Fifth Circuit Finds Defense Duty For Credit Card Data Breach

Reversing a federal district court, the Fifth Circuit Court of Appeals recently applied the Texas eight-corners rule to hold that an insurer had a duty to defend a restaurant chain against claims the chain breached its contract with a credit card processor by not preventing hackers from gaining access to its customers’ private information.

In Landry’s Inc. v. Insurance Co. of the State of Penn., No. 19-20430 (July 21, 2021), a commercial general liability policy issued by the Insurance Company of the State of Pennsylvania (ICSOP) insured Landry’s, Inc., against liability for "personal and advertising injury" and agreed to defend Landry’s against such claims.

A data breach at 14 of Landry’s restaurants over an 18-month period gave hackers access to the personal credit card information of millions of customers.

As a result of the breach, Paymentech, which processed Visa and Mastercard charges, was assessed penalties of over $20 million under its contracts with those companies.

To recover these sums, Paymentech sued Landry’s for breach of its Select Merchant Agreement, alleging the data-breach losses were caused by the chain’s violation of "Payment Brand Rules" incorporated into the contract.