In a decision last week entitled Landry’s, Inc. v. The Ins. Co. Of The State Of Pennsylvania, No. 19-20430, 2021 WL 3075937 (5th Circ., July 21, 2021), the Fifth Circuit Court of Appeals found coverage under a CGL Policy for a traditional data breach. More particularly, the Fifth Circuit held the insurer has a duty to defend Landry’s in the litigation that resulted from a breach incident involving credit card information. This case marks a departure from the general premise that there is no coverage to be found under CGL policies for liability resulting from “classic” data breach incidents.
The Facts Giving Rise to the Breach, the Breach Litigation and the Insurance Declaratory Judgment Action
Landry’s operated a number of retail establishments, including restaurants, hotels and casinos and uses Paymentech, LLC to process credit card payments at its retail properties. The facts indicate this process involves Paymentech, an intermediary between Landry’s and its bank, obtaining authorization from Visa or MasterCard to complete the sale prior to the funds being sent to JPMorgan Chase.
At some point, Paymentech discovered a data breach occurred at a number of Landry’s properties caused by an unauthorized installation of a program on devices used to process credit card transactions. “Over approximately a year and a half, the program retrieved personal information from millions of customers’ credit cards. And at least some of that credit card information was used to make unauthorized charges.” Id. at *1. This resulted in millions of dollars in unauthorized charges to Landry’s customers’ cards.
Landry’s and Paymentech had a number of contracts that controlled the processing of credit cards from the point where Landry’s customers presented their cards until the point when the funds were deposited with JPMorgan Chase. Ultimately, Paymentech filed the underlying lawsuit where it sought over $20 million in damages for amounts assessed by Visa and MasterCard related to the fraudulent credit card transactions.
Landry’s filed a declaratory judgment against its insurer The Insurance Company of the State of Pennsylvania (“ICSP) seeking a declaration that ICSP had a duty to defend Landry’s in the underlying breach litigation for “publication” under the advertising and privacy injury clause of the policy.
In particular, Landry’s argued ICSP had a duty to defend under the Personal Injury clause arguing the allegations in the underlying litigation sought damages “arising out of … [the] [o]ral or written publication … of material that violates a person’s right of privacy.” Additionally, to trigger coverage, Landry’s would need to show Paymentech’s alleged damages are “arising out of” the “violat[ion] [of] a person’s right of privacy.”
The District Court dismissed all the claims against ICSP holding “the Paymentech complaint did not allege a ‘publication’ because it asserted only that “[a] third party hacked into [the] credit card processing system and stole customers’ credit card information.” Id. at *2. Specifically, the District Court found these allegations did not constitute a “violat[ion] [of] a person’s right of privacy” because Paymentech involves the payment processor’s contract claims, not the cardholders’ privacy claims.” Id.
The Fifth Circuit’s Reversal of the District Court’s Finding of No Coverage
In overturning the District Court, the Fifth Circuit first found the allegations in the Paymentech constituted a “publication” as defined under the CGL policy issued to Landry’s based on the following reasoning:
The Paymentech complaint plainly alleges that Landry’s published its customers’ credit card information—that is, exposed it to view. In fact, the Paymentech complaint alleges two different types of “publication.” The complaint first alleges that Landry’s published customers’ credit card data to hackers. Specifically, as the credit-card “data was being routed through affected systems,” Landry’s allegedly exposed that data—including each “cardholder name, card number, expiration date and internal verification code.” Second, the Paymentech complaint alleges that hackers published the credit card data by using it to make fraudulent purchases. Both disclosures “expos[ed] or present[ed] [the credit-card information] to view.” Publish, WEBSTER’S SECOND, at 2005. And either one standing alone would constitute the sort of “publication” required by the Policy. Id. at 4.
Next, the Fifth Circuit analyzed whether the allegations in Paymentech’s complaint sought damages for “an injury ‘arising out of…the violation of a person’s right of privacy.” The Fifth Circuit found this requirement was easily met since “it’s undisputed that a person has a ‘right of privacy’ in his or her credit card data.” Id. at 5. The Fifth Circuit further held “[i]t’s also undisputed that hackers’ theft of credit-card data and use of that data to make fraudulent purchases constitute ‘violations’ of consumers’ privacy rights.” Id.
The Fifth Circuit’s decision is interesting since it simply glazes over the fact that Paymentech was suing Landry’s for breaching its contracts. Of course, breach of contract claims typically do not trigger coverage under a CGL policy. Also, the Fifth Circuit quickly moved past the fact that Paymentech did not suffer damages from the “publication” with the following reasoning dismissing real coverage questions as “salami-slicing distinctions:”
ICSOP urges us not to follow the plain text of the Policy and instead to alter it. In ICSOP’s view, the Policy covers only tort damages “arising out of … the violation of a person’s right of privacy.” Thus, ICSOP suggests, it might defend Landry’s if it were sued in tort by the individual customers who had their credit-card data hacked and fraudulently used. But ICSOP thinks it bears no obligation to defend Landry’s in a breach-of-contract action brought by Paymentech. Of course, the Policy contains none of these salami-slicing distinctions.
The Fifth Circuit’s decision in Landry makes more sense from a coverage standpoint if the underlying litigation was brought by the individuals that may have been damaged from the breach of their credit cards. This decision is also missing an analysis of exclusionary language that is become more common in CGL policies for breach/privacy/cyber incidents and the litigation arising from such incidents. Nevertheless, insurers should expect to see insureds use the reasoning in this decision to argue CGL policies provide coverage for cyber and privacy incidents.
For more information about this article, contact Todd Rowe, working at home, of course, at firstname.lastname@example.org.