(Article from Insurance Law Alert, June 2021)
For more information, please visit the Insurance Law Alert Resource Center.
The Fifth Circuit will rule on whether a credit card data breach constitutes a “publication” that would trigger an insurer’s duty to defend a $20 million lawsuit filed by a bank and credit card processing company. Landry’s Inc. v. Ins. Co. of the State of Pa., No. 19-20430 (5th Cir. Oral Arg. June 10, 2021).
The policyholder sought coverage for assessments imposed in connection with a data breach that compromised the personal data of millions of credit card holders. The insurer denied coverage, arguing that “personal and advertising injury” coverage was unavailable because there was no “publication” of material that violates a person’s right of privacy, as required by the policy.
A Texas federal district court agreed and dismissed the suit against the insurer. Landry’s, Inc. v. Ins. Co. of the State of Pa., 2019 WL 3080917 (S.D. Tex. May 23, 2019). The court reasoned that the accessing of data by a hacker, without more, does not constitute a “publication.” In addition, the court explained that the damages sought were not “privacy” damages because the suit against the policyholder was brought by a bank and processing company based on the policyholder’s alleged failure to follow industry cybersecurity standards, rather than consumers whose personal data was improperly obtained.
This month, the Fifth Circuit heard oral argument relating to whether the hackers’ act of accessing the private consumer data was a “publication.” We will keep you posted on developments in this matter.