The Fifth Circuit reversed the district court's grant of summary judgment, which held that the insurer had no duty to defend a data breach suit filed against the insured. Landry's, Inc. v. Ins. Co. of the State of Pennsylvania, 2021 U.S. App. LEXIS 21688 (5th Cir. July 21, 2021).
Landry's operated retail properties like restaurants, hotels, and casinos. Paymentech processed Visa and MasterCard payments to those properties. When Paymentech discovered credit-card problems at some of the properties, it investigated and found that a data breach had occurred across 14 Landry's locations. The data breach involved the unauthorised installation of a program on Landry's payment-processing devices. The program was designed to search for data from credit cards' magnetic strips, including the cardholder's name and other information. Over a year and a half, the program retrieved personal information from millions of customers' credit cards.
Paymentech filed suit against Landry's for breaching the agreement between them. Paymentech alleged that Landry's violated the Payment Brand Rules, which led to the data breach. Paymentech alleged Landry's was liable under the agreement to pay $20,062,206 assessed against Paymentech by Visa and MasterCard.
Landry's submitted the claim to Insurance Company of the State of Pennsylvania (ICSOP). The policy stated that ICSOP would "pay those sums that [Landry's] becomes legally obligated to pay as damages because of personal and advertising injury" and "will have the right and duty to defend [Landry's] against any suit seeking those damages." ICSOP denied the claim and Landry's sued. Cross-motions for summary judgment were filed and the district court ruled in favor of ICSOP.
The policy provided that ICSOP had a duty to defend Landry's if the Paymentech complaint sought damages "arising out of . . . the oral or written publication . . . of material that violates a person's right of privacy." The policy did not define "oral or written publication."
The dictionary definition of "publication" included "the act of declaring or announcing to the public." The Paymentech complaint alleged that Landry's published its customers' credit-card information, or exposed it to view. The complaint alleged that Landry's published customers' credit-card data to hackers. Further, it alleged that the hackers published the credit-card data by using it to make fraudulent purchases. This met the requirement of publication. Next, the Fifth Circuit noted that the hackers' theft of credit-card data and use of that data to make fraudulent purchases constituted violations of consumers' privacy rights. Therefore, under the eight-corners rule, ICSOP had a duty to defend the underlying lawsuit.
from Insurance Law Hawaii https://ift.tt/2WlGdSG