Cyber Law Blog
Insurance Law Blog
July 26, 2021

Fifth Circuit Holds General Liability Carrier Has a Duty To Defend Data Breach Lawsuit

BY: Jason Taylor

In Landry’s Inc. v. The Ins. Co. of the State of PA, No. 19-20430 (5th Cir. July 21, 2021), the Fifth Circuit addressed whether a general liability carrier, Insurance Company of the State of Pennsylvania (“ICSOP”), had a duty to defend its insured, Landry’s, in data-breach litigation. At summary judgment, the district court ruled no; however, the Fifth Circuit disagreed and reversed, finding that the complaint potentially alleged “personal and advertising injury” under the policy.

Landry’s is a Houston-based company that operates retail properties including restaurants, hotels, and casinos. Paymentech, LLC, a branch of JPMorgan Chase Bank, processed Visa and MasterCard payments for those properties. On December 2, 2015, Paymentech discovered credit card problems at some Landry’s properties. An investigation uncovered a data breach that occurred across fourteen Landry’s locations between May 2014 and December 2015, involving the unauthorized installation of a program on Landry’s payment-processing devices that searched and captured data from credit cards’ magnetic strips—including the cardholder’s name, card number, expiration date, and internal verification code. Over the course of approximately a year and a half, the program retrieved personal information from millions of customers’ credit cards, some of which was used to make unauthorized charges.

The credit card companies, Visa and MasterCard, sought approximately $20 million in breach-related losses from Paymentech through various membership agreements.  Paymentech, in turn, sought payment from Landry’s (which had its own agreement with Paymentech).  When Landry’s refused to pay, Paymentech filed suit alleging that Landry’s was obligated to pay the $20,062,206.88 collectively assessed against Paymentech by Visa and MasterCard.

Landry’s sought coverage for the Paymentech suit from its commercial general liability carrier, ICSOP.  The ICSOP Policy provided coverage, in relevant part, for sums that Landry’s becomes legally obligated to pay as damages because of “personal and advertising injury,” which included “oral or written publication, in any manner, of material that violates a person’s right of privacy.”  ICSOP denied coverage stating that “[n]one of the . . . ‘personal and advertising injury’ triggers are implicated by the allegations in the [Paymentech] Complaint.”  While funding its own defense against Paymentech, Landry’s filed a separate suit against ICSOP for breach of contract and declaratory judgment.

The district court granted summary judgment to ICSOP and dismissed all the claims. In doing so, the district court held that the Paymentech complaint did not allege a “publication” because it only asserted that “[a] third party hacked into [the] credit card processing system and stole customers’ credit card information.”  The district court also held that the complaint did not allege a “violat[ion] [of] a person’s right of privacy” because Paymentech involved the payment processor’s contract claims, not individual cardholders’ privacy claims. 

On appeal, the Fifth Circuit reversed.  The Fifth Circuit framed the coverage issue in two parts.  First, the court must determine whether the Paymentech complaint involved a “publication.”  If so, the court must also determine whether Paymentech sought damages “arising out of” the “violat[ion] [of] a person’s right of privacy.”

As respects “publication,” the Fifth Circuit reasoned that the contractual text and structure of the policy language suggested the parties intended the broadest possible definition of “[o]ral or written publication.”  For example, coverage under the policy was triggered by a “publication, in any manner.”  To the Fifth Circuit, this meant the policy intended to use every definition of the word “publication”—even the very broadest ones.  One dictionary definition of “publication” merely required “exposing or presenting [information] to view,” which the Fifth Circuit found applicable.  Similarly, the structure of the policy’s coverage provision meant that the “publication” requirement must be at least as broad as the tort of defamation, another “personal and advertising injury” offense with a publication requirement, which merely required transmission of information to one other person.

According to the court, the Paymentech complaint plainly alleged that Landry’s published its customers’ credit card information—that is, exposed it to view. First, the complaint alleged that Landry’s published customers’ credit-card data to hackers. Specifically, as the credit card “data was being routed through affected systems, Landry’s allegedly exposed that data, including cardholder name, card number, expiration date and internal verification code.” Second, the Paymentech complaint alleged that hackers published the credit card data by using it to make fraudulent purchases. Both disclosures, according to the Fifth Circuit, “exposed or presented the credit-card information to view…. And either one standing alone would constitute the sort of ‘publication’ required by the Policy.” The court noted that it was irrelevant whether Landry’s itself caused the publications, and hence, caused the personal and advertising injuries. For duty to defend purposes, it only mattered that Paymentech alleged a publication of the data.

Next, the Fifth Circuit addressed whether the breach involved an injury “arising out of” the violation of a person’s right of privacy.  As is typically the case, the phrase “arising out of” is construed broadly.  Thus, the policy did not simply extend to violations of privacy rights; the policy instead extended to all injuries that arise out of such violations.  It was undisputed that individuals have a “right of privacy” in their credit card data.  It was also undisputed that hackers’ theft of credit-card data and use of that data to make fraudulent purchases constituted “violations” of consumers’ privacy rights.  Further still, there was no dispute that the Paymentech complaint alleged such theft and such fraudulent purchases. As such, the Fifth Circuit found that the alleged injuries arose out of a privacy right violation.

ICSOP argued that while the policy might cover Landry’s for tort claims brought by individual customers, ICSOP had no obligation to defend Landry’s in a breach of contract action brought by Paymentech. According to the court, however, the facts alleged in the Paymentech complaint constituted an injury arising from the violation of customers’ privacy rights. It did not matter that Paymentech’s legal theories sounded in contract rather than tort. Nor did it matter that Paymentech (rather than individual customers) sued Landry’s. As the Fifth Circuit saw it, Paymentech’s alleged injuries arose from the violations of customers’ rights to keep their credit-card data private. Therefore, under the eight-corners rule and Texas law, ICSOP was required to defend Landry’s in the underlying Paymentech litigation.