Fifth Circuit Holds Payment Card Breach Lawsuit Triggers Coverage for “Personal and Advertising Injury”
The United States Court of Appeals for the Fifth Circuit, applying Texas law, held that an insurer owed a duty to defend its insured in an underlying litigation stemming from a payment card breach because it found that the underlying complaint sufficiently alleged a “personal and advertising injury” under the terms of the policy. Landry’s Inc. v. Ins. Co. of the State of Pa., 2021 WL 3075937 (5th Cir. July 21, 2021).
The insured, a retail property manager, suffered a payment card breach at fourteen of its locations between May 2014 and December 2015. The breach involved the unauthorized installation of a program on its credit card-processing devices. The program was designed to search for data from magnetic strips on credit cards, including the cardholder’s name, card number, expiration date, and internal verification code, as the information was routed through the payment-processing system. The threat actor then used the information retrieved by the program to make approximately $20 million in unauthorized charges. The insured’s payment processing vendor sought indemnification from the insured for these losses pursuant to the terms of their payment card processing agreement. After the insured refused to pay, the vendor filed suit against the insured.
The insured sought coverage for the lawsuit under its general liability insurance policy, which afforded coverage for damages because of “personal and advertising injury.” The policy defined “personal and advertising injury” as “injury . . . arising out of . . . oral or written publication, in any manner, of material that violates a person’s right of privacy.” The insurer denied coverage on the grounds that the underlying litigation did not allege a “personal and advertising injury.” In the subsequent coverage litigation, the district court granted the insurer’s motion for summary judgment and held that there was no coverage under the policy.
On appeal, the Fifth Circuit reversed, holding that the underlying complaint both alleged a “publication” and also arose from a violation of “a person’s right of privacy,” such that the insurer owed a duty to defend. First, the court interpreted the meaning of the undefined term “publication.” The court noted that coverage was triggered by “publication, in any manner,” which suggested that the policy intended to apply the broadest possible definition of “oral or written publication,” including mere exposure or presentation of the information to view. The court further concluded that the policy’s use of the phrase “oral or written publication, in any manner” in two separate provisions relating to defamation and privacy offenses meant that the publication requirement should be at least as broad as the tort of defamation, which merely requires transmission of information to one other person. The court thus determined that the underlying complaint sufficiently alleged a “publication” because it asserted that customers’ credit card information was exposed to view, both to the hacker and then again to merchants to make fraudulent purchases. Next, the court addressed whether the injury arose from the violation of a person’s right of privacy. Construing the “arising out of” language broadly, the court held that the underlying litigation arose out of violations of a person’s right of privacy because it involved the theft and fraudulent use of private information in the form of credit card data. In so holding, the court rejected the insurer’s argument that the policy only covered tort lawsuits brought by individual customers whose credit card data was stolen and not breach-of-contract actions brought by vendors.