A federal appeals court reversed a lower court Wednesday and ruled an American International Group Inc. unit is obligated to defend a retailer in connection with a data breach.
Houston-based Landry’s Inc., which operates retail properties including restaurants, hotels and casinos, discovered a data breach that occurred between May 2014 and December 2015 that involved the unauthorized installation of a program on its payment processing devices, according to Wednesday’s ruling by the 5th U.S. Circuit Court of Appeals in New Orleans in Landry’s Inc. v. The Insurance Co. of the State of Pennsylvania.
Over about a year-and-a-half, the program retrieved personal information from millions of credit cards and at least some of that information was used to make unauthorized charges, the ruling said.
The issue led to litigation between Landry’s and its credit card processor, Paymentech LLC, a unit of JPMorgan Chase Bank N.A. Paymentech alleged Landry’s was obligated to pay it $20.1 million.
Landry’s sought a defense from AIG unit Insurance Co. of the State of Pennsylvania under a policy provision that said the insurer would pay “personal and advertising injury” damages arising out of the publication of material that “violates a person’s right of privacy.”
After AIG refused the claim, Landry’s filed suit, and the U.S. District Court in Houston ruled in the insurer’s favor and dismissed the case. A unanimous three-judge appeals court panel overturned that decision.
“The contractual text and structure suggest the parties intended the broadest possible definition of ‘(o)ral or written publication,’” the ruling said.
“The Paymentech complaint plainly alleges that Landry’s published its customers’ credit-card information – that is, exposed it to view,” it said.
This publication involved an injury arising out of a person’s right to privacy, it said, “We need not tarry long on this phrase because it’s undisputed that a person has a ‘right of privacy’ in his or her credit-card data,” the ruling said.
“It’s also undisputed that hackers’ theft of credit-card data and use of that data to make fraudulent purchases constitute ‘violations’ of consumers’ privacy rights,” the panel said in reversing the lower court decision and remanding the case for further proceedings.
Attorneys in the case did not respond to requests for comment.