Data privacy litigations are on the rise.  With this increase in cases comes an increase in coverage disputes regarding when an insurer has a duty to defend its insured in a data-breach and data privacy litigations.  A decision out of the Fifth Circuit earlier this summer has put this issue under additional focus.  Landry’s, Inc. v. Ins. Co. of the Pa., 2021 U.S. App. LEXIS 21668 (5th Cir. July 2021).  Read on to learn more.

In In Landry’s, the insured retailer was sued by a payment card processing in the wake of a data event involving the exfiltration of credit card data (“PCI Data”) from the insured’s point-of-sale (“POS”) system.  The data event occurred over an 18-month period and involved the misappropriation of millions of customers’ PCI Data.

Landry’s is a Houston-based company that operates retail properties (restaurants, hotels, casinos, etc.).  Paymentech, LLC (“Paymentech”) processes credit card payments to those properties.  In May 2018, Paymentech filed suit against Landry’s for breaching the Paymentech Agreement.  Under the terms of that Agreement, Landry’s was obligated to: (i) follow all Payment Brand Rules; (ii) comply with certain security guidelines; and (iii) indemnify Paymentech for any assessments, fines, or penalties stemming from any failure by Landry’s to comply with the Payment Brand Rules.  Landry’s, in turn, looked to its insurer to defend it.

The insurance policy Landy’s had with its insurer (the “Policy”) stated that the insurer “will pay those sums that [Landry’s] becomes legally obligated to pay as damages because of ‘personal and advertising injury’” and “will have the right and duty to defend [Landry’s] against any ‘suit’ seeking those damages.”  The Policy defined “[p]ersonal and advertising injury” as “injury . . . arising out of” several offenses, including “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”

The insurer denied its duty to defend Landry’s, stating that the underlying litigation “does not qualify for coverage” because “[n]one of the . . . ‘personal and advertising injury’ triggers are implicated” by the allegations in the Paymentech Complaint.  While funding its own defense against Paymentech, Landry’s filed a separate suit against its insurer, claiming that the insurer breached the Policy.

Ruling on the parties’ cross motions for summary judgment, the district court denied Landry’s motion and granted the insurer’s motion, finding no coverage and no duty to defend.  On appeal, the Fifth Circuit was asked to determine de novo whether the insurer has a duty to defend Landry’s in the underlying Paymentech Litigation.  In making this assessment, the Fifth Circuit first determined whether the complaint in the Paymentech litigation involves a “publication.”  Second, the Court then examined whether Paymentech seeks damages “arising out of” the “violation of a person’s right to privacy.”

The Fifth Circuit held that the contractual text and structure of the Policy suggested the parties intended the broadest possible definition of “oral or written publication”—which included “exposing or presenting information to view.”  The court concluded that the Paymentech complaint allegesd publication by Landry’s twice.  The complaint first alleged that Landry’s published customers’ credit-card data to hackers. Specifically, as the credit-card “data was being routed through affected systems,” Landry’s allegedly exposed that data— including each “cardholder name, card number, expiration date and internal verification code.”  The Paymentech complaint also alleged that hackers published the credit-card data by using it to make fraudulent purchases.  The Court concluded that both disclosures “exposed or presented that credit card information to view.”

Since the Fifth Circuit determined that the Paymentech litigation involved at least one “publication,” the Court then moved to whether the publication involves an injury “arising out of the violation of a person’s right of privacy.”  The Court found that “arising out of” as used in the Policy, reasoning that the Policy does not simply extend to violations of privacy rights; it extends to all injuries that arise out of such violation.

Next, and without much discussion, the Fifth Circuit concluded that a person has a “right of privacy” in his or her “credit-card data” and that “hackers’ theft of credit-card data and use of that data to make fraudulent purchases constitute violations of consumers’ privacy rights.”  Since the Paymentech complaint alleged such theft and fraudulent purchases, the Court held the insurer has a duty to defend Landry’s.

The insurer had argued in opposing coverage that the Policy only covers tort damages “arising out of the violation of a person’s right of privacy”—suggesting that it might defend Landry’s if it were sued in tort by the individual customers who had their credit-card data hacked and fraudulently used, but not in a breach of contract action.  The Fifth Circuit rejected that argument, on the basis that the Policy “contains none of these salami-slicing distinctions.”

As with the West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc. coverage ruling earlier this year, this decision is anticipated to have a significant impact on coverage disputes going forward.  2021 IL 125978 (Ill. May 20, 2021).  For more on this, stay tuned.  CPW will be there.