News
5th Circuit Rules that CGL Insurance Owes Coverage for Data Breach
August 20, 2021
Share to:
<p style="text-align: justify;">On July 21, 2021, the Fifth Circuit, in <em><a href="https://www.wcmlaw.com/wp-content/uploads/2021/08/Landrys-Order.pdf">Landry’s Inc. v. Ins. Co. of the State of Pa.</a>, </em>issued a pivotal decision concerning coverage for a data breach under a commercial general liability policy. Significantly, the Fifth Circuit held a commercial general liability insurer was obligated to defend its insured in an action asserting breach of contract claims arising out of an alleged data breach.</p>
<p style="text-align: justify;">By way of brief background, in December 2015, Paymentech, LLC, a branch of JPMorgan Chase Bank that processes Visa and Mastercard payments for retail properties operated by Landry’s Incorporated, as successor in interest to Landry’s Management, LP, discovered credit-card problems at some of Landry’s properties. Ultimately, it was discovered that a data breach occurred at 14 Landry’s locations, which involved the unauthorized installation of a program designed to search for data from credit cards’ magnetic strips. Over an approximate eighteen-month period, the program retrieved personal information from millions of customers’ credit cards and some of that information was used to make unauthorized purchases.</p>
<p style="text-align: justify;">In May 2018, Paymentech filed suit against Landry’s for breach of contract for the costs associated with the data breaches. Landry’s sought coverage under its commercial general liability policy with The Insurance Company of the State of Pennsylvania (“ISCOP”). Ultimately, ICSOP disclaimed coverage to Landry’s for the underlying <em>Paymentech </em>action as it determined the <em>Paymentech </em>action did not allege any “personal and advertising injury” as required under the policy. Subsequently, Landry’s filed a lawsuit against ICSOP and both ICSOP and Landry’s moved for summary judgment. The District Court for the Southern District of Texas agreed with ICSOP’s position that Paymentech did not allege a “publication” took place or that its own privacy rights were violated. Landry’s appealed to the Fifth Circuit.</p>
<p style="text-align: justify;">First, the Court determined the publication requirement as defined by the policy was met because the complaint in the <em>Paymentech</em> action alleged Landry’s published its customers’ credit-card information. In other words, the Court held the personal information was exposed to public view in accordance with the dictionary definition of “publish”.</p>
<p style="text-align: justify;">Second, the Court analyzed whether the <em>Paymentech </em>action involves an injury “arising out of . . . the violat[ion] [of] a person’s right of privacy.” By looking to the text of the policy, the court determined the phrase “arising out of” was broad and extended to all injuries that arise out of violations of privacy violations. Since the Court found a person has a right of privacy in his or her credit-card data and a hacker’s theft of credit-card data, the use of that data to make fraudulent purchases constitutes a “violation” of consumers’ privacy rights and the complaint in <em>Paymentech</em> action asserts violations of theft and fraudulent purchases, based on the plain language of the policy, ICSOP has a duty to defend. Significantly, the court reasoned the policy did not distinguish between tort and contract damages; as such, the Court focused on the facts alleged in the complaint as opposed to the legal theories asserted.</p>
<p style="text-align: justify;">The Court held the facts alleged in the <em>Paymentech</em> complaint constitute an injury arising from the violation of customers’ privacy rights. In doing so, the Court held it did not matter whether Paymentech’s legal theories sounded in contract or tort or that individual customers did not sue Landry’s. Rather, the Court reasoned Paymentech’s alleged injuries arise out of the violations of customers’ rights to keep their credit-card data private. Accordingly, under Texas’ eight-corners rule, the Court held ICSOP had a duty to defend Landry’s in the underlying <em>Paymentech </em>action.</p>
<p style="text-align: justify;">This decision represents a significant departure from precedent involving commercial general liability coverage and data breaches. It will be interesting to see how this matter develops as the case is remanded for further proceedings consistent with the Fifth Circuit’s ruling.</p>
<p style="text-align: justify;">Thanks to Lauren Berenbaum for her contribution to this post. Please email <a href="mailto:bgibbons@wcmlaw.com">Brian Gibbons</a> with any questions.</p>