Update: Thompson Coe appellate partner Wade Crosnoe has submitted an amicus curiae brief for American Property Casualty Insurance Association in support of The Insurance Company of the State of Pennsylvania’s Petition for Rehearing in this appeal.
On July 21, 2021, the Fifth Circuit in Landry’s, Incorporated v. The Insurance Company of the State of Pennsylvania interpreted the term “publication” broadly to reverse summary judgment in favor of a commercial general liability (CGL) insurer and found a duty to defend in a $20 million data-breach-related lawsuit. --- F.4th ---, 2021 WL 3075937 (5th Cir. 2021).
Landry’s, Incorporated (“Landry’s”) operates restaurants, hotels, and casinos. Paymentech, LLC (“Paymentech”) processes Visa and MasterCard payments for Landry’s properties. Paymentech uncovered a data breach that occurred at multiple Landry’s locations between May 2014 and December 2015. It was later determined that the data breach involved the unauthorized installation of a program on Landry’s payment-processing devices, which was designed to search for data from credit cards’ magnetic strips (including names, card numbers, expiration dates, and internal verification code) as the information was being routed through the payment-processing systems.
Under Paymentech’s contracts with Visa and MasterCard, it was required to pay for data-breach-related losses, which amounted to approximately $20 million. In turn, Paymentech filed suit against Landry’s for breach of their processing agreement. In turn, Landry’s sought coverage under four CGL insurance policies issued by The Insurance Company of the State of Pennsylvania (“ICSOP”) for the relevant time periods. ICSOP denied Landry’s claim for a defense and indemnity, stating that the Paymentech’s lawsuit “does not qualify for coverage” because “[n]one of the ... ‘personal and advertising injury’ triggers are implicated by the allegations in the [Paymentech] Complaint.” Landry’s filed suit against ICSOP, which was removed to the U.S. District Court for the Southern District of Texas. On cross-Motions for Summary Judgment, the trial court found in favor of ICSOP.
Relevant here, the ICSOP policies’ Coverage B provides coverage for amounts that the insured is legally obligated to pay due to “personal and advertising injury.” Within the policies, “personal and advertising injury” is defined as “injury ... arising out of ... oral or written publication, in any manner, of material that violates a person’s right of privacy.” In granting ICSOP’s Motion for Summary Judgment, the trial court held that the events surrounding the data breach did not meet this standard. Notably, “[a] third party hacked into [Landry’s] credit card processing system and stole consumers’ credit card information. [Landry’s] did not knowingly or willingly publish this information.” Stated another way, the trial court “decline[d]” to hold that “theft of data by a third party was considered a ‘publication.’”
However, in reversing and remanding the case, the Fifth Circuit concluded the opposite. In reaching that conclusion, the Court looked to the policies’ text regarding “an oral or written publication,” and held that “[t]he contractual text and structure suggest the parties intended the broadest possible definition of ‘[o]ral or written publication’” for three reasons. First, the Fifth Circuit observed that “coverage is triggered by a ‘publication, in any manner’ … And some of the dictionary definitions of ‘publication’ are quite broad.” For example, the Fifth Circuit observed that Black’s Law Dictionary simply defines “publication” as “the act of declaring or announcing to the public.” According to the Fifth Circuit, the policies “intended to use every definition of the word ‘publication’—even the very broadest ones.” Thus, according to the Fifth Circuit, if the underlying lawsuit “concerns any of these ‘publications’—even merely ‘exposing or presenting [information] to view’—then the Policy’s capacious provision is satisfied.” Second, the Fifth Circuit held that the structure of the policies’ coverage provision confirms its broad reading of the text, as the policies use the same publication language when considering slander and libel, as well as violations of a person’s right to privacy. Thus, the Fifth Circuit concluded that the “publication” requirement must be at least as broad as the tort of defamation, which merely requires transmission of information to one other person. Third and finally, the Fifth Circuit observed that if there is any ambiguity in the policies, it must be resolved in Landry’s favor.
After concluding that the broadest possible definition of “[o]ral or written publication” should be applied, the Fifth Circuit looked to Paymentech’s complaint, which alleged two different types of “publication”—i.e., (1) that Landry’s published customers’ credit-card data by exposing it to the hackers and (2) that the hackers published the credit-card data by using it to make fraudulent purchases. Relying on a broad definition of “publish,” the Fifth Circuit held that “[b]oth disclosures ‘expos[ed] or present[ed] [the credit-card information] to view.’ And either one standing alone would constitute the sort of ‘publication’ required by the Policy.” For similar reasons, the Fifth Circuit also held that alleged injuries arose out of the violation of a person’s right of privacy, as required by the policies. According to the Fifth Circuit, the words “connote breadth” that extends to “all injuries that arise out of [violations of privacy rights].” Additionally, “it’s undisputed that a person has a ‘right of privacy’ in his or her credit-card data.” Thus, the Fifth Circuit concluded that ICSOP had a duty to defend Landry’s in its lawsuit with Paymentech.
As is clear from the Fifth Circuit’s decision, courts are willing to accept novel interpretations of existing to CGL policy language when considering insurance coverage issues. Such an approach seems even more likely when considering data theft and cyber liability. Insurance companies should expect policyholders to advocate for broad definitions of terms that bear on losses “arising out of” privacy thefts. Additionally, the Landry’s decision may also be harbinger of a growing trend by policyholders to seek insurance coverage under CGL policies, particularly when a loss is not covered by a separate cyber policy or the insured has chosen not to purchase such coverage.
On a more practical level, this decision (and the Fifth Circuit’s reliance on secondary sources) underscores the need for insurers to retain coverage counsel early when considering whether a loss is potentially covered. The decision is also cautionary in that an insurer should not seek to read additional terms and/or requirements into a policy, as the Fifth Circuit (in contrast to the trial court) adopted the position that intent to publish was not necessary, as considered above.
On the other hand, this particular panel at the Fifth Circuit, which only consisted of two judges following a recusal post-argument, appeared to stretch the concept of “publication” beyond how courts have previously recognized the term. Moreover, the decision appears to be grounded in a non-typical understanding of “publication” and expansion of even the broadest definitions identified by the Fifth Circuit to encompasses acts of third parties. Nevertheless, it is worth noting that the Landry’s decision is ultimately limited to ICSOP’s duty to defend based on the broad allegations in the underlying complaint and an Eight-Corners Rule analysis under Texas law, so there may ultimately not be a duty to indemnify. However, the cost of defending a data-breach-related lawsuit could be extremely high.
Undeniably, this opinion could have far reaching implications; however, whether it will alter the insurance coverage landscape under Texas law or merely be known as an outlier is yet to be seen. It is expected that ICSOP will seek rehearing.