As cybercrimes and data breaches continue to cause significant damage to companies of all types, policyholders are looking to their various insurance policies for coverage to help weather the storm and recoup losses. A recent decision by the U.S. Court of Appeals for the Fifth Circuit highlights the need for companies to review all of their policies for potential cyber-related coverage, including their CGL policies.
In Landry’s Inc. v. The Insurance Company of the State of PA, the Fifth Circuit reversed a trial court ruling in favor of the insurer, finding that the carrier had a duty to defend a claim arising out of a data breach under the CGL policy’s coverage for personal and advertising injury.
Following a hacker’s theft of large volumes of consumer credit card data, Landry’s, a restaurant and hospitality company, was sued by its payment card processing vendor for over $20 million. The payment vendor alleged that Landry’s was required to implement and maintain cybersecurity safeguards, which it had allegedly not followed, and that Landry’s was therefore required to indemnify the vendor for over $20 million in fines and losses related to the data breach.
Landry’s sought coverage under its CGL policy’s “personal and advertising injury” coverage, arguing that it was entitled to coverage for the underlying litigation because the payment vendor was seeking damages “arising out of … [the] [o]ral or written publication … of material that violates a person’s right of privacy.” The insurer denied coverage on multiple grounds, including that there was no “publication” of the sensitive payment card information after it was stolen.
The district court accepted the insurer’s argument that the underlying complaint did not allege a “publication,” finding that for privacy violations, “publication” required dissemination to the public at large. The court reasoned that because the underlying complaint made no such allegation, and instead alleged only that a “third party hacked into [the] credit card processing system and stole consumers’ credit card information,” the meaning of the term “publication” was not satisfied.
The U.S. Court of Appeals for the Fifth Circuit reversed the decision, holding that the underlying complaint did, in fact, allege a “publication.” The court found:
First, the phrase “publication, in any manner,” meant that “the Policy intended to use every definition of the word ‘publication’—even the very broadest ones.” Thus, the court concluded that “even merely ‘exposing or presenting [information] to view’” satisfied “the Policy’s capacious provision.”
Second, the policy’s coverage provisions mandated a broad reading of the phrase “oral or written publication, in any manner.” Noting that this language appeared in both the privacy and defamation sections of the policy, the court found that the phrase must be interpreted to mean “transmission of information to one other person.” This is the only way to satisfy the legal standard of “publication” for purposes of a defamation claim (because you can defame an individual by communicating with one other person), and the phrase must be applied in the same way to the policy’s privacy coverage.
Third, the “publication” of the credit card information arose out of the violation of a person’s right to privacy. The Fifth Circuit explained that it is:
undisputed that a person has a right of privacy in his or her credit card data. It is also undisputed that hackers’ theft of credit card data and use of that data to make fraudulent purchases constitute ‘violations’ of consumers’ privacy rights. And it is still further undisputed that the Paymentech [underlying] complaint alleges such theft and such fraudulent purchases. Thus, the plain text of the policy anticipates [the insurer’s] duty to defend in the underlying Paymentech litigation.
The Fifth Circuit’s opinion is another important example of a court interpreting the term “publication” in a standard-form CGL policy broadly, as well as a reminder that insurance coverage for cyber-related damages may exist outside of dedicated cyber insurance policies. Moreover, to the extent coverage hinges on undefined terms, Landry’s again highlights the need to resist insurers’ attempts to narrow policy language to avoid increased exposure.
Given the wide array of policy forms, endorsements and exclusions, there is no one-size-fits-all approach for assessing coverage for cybercrimes and data breaches. But this case is another reminder that policyholders should provide prompt notice to every potential insurer. Coverage may be available, even where it appears to be an uphill battle. Policyholders should keep their options open and work with experienced counsel to navigate coverage.