Fifth Circuit Issues Rules on Risk of Loss in Data Breach
On July 21, 2021, the U.S. Court of Appeals for the Fifth Circuit issued a reversal of the district court in Landry’s, Inc. v. Ins. Co. of the State of Pennsylvania, No. 19-20430, 2021 WL 3075937, at *5 (5th Cir. July 21, 2021). In this case, a retail company, Landry’s (plaintiff), contracted with Paymentech, LLC (Paymentech) to process customer credit card transactions at its many retail locations. When malware infected Landry’s payment processing devices, the names, card numbers, expiration dates, and internal verification codes of multiple credit card companies’ customers were compromised.
Pursuant to an agreement between Paymentech and these creditors, Paymentech was required to pay for the customer losses that were incurred — payment which they sought indemnification for from Landry’s according to their contract terms. In response, Landry’s sought out its commercial general liability insurer, Insurance Company of the State of Pennsylvania (ICSOP), to defend them against Paymentech’s claims as their policy covered “any suit” seeking damages as a result of “personal and advertising injury.” The policy defines such injury as “oral or written publication, in any manner, of material that violates a person’s right of privacy.”
ICSOP refused to do so and moved to dismiss on the basis that it was not within Landry’s coverage. The district court granted ICSOP’s motion because “the bank’s complaint did not allege a ‘publication’ of material that violated a person’s right to privacy because it asserted only that ‘[a] third party hacked into [the] credit card processing system and stole customers’ credit card information.’” Furthermore, the court found that Paymentech’s complaint also did not allege a violation of a person’s right to privacy because the originating claim between the bank and Paymentech involved a contracts claim, not a claim of violation of a consumer’s privacy rights.
On appeal, the 5th Circuit adopted a broad definition of “publication” because the term was undefined in the contract between ICSOP and Landry’s, and found that the complaint “plainly alleges” that the credit card information of the bank’s customers was published by the hackers — both because Landry’s “published” customer information through a compromised point-of-sale system to the hackers, and because the hackers themselves “published” the information when they made fraudulent purchases with the customer data.
The Court then examined whether ICSOP “has a duty to defend [the plaintiff] in the [u]nderlying [bank] [l]itigation.” In answering this, the Court applied Texas’s “eight-corners rule,” which compares the “four corners of the [p]olicy to the four corners of the complaint.” As a result, the Court found that the bank’s “alleged injuries arise from the violations of customers' rights to keep their credit card data private,” and “[u]nder the eight-corners rule, [the insurance company] must defend [the business] in the underlying [bank’s] litigation.”
This ruling has significant implications for business owners as cybersecurity and data governance issues grow in frequency — bringing with them questions as to who should be forced to “bear the loss” associated with a breach. This is especially true for businesses with contracts that obligate them to indemnify their customers for potential breaches. As a result of this litigation, Texas businesses should review the language of their insurance policies and determine — based on this ruling and other local interpretations — whether or not their general commercial liability insurer could play a role in defending against any claims of loss following a data breach.