Fifth Circuit Requires Insurance Coverage for Cyberattack on Payment-Processing System

Cybercriminals continue to find payment card data enticing. And despite the increasingly stringent safeguards designed to prevent misappropriation, payment credentials are routinely compromised. We have recently written about cyber coverages more generally, but a recent federal appeals case gives hope to merchants that such data compromises may be insurable events under traditional policies.

Specifically, the Fifth Circuit determined that a commercial general liability policy (“CGL policy”) carrier – Insurance Company of the State of Pennsylvania (“ICSOP”) – had a duty to defend the merchant, Landry’s, Incorporated (“Landry’s”), for a data breach exposing customers’ credit card information. See Landry’s, Inc. v. Ins. Co. of the State of Pennsylvania, 4 F.4th 366, 367 (5th Cir. 2021).

By way of background, Landry’s managed several properties, which included restaurants, hotels, and casinos. A data breach resulted in the installation of unauthorized software at certain Landry’s properties, and that software searched for credit card data as the information was routed through the payment-processing system.

Upon discovery of the breach, Visa and Mastercard imposed liability assessments on Landry’s processor, Paymentech. Paymentech then sued Landry’s seeking indemnification for the liability assessments, which were triggered by Landry’s failure to adhere to data security standards mandated by the card brands. Landry’s submitted a claim for the Paymentech lawsuit to its CGL policy provider, ICSOP, which rejected the claim. Landry’s then sued ICSOP for coverage.

The relevant provision of the policy provided personal and advertising injury coverage, which covers damages “arising out of … [the] [o]ral or written publication … of material that violates a person’s right of privacy.” The question before the Fifth Circuit was only whether ICSOP had a duty to defend Landry’s in Paymentech’s suit against it, not whether ICSOP was obligated to indemnify Landry’s for any ultimate liability. In assessing whether a carrier has a duty to defend, courts may only look at the allegations asserted in the claim against the policyholder and then determine whether any of those allegations could implicate the policy provisions.

Examining the allegations Paymentech made against Landry’s, the Fifth Circuit determined that the data breach could have been a publication of material violating a person’s right of privacy. Interestingly, the court determined that the transmission of the credit card data while processing a card transaction constituted a “publication.” Next, the hackers’ theft of that data constituted a “violation” of consumers’ privacy rights. So, the Fifth Circuit reasoned, Paymentech’s allegations implicated coverage sufficient to trigger the duty to defend. Whether any ultimate liability would be covered under ICSOP’s duty to indemnify was left unresolved and would depend on the basis for that liability.