The Fifth Circuit Court of Appeals in Spec’s Family Partners, Ltd. v. Hanover Insurance Co. (No. 17-20263, Jun. 25, 2018), afforded a contractual liability exclusion a narrow interpretation to deny an insurer judgment in its favor. The coverage litigation resulted from Hanover Insurance Company’s (Insurer) refusal to pay Spec’s Family Partners’ (Spec’s) litigation costs in connection with a payment card industry (PCI) liability dispute between Spec’s and First Data Merchant Services, LLC (First Data) following a data breach.
The Spec’s credit card network had been breached by hackers. First Data suffered loss and sought to shift to Spec’s the cost associated with resultant fraudulent transactions. First Data alleged noncompliance with PCI data security standards. First Data, pursuant to its merchant agreement with Spec’s, established a Reserve Amount of approximately $9.5 million. First Data also demanded documentation and security compliance from Spec’s. Spec’s filed an affirmative action against First Data to recover the amounts withheld in the Reserve Accounts.
Spec’s demanded coverage for the affirmative action, and the Insurer disclaimed coverage under a Management Liability Insurance Policy’s Exclusion N., which applied to: “‘loss’ on account of any ‘claim’ made against any ‘insured’ directly or indirectly based upon, arising out of, or attributable to any actual or alleged liability under a written or oral contract or agreement. However, this exclusion does not apply to your liability that would have attached in the absence of such contract or agreement.” Spec’s then filed the instant action against the Insurer, and the district court granted judgment on the pleadings in favor of the Insurer. Spec’s appealed.
The Fifth Circuit reversed, finding the exception to the exclusion to potentially be satisfied by the “non-contract claims.” The court latched onto the demand letters’ insistence on security compliance by Spec’s, although it is unclear from the opinion whether those steps had been completed prior to Spec’s initiation of the recovery action against First Data. The court concluded that these demands, along with prompt payment of the amounts required by the merchant agreement, “implicate theories of negligence and general contract law that imply Spec’s liability for the assessments separate and apart from any obligations ‘based upon, arising out of, or attributable to any actual or alleged liability under’ the merchant agreement.”
How the court ultimately divorced from Spec’s obligations under the merchant agreement First Data’s demands for reimbursement of loss and Spec’s compliance with PCI standards is difficult to discern. Moreover, it seems the cost of prosecuting the recovery action had nothing to do with the compliance protocols, which may have already been completed by Spec’s voluntarily. Nonetheless, the significance of this opinion lies in its contradistinction to the U.S. District Court for the District of Arizona’s seminal opinion in P.F. Chang’s China Bistro, Inc. v. Federal Insurance Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016). Notably, that well-reasoned decision was based upon facts similar to those in Spec’s, although the relevant policy was a stand-alone cyberinsurance policy.
This dispute between Spec’s and Hanover is hardly over. We will continue to monitor this dispute and report further developments.