Amid high-profile cybersecurity breaches that have spurred regulatory action and encouraged compliance revamps, the Fifth Circuit recently ruled that the Insurance Company of the State of Pennsylvania (“ICSOP”) has a duty to defend Landry’s, a Houston-based hospitality chain, in a $20 million data breach litigation. Landry’s, Inc. v. Ins. Co. of the State of Pennsylvania, No. 19-20430, 2021 WL 3075937, at *5 (5th Cir. July 21, 2021). Circuit Judges Jerry Smith and Andrew Oldham held that key policy language — “an oral or written publication…of material that violates a person’s right of privacy” — triggered ICSOP’s duty to defend Landry’s in a breach of contract action between Landry’s and its credit card payment processor.

As a company that operates restaurants, hotels, and casinos, Landry’s contracted with Paymentech, LLC (“Paymentech”) to process customer credit card payments. For each of Landry’s sales, Paymentech obtains credit authorization from one of two credit card companies and then directs payments to its parent bank. From May 2014 to December 2015, malware infected Landry’s payment processing devices and extracted names, card numbers, expiration dates, and internal verification codes of customers who swiped their cards at 14 different retail locations.1

Pursuant to agreements with both credit card companies, Paymentech was required to pay for customer losses resulting from data breaches. Landry’s and Paymentech, however, had a separate agreement requiring Landry’s to comply with security guidelines and indemnify Paymentech in the event of Landry’s failure to comply with rules imposed by the credit card companies.

When Paymentech sued Landry’s for breach of their agreement, Landry’s turned to ICSOP, its commercial general liability insurer, to defend Landry’s against Paymentech. Landry’s policy with ICSOP covered “any suit” seeking damages because of “personal and advertising injury.” The policy defines such injury as “oral or written publication, in any manner, of material that violates a person’s right of privacy.” These coverage provisions are fairly common in many off-the-shelf commercial general liability (“CGL”) insurance policies.

The federal district court sided with the insurer, holding that (i) stealing customer information is not a “publication,” and (ii) Paymentech’s complaint against Landry’s did not allege a violation of a person’s right of privacy because the litigation arose out of a contractual dispute and not tort claims by direct customers.

The Fifth Circuit reversed the district court’s findings after analyzing key policy language and breaking down the issue into two elements: (1) Does Paymentech’s complaint against Landry’s involve a “publication”; and (2) do the alleged damages “arise out of” the “violation of a person’s right of privacy”?

According to the Fifth Circuit, the complaint involves an “oral or written publication” because the ICSOP policy intended the broadest possible definition. The court looked to surrounding language, numerous dictionary definitions (and other secondary sources, including Justice Scalia and Bryan Garner’s Reading Law: The Interpretation of Legal Texts), the structure of the policy’s coverage provision, and the principle that insurance policy ambiguity should be resolved in favor of the insured. For example, the court highlighted one dictionary definition stating that “exposing or presenting [information] to view” constitutes a publication. The structure of the policy’s coverage provision also mandated a broad reading because (1) the “publication” requirement under the privacy section was syntactically identical to the defamation section and (2) “publication” for defamation purposes means “transmission of information to one other person.” The court found that Paymentech’s complaint alleged a “publication” under the ICSOP policy both because Landry’s “published” customer information through a compromised point-of-sale system to the hackers, and the hackers themselves “published” the information when they made fraudulent purchases with the customer data.

The alleged damages were found to arise out of the “violation of a person’s right of privacy” because Supreme Court and Fifth Circuit precedent states that “arising out of” language is broad. Such language represents an intent for the clause to reach all aspects of the contractual relationship and extend to all injuries that arise out of violations. The parties did not dispute that a person has a “right of privacy” in their credit card data or that theft and use of such data is a violation of a consumer’s privacy rights.

The court rejected ICSOP’s argument that the policy would trigger a duty to defend Landry’s only if individual customers had sued Landry’s in tort. Refusing to “salami slice” the legal theories, the court focused on the facts alleged in the complaint. “It does not matter than Paymentech’s legal theories sound in contract rather than tort. Nor does it matter that Paymentech (rather than individual customers) sued Landry’s.” Id.

What This Means for You

As cybercrime continues to terrorize public and private entities across industries, companies can expect insurance companies to advocate for narrow definitions of terms that bear on loss “arising out of” privacy threats, such as “publication” and “violation.” Companies should not overlook insurance coverage that may exist in an unexpected place, such as within an existing CGL policy, even if a particular loss is not covered by a cyber policy. To the extent that coverage hinges on undefined terms, companies should research local precedent and secondary sources (e.g., dictionary definitions) of undefined terms and analyze the overall policy structure to consider whether it covers a breadth of potential threats. This is especially true for companies whose contracts obligate them to indemnify others for potential breaches, which may involve significant exposure.

More broadly, this opinion encourages collaboration between compliance teams and those responsible for purchasing and renewing insurance, including general corporate insurance and insurance specific to losses associated with cyberattacks, such as payments of ransoms, business interruption, and notification costs. Data privacy policies and comprehensive incident response plans that include periodic communication between information security personnel, compliance and insurance experts could lead to appropriately expansive cybersecurity coverage and save time and dollars in the event of a crisis.