One thing that the COVID-19 pandemic has taught us is that you may not be covered, even if you think that you have insurance. Just look at the thousands of business owners who thought they were covered by business interruption insurance only to discover that their policies did not cover losses caused by COVID-19.
An insurance policy is a contract, and its interpretation is a matter of state law. A policy can mean one thing in one state and something entirely different in another state. In addition, the lack of a word or an ambiguous phrase can mean a judge will determine whether a business has insurance coverage, rather than the business owner. This is what happened in Landry’s Incorporated v The Insurance Company of the State of Pennsylvania, a case decided by the United States Court of Appeals for the Fifth Circuit on July 21, 2021.
The facts of the case were both straightforward and complicated. The plaintiff, Landry’s Incorporated (Landry’s), owned and operated hotels, casinos and restaurants. A branch of JP Morgan Chase Bank, Paymentech, LLC (Paymentech), processed VISA and MasterCard payments for transactions at Landry’s’ properties.
In December, 2015, Paymentech discovered a data breach at certain of Landry’s’ locations. It was determined that an unauthorized program had been installed on Landry’s’ credit card processing devices, and the personal data of millions of customers had been stolen. Some of this personal information was used to make purchases.
The reason this case was complicated is that it involved four separate contracts. Paymentech had contracts with both VISA and MasterCard, pursuant to which Paymentech agreed to participate in a program that protected customers of VISA and MasterCard from unauthorized purchases. VISA determined that Paymentech was on the hook for over $12m in losses. MasterCard set Paymentech’s liability at over $7m.
Paymentech also had a contract with Landry’s. This contract bound Landry’s to follow certain security rules in the processing of credit card payments and to indemnify Paymentech against any losses resulting from Landry’s’ failure to follow the rules. Paymentech claimed that the data breach at Landry’s’ locations was caused by Landry’s’ failure to follow the security procedures and demanded that Landry’s cover its obligations to VISA and MasterCard. Paymentech sued Landry’s in federal district court in Texas.
The fourth contract was an insurance policy issued by The Insurance Company of the State of Pennsylvania (ICSOP). The policy provided that ICSOP would pay any damages that Landry’s became obligated to pay as a result of “personal and advertising injury”. In addition, the policy provided that ICSOP would defend Landry’s against any suit alleging “personal and advertising injury”. In other words, the policy contained both a duty to indemnify Landry’s and a duty to defend Landry’s.
Landry’s looked to ICSOP for coverage of Paymentech’s suit. ICSOP denied coverage, claiming that “[n]one of the . . . ‘personal and advertising injury’ triggers are implicated by the allegations in the [Paymentech] Complaint.” Landry’s then filed this lawsuit against ICSOP. The District Court agreed with ICSOP.
If found that Paymentech’s complaint against Landry’s did not allege a “publication”, which is a precondition for a claim under “personal and advertising injury” coverage, because a “third party hacked into the credit card processing system and stole customers’ credit card information”.
In addition, the District Court held that the complaint did not allege a violation of privacy because the lawsuit sought recovery for losses incurred by Paymentech, not the cardholders’ privacy claims.
Landry’s appealed to the U.S. Court of Appeals for the Fifth Circuit, which, fortunately for Landry’s, reversed the decision of the District Court.
The Appeals Court applied what it called Texas’ “eight corners doctrine”. That doctrine required the Court to compare the four corners of the insurance policy with the four corners of the complaint to determine whether the policy provided coverage. In other words, if the wording of the complaint matched the wording of the policy, ICSOP would be obligated to defend Landry’s in Paymentech’s lawsuit.
The Court started by looking at the policy, which provided the following:
“Personal and advertising injury” means injury . . . arising out of one or more of the following offenses:
. . .
(d) Oral or written publication, in any manner, of material that slanders or libels a person or organization . . . ;
(e) Oral or written publication, in any manner, of material that violates a person’s right of privacy . . .
The Court then concluded that “ICSOP has a duty to defend Landry’s if the Paymentech complaint seeks damages “arising out of . . . [the] [o]ral or written publication . . . of material that violates a person’s right of privacy”.
The problem was that the policy did not define the term “oral or written publication”, even though that was the threshold requirement for coverage under the policy. So, the Court applied ordinary principles of contract interpretation to determine the meaning of “oral or written publication”.
The Court held that the parties intended the term to have its “plain and ordinary meaning”. It also assumed that the parties intended the term to have the broadest meaning possible. It made that determination based on the phrase “in any manner”. The policy did not limit the form of publication, but extended coverage to publication “in any manner”.
In addition, because section (d) and section (e) used the same language, section (e) had to be as broad in scope as section (d), which refers to the tort of defamation. Defamation “merely requires transmission of information to one other person”. Finally, the Court said that any ambiguity in an insurance policy is construed against the insurance company.
The Court looked to the dictionary definition of “publication” and found that the dictionary definition is quite broad. It includes exposing to public view; making known to the public or making accessible for public use. The Court then had little difficulty in finding that Paymentech’s complaint alleged a publication of the cardholders’ personal information for two reasons.
First, the complaint alleged that Landry’s had published the cardholders’ credit card data by exposing it to the hackers.
Second, the complaint alleged that the hackers had then published the information by using it to make unauthorized purchases. “Both disclosures “expos[ed] or present[ed] [the credit-card information] to view.”
Once the Court determined that a “publication” had occurred, it then had to determine whether the publication “violate[d] a person’s right of privacy”. Again, the Court said that the term “person’s right of privacy” was not defined in the policy. However, it found little difficulty in holding that the Paymentech complaint alleged a violation of the right of privacy.
First, the Court looked to the policy language “injury . . . arising out of”. It said that the phrase has very broad meaning. It covers not simply violations of privacy rights but any injury related to a violation of privacy rights.
Next, the Court said that a person clearly has a right of privacy in his or her personal information.
Finally, the Court said that it does not matter that the plaintiff seeking redress of a violation of privacy rights was Paymentech under the terms of its contract with Landry’s, rather than the cardholders, whose information was hacked and used to make unauthorized purchases.
The Court reversed the decision of the trial court and found that ICSOP had a duty to defend Landry’s in Paymentech’s lawsuit.
It is important to distinguish between a duty to defend and a duty to indemnify. The Court found that the allegations of the complaint matched the wording of the policy. As a result, it found that ICSOP had a duty to provide a defense to Landry’s. However, this does not mean that ICSOP will have a duty to indemnify Landry’s against any judgment entered against Landry’s in Paymentech’s lawsuit. The duty to defend is much broader than the duty to indemnify.
As long as Paymentech’s complaint alleged a publication of private information, ICSOP has a duty to defend. If the evidence at trial shows that the publication was caused by conduct of Landry’s that is excluded from coverage under the policy, then ICSOP will have no duty to indemnify. So, while the Court gave a victory to Landry’s, it may prove to be fleeting.
Landry’s was fortunate that the Appeals Court interpreted the policy in such a way as to find coverage. However, as stated above, Landry’s victory may be short-lived. The Court found that ICSOP had a duty to defend Paymentech’s lawsuit. It did not find that ICSOP has a duty to pay any damages that may be awarded against Landry’s. Landy’s may still find itself on the hook for almost $20m in damages with no insurance coverage.
A professional broker, like RMC Group, is expert at reading policy language. A professional broker can find and resolve any ambiguities in policy language. In addition, a professional broker can negotiate with an insurance company to make sure that a business has all of the protection that it needs. A business can go it alone and find itself at the mercy of the court, like Landry’s. Or it can seek the help of a professional broker and be confident that it has the coverage that it needs.