Fifth Circuit holds GL Carrier must defend data breach litigation
On July 21, 2021, in Landry’s Inc. v. The Insurance Company of the State of PA, the Fifth Circuit ruled that a carrier had a duty to defend its insured under Coverage B (personal and advertising injury) of a CGL policy for a claim arising out of a data breach. The Fifth Circuit’s treatment of the meaning of “publication” was remarkable (a word we do not choose lightly). As a result, this case may have a significant impact on Coverage B, but not for the reasons many might suspect.
In Landry’s, the insured retailer was sued by a payment card processing vendor for costs related to a breach of credit card data (PCI data) from the insured’s point-of-sale (POS) system. The intrusion was not discovered for 18 months, resulting in the theft of large volumes of PCI data, some of which resulted in unauthorized charges to consumers’ credit cards. Under its membership agreements with Visa and MasterCard, the processing vendor was assessed over $20 million in fines and losses related to the data breach. Pursuant to the vendor’s own contract with the insured, which required the insured to implement and maintain cybersecurity safeguards data that allegedly had not been followed, the insured was required to indemnify the processing vendor for the $20 million amount. When the insured refused, the vendor filed suit against it.
The insured sought “personal and advertising injury” coverage under Coverage B of its CGL policy. The policy defined “personal and advertising injury” in part as an “injury ... arising out of one or more of the following offenses”:
(d) Oral or written publication, in any manner, of material that slanders or libels a person or organization ...;
(e) Oral or written publication, in any manner, of material that violates a person’s right of privacy;
The insured sought coverage under the privacy violation offense. The insurer disagreed that a duty to defend existed, and in the subsequent coverage litigation, the federal district court granted summary judgment for the insurer. The district court ruled that the underlying complaint did not allege a “publication,” reasoning that for privacy violations, publication meant dissemination to the public at large. Because the underlying complaint made no such allegation, and instead alleged only that a “third party hacked into [the] credit card processing system and stole consumers’ credit card information,” the meaning of the term publication was not satisfied. The court also ruled that the lawsuit did not allege a violation of a person’s right of privacy because the lawsuit sought recovery for breach of contract only, and did not allege a privacy claim. The insured appealed, and the United States Court of Appeals of the Fifth Circuit reversed.
Publication. The Fifth Circuit held that the underlying complaint alleged a publication on three separate grounds. First, it concluded that the phrase “publication, in any manner,” meant that “the Policy intended to use every definition of the word ‘publication’ – even the very broadest ones.” Thus, without detailed analysis, the court concluded that “even merely ‘exposing or presenting [information] to view’’” satisfied “the Policy’s capacious provision.”
Second, the court concluded that because “oral or written publication, in any manner” appeared in both the offenses for defamation and privacy, the term must mean the same. Citing an interpretative rule referenced in Antonin Scalia’s and Bryan Garner’s book, Reading Law, the court concluded that because the phrase “oral or written publication, in any manner” appeared twice in the policy, it had to have the same meaning. As a result, the phrase had to mean dissemination of information to a single person in order to satisfy the legal standard of publication for the tort of defamation. The court explained:
[T]he structure of the Policy’s coverage provision confirms our reading of the text. The “publication” requirement—an “oral or written publication, in any manner”—is identical for both subsections (d) and (e). So, based on the presumption of consistent usage, we assume the parties intended the word “publication” to have the same meaning in both subsections. See ANTONIN SCALIA & BRYAN GARNER, READING LAW 170 (2012) (“A word or phrase is presumed to bear the same meaning throughout a text; a material variation in terms suggests a variation in meaning.”). That means the “publication” requirement in both subsections must be at least as broad as the tort of defamation (captured in subsection (d)), which merely requires transmission of information to one other person.
Third, the court suggested that the juxtaposition of the defamation and privacy violation offenses in the definition for “personal and advertising injury” also created an ambiguity that required interpretation of the policy in the insured’s favor.
Contract Claims. The Fifth Circuit also rejected the carrier’s argument that the claim was not covered because it arose from the insured’s alleged breach of contract, and not a violation of privacy rights. Focusing on the phrase “arising out of,” the court held that the policy “does not simply extend to violation of privacy rights; the Policy instead extends to all injuries that arise out of such violations [emphasis in original].” The court reasoned:
Here, everyone agrees that the facts alleged in the Paymentech complaint constitute an injury arising from the violation of customers’ privacy rights, as those terms are commonly understood. It does not matter that Paymentech’s legal theories sound in contract rather than tort. Nor does it matter that Paymentech (rather than individual customers) sued Landry’s. Paymentech’s alleged injuries arise from the violations of customers’ rights to keep their credit-card data private.
The court would not, in some sharp words, give credence to the carrier’s “salami-slicing distinctions.”
What This Case Means. From a coverage standpoint for underlying data breach claims, this decision should not have an impact. The data breach dated back to 2014 and the policy was an older form that did not have the “Access or Disclosure of PI” exclusion most CGL policies now have today. Yet, this case could have a significant impact in other areas, especially given its treatment of the term “publication” in the privacy violation offense.
The court concluded without any in-depth analysis that the phrase “publication, in any manner,” permitted “even the very broadest” interpretation of the term “publication.” Yet, this argument has been rejected by multiple other courts that have examined the issue, including the Third and Eleventh Circuits. OneBeacon Am. Ins. Co. v. Urban Outfitters, Inc., 625 Fed App’x 177 (3d Cir. 2015) (holding phrase “in any manner” does not expand meaning of publication); Creative Hospitality Ventures, Inc. v. United States Liab. Ins. Co., 444 Fed. App’x 370 (11th Cir. 2011) (holding “in any manner” means format of publication, not scope of term’s meaning); see also Yahoo v. Nat’l Union Fire Ins. Co., 2017 US. Dist. LEXIS 85200 (N.D. Cal. June 2, 2017). In addition, the Landry’s opinion itself cites at least 7 different dictionary definitions that support the “plain and ordinary” meaning of the term “publication” to require a public pronouncement or release – not merely a dissemination to a single third person.
The court’s citation to the Scalia/Garner work is just as troubling because the phrase “publication, in any manner” is not used in isolation, but in fact is used differently to connote different meanings. Using the interpretive tool espoused by Scalia/Garner, the court wholly ignores that in each instance, the phrase is modified by the tort offense to it is attached to. In essence, the court reads the first half of the offense, but ignores the second half, thereby violating more germane canons of instruction such as not reading provisions in isolation, and ejusdem generis – words “of the same kind” – in order to narrow the meaning of a term or phrase. Ironically, we doubt very much that Garner would approve the court’s approach. The 7-plus dictionary definitions cited for the term “publication” further belie the court’s approach. The court’s third ground – ambiguity – suffers from the same defect as its second. Any purported ambiguity is a court-created one.
Finally, let’s not forget the obvious. The insured did not publish, share, or disseminate anything. To the extent there was any publication – and we do not see one alleged in the complaint - a third-party criminal organization arguably “published” the material, not the insured. Policies do not insure against the bad actions of others; they insure against the insured’s own actions. Courts require the insured to have committed the publication in order to implicate a Coverage B duty to defend. E.g., Penn-Amer. Ins. Co. v. Tomei, 2016 Pa. Super. Unpub. LEXIS 1859 (Pa. Super. Ct. May 24, 2016); Zurich Am. Ins. Corp. v. Sony, No. 651982/20911 (N.Y. Supr. Ct. Feb. 21, 2014); Butts v. Royal Vendors, Inc., 504 S.E.2d 911 (W. Va. 1998). The contractual exclusion also should preclude coverage here. E.g., P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., 2016 U.S. Dist. LEXIS 79749 (D. Ariz. May 31, 2016).
Nevertheless, the broad meaning given to the term “publication” may be becoming somewhat of a trend. This is the third recent case in which a court has broadly defined “publication” to require insurers to provide a defense in privacy-related cases. See also Brighton Collectibles, LLC v. Certain Underwriters at Lloyd’s London, 798 F. App’x 144 (9th Cir. 2020) (involving the alleged sale of customers’ personal information in violation of California’s Song-Beverly Credit Card Act) and West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, (May 20, 2021) (sharing biometric information with a single vendor in alleged violation of the Illinois Biometric Privacy Act). The Landry’s decision is an outlier even in relation to those cases because the insured in Landry’s in no way shared information with a third party.