Reversing a federal district court, the Fifth Circuit Court of Appeals recently applied the Texas eight-corners rule to hold that an insurer had a duty to defend a restaurant chain against claims the chain breached its contract with a credit cards from gaining access to its customers' private information.
In Landry's Inc. v. Insurance Co. of the State of Penn., No. 19-20430 (July 21, 2021), a commercial general liability policy issued by the Insurance Company of the State of Pennsylvania (ICSOP) insured Landry's, Inc., against liability for "personal and advertising injury" and agreed to defend Landry's against such claims. A data breach at 14 of Landry's restaurants over an 18-month period gave hackers access to the personal credit card information of millions of customers.
As a result of the breach, Paymentech, which processed Visa and Mastercard charges, was assessed penalties of over $20 million under its contracts with those companies. To recover these sums, Paymentech sued Landry's for breach of its Select Merchant Agreement, alleging the data-breach losses were caused by the chain's violation of "Payment Brand Rules" incorporated into the contract.
Landry's tendered the suit to ICSOP, which denied coverage and refused to defend. Landry's sued ICSOP in Texas state court; after ICSOP removed to federal court, the parties filed competing motions for summary judgment. The district court granted the insurer's motion and dismissed all claims, holding Paymentech's complaint did not allege a "publication" or a violation of a person's right to privacy because it involved Paymentech's contractual rights against Landry's, not the cardholders' privacy claims. Landry's appealed.
The Fifth Circuit's Ruling
A Fifth Circuit panel reversed based on its application of Texas law's eight-corners rule. ICSOP had a duty to defend Landry's, the court explained, if the underlying Paymentech complaint sought damages "arising out of the oral or written publication of material that violates a person's right of privacy." The duty thus turns on two questions: does the complaint allege a "publication," and does Paymentech seek damages "arising out of" the violation of privacy rights?
First, the court determined the word "publication," which was not defined in the policy, must be given the "broadest possible definition." After reviewing several dictionary definitions and the structure of the policy's coverage provisions, the court invoked the ambiguity-favors-the-insured rule and concluded the Paymentech complaint "plainly alleges that Landry's published its customers' credit-card information—that is, exposed it to view." The court also noted that whether Landry's actually caused the publication was irrelevant to the duty to defend.
Second, the court observed that the "operative text begins with the words 'arising out of,'" and held those words "connote breadth." Applying the broad scope of that phrase, the court concluded the policy "does not simply extend to violations of privacy rights; [but] to all injuries that arise out of such violations." And it is undisputed that cardholders have a "right of privacy" to the personal information that was exposed to view. Accordingly, the losses borne by Paymentech arose out of the violation of the cardholders' rights.
Finally, the court rejected ICSOP's argument that the "policy covers only tort damages" arising out of a privacy violation, not damages for breach of contract as alleged by Paymentech. That argument, the court held, was precluded by the Texas Supreme Court's 2007 holding in Lamar Homes, Inc. v. Mid-Continent Cas. Co., 242 S.W.3d 1 (Tex. 2007), that foundation defects were an "occurrence" where the policy made "no distinction between tort and contract damages."
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.