(Article from Insurance Law Alert, July/August 2021)
For more information, please visit the Insurance Law Alert Resource Center.
Reversing a Texas district court decision, the Fifth Circuit ruled that a credit card data breach constitutes a “publication” that triggers an insurer’s duty to defend. Landry’s Inc. v. Ins. Co. of the State of Pa., 2021 WL 3075937 (5th Cir. July 21, 2021).
The policyholder sought coverage for assessments imposed in connection with a data breach that compromised the personal data of millions of credit card holders. The insurer argued that “personal and advertising injury” coverage was unavailable because there was no “publication” of material that violated a person’s right of privacy, as required by the policy. A Texas federal district court agreed and dismissed the suit. The district court reasoned that the hacker’s accessing of data, without more, did not constitute a “publication” and that the damages sought were not “privacy” damages because the suit was brought by a bank and processing company based on the policyholder’s alleged failure to follow industry cybersecurity standards, rather than consumers whose personal data was improperly obtained.
The Fifth Circuit reversed, holding that under Texas’s “eight-corners rule” for determining an insurer’s duty to defend, the underlying complaint alleged claims potentially within the policy’s coverage. The court reasoned that the policy’s use of “publication in any manner” provided “the broadest possible definition” of publication. Applying that interpretation, the court concluded that the underlying complaint sufficiently alleged publication. First, the complaint alleged that the policyholder exposed customers’ credit card data to hackers as it was routed through the company’s computer system. Second, the complaint alleged that hackers used that credit card data to make fraudulent purchases. The court held that “[b]oth disclosures expos[ed] or present[ed]” personal information, and that “either one standing alone would constitute the sort of ‘publication’ required by the Policy.”
Additionally, the Fifth Circuit ruled that the underlying claims alleged injury arising out of a violation of privacy. The court explained that “arising out of” extends the scope of coverage beyond violations of privacy per se to “all injuries that arise out of such violations.” (Emphasis in original).