Fifth Circuit Finds Potential Coverage for Data Breach; Interprets “Publication” Broadly

Using general contract interpretation principles, the Fifth Circuit reversed summary judgment in favor of an insurer and found a duty to defend Landry’s in a data breach lawsuit. Landry’s Inc. v. The Insurance Company of the State of Pennsylvania, No. 19-20430 (July 21, 2021). Landry’s contracted with Paymentech to process credit card payments at its restaurants, hotels, and casinos. Paymentech discovered a data breach across fourteen Landry’s locations resulting in $20 million of fraudulent credit card payments. The data breach involved an unauthorized program installed on Landry’s payment-processing devices. The program searched data from credit cards’ magnetic strips, including the cardholder’s name, card number, expiration date, and internal verification code, as the information was being routed through the payment-processing systems. Paymentech sued Landry’s for breach of the Paymentech-Landry’s agreement, under which Landry’s was required to comply with certain security guidelines and indemnify Paymentech for damages resulting from Landry’s failure to comply. 

Landry’s turned to its insurer to defend it for “those sums that [Landry’s] becomes legally obligated to pay as damages because of ‘personal and advertising injury’”, including “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.” In its summary judgment motion, the insurer argued the underlying lawsuit did not implicate “personal and advertising injury” coverage because the stolen credit card information is not alleged to be published by anyone and theft is not the same as publication. With regard to the violation of a right of privacy, the insurer asserted the underlying lawsuit involved Paymentech’s claim for indemnification from Landry’s for monies Paymentech owed Visa and MasterCard and not allegations that Paymentech’s privacy rights were violated.

Ruling on cross motions for summary judgment, the district court denied Landry’s motion and granted the insurer’s motion, finding no coverage and no duty to defend. The district court determined Paymentech’s assertion in the underlying lawsuit that “a third party hacked into the credit card processing system an stole customers’ credit card information” did not amount to a “publication”.  The trial court stated, “[a] plain reading of the contract language shows that the [commercial general liability policy was] not intended to cover the losses at issue here.  If [it had been intended to cover such losses], much clearer language would have been used that could cover injuries arising out of credit card fraud or cyber security breaches.” Additionally, the trial court found the underlying complaint did not allege a “violat[ion] [of] a person’s right of privacy” because the underlying lawsuit involved the payment processor’s contract claims and not the cardholders’ privacy claims.

The Fifth Circuit Court disagreed with the insurer’s argument that no publication existed because the underlying lawsuit did not allege the hackers disseminated cardholder information to anyone nor did Landry’s publish material in violation of any person’s privacy rights. The insurer also argued that the generally accepted meaning of the term “publication” does not include being a victim of theft or the act of a thief taking information for his or her own use.

However, the court relied on basic contract interpretation principles when it found the undefined terms, “[o]ral or written publication”; were intended to bear their ordinary and plain meaning. See DeWitt Cnty. Elec. Co-op, Inc. v. Parks, 1 S.W.3d 96, 101 (Tex. 1999). Importantly, the court determined that the text of the insurance contract required the broadest possible definition of “[o]ral or written publication” because coverage is triggered by a “publication, in any manner” (emphasis in original). Relying on a sampling of dictionary definitions of “publication” and “publish”, the court decided that if the underlying litigation concerns any of the ordinary definitions of “publication”, even merely “exposing or presenting [information] to view”, then the policy’s provision is satisfied.

Similarly, the court looked to the structure of the insurance contract and the presumption of consistent usage to conclude that the meaning of the word “publication”—an oral or written publication, in any manner”, is identical throughout the policy. Therefore, the court concluded the “publication” requirement in both subsections (d) and (e) of the enumerated offenses included in the definition of “personal and advertising injury” must be at least as broad as the tort of defamation (captured in subsection (d)), which merely requires a transmission of information to one other person. See e.g., Exxon Mobil Corp. v. Rincones, 520 S.W.3d 572, 579 (Tex. 2017) (listing “the publication of a false statement of fact to a third party” as an element of a defamation claim, and stating that defamatory “[p]ublication occurs if the defamatory statements are communicated orally, in writing, or in print to some third person who is capable of understanding their defamatory import and in such a way that the third person did so understand” (quotation omitted)). Additionally, even though Landry’s did not assert the policy is ambiguous, the court relied on the general principle that any ambiguity in the policy must be resolved in favor of the insured to further support its reading of the word “publication” to embrace the broadest possible plain meaning of that word.

The court found the underlying complaint alleged Landry’s published its customers’ credit card information—that is—exposed it to view. Landry’s published the credit card data to hackers as the data was routed through the affected systems and the hackers published the data by using it to make fraudulent purchases. The court specified that either publication, standing alone, would constitute “publication” required by the policy. Notably, the court stated that whether Landry’s in fact caused the publication and in turn caused the injuries is a question relevant to the insurer’s duty to indemnify and not its duty to defend.

The court did not tarry long on the issue of whether the underlying complaint alleged injuries “arising out of …the violat[ion] [of] a person’s right of privacy.” The phrase “arising out of” connotes breadth. Nauru Phosphate Royalties, Inc. v. Drago Daic Interests, Inc., 138 F.3d 160, 165 (5th Cir. 1998). It is undisputed that (1) a person has a right of privacy in his or her credit card data, and (2) hacker’s theft of such data and use of that data to make fraudulent purchases constitute violations of consumers’ privacy rights.

The insurer next argued that its policy only covers tort damage arising out of the violation of a person’s right of privacy but the underlying lawsuit seeks damages for breach of contract—which are not covered. However, the court found the policy contained “none of these salami-slicing distinctions” citing  Lamar Homes, Inc. v. Mid-Continent Cas. Co., 242 S.W.3d 1 (Tex. 2007) and noting the Texas Supreme Court makes no distinctions between tort and contract damages. As a result, the Fifth Circuit reversed the district court’s summary judgment and remanded the case to the district court for further proceedings consistent with its opinion.

Practice Pointers: General liability policies without data breach exclusions may owe coverage, or at least a defense, for data breaches under the Fifth Circuit’s analysis. Do not neglect basic contract interpretations principles when assessing the duty to defend. More specifically, with regard to undefined terms in an insurance policy (or any contract), look for context clues to determine whether the undefined terms should be interpreted broadly or narrowly. Additionally, when interpreting undefined terms according to their plain and ordinary meaning, consult several dictionaries and consider whether any meaning in a standard dictionary definition of the undefined term applies. Finally, do not read terms or requirements into a contract.