IRMI Online Talk With Us

Category Focus
Claims, Case Law, Legal

Commercial Auto

Commercial Liability

Commercial Property

COVID-19

Personal Lines and Small Business

Risk Financing and Captives
Risk Management

Specialty Lines

Workers Compensation

White Papers

Free Articles

Videos
Industry Focus
Agribusiness Industry

Construction Industry

Energy Industry
Transportation Industry

Insurance Industry
Conferences
Agribusiness Conference

Construction Risk Conference

Energy Risk and Insurance Conference
Transportation Risk Conference

Sessions On Demand
Insurance Education
Certifications

Agribusiness and Farm Insurance Specialist

Construction Risk and Insurance Specialist

Energy Risk and Insurance Specialist

Management Liability Insurance Specialist
Manufacturing Risk and Insurance Specialist

Transportation Risk and Insurance Professional

Continuing Education

Insurance Industry Training

IRMI Webinars
Subscribe
Plans and Pricing

Catalog

Request a Demo

IRMI Tutorials

Product Updates

Enterprise Subscriptions
Free Newsletters

White Papers

Product Tour

Podcast

How-To Videos
About IRMI
Our Mission

Our Story

Our Team

Our Brands
Press Releases

Careers

Contact Us

Advertise
Glossary
Terms
Acronyms

Home Articles Expert Commentary Fifth Circuit Finds Defense Duty for Credit Card Data Breach

Defense and Settlement

Fifth Circuit Finds Defense Duty for Credit Card Data Breach

Lyndon Bittle | August 12, 2021

Reversing a federal district court, the Fifth Circuit Court of Appeals recently applied the Texas eight-corners rule to hold that an insurer had a duty to defend a restaurant chain against claims the chain breached its contract with a credit cards from gaining access to its customers' private information.

In Landry's Inc. v. Insurance Co. of the State of Penn., No. 19-20430 (July 21, 2021), a commercial general liability policy issued by the Insurance Company of the State of Pennsylvania (ICSOP) insured Landry's, Inc., against liability for "personal and advertising injury" and agreed to defend Landry's against such claims. A data breach at 14 of Landry's restaurants over an 18-month period gave hackers access to the personal credit card information of millions of customers.

As a result of the breach, Paymentech, which processed Visa and Mastercard charges, was assessed penalties of over $20 million under its contracts with those companies. To recover these sums, Paymentech sued Landry's for breach of its Select Merchant Agreement, alleging the data-breach losses were caused by the chain's violation of "Payment Brand Rules" incorporated into the contract.

Landry's tendered the suit to ICSOP, which denied coverage and refused to defend. Landry's sued ICSOP in Texas state court; after ICSOP removed to federal court, the parties filed competing motions for summary judgment. The district court granted the insurer's motion and dismissed all claims, holding Paymentech's complaint did not allege a "publication" or a violation of a person's right to privacy because it involved Paymentech's contractual rights against Landry's, not the cardholders' privacy claims. Landry's appealed.

The Fifth Circuit's Ruling

A Fifth Circuit panel reversed based on its application of Texas law's eight-corners rule. ICSOP had a duty to defend Landry's, the court explained, if the underlying Paymentech complaint sought damages "arising out of the oral or written publication of material that violates a person's right of privacy." The duty thus turns on two questions: does the complaint allege a "publication," and does Paymentech seek damages "arising out of" the violation of privacy rights?

First, the court determined the word "publication," which was not defined in the policy, must be given the "broadest possible definition." After reviewing several dictionary definitions and the structure of the policy's coverage provisions, the court invoked the ambiguity-favors-the-insured rule and concluded the Paymentech complaint "plainly alleges that Landry's published its customers' credit-card information—that is, exposed it to view." The court also noted that whether Landry's actually caused the publication was irrelevant to the duty to defend.

Second, the court observed that the "operative text begins with the words 'arising out of,'" and held those words "connote breadth." Applying the broad scope of that phrase, the court concluded the policy "does not simply extend to violations of privacy rights; [but] to all injuries that arise out of such violations." And it is undisputed that cardholders have a "right of privacy" to the personal information that was exposed to view. Accordingly, the losses borne by Paymentech arose out of the violation of the cardholders' rights.

Finally, the court rejected ICSOP's argument that the "policy covers only tort damages" arising out of a privacy violation, not damages for breach of contract as alleged by Paymentech. That argument, the court held, was precluded by the Texas Supreme Court's 2007 holding in Lamar Homes, Inc. v. Mid-Continent Cas. Co., 242 S.W.3d 1 (Tex. 2007), that foundation defects were an "occurrence" where the policy made "no distinction between tort and contract damages."

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.