Whenever your business is impacted by a cyber-attack or a data breach – whether directly or indirectly – it is important to determine whether there is insurance to cover the resulting costs and potential liability. While Cyber-Risk/Data Breach policies are common, companies should be aware that there may also be coverage that exists outside of that specific type of policy. Recently, the United States Court of Appeals for the Fifth Circuit found that a breach of contract action arising out of a data breach was covered under “personal and advertising injury” coverage contained in a commercial general liability policy.
In this case, Landry’s, which operates numerous hotels, restaurants and casinos, entered into a contract with Paymentech for credit card processing services. Under the contract, Landry’s had to comply with programs designed to protect the credit card companies from loss associated with a data breach. Paymentech was also required to abide by those programs under its agreements with the credit card companies.
Paymentech and Landry’s discovered that, from May 2014 through December 2015, there was an unauthorized program installed on Landry’s credit card readers. The program captured consumers’ credit card data – including name, card number, expiration date, and verification codes. As a result, Paymentech was assessed significant fines under the credit card companies’ protection programs. Paymentech then sued Landry’s for breach of contract seeking to recoup those amounts.
Landry’s sought coverage under its commercial general liability policy, asserting that Paymentech’s claim fell within the “personal and advertising injury” coverage. That provision covered, among other things, “injury arising out of . . . oral or written publication in any manner, of material that violates a person’s right of privacy.” The insurer denied its duty to defend, and Landry’s filed suit against the insurer.
Ultimately, the Fifth Circuit held, under Texas law, that the claim was covered. The court first determined that the word “publication,” as required for the personal and advertising injury coverage, was intended to be broadly construed. Given that broad construction, the court found that Paymentech’s complaint alleged a “publication” because (a) it alleged that the data was exposed (i.e. published) to the hackers, and (b) it alleged the hackers published the data to make fraudulent purchases. The court then looked at whether Paymentech alleged that its injury was one “arising out of the violat[ion] [of] a person’s right to privacy.” The court noted that the policy language covered not only claims of violation of privacy rights, but also claims arising out of privacy violations. The court easily determined that theft of credit card information violated a person’s right of privacy and that Paymentech’s claims arose out of that theft. The insurer argued that the policy only covered tort claims and not contract claims such as those alleged by Paymentech. The court rejected that argument, however, stating that the policy made no such distinctions.
This case illustrates an important lesson for companies facing litigation and other costs related to data breaches – insurance coverage may exist under a policy or policies not dealing directly with cyber-security or data breaches. Therefore, it is important to review your entire insurance portfolio, and not just the coverage dedicated to cyber-risk. The specific language of each coverage, the exclusions, and the endorsements – not the title of the policy – will determine whether coverage exists. Having your policies reviewed by an experienced lawyer early on can help ensure that you are able to take advantage of all coverage to which you or your organization may be entitled.