They suggest the amount of damages was readily ascertainable
at the time of contracting based on a formula Visa uses to calculate certain damages
following a data breach.206 They also claim the fees-paid limitation is grossly
inadequate.207 Neither of those contentions is persuasive.
203
See, e.g., Aveanna Healthcare, LLC v. Epic/Freedom, LLC, 2021 WL 3235739, at *1 (Del.
Super. Ct. July 29, 2021); EMSI Acquisition, Inc. v. Contrarian Funds, LLC, 2017 WL 1732369,
at *4-5 (Del. Ch. May 3, 2017); ABRY Pr’s V, L.P. v. F&W Acq. LLC, 891 A.2d 1032, 1035 (Del.
Ch. 2006).
204
2007 Agreement at 9.
205
GMG Cap. Invs., 36 A.3d at 783-84 (Del. 2012).
206
Insurers’ Mot. at 31-35.
207
Insurers’ Mot. at 35-37.
Regarding the effect of Visa’s Account Data Compromise Recovery
program (“ADCR”) damages formula, it does not provide the certainty Insurers
suggest. Putting aside the variability of the necessary inputs to that formula, the
formula only pertains to a specific set of damages owed to a single third party. The
litigation against Heartland continued after a settlement with Visa and included
claims brought by government agencies, non-Visa card brands, financial institutions,
and consumers.208 Also, the ADCR calculation was not an inviolable determination
of damages even with regard to Visa. Instead of strictly complying with Visa’s
ADCR calculation—which, together with a separate “Operating Expense
Recovery,” totaled $138 million—Heartland settled with Visa for $60 million.209 It
follows that the ADCR formula set neither a ceiling nor floor to Heartland’s
exposure. It does little, then, to demonstrate Heartland’s third-party liability was
“easily ascertainable” at the time of contracting.210
Insurers’ contention as to the gross inadequacy of the fees-paid limitation is
also unavailing. To be sure, the fees paid by Heartland—Insurers estimate them at
$80,000—were far less than Heartland’s eventual liability. But the question of a
limitation’s reasonableness is not strictly about the percentage of liability the
208
See Trustwave Hldgs, Inc., 2019 WL 4785866, at *2.
209
Insurers’ Mot. at 15-16.
210
See D’Aguiar v. Heisler, 2011 WL 6951847, at *12 (Del. Com. Pl. Dec. 15, 2011).
limitation covers. Instead, the inquiry looks at the rationality of the limitation in the
greater context of the contractual relationship. In the analogous arena of home
inspection and fire monitoring contracts, Delaware courts have upheld limitations of
liability in the hundreds of dollars despite damages in the hundreds of thousands of
dollars.211 The reasoning in those cases is applicable here. An entity that provides
security services—be it building integrity, fire safety, or as here, digital security—
does not necessarily become a de facto insurer for its clients. Were it otherwise,
such service providers would be forced to dramatically increase their prices lest they
go bankrupt after a single mistake.
The lone case Insurers cite as an example of an invalid damages provision
does little to undermine that rationale. In Unifirst Corporation v. Borris, the Court
of Common Pleas invalidated a liquidated damages clause as punitive.212 There, a
garment laundering contract called for weekly charges of roughly thirty dollars.213
The contract had a five-year term and a liquidated damages provision valued at 50%
of the remaining charges.214 Based on that clause, despite the modest weekly charges
211
See, e.g., D’Aguiar, 2011 WL 6951847, at *13; Iavarone v. Eagle Eye Home Inspections, LLC,
2019 WL 5692265, at *1-2 (Del. Super. Ct. Nov. 4, 2019); Donegal Mut. Ins. Co. v. Tri-Plex Sec.
Alarm Sys., 622 A.2d 1086, 1087, 1090 (Del. Super. Ct. 1992); White v. Mood, 2020 WL 996736,
at *5 (Del. Super. Ct. Mar. 2, 2020).
212
1999 WL 1847348, at *5 (Del. Com. Pl. May 11, 1999).
213
Unifirst, 1999 WL 1847348, at *1.
214
Id.
and the lack of upfront expenditures by the launderer, the launderer sought over
$3,000 following a breach by the client.215 That was held to be an invalid penalty,
and damages were instead fixed at lost profits plus interest.216 To the extent that
decision has any bearing on this case, it serves as another example of courts looking
to the fairness of a damages provision in light of the parties’ actual relationship.
Here, Insurers seek to convert the 2007 Agreement into an implied insurance
policy. That does not appear to be the benefit Heartland bargained for. Heartland’s
contractual acknowledgment that “use of Trustwave’s services do not guarantee PCI
compliance or that its systems are secure from unauthorized access” supports the
limited nature of Trustwave’s assurances and related responsibility.217 Though the
fees-paid limitation falls well short of the eventual liability, it is not detached from
reason as Insurers suggest. Instead, it served as a mechanism that motivated
Trustwave Entities’ reasonable efforts by putting their profits on the line without
requiring Trustwave to charge fees commensurate with an insurance provider. So,
assuming the 2007 Agreement’s limitation of liability applies to the indemnity
provision, it is enforceable.
215
Id.
216
Id. at *5.
217
Trustwave attempts to use this clause as an absolute disclaimer of liability for the damages at
issue here. That argument is unpersuasive. Trustwave may not be strictly liable for imperfections
in their service, but the interpretation Trustwave suggests ignores its express warranty regarding
performing in a “professional and workmanlike manner.”
C. WHETHER HEARTLAND BREACHED THE 2007 AGREEMENT BY FAILING TO
REPORT THE SQL INJECTION DEPENDS ON RESOLUTION OF AN AMBIGUITY,
AND THE MATERIALITY OF ANY SUCH BREACH IS A DISPUTED FACT.
Trustwave Entities seek to excuse any alleged breach of the 2007 Agreement
by charging Heartland had itself materially breached the contract. There are two
questions implicated by this argument--neither of which is well-suited to summary
judgment. The first issue is whether Heartland’s failure to inform Trustwave of the
December 2007 SQL injection breached its requirement to notify Trustwave of “any
suspected breach of [its] systems.”218 The second is: if that was a breach, was it
sufficiently material to excuse Trustwave’s continued performance.
The issue of whether Heartland breached the contract is not ripe for summary
judgment because it rests on an ambiguity. Specifically, the definition of “suspected
breach” as used in the 2007 Agreement is susceptible to two reasonable but different
meanings, according to the parties. Trustwave contends that a “breach” means the
unauthorized infiltration of Heartland’s network—a definition that would
encompass the SQL injection. Insurers counter that a “breach” does not occur until
data is exfiltrated from the network—a definition that does not include the injection.
Each side cites discovery evidence supporting their desired interpretation. As
explained above, the resolution of contractual ambiguities generally requires
weighing evidence in a way that is incompatible with summary judgment.
218
2007 Agreement at 10.
Additionally, assuming Heartland’s failure to disclose the SQL injection
breached its notice requirement, whether that was a material failure sufficient to
excuse Trustwave’s performance is a question better left for trial. “Materiality is
predominantly a question of fact.”219 “Whether a breach is material . . . cannot be
readily resolved under the summary judgment standard. The central issues—which
party breached the [contract] and whether said breach is material—are best suited
for [a factfinder’s] determination”220 on a full trial record. As indicated, weighing
the five Restatement factors adopted by this Court to determine materiality221 is not
a task suited for this stage. Thus, resolution of this question should await trial.
As a final note, Insurers suggest Trustwave waived this argument by not
raising “prior material breach” as an affirmative defense. Not so.
Trustwave Entities’ sixth affirmative defense in their answer to Insurers’
counter/third-party complaint is titled “Breach of Contract” and states, “Insured and
Insurer are not entitled to indemnification because Insured breached the applicable
contract or contracts.”222 Insurers cite no authority to suggest that “prior” or
“material” are indispensable words that must be included to validly state this
219
Grottenthaler v. SVN Med, LLC, 2022 WL 17249642, at *5 (Del. Super. Ct. Nov. 28, 2022)
(collecting cases).
220
Grottenthaler, 2022 WL 17249642, at *5 n.55.
221
See Foraker v. Voshell, 2022 WL 2452396, at *8 (Del. Super. Ct. July 1, 2022).
222
Trustwave’s Answer at 37.
defense. Accordingly, there is no reason to hold Trustwave waived this defense.
D. THE ADEQUACY OF TRUSTWAVE’S PERFORMANCE UNDER THE CONTRACTS
IS A MATERIAL FACT IN DISPUTE.
Though there are numerous ancillary issues, the heart of this litigation is
whether Trustwave Entities breached their warranties by not performing their duties
with the requisite care and skill. Simply put, this is a quintessential material fact that
is very much in dispute. Regarding both categories of challenged performance—the
2007 vulnerability scans and the 2008 ROC—the applicable standard of care and
Trustwave’s adherence to it remain contested. For that reason, summary judgment
on this issue is not warranted.
1. The 2007 Vulnerability Scans
As explained earlier, this performance issue will only be relevant if Insurers
can demonstrate the 2007 scans were done under the 2005 Agreement. If not, the
2004 Agreement, which did not provide for indemnity, would apply. Assuming the
2005 Agreement applies, there is still a material dispute of fact regarding
Trustwave’s performance. Specifically, it must be determined whether Trustwave
or Heartland was responsible for setting the scope of the scans and, if Trustwave
bore that burden, whether not including Payroll Manager in that scope fell below
“reasonable care and skill.”223
223
2005 Agreement § 5(e).
Insurers seek summary judgment on this issue insisting their expert’s opinion
is uncontroverted. They say that because Mr. Valentine opined Trustwave was
obligated to set the scope of the scans, Trustwave needed to offer a competing expert
to refute that point. They argue Trustwave’s purportedly belated submission of
Mr. Leach’s expertise on this point is tantamount to a sham affidavit. Even putting
aside the extent to which the pursuit of truth should yield to procedural concerns,
Mr. Valentine’s opinion is not as unimpeachable as Insurers suggest.
Relying on Mr. Valentine’s opinion, Insurers claim Trustwave was obligated
to “properly identify the Payroll Manager as an in-scope system.”224 Trustwave’s
failure to do so is the primary basis of Insurers’ motion. Mr. Valentine’s opinion,
though, is in direct contrast to the actual PCI “Security Scanning Procedures” that
governed the vulnerability scans. Those procedures explicitly state:
Merchants and service providers [here, Heartland] have
the ultimate responsibility for defining the scope of their
PCI Security Scan, though they may seek expertise from
ASVs [here, Trustwave] for help. If an account data
compromise occurs via an IP address or component not
included in the scan, the merchant or service provider is
responsible.225
Insurers suggest the Court should disregard that plain language as an
224
Insurers’ Mot. at 20.
225
PCI Security Scanning Procedures at 2 (emphasis added).
“unverified reference[] to secondary sources.”226 Understanding that language
requires “unique educational requirements and a professional certification,” Insurers
say.227 But, in refuting Trustwave’s argument that Mr. Valentine’s qualifications do
not extend to the scanning procedures, Insurers recite, “[t]he usual concerns of the
Daubert rule—keeping unreliable expert testimony from the jury—do not apply . . .
when the matter is before the Court on a motion for summary judgment, because the
Court acts as fact-finder.”228 Insurers can’t have it both ways. If the Court is
qualified to examine expert opinions without first considering the expert’s
credentials, surely it can compare an opinion to unequivocal language in controlling
industry documents. At the very least, the Court can determine there is a dispute
worthy of further exploration at trial. Insurers’ comparison of the discrete PCI DSS
Security Scanning Procedures to broad EPA standards on air quality in the context
of a landlord’s obligation to mitigate mold is unpersuasive.229
Furthermore, another dispute relating to Mr. Valentine’s opinion is whether
Payroll Manager needed to be included in the scans, regardless of which entity was
required to set the scope. Basically, there is no direct evidence that Payroll Manager
226
Insurers’ Reply at 6.
227
Id. at 7.
228
Id. at 8 (omission in original) (quoting In re Zurn Pex Plumbing Prods. Liab. Litig., 644 F.3d
604, 613 (8th Cir. 2011)).
229
See id. at 7 (discussing Brandt v. Rokeby Realty Co., 2004 WL 2050519, at *5 (Del. Super. Ct.
Sept. 8, 2004)).
was connected to the payment processing environment at the time of the 2007
vulnerability scans, so there is no direct evidence it was “in-scope” at that time.
Mr. Valentine explained the reasons he believed that it was connected to the payment
environment in his deposition but confirmed he had no direct evidence of it.
Trustwave Entities cite that lack of certainty as a reason to doubt Mr. Valentine’s
opinion that they violated their warranty of reasonable care by not scanning Payroll
Manager. This, too, seems to be a factual determination better left to trial. So,
summary judgment is yet again uncalled for.
2. The 2008 Report on Compliance
As for the 2008 ROC, Trustwave Entities insist there is no dispute that the
ROC was performed in a “professional and workmanlike manner.”230 They
primarily rely on the limited nature of an ROC—validating compliance with
standards, not actual security—to claim they had no obligation to catch the ongoing
infiltration of Heartland’s systems. Insurers do not attempt to argue the opposite
conclusion is undisputed; instead, they claim resolution of this issue depends on a
battle of the experts. Similarly to the vulnerability scans issue, Insurers point to the
purportedly recognized connection between the payment processing and corporate
components of Heartland’s network, and Trustwave’s failure to properly address
that, as their basis for claiming substandard performance. Insurers also claim
230
2007 Agreement at 9.
Trustwave’s failure to maintain the relevant workpapers generated during the ROC
assessment is a basis for a spoliation inference. Though the spoliation inference
seems unwarranted, there are material facts in dispute precluding summary
judgment.
As with the vulnerability scans, known junctures between the two sides of
Heartland’s network should have expanded the scope of the ROC to include all
systems connected to the sensitive data. The compensating control worksheets
affixed to the 2008 ROC suggest Trustwave was—or at least should have been—
aware of such connections. In arguing for summary judgment, Trustwave relies
heavily on the fact that “workmanlike” does not contemplate perfection. Insurers
adduce the assignment of Todd Skipper, an inexperienced and, they say, unqualified
assessor, to this project as evidence of Trustwave’s unprofessionalism. Despite
Trustwave’s protestations, it is clear that there is a genuine dispute as to whether
Trustwave’s performance met the standard they warranted in the 2007 Agreement.
But in resolving that dispute, Insurers aren’t entitled to a spoliation inference
in their favor. Insurers cite Trustwave’s acknowledgement of anticipated litigation
in 2011 and the subsequent failure to preserve the relevant workpapers as the basis
for spoliation. Plausible as that argument seems, it ignores a critical fact. Trustwave
was not preserving the documents because they anticipated this litigation; instead, it
was preserving the papers for potential use in the underlying Heartland litigation.
The litigation against Heartland concluded in 2015 and Insurers didn’t send their
demand to Trustwave until almost three years later. For context, in the absence of
litigation, Trustwave would have only been required to maintain the work papers for
three years.
Even assuming the conclusion of the Heartland litigation restarted the clock
on Trustwave’s duty to preserve the workpapers—meaning Insurers’ demand
arrived with one month remaining in Trustwave’s obligatory maintenance period—
the sanction of an adverse inference is discretionary.231 It doesn’t appear Trustwave
engaged in anything approaching bad faith by not keeping the papers after the
conclusion of the Heartland litigation, so a spoliation inference here would result in
a windfall to Insurers with no corresponding deterrent effect. So, any evaluation of
Trustwave’s performance starts from a level playing field.
E. CONTRACTUAL LANGUAGE GOVERNS THE APPLICABLE STANDARD OF
CAUSATION, AND CAUSATION REMAINS A MATERIAL FACT IN DISPUTE.
Trustwave Entities contend there can be no dispute that any alleged
misconduct by them was not a proximate cause of Heartland’s losses, entitling them
to summary judgment. Not so. First of all, the 2005 Agreement’s indemnity
provision is triggered by an agreed-upon standard of causation that is less than
231
See Charter Commc’ns Operating, LLC v. Optymyze, LLC, 2021 WL 1811627 (Del. Ch. Jan.
4, 2021) (“Whether and to what extent to impose sanctions is a matter entrusted to the discretion
of the trial court.”).
proximate cause. Second, even if the 2007 Agreement’s “attributable to” standard
is considered to be coextensive with proximate cause, evaluating causation under
that standard isn’t ripe for summary judgment.
1. The 2005 Agreement’s Indemnity Provision Doesn’t Require
Proximate Cause.
When Trustwave entered the 2005 Agreement—an agreement they seemingly
drafted—it agreed to indemnify Heartland for losses “arising out of or connected
with any third party claim relating to” its breach of an express warranty.232 Now
Trustwave Entities argue that the breach of warranty must be the proximate cause of
the loss for indemnity to apply. But that’s not the protection they bargained for.
In Charney v. American Apparel, Inc., the Court of Chancery interpreted the
analogous phrase “related to the fact” as “equivalent to the meaning of ‘by reason of
the fact.’”233 Our Supreme Court has interpreted “by reason of the fact” to mean
“there is a nexus or causal connection.”234 That “nexus” requirement is not as broad
as but-for causation,235 but implicitly, it must be less than a “causal connection” to
avoid rendering it redundant. So, it follows that “relating to” is not as demanding as
proximate cause. Even if it were, Trustwave is not entitled to summary judgment
232
2005 Agreement § 13(a).
233
2015 WL 5313769, at *14 (Del. Ch. Sept. 15, 2015).
234
Homestore, Inc. v. Tafeen, 888 A.2d 204 (Del. 2005).
235
Charney, 2015 WL 5313769, at *13.
on the issue of proximate causation.
2. Even Under a Proximate Cause Standard, Trustwave Entities Aren’t
Entitled to Summary Judgment on Causation.
It seems no Delaware court has had to interpret the term “attributable to”—
which is used in the 2007 Agreement’s indemnity provision—in an analogous
context. Without delving into a detailed interpretation of that term, it does at least
facially appear to be closer to proximate causation than “relating to.” Even assuming
it is equivalent to proximate cause, though, Trustwave’s argument is unconvincing.
Notably, “proximate cause is ‘almost always’ a jury issue. Indeed, proximate
cause is ‘fact driven’ and so ‘is to be determined, on the facts, upon mixed
considerations of logic, common sense, justice, policy and precedent.’”236 For that
reason, it can preclude summary judgment where in doubt.237 Here, it is in doubt.
Basically, Trustwave Entities make a contributory-fault argument and say
Heartland knew or should have known of the malware on their systems and failed to
respond appropriately. According to Trustwave, that failure to effectively remediate
the situation absolved Trustwave of any fault in not alerting Heartland. But that
argument is flawed and certainly does not render the issue undisputed.
First, Trustwave underplays its role by suggesting it would have been
236
Torrent Pharma, Inc. v. Priority Healthcare Distrib., Inc., 2022 WL 3272421, at *18 (Del.
Super. Ct. Aug. 11, 2022) (first quoting Mazda Motor Corp. v. Lindahl, 706 A.2d 526, 533 (Del.
1998); and then quoting Duphily v. Del. Elec. Coop., Inc., 662 A.2d 821, 830 (Del. 1995)).
237
Torrent Pharma, 2022 WL 3272421, at *18.
powerless to make Heartland engage in more comprehensive remediation.
Heartland was required to have approvals issued by Trustwave or another approved
compliance validation service to stay in business. The notion that Heartland would
have ignored Trustwave’s guidance on how to bring its systems into compliance is,
therefore, untenable.
Moreover, one of the components of Trustwave’s services was to assist in
necessary remediation. As stated in the 2007 Agreement regarding vulnerability
scans: “The reports will . . . provide detailed results and remediation action for
technicians. Remediation instructions include CVE-linked vulnerability checks and
best practices defined by Trustwave consultants.”238 As for the ROC aspect of
Trustwave’s services, the 2007 Agreement reads, “any areas of non-compliance will
be identified, documented and reported to [Heartland] for appropriate action,” and
continues, “the ROC will include . . . recommendations for addressing areas of
non-compliance.”239 Similar assurances are provided in the 2005 Agreement.240
Perhaps, if Heartland had been given those recommendations, its response would not
have been as woefully inadequate as Trustwave now describes.
Because Trustwave was in a position to compel more conscientiousness from
238
2007 Agreement at 3.
239
Id. at 3, 5.
240
2005 Agreement at 1-2.
Heartland than Heartland may have volunteered, and because Trustwave was
contractually obligated to assist Heartland in its remediation efforts, Trustwave
cannot claim that Heartland’s deficient remediation spares it from liability. At the
very least, the extent to which the blame lies with Trustwave is a material question
of fact in dispute.
F. THERE IS NO EVIDENCE AMBIRONTRUSTWAVE, LTD. TOOK PART IN THE
RELEVANT CONDUCT, SO ITS MOTION MUST BE GRANTED.
Finally, there is AmbironTrustwave, Ltd.’s narrow motion seeking summary
judgment only as to itself. Insurers present no evidence that AmbironTrustwave,
Ltd.—as opposed to Trustwave Holdings using the d/b/a AmbironTrustWave—took
any part in the disputed conduct. Instead, Insurers simply ignore that issue and
proceed in their opposition brief as if the two “AmbironTrustwave” entities are one
and the same. But, in a footnote of their Reply Brief, Insurers admit that
AmbironTrustWave as used in the vulnerability scans “is a d/b/a of Trustwave.” As
a result, Insurers have not created a genuine dispute as to whether
AmbironTrustwave, Ltd. rendered services to Heartland. Additionally, Insurers’
only counts that survived this Court’s September 2019 decision are against
Trustwave Holdings and Trustwave Corporation.
This motion centers on testimony from a Trustwave representative, Allen
Hannagan, explaining AmbironTrustwave, Ltd., didn’t perform work in the United
States, didn’t contract with Heartland, and performed no work for Heartland.241
When asked why the name “AmbironTrustWave” appeared on documents related to
Heartland, Mr. Hannagan explained, “that was a d/b/a of Trustwave Holdings.”242
That moniker for Trustwave Holdings is fitting, considering Trustwave Holdings is
the combination of Ambiron, LLC and Trustwave Corporation.243 Mr. Hannagan’s
affidavit expresses the same information and adds that AmbironTrustwave, Ltd.—a
subsidiary of Trustwave Holdings—is based in the United Kingdom and “exists for
the purpose of conducting business in the European Union.”244
Insurers don’t address any of that information. Seemingly unconcerned with
the “Ltd.” versus “d/b/a” distinction, Insurers expressly omit the “Ltd.” when
referring to AmbironTrustwave, Ltd. throughout their papers.245 Insurers then
proceed to point out the several places where the name “AmbironTrustWave”
appears on documents related to Heartland.246 Conspicuously missing from those
references is the distinguishing “Ltd.” Insurers’ lone contention that is responsive
to AmbironTrustWave, Ltd.’s argument is that Mr. Hannagan’s testimony is “self-
241
AmbironTrustwave’s Mot., Ex. D [hereinafter “Hannagan Dep.”] at 5, 245-46 (D.I. 144).
242
Hannagan Dep. at 245-46.
243
Id. at 245.
244
Hannagan Aff. ¶ 5.
245
Insurers’ Opp’n to AmbironTrustwave at 1.
246
Id. at 2, 6-8, 11.
serving” and thus insufficient to support summary judgment.247
Insurers rely on three cases to argue self-serving affidavits alone cannot
support summary judgment: Wilson v. Metzger,248 Abacus Sports Installations, Ltd.
v. Casale Const., LLC,249 and Fomby v. Frank E. Basil, Inc.250 In Wilson, this Court
stated in a succinct order, “[a]bsent further supporting evidence, a self-serving,
conclusory affidavit alone is insufficient to justify summary judgment.”251 That
comment was made in the context of denying a plaintiff-inmate’s motion for
summary judgment after he submitted a “conclusory” affidavit that “merely mirrored
[the allegations] in the complaint.”252 This Court made similar statements in Abacus
Sports Installations en route to denying a defendant’s pre-discovery motion for
summary judgment based on “self-serving” affidavits that were “little more than
vague recollections.”253 Lastly, in Fomby, this Court rejected a defendant-doctor’s
motion for summary judgment based on the doctor’s own affidavit saying the
treatment he rendered was “appropriate” and “proper.”254
247
Id. at 11-12.
248
2021 WL 2355230, at *1 (Del. Super. Ct. June 9, 2021).
249
2011 WL 5288866, at *2 (Del. Super. Ct. July 21, 2011).
250
1986 WL 9021, at *1-2 (Del. Super. Ct. Aug. 18, 1986).
251
2021 WL 2355230, at *1 (citing Abacus Sports Installations, 2011 WL 5288866, at *2).
252
Wilson, 2021 WL 2355230, at *1.
253
2011 WL 5288866, at *2.
254
1986 WL 9021, at *1-2.
There are meaningful differences between those cases and
AmbironTrustwave, Ltd.’s motion here. Most critical is the level to which the
affidavits in the other cases are “conclusory” and the Insurers’ evidence is absent.
In Wilson and Fomby, the affidavits were simply renewed contentions bereft of
specific factual support.255 In Abacus Sports Installations, not only were the
affidavits limited to “vague recollections,” but they were also submitted before any
discovery had taken place.256 By contrast, in this instance, expansive discovery has
already occurred, and Mr. Hannagan’s testimony provides a well-reasoned and
uncontroverted explanation as to AmbironTrustwave, Ltd.’s conclusion that it was
not involved in the disputed conduct. In fact, the most conclusory allegation in this
portion of the briefing is Insurers’ implied claim that Mr. Hannagan is lying. As
Insurers recognize, “[t]he mere suggestion that [a witness’s] credibility may be in
question does not suffice to create an[] issue of fact.”257
Further, and even more importantly, apparently losing track of their web of
contentions, Insurers actually admit in their reply brief that AmbironTrustwave as
used in the vulnerability scan documents “is a d/b/a of Trustwave.”258 Conveniently,
255
Wilson, 2021 WL 2355230, at *1; Fomby, 1986 WL 9021, at *1-2.
256
2011 WL 5288866, at *2.
257
Insurers’ Reply Brief in Support of their Motion for Summary Judgment [hereinafter “Insurers’
Reply Br.”] at 8 (second alteration in original) (quoting Khan v. Del. State Univ., 2016 WL
3575524, at *12 (Del. Super. Ct. June 24, 2016)).
258
Insurers’ Reply Br. at 14 n.29.
they even provide the notarized form registering “AmbironTrustwave” as a trade
name for Trustwave Holdings.259 Not only does that admission quell their argument
that the trade name’s usage implicates the European entity, but the provided form
means Mr. Hannagan’s testimony is not the sole support for AmbironTrustwave,
Ltd.’s motion. For those reasons, there is no genuine dispute as to
AmbironTrustwave, Ltd.’s involvement in providing services to Heartland and its
prayer for summary judgment is granted.260
VI. CONCLUSION
For the foregoing reasons, Trustwave Entities’ Motion for Summary
Judgment is DENIED; Insurers’ Motion for Partial Summary Judgment is
DENIED; and AmbironTrustwave, Ltd.’s Motion for Partial Summary Judgment is
GRANTED.
IT IS SO ORDERED.
259
Insurers’ Reply Br., Ex. 5 (D.I. 179).
260
What’s more, though undiscussed by the parties, a simple fact renders this analysis
superfluous: there are presently no claims against AmbironTrustwave, Ltd. Its motion seeks
summary judgment on Insurers’ Counterclaim Counts IV and V, as well as Count III of Insurers’
third-party complaint. AmbironTrustwave’s Mot. at 1. But Counterclaim Counts IV and V are
“against Trustwave Holdings.” Countercl. at 47, 50. And Count III of the Insurers’ third-party
complaint is “against Trustwave Corporation.” Countercl. at 67. Only two Counts were ever
brought against AmbironTrustwave, Ltd.—Counts IV and VI of the third-party complaint.
Countercl. at 69, 72. Those Counts pleaded negligent misrepresentation and gross negligence.
Countercl. at 67, 71. As such, they were dismissed by this Court’s earlier ruling on Trustwave
Entities’ Motion to Dismiss. Trustwave Hldgs, Inc., 2019 WL 4785866, at *11 (dismissing
“Insurers’ Counterclaims and Third-Party Claims for . . . (iii) negligent misrepresentation, and
(iv) gross negligence”). With no claims against AmbironTrustwave, Ltd. left to be decided, no
factual dispute could be material with regard to that entity, so for that reason too it is due summary
judgment.