United States: Fifth Circuit Supports Data Breach Coverage Under Commercial General Liability Insurance Policies

The United States Court of Appeals for the Fifth Circuit wrapped up the month of July by handing down a helpful ruling for policyholders seeking coverage for cybersecurity and data breach risks. On July 21, 2021, the Fifth Circuit ruled in Landry's Inc. v. Insurance Company of the State of Pennsylvania that the terms "publication" and "privacy" should be construed broadly to trigger the insurer's duty to defend a policyholder. ¹ Notably, the insurance policy at issue was a commercial general liability (CGL) policy and the underlying lawsuit was a data breach claim. This decision is a reminder that insurance coverage for cyber liability or data breach liability may be found in a number of different types of insurance policies, not just those marketed or sold as cyber policies.

Since December 2008, Landry's Inc. (Landry's), which operates retail properties including restaurants, hotels, and casinos, had contracted with Paymentech to process Visa and MasterCard payments made at Landry's properties (Agreement). In December 2015, Paymentech discovered a data breach that occurred across fourteen Landry's locations, and Landry's independently initiated its own investigation to discover that the data breach involved unauthorized installation of a program on its payment-processing devices. Over a year and a half period, the program had searched and retrieved personal information from millions of customers' credit cards as the information was being routed through the payment-processing system. Some of this information was then used to make unauthorized charges.

Paymentech alleged that as a part of its Agreement, Landry was required to abide by Paymentech's "Payment Brand Rules," and to indemnify Paymentech for any assessments arising from any failure by Landry's to comply with the "Payment Brand Rules." The amount of liability resulting from Landry's failure to encrypt the data was over $20 million, according to the assessment by Paymentech's membership programs with Visa and MasterCard. Landry's refused to reimburse Paymentech, and the underlying lawsuit ensued (Paymentech Litigation).²

Landry's had four CGL insurance policies (Policies) issued by the Insurance Company of the State of Pennsylvania (ICSOP), to which Landry's tendered the Paymentech Litigation for coverage. Under the Policies, ICSOP had a duty to defend Landry's for damages because of "personal and advertising injury," further defined in relevant part as "injury ... arising out of ... oral or written publication, in any manner, of material that violates a person's right of privacy." ICSOP denied the claim, and Landry's filed suit in Texas state court to enforce ICSOP's duty to defend. The case was eventually removed to federal district court, which sided with ICSOP by granting it summary judgment and concluding that the Policies "do not identify any duty ...to defend or indemnify" the type of injuries stemming from a consumer data breach by a third-party. ³ After finding that the events surrounding the case data breach do not meet the standard of "oral or written publication" by the policyholder, the district court also distinguished the damages in question to be contractual as opposed to damages arising out of a violation of a "right of privacy" sustained by the cardholders.

On appeal, the Fifth Circuit had to determine whether ICSOP had a duty to defend Landry's. The Firth Circuit followed Texas's "eight-corners rule" by comparing the four corners of the Policies to the four corners of the underlying Paymentech Litigation complaint. The first question to answer was whether the Paymentech Litigation complaint involved an "oral or written publication" and the second question to answer was whether the Paymentech Litigation involved an injury "arising out of . . . the violat[ion] [of] a person's 'right of privacy.'"

Landry's argued that the district court incorrectly narrowed the terms of the Policies and ignored the allegations in the Paymentech Litigation complaint. Landry's reasoned that when interpreted broadly in favor of the policyholder, as is the well-settled Texas law regarding an insurer's duty to defend, the Paymentech Litigation complaint satisfied the standard of "publication" in plain and ordinary meaning. Specifically, Landry's pointed out that the Paymentech Litigation complaint alleged transmission of "'millions' of cardholders' private account data to hackers and other" which in turn "undisputedly violated the privacy rights of Landry's customers." ⁴

ICSOP countered that the district court's decision should be affirmed because the Paymentech Litigation complaint was missing the element of public distribution. ICSOP contended that Landry's was "ask[ing] this court to stretch the meaning of 'publication' beyond recognition, treat[ing] a corporate breach of contract dispute ...as equivalent of an action by an individual seeking compensation for a violation of his or her privacy." ⁵ ICSOP then redirected the Fifth Circuit's attention to the cause of action in the Paymentech Litigation-the breach of contract, quantum meruit and unjust enrichment- which arose from Landry's alleged failure to adhere to its Agreement and underlined that the elements of publication and privacy were not necessary to prove claims in the Paymentech Litigation.

Rejecting ICSOP's argument, the Fifth Circuit ruled in favor of the policyholder, Landry's, and reversed the district court's decision. Listing off a number of definitions from three different dictionaries for the term "publication" which had not been defined in the Policies, the Fifth Circuit sought for the "broadest possible" definition suitable for the language "oral or written publication, in any manner." Focusing on Webster's Dictionary definition "to make known as by exposing or presenting it to view," ⁶ the Fifth Circuit reasoned such definition satisfied the Policies' "capacious provision." ⁷ Employing this definition, the Fifth Circuit found the first question on appeal in Landry's favor because the Paymentech Litigation complaint alleged two types of publication: first, Landry's publication of customer's credit card data to hackers, and second, the hackers' publication of the credit card data to make unauthorized charges. Either one was enough to meet the Policies' requirement of publication.

Landry's likewise benefited from the Firth Circuit's equally favorable interpretation of the Policies language, in which the court straightforwardly concluded, "the facts alleged in the Paymentech complaint constitute an injury arising out of the violation of a person's right of privacy, as those terms are commonly understood." ⁸ Simplifying the argument to whether there was a violation of consumer's privacy rights alleged in the Paymentech Litigation complaint, the Fifth Circuit agreed with Landry's that the right of privacy in credit card data was undisputedly violated by the hacking. Further, the Fifth Circuit relied on Lamar Homes, Inc. v. Mid-Continent Casualty Co. to reject ICSOP's attempt to distinguish injury caused by breach of contract versus injury caused by the data breach. Relying on Texas Supreme Court precedent that "[t]he duty to defend must be determined under the eight-corners rule rather than by the labels attached to the underlying claims," ⁹ the Fifth Circuit underscored that the focus must be on "the facts alleged" in the complaint, "not on the actual legal theories" invoked, e.g. tort versus contract. ¹⁰ The Fifth Circuit put it simply that "it does not matter Paymentech's legal theories sound in contract rather than tort. Nor that Paymentech and not the customers sued Landry's." ¹¹ Instead, it was enough that the "alleged injuries arise from the violations of customers' rights to keep their credit-card data private." ¹²

The Fifth Circuit's decision is important in its breadth of what is considered "oral or written publication" within the personal and adverting injury coverage of a CGL insurance policy, rightly rejecting the insurer's overly restrictive interpretation. In addition, the Fifth Circuit's broad view of what injury arises out of a violation of a person's right of privacy is likely to have influential impact in granting policyholders access to coverage for cyber or data breach liability coverage under CGL insurance policies. Policyholders, however, should be mindful of the facts of each case and the specific CGL policy language, and in particular, whether there are any data breach or similar type exclusions in their CGL policies. While policyholders may have separate policies specifically sold or marketed as covering cyber or privacy liability, the Landry's decision serves as a reminder that other types of insurance policies, CGL included, should be considered for potential coverage.

Footnotes

1. Landry's, Inc. v. Ins. Co. of the State of Pa., No. 19-20430, 2021 WL 3075937 (5th Cir. July 21, 2021).

2. Paymentech, LLC & JPMorgan Chase Bank v. Landry's, Inc., 4:18-CV-01622 (S.D. Tex.).

3. Landry's Inc. v. Insurance Company of Pennsylvania, No. 4:18-CV-02679, 2019 WL 3080917 (S.D. Tex. May 22, 2019).

4. Appellant's Br. at 15, Landry's Inc., No. 19-20430, 2019 WL 5070136 (5th Cir. Oct. 1, 2019).

5. Appellee's Br. at 12, Landry's Inc., No. 19-20430, 2019 WL 6529524 (5th Cir. Nov. 25, 2019)

6. WEBSTER'S NEW INTERNATIONAL DICTIONARY2005 (2d ed. 1934; 1950).

7. 2021 WL 3075937 at 3.

8. Id. at 5.

9. Lamar Homes, Inc. v. Mid-Continent Casualty Co., 242 S.W.3d 1, 15-16 (Tex. 2007).

10. St. Paul Fire & Marine Ins. Co. v. Green Tree Fin. Corp.-Tex., 249 F.3d 389, 391 -392 (5th Cir. 2001)

11. 2021 WL 3075937 at 5.

12. Id.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.