The U.S. Court of Appeals for the Fifth Circuit recently held that a Commercial General Liability insurance policy required the insurer to defend Houston-based Landry’s Inc. in a $25 million data breach case brought by its credit card processor. Landry’s, Inc. v. Ins. Co. of the State of Pa., No. 19-20430, 2021 U.S. App. LEXIS 21668 (5th Cir. July 21, 2021). By the time the Fifth Circuit rendered its decision, however, Landry’s had already lost the underlying case to its credit card processor, which was awarded $20 million in damages and is currently moving to recover attorneys’ fees ($1 million), costs ($500,000), and prejudgment interest ($3.2 million). As the Landry’s insurer is now on the hook to pay for any sums that Landry’s becomes “legally obligated to pay as damages,” the defense costs will likely be tacked onto a judgment of approximately $25 million that the insurance company must satisfy.
Landry’s was the victim of a data breach that resulted in the theft of personal information from millions of customers’ credit cards over the course of a year and a half. When the Landry’s payment card processor (Paymentech) was charged over $20 million by Visa and MasterCard for losses relating to the breach, Paymentech sued Landry’s to provide reimbursement under the terms of the contract between the parties (“Paymentech Suit”).
When the Landry’s insurance carrier declined to provide Landry’s a defense under the Commercial General Liability (“CGL”) policy, Landry’s filed suit against its insurer (ICSOP) seeking a declaratory judgment that ICSOP was obligated to defend Landry’s in the Paymentech Suit. The district court dismissed the Landry’s claim on the grounds that the Paymentech complaint did not allege the necessary “publication” of “material that violates a person’s right of privacy,” and therefore, the CGL policy did not require ICSOP to defend Landry’s in the Paymentech Suit.
The Fifth Circuit reversed the dismissal of the case, holding that the Paymentech Suit did indeed seek damages arising out of the violation of a person’s right of privacy. Applying the “eight corners rule” – which compares the four corners of an insurance policy to the four corners of a complaint to determine whether defense and/or indemnification obligations have been triggered – the Fifth Circuit defined “publication” broadly to bring the Paymentech Suit within the coverage of the applicable policy. ICSOP had argued that while a hacker had stolen credit card information, the Paymentech complaint had not alleged “publication” of that information. ICSOP also argued that it was under no duty to defend Landry’s because Paymentech was alleging breach of contract (i.e., the suit did not involve cardholder privacy claims).
After having concluded that the “publication” requirement could be satisfied by the mere transmission of information to one other person, the court noted the broad coverage of the operative words “arising out of” in the policy. In view of the expansive interpretation of this phrase, the court had no difficulty in holding that the defense obligation had been triggered, nor did the court find any persuasive distinction between the contract claim asserted by Paymentech and any other privacy claim covered by the policy.
The amount in controversy in this case ($25 million and counting) provided a powerful incentive for the parties to litigate coverage. It often seems that the scope of liability improperly colors carriers’ interpretations of policy coverage. However, this case reminds us that even though the insurance industry is pedaling a spectrum of independent cybersecurity policies, in the event of a data breach, a deep dive into your CGL policy may be warranted. Understanding that any ambiguity will be resolved in favor of the insured (at least in the Fifth Circuit), a data breach victim may find that coverage turns on judicial construction of terms and phrases like “publication” and “arising out of,” regardless of how forcefully the insurance carrier denies responsibility.
Mike Regitz focuses his practice on intellectual property, cybersecurity, and data privacy counseling and disputes.
RegitzMauck PLLC is an intellectual property boutique based in Dallas, Texas. The firm focuses on providing value-based legal services to cost-conscious clients seeking high quality legal representation in intellectual property, cybersecurity, and data privacy matters and disputes.