The U.S. Fifth Circuit Court of Appeals addressed whether an insurer has a duty to defend its insured in a data-breach lawsuit under personal and advertising injury coverage when the underlying claims involved a contractual relationship with a third party and not the individual consumers. Landry's, Inc. v. The Ins. Co. of the State of Pennsylvania, 4 F.4th 366 (5th Cir. 2021).

A company operating retail restaurant and other properties contracted with a company that processes credit transactions. An unauthorized program was installed on the payment-processing devices that intercepted customer's names, card numbers, expiration dates, and internal verification codes The payment processor was bound by contract with credit card companies to pay for data-breach-related losses, but the retailer was required to indemnify the payment processor, and the payment processor sought reimbursement for losses that occurred due to the data breach. The retailer sought coverage from its insurer, which denied coverage on the lack of personal or advertising injury. In subsequent coverage litigation, the trial court granted summary judgment in favor of the insurer because the complaint against the retailer did not allege a personal or advertising injury but rather contractual claims.

The Firth Circuit reversed, finding that the complaint against the retailer sought damages “arising out of ...[the] [o]ral or written publication ... of material that violates a person's right of privacy.” It noted that the publication could be “in any manner” and would include every definition of the word, and that “merely ‘exposing or presenting [information] to view” would be sufficient to be considered a “publication” under the policy. It further found that the allegations that the retailer published credit-card data to hackers when the data was routed through the affected systems and that the hackers published the data by making fraudulent purchases were sufficient under the policy's publication requirement. Second, the court noted that the policy's requirement that the injury arise out of a violation of a person's right of privacy would include “all injuries” resulting from the privacy violation. The court concluded that it was without question that a person had right of privacy to his or her credit-card information, and the fraudulent use of that data would be a violation of that right. The court noted that the policy did not restrict coverage based on either tort or contract and explained that the analysis of coverage is based on the facts alleged in the complaint not the actual legal theories.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.