Home Page The Publication The Editor Contact Information Insurance Key issues Book Subscribe


Significant CGL Data Breach Decision From Federal Appeals Court



Significant CGL Data Breach Decision From Federal Appeals Court

Wednesday's decision, from the Fifth Circuit, in Landry's, Inc. v. Ins. Co. of the State of Pa., No. 19-20430 (5th Cir. July 21, 2021), is a significant one in the area of coverage for data breaches.

Reasons: The insurer lost the case – despite having the much better arguments. In other words, the decision could open a door to policyholders that should be closed. In addition, the Fifth Circuit is well-regarded and the decision is published.

Importantly, the decision involves a not uncommon fact pattern when it comes to data breaches -- and coverage under a commercial general liability policy and not a cyber policy. There are a lot more CGL policies out there than cyber policies. This is to say that the case may have increased opportunities to be influential. Not to mention that there is limited case law for a court to go to for guidance for data breach coverage under a CGL policy. So Landry's may be an attractive place to look.

On the other hand, the decision's impact should certainly be tempered by insurers' use of Data Breach Exclusions in CGL policies. If the decision's impact is limited by Data Breach exclusions, then the decision may be felt in other areas -- based on the court's expansive uses of the terms "publication" and "privacy," which come up frequently in all kinds of coverage cases.

The decision was made based on a duty to defend standard and does not speak to the insurer's ultimate obligation for coverage for damages. I did not read the complaint. But based on the court's excerpts from it, it sounds like it was drafted to plead into coverage.       

At issue was coverage for Landry's, a Houston-based company, that operates retail businesses, including restaurants. Between May 2014 and December 2015, 14 Landry's locations suffered data breaches. A unauthorized program had been installed on its payment processing devices that enabled card numbers and customer names and other important information to be taken.

The court describes all manner of complex agreements in place between the various companies involved when a consumer uses a credit card. When all was said and done, Landry's was sued by its credit card processing company and faced a $20 million tab for the data breaches. 

Landry's sought coverage under the "personal and advertising injury" section of its commercial general liability policy. Specifically, for "oral or written publication, in any manner, of material that violates a person's right of privacy." The insurer disclaimed coverage on the basis that the allegations at issue did not satisfy such provision. 

Landry's undertook its own defense and filed a declaratory judgment action that was removed to federal court. The district court sided with the insurer on cross motions for summary judgment. The court held that the "complaint did not allege a 'publication' because it asserted only that '[a] third party hacked into [the] credit card processing system and stole customers' credit card information.' And the district court held that the complaint also did not allege a 'violat[ion] [of] a person's right of privacy' because [the complaint] involves the payment processor's contract claims, not the cardholders privacy claims."

The Fifth Circuit disagreed with the lower court on both issues and reversed. 

The federal appeals court started with the meaning of "publication," which it noted was undefined. After looking at several dictionaries, various uses of the term in the policy and the fact that publication is modified by the phrase "in any manner," the court concluded that "publication" is entitled to the broadest possible plain meaning.

With that as the test, the court concluded that the "publication requirement" had been satisfied: "The Paymentech complaint plainly alleges that Landry's published its customers' credit-card information—that is, exposed it to view. In fact, the Paymentech complaint alleges two different types of 'publication.' The complaint first alleges that Landry's published customers' credit-card data to hackers. Specifically, as the credit-card 'data was being routed through affected systems,' Landry's allegedly exposed that data—including each 'cardholder name, card number, expiration date and internal verification code.' Second, the Paymentech complaint alleges that hackers published the credit-card data by using it to make fraudulent purchases. Both disclosures 'expos[ed] or present[ed] [the credit-card information] to view.' Publish, Webster's Second, at 2005. And either one standing alone would constitute the sort of 'publication' required by the Policy."
The court also concluded that the "privacy" requirement was satisfied, despite the fact that Landry's was being sued by its credit card processing company, on a contract basis, and not by customers in tort for privacy violations. As far as the court saw it, the policy does not support such "salami-slicing distinctions."

Instead, the court simply focused on a person's right to privacy (which it also concluded was subject to a broad interpretation): "[I]t's undisputed that a person has a 'right of privacy' in his or her credit-card data. It's also undisputed that hackers' theft of credit-card data and use of that data to make fraudulent purchases constitute 'violations' of consumers' privacy rights. And it's still further undisputed that the Paymentech complaint alleges such theft and such fraudulent purchases."

For any insurers without Data Breach exclusions on CGL policies, the decision could help to open what should otherwise be a closed door for coverage.



Website by Balderrama Design Copyright Randy Maniloff All Rights Reserved