Fifth Circuit Requires Insurance Coverage for Cyberattack on Payment-Processing System

Arnall Golden Gregory LLP

Cybercriminals continue to find payment card data enticing. And despite the increasingly stringent safeguards designed to prevent misappropriation, payment credentials are routinely compromised. We have recently written about cyber coverages more generally, but a recent federal appeals case gives hope to merchants that such data compromises may be insurable events under traditional policies.

Specifically, the Fifth Circuit determined that a commercial general liability policy (“CGL policy”) carrier – Insurance Company of the State of Pennsylvania (“ICSOP”) – had a duty to defend the merchant, Landry’s, Incorporated (“Landry’s”), for a data breach exposing customers’ credit card information. See Landry’s, Inc. v. Ins. Co. of the State of Pennsylvania, 4 F.4th 366, 367 (5th Cir. 2021).

The backdrop is Landry’s managed several properties, which included restaurants, hotels, and casinos. A data breach resulted in the installation of unauthorized software at certain Landry’s properties and that software searched for credit card data as the information was routed through the payment-processing system.

Upon discovery of the breach, Visa and Mastercard imposed liability assessments on Landry’s processor, Paymentech. Paymentech then sued Landry’s seeking indemnification for the liability assessments, which were triggered by Landry’s failure to adhere to data security standards mandated by the card brands. Landry’s submitted a claim for the Paymentech lawsuit to its CGL policy provider, ICSOP, which rejected the claim. Landry’s then sued ICSOP for coverage.

The relevant provision of the policy provided personal and advertising injury coverage, which covers damages “arising out of … [the] [o]ral or written publication … of material that violates a person’s right of privacy.” The question before the Fifth Circuit was only whether ICSOP had a duty to defend Landry’s in Paymentech’s suit against it, not whether ICSOP was obligated to indemnify Landry’s for any ultimate liability. In assessing whether a carrier has a duty to defend, courts may only look at the allegations asserted in the claim against the policyholder and then determine whether any of those allegations could implicate the policy provisions.

Examining the allegations Paymentech made against Landry’s, the Fifth Circuit determined that the data breach could have been a publication of material violating a person’s right of privacy. Interestingly, the court determined that the transmission of the credit card data while processing a card transaction constituted a “publication.” Next, the hackers’ theft of that data constituted a “violation” of consumers’ privacy rights. So, the Fifth Circuit reasoned, Paymentech’s allegations implicated coverage sufficient to trigger the duty to defend. Whether any ultimate liability would be covered under ICSOP’s duty to indemnify was left unresolved and would depend on the basis for that liability.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arnall Golden Gregory LLP | Attorney Advertising

Written by:

Arnall Golden Gregory LLP

Arnall Golden Gregory LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.