From May 2014 to December 2015, an unauthorized program installed on the payment processing devices at fourteen Landry’s restaurant locations was used to steal data from the magnetic stripes of the payment cards of millions of customers making point-of-sale purchases.  Landry’s credit card processing company, Paymentech, LLC (a branch of JPMorgan Chase Bank), became liable under its membership agreements with MasterCard and Visa to pay for data-breach-related losses of $20,062,206.68.  Paymentech then sued Landry’s for breach of its Select Merchant Payment Card Processing Agreement, claiming that Landry’s failed to follow the security guidelines imposed within the Payment Brand Rules, which were part of that Agreement, resulting in an obligation to indemnify Paymentech for its $20M in losses.

Landry’s, in turn, filed a claim under its commercial general liability insurance policy, issued by The Insurance Company of the State of Pennsylvania (ICSOP).  ICSOP denied that it had a duty to defend Landry’s in the Paymentech lawsuit because “[n]one of the . . . ‘personal and advertising injury’ triggers are implicated in the allegations in the [Paymentech] Complaint.”

The applicable text of the ICSOP policy’s definition of “Personal and advertising injury” was directly from the standard form ISO CGL policy: “Oral or written publication, in any manner, of material that violates a person’s right of privacy” (emphasis added). 

Landry’s filed a lawsuit against ICSOP claiming that ICSOP breached the insurance policy and seeking a declaratory judgment that ICSOP had a duty to defend Landry’s in the Paymentech lawsuit.  The U.S. District Court for the Southern District of Texas sided with ICSOP, finding that the Paymentech lawsuit alleged neither a publication nor a violation of a person’s right of privacy.  On Wednesday, the U.S. Court of Appeals for the Fifth Circuit disagreed.  (Case No. 19-20430, 07/21/2021).

The Fifth Circuit reviewed various dictionary definitions and uses of the word “publication.”  Because the policy covered “publication, in any manner,” the Policy “intended to use every definition of the word ‘publication’ – even the very broadest ones.”  If the Paymentech lawsuit alleged any of these definitions of “publication,” “then the Policy’s capacious provision is satisfied” and ICSOP would have a duty to defend Landry’s in the Paymentech lawsuit.  The Court then noted that Webster’s defined “publish” as to make known . . . as by exposing or presenting to view.  The Paymentech complaint alleged that Landry’s exposed its customers’ credit card information to view (of hackers), and thus the duty to defend under the CGL policy was triggered.  As to whether a violation of a person’s right of privacy was involved, “it’s undisputed that a person has a ‘right of privacy’ in his or her credit-card data.”

My Take – Data breach / cyber security claims are on the rise and, as the Landry’s case illustrates, the potential liabilities are significant.  Companies that do not maintain specialty cyber risk insurance coverage are forced to try to find “silent cyber-coverage” ambiguities under their traditional insurance policies.  Another recent case in point -- in May, the Illinois Supreme Court found that coverage under the personal or advertising injuries portion of a standard form CGL policy extended to claims under Illinois’ Biometric Information Privacy Act. 

Each of these decisions presents the insurance industry with unanticipated risk accumulation, and the industry is expected to modify its standard policy language accordingly, to limit coverage of these risks to specialty cyber-risk insurance policies.  Thus, a year from now, do not expect these “silent cyber coverage” policy ambiguities to still be there if you need them.

If your business handles consumer credit card data in point-of-sale transactions, you must take the time to understand and comply with your responsibilities under your card processing agreement(s), and you should discuss the scope of your insurance coverage with your agent to ensure that you are adequately covered in the event of a data breach.  You may find cyber insurance is in your future.

May you find joy in what you do and who you are with.