LAW.coLAW.co

LANDRY INCORPORATED LP v. INSURANCE COMPANY OF THE STATE OF PENNSYLVANIA (2021)

United States Court of Appeals, Fifth Circuit.2021-07-21No. No. 19-20430

Authorities cited

No cited authorities resolved to law.co cases yet.

Opinion

The question presented is whether the Insurance Company of the State of Pennsylvania (“ICSOP”) has a duty to defend its insured, Landrys, in data-breach litigation. At summary judgment, the district court said no. We disagree and reverse.

I.

Landrys is a Houston-based company that operates retail properties like restaurants, hotels, and casinos. Paymentech, LLC—a branch of JPMorgan Chase Bank—processes Visa and MasterCard payments to those properties. A typical payment process follows the same steps: (1) The customer presents his card to a Landrys property; (2) a point-of-sale system at Landrys sends the credit-card information to Paymentech; (3) Paymentech obtains an authorization from Visa or MasterCard and from the bank that issued the customers credit card; and (4) the funds are collected and sent to JPMorgan Chase.

On December 2, 2015, Paymentech

1

discovered credit-card problems at some Landrys properties. Paymentech began an investigation, which uncovered a data breach that occurred across 14 Landrys locations between May 2014 and December 2015. Landrys then initiated its own investigation, and it discovered that the data breach involved the unauthorized installation of a program on its payment-processing devices. The program was designed to search for data from credit cards’ magnetic strips—including the cardholders name, card number, expiration date, and internal verification code—as the information was being routed through the payment-processing systems. Over approximately a year and a half, the program retrieved personal information from millions of customers’ credit cards. And at least some of that credit-card information was used to make unauthorized charges.

As relevant here, the fallout from the data breach implicated four contracts. The first two bound Paymentech to Visa and MasterCard. In its membership agreement with Visa, Paymentech agreed to participate in the Global Compromised Account Recovery (“GCAR”) Program. And in its membership agreement with MasterCard, Paymentech agreed to participate in the Account Data Compromise (“ADC”) Program. These programs protect Visa and MasterCard customers by requiring Paymentech to pay for data-breach-related losses. Under the GCAR Program, Visa determined that the total amount of Paymentechs liability for the data breach was $12,678,367.13. And under the ADC Program, MasterCard determined that the total amount of Paymentechs liability was $7,383,839.75.

The third contract bound Paymentech to Landrys. In 2008, Paymentech and Landrys signed the Select Merchant Payment Card Processing Agreement (the “Paymentech Agreement”). Under the Paymentech Agreement, Landrys was obligated to follow all Payment Brand Rules (including the GCAR Program and ADC Program requirements), comply with certain security guidelines, and indemnify Paymentech for any assessments, fines, or penalties stemming from any failure by Landrys to comply with the Payment Brand Rules. So, according to Paymentech, Landrys was on the hook for the losses assessed by Visa and MasterCard. Landrys refused to pay.

In May 2018, Paymentech filed suit against Landrys for breaching the Paymentech Agreement. Paymentech, LLC & JPMorgan Chase Bank v. Landrys, Inc., 4:18-cv-01622 (S.D. Tex.) [hereinafter the “Underlying Paymentech Litigation”]. Paymentech alleged that Landrys violated the Payment Brand Rules, which led to the data breach, which led to Visas and MasterCards respective GCAR and ADC assessments. Therefore, Paymentech alleged, Landrys was obligated under the Agreement to pay the $20,062,206.88 collectively assessed by Visa and MasterCard.

Thats when Landrys turned to the fourth contract at issue here: its insurance agreement with ICSOP (the “Policy”). The Policy states that ICSOP “will pay those sums that [Landrys] becomes legally obligated to pay as damages because of ‘personal and advertising injury’ ” and “will have the right and duty to defend [Landrys] against any ‘suit’ seeking those damages.” It defines “[p]ersonal and advertising injury” as “injury ․ arising out of” several offenses, including “[o]ral or written publication, in any manner, of material that violates a persons right of privacy.” ICSOP denied its duty to defend Landrys, stating that the Underlying Paymentech Litigation “does not qualify for coverage” because “[n]one of the ․ ‘personal and advertising injury’ triggers are implicated by the allegations in the [Paymentech] Complaint.”

While funding its own defense against Paymentech, Landrys filed a separate suit against ICSOP in Texas state court. As relevant here, Landrys claimed that ICSOP breached the Policy. Landrys also sought a declaratory judgment regarding ICSOPs duty to defend Landrys in the Underlying Paymentech Litigation. ICSOP removed the case to federal court. The parties filed cross-motions for summary judgment.

2

The district court denied the motion by Landrys, granted the motion by ICSOP, and dismissed all the claims. In doing so, the district court held that the Paymentech complaint did not allege a “publication” because it asserted only that “[a] third party hacked into [the] credit card processing system and stole customers’ credit card information.” And the district court held that the complaint also did not allege a “violat[ion] [of] a persons right of privacy” because Paymentech involves the payment processors contract claims, not the cardholders’ privacy claims. Landrys timely appealed. Our review is de novo. See Playa Vista Conroe v. Ins. Co. of the W., 989 F.3d 411, 414 (5th Cir. 2021).

II.

The question presented is whether ICSOP has a duty to defend Landrys in the Underlying Paymentech Litigation. To answer that question, we apply Texass “eight-corners rule”—comparing the four corners of the Policy to the four corners of the Paymentech complaint. Gonzalez v. Mid-Continent Cas. Co., 969 F.3d 554, 557 (5th Cir. 2020).

Under the Policy, ICSOP has a duty to defend Landrys if the Paymentech complaint seeks damages “arising out of ․ [the] [o]ral or written publication ․ of material that violates a persons right of privacy.” We first determine whether the Paymentech complaint involves a “publication.” Then we determine whether Paymentech seeks damages “arising out of” the “violat[ion] [of] a persons right of privacy.”

A.

We start with the Policys text regarding “an oral or written publication.” The Policy states:

“Personal and advertising injury” means injury ․ arising out of one or more of the following offenses:

(d) Oral or written publication, in any manner, of material that slanders or libels a person or organization ․;

(e) Oral or written publication, in any manner, of material that violates a persons right of privacy;

The Policy does not define “[o]ral or written publication,” so we presume the parties intended those words to bear their plain and ordinary meaning. See DeWitt Cnty. Elec. Co-op., Inc. v. Parks, 1 S.W.3d 96, 101 (Tex. 1999).

The contractual text and structure suggest the parties intended the broadest possible definition of “[o]ral or written publication.” Thats for three reasons. First, coverage is triggered by a “publication, in any manner.” It follows that the Policy intended to use every definition of the word “publication”—even the very broadest ones. And some of the dictionary definitions of “publication” are quite broad. For example, Websters Second defines “publication” as (1) the “[a]ct of publishing, or state of being published; public notification, whether oral, written, or printed; proclamation; promulgation” and (2) the “[a]ct of making public or public property; specif., a giving over to public use, as by confiscation or dedication.” Publication, Websters New International Dictionary 2005 (2d ed. 1934; 1950) [hereinafter Websters Second]. And it defines “publish” as “[t]o make known (a person, situation, discovery, etc.) as by exposing or presenting it to view, or by openly declaring its character or status.” Publish, Websters Second, at 2005 (emphasis added). The Oxford English Dictionary defines “publication” as “that which is published.” Publication, The Oxford English Dictionary 782 (2d ed. 1989). And it defines “publish” as (1) “[t]o make publicly or generally known; to declare or report openly or publicly; to announce; to tell or noise abroad; also, to propagate, disseminate,” (2) “[t]o bring under public observation or notice; to give public notice of,” (3) “[t]o expose to public view,” and (4) “[t]o make generally accessible or available for acceptance or use.” Publish, The Oxford English Dictionary, at 785. Finally, Blacks Law Dictionary simply defines “publication” as “the act of declaring or announcing to the public.” Publication, Blacks Law Dictionary 1423 (10th ed. 2014). Thus, if the Underlying Paymentech Litigation concerns any of these “publications”—even merely “exposing or presenting [information] to view”—then the Policys capacious provision is satisfied.

Second, the structure of the Policys coverage provision confirms our reading of the text. The “publication” requirement—an “oral or written publication, in any manner”—is identical for both subsections (d) and (e). So, based on the presumption of consistent usage, we assume the parties intended the word “publication” to have the same meaning in both subsections. See Antonin Scalia & Bryan Garner, Reading Law 170 (2012) (“A word or phrase is presumed to bear the same meaning throughout a text; a material variation in terms suggests a variation in meaning.”). That means the “publication” requirement in both subsections must be at least as broad as the tort of defamation (captured in subsection (d)), which merely requires transmission of information to one other person. See, e.g., Exxon Mobil Corp. v. Rincones, 520 S.W.3d 572, 579 (Tex. 2017) (listing “the publication of a false statement of fact to a third party” as an element of a defamation claim, and stating that defamatory “[p]ublication occurs if the defamatory statements are communicated orally, in writing, or in print to some third person who is capable of understanding their defamatory import and in such a way that the third person did so understand” (quotation omitted)).

Third and finally, if theres any ambiguity in the Policy, it must be resolved in favor of Landrys. See St. Paul Fire & Marine Ins. Co. v. Green Tree Fin. Corp.-Tex., 249 F.3d 389, 392 (5th Cir. 2001). “If any allegation in the complaint is even potentially covered by the policy then the insurer has a duty to defend its insured.” Primrose Operating Co. v. Natl Am. Ins. Co., 382 F.3d 546, 552 (5th Cir. 2004) (quotation omitted). That further supports our reading of the word “publication” to embrace the broadest possible plain meaning of the term.

The Paymentech complaint plainly alleges that Landrys published its customers’ credit-card information—that is, exposed it to view. In fact, the Paymentech complaint alleges two different types of “publication.” The complaint first alleges that Landrys published customers’ credit-card data to hackers. Specifically, as the credit-card “data was being routed through affected systems,” Landrys allegedly exposed that data—including each “cardholder name, card number, expiration date and internal verification code.” Second, the Paymentech complaint alleges that hackers published the credit-card data by using it to make fraudulent purchases. Both disclosures “expos[ed] or present[ed] [the credit-card information] to view.” Publish, Websters Second, at 2005. And either one standing alone would constitute the sort of “publication” required by the Policy.

3

B.

Having established that the Underlying Paymentech Litigation involves at least one “publication,” we next determine whether it involves an injury “arising out of ․ the violat[ion] [of] a persons right of privacy.”

Again, we start with the text of the Policy. The operative text begins with the words “arising out of.” These words again connote breadth. See, e.g., Prima Paint Corp. v. Flood & Conklin Mfg. Co., 388 U.S. 395, 398, 87 S.Ct. 1801, 18 L.Ed.2d 1270 (1967) (describing as “broad” a contractual clause regarding “[a]ny controversy or claim arising out of or relating to this Agreement”); Nauru Phosphate Royalties, Inc. v. Drago Daic Interests, Inc., 138 F.3d 160, 165 (5th Cir. 1998) (holding that when parties agree to an arbitration clause governing “[a]ny dispute ․ arising out of or in connection with or relating to this Agreement,” they “intend the clause to reach all aspects of the relationship” (quotation omitted)). Thus, the Policy does not simply extend to violations of privacy rights; the Policy instead extends to all injuries that arise out of such violations.

Next, the Policy insures against “violat[ions of] a persons right of privacy.” We need not tarry long on this phrase because its undisputed that a person has a “right of privacy” in his or her credit-card data. Its also undisputed that hackers’ theft of credit-card data and use of that data to make fraudulent purchases constitute “violations” of consumers’ privacy rights. And its still further undisputed that the Paymentech complaint alleges such theft and such fraudulent purchases. Thus, the plain text of the Policy anticipates ICSOPs duty to defend in the Underlying Paymentech Litigation.

ICSOP urges us not to follow the plain text of the Policy and instead to alter it. In ICSOPs view, the Policy covers only tort damages “arising out of ․ the violation of a persons right of privacy.” Thus, ICSOP suggests, it might defend Landrys if it were sued in tort by the individual customers who had their credit-card data hacked and fraudulently used. But ICSOP thinks it bears no obligation to defend Landrys in a breach-of-contract action brought by Paymentech. Of course, the Policy contains none of these salami-slicing distinctions.

Under Texas law, thats dispositive. Take Lamar Homes, Inc. v. Mid-Continent Casualty Co., 242 S.W.3d 1 (Tex. 2007). In that case, a homebuilder wanted its insurance company to defend a suit filed by two homebuyers alleging foundation defects. Id. at 5. The homebuilders insurance policy stated that its insurer would “defend the insured against any ‘suit’ seeking ․ damages” because of “bodily injury” or “property damage” caused by an “occurrence.” Id. at 6. The insurer read “bodily injury” and “property damage” to cover tort claims and not contract claims. Id. at 13. But the Texas Supreme Court disagreed. It noted that the policy “ma[de] no distinction between tort and contract damages.” Ibid. So, based on the established principle that “[t]he duty to defend must be determined under the eight-corners rule rather than by the labels attached to the underlying claims,” the courts “proper inquiry [wa]s whether an ‘occurrence’ ha[d] caused ‘property damage,’ not whether the ultimate remedy for the claim [sounded] in contract or in tort.” Id. at 15–16. Thats a different way of saying that we must focus on “the facts alleged” in the complaint, “not on the actual legal theories” invoked. St. Paul Fire, 249 F.3d at 391–92.

Here, everyone agrees that the facts alleged in the Paymentech complaint constitute an injury arising from the violation of customers’ privacy rights, as those terms are commonly understood. It does not matter that Paymentechs legal theories sound in contract rather than tort. Nor does it matter that Paymentech (rather than individual customers) sued Landrys. Paymentechs alleged injuries arise from the violations of customers’ rights to keep their credit-card data private. Under the eight-corners rule, ICSOP must defend Landrys in the Underlying Paymentech Litigation.

4

* * *

The judgment of the district court is REVERSED, and the case is REMANDED for further proceedings consistent with this opinion.

FOOTNOTES

1

.   Given their corporate relationship, and for ease of reference, we refer to JPMorgan Chase and Paymentech simply as “Paymentech.”

2

.   ICSOP moved for summary judgment on all claims based on the text of all four of the parties’ insurance agreements. Landrys moved for partial summary judgment, relying on the text of only one of the insurance agreements—the Policy we analyze here—and reserving damages for trial.

3

.   For present purposes, its irrelevant whether Landrys did in fact cause the publications and hence cause the personal and advertising injuries. This case relates only to ICSOPs duty to defend Landrys in the Underlying Paymentech Litigation, not the duty to indemnify the company should it be found liable. See St. Paul Fire, 249 F.3d at 391 (stating that because “[a]n insurance companys duty to defend is broader than its duty to indemnify,” we can find and “enforce an insurers duty to defend even when an insurers duty to indemnify is not yet settled”). So it only matters (for duty to defend purposes) that Paymentech alleges a publication of the data. Cf. Natl Union Fire Ins. Co. v. Merchants Fast Motor Lines, Inc., 939 S.W.2d 139, 141 (Tex. 1997) (holding that even if “the complaint does not state facts sufficient to clearly bring the case within or without the coverage, the general rule is that the insurer is obligated to defend if there is, potentially, a case under the complaint within the coverage of the policy” (emphases added) (quotation omitted)).

4

.   The district court did not address the Policys Self-Insured Retention Endorsement, which ICSOP offered as an alternative ground for denying its duty to defend. We express no view on it. See Cutter v. Wilkinson, 544 U.S. 709, 718 n.7, 125 S.Ct. 2113, 161 L.Ed.2d 1020 (2005) (“[W]e are a court of review, not of first view[.]”).

Andrew S. Oldham, Circuit Judge: