5th Circuit overturns ruling that insurer must defend data breach
On July 21, the U.S. Court of Appeals for the Fifth Circuit reversed a lower court’s decision to grant summary judgement for a Houston-based insurer (defendant), finding that publication of material that violates a person’s right of privacy under the insurer’s policy can include making credit card information generally available. According to the opinion, a retail company (plaintiff) was sued by a branch of a national bank (bank) for alleged violations of an agreement that led to a $20 million data breach dispute. In response, the plaintiff filed a separate suit in Texas court against the defendant for breaching the insurance policy. The district court granted the defendant’s motion and dismissed all the claims. In doing so, “the district court held that the bank’s complaint did not allege a ‘publication’ of material that violated a person’s right to privacy because it asserted only that ‘[a] third party hacked into [the] credit card processing system and stole customers’ credit card information.’” Furthermore, the district court found that the complaint also did not allege a violation of a person’s right to privacy because the bank involves the payment processor’s contract claims, not the cardholders’ privacy claims.
On appeal, the 5th Circuit adopted a broad definition of “publication” because such term was undefined, and found that the contract dispute brought by the bank against the plaintiff “plainly alleges” that hackers published the credit card information of the plaintiff customers in several ways. First, the bank accused the plaintiff of publishing its customers’ credit cards to hackers. Then, the hackers allegedly published the information by using it to make fraudulent purchases. The appellate court then examined whether the defendant “has a duty to defend [the plaintiff] in the [u]nderlying [bank] [l]itigation.” The appellate court applied Texas’s “eight-corners rule,” which compares the “four corners of the [p]olicy to the four corners of the [bank’s] complaint.” In doing so, the appellate court found that the bank’s “alleged injuries arise from the violations of customers' rights to keep their credit card data private,” and “[u]nder the eight-corners rule, [the defendant] must defend [the plaintiff] in the underlying [bank’s] litigation.”