Appeal from the United States District Court for the Southern District of Texas USDC No. 4:18-CV-2679
Before Smith and Oldham, Circuit Judges. [*]
ANDREW S. OLDHAM, CIRCUIT JUDGE
The question presented is whether the Insurance Company of the State of Pennsylvania ("ICSOP") has a duty to defend its insured, Landry's, in data-breach litigation. At summary judgment, the district court said no. We disagree and reverse.
Landry's is a Houston-based company that operates retail properties like restaurants, hotels, and casinos. Paymentech, LLC-a branch of JPMorgan Chase Bank-processes Visa and MasterCard payments to those properties. A typical payment process follows the same steps: (1) The customer presents his card to a Landry's property; (2) a point-of-sale system at Landry's sends the credit-card information to Paymentech; (3) Paymentech obtains an authorization from Visa or MasterCard and from the bank that issued the customer's credit card; and (4) the funds are collected and sent to JPMorgan Chase.
On December 2, 2015, Paymentech discovered credit-card problems at some Landry's properties. Paymentech began an investigation, which uncovered a data breach that occurred across 14 Landry's locations between May 2014 and December 2015. Landry's then initiated its own investigation, and it discovered that the data breach involved the unauthorized installation of a program on its payment-processing devices. The program was designed to search for data from credit cards' magnetic strips-including the cardholder's name, card number, expiration date, and internal verification code-as the information was being routed through the payment-processing systems. Over approximately a year and a half, the program retrieved personal information from millions of customers' credit cards. And at least some of that credit-card information was used to make unauthorized charges.
Given their corporate relationship, and for ease of reference, we refer to JPMorgan Chase and Paymentech simply as "Paymentech."
As relevant here, the fallout from the data breach implicated four contracts. The first two bound Paymentech to Visa and MasterCard. In its membership agreement with Visa, Paymentech agreed to participate in the Global Compromised Account Recovery ("GCAR") Program. And in its membership agreement with MasterCard, Paymentech agreed to participate in the Account Data Compromise ("ADC") Program. These programs protect Visa and MasterCard customers by requiring Paymentech to pay for data-breach-related losses. Under the GCAR Program, Visa determined that the total amount of Paymentech's liability for the data breach was $12, 678, 367.13. And under the ADC Program, MasterCard determined that the total amount of Paymentech's liability was $7, 383, 839.75.
The third contract bound Paymentech to Landry's. In 2008, Paymentech and Landry's signed the Select Merchant Payment Card Processing Agreement (the "Paymentech Agreement"). Under the Paymentech Agreement, Landry's was obligated to follow all Payment Brand Rules (including the GCAR Program and ADC Program requirements), comply with certain security guidelines, and indemnify Paymentech for any assessments, fines, or penalties stemming from any failure by Landry's to comply with the Payment Brand Rules. So, according to Paymentech, Landry's was on the hook for the losses assessed by Visa and MasterCard. Landry's refused to pay.
In May 2018, Paymentech filed suit against Landry's for breaching the Paymentech Agreement. Paymentech, LLC & JPMorgan Chase Bank v. Landry's, Inc., 4:18-cv-01622 (S.D. Tex.) [hereinafter the "Underlying Paymentech Litigation"]. Paymentech alleged that Landry's violated the Payment Brand Rules, which led to the data breach, which led to Visa's and MasterCard's respective GCAR and ADC assessments. Therefore, Paymentech alleged, Landry's was obligated under the Agreement to pay the $20, 062, 206.88 collectively assessed by Visa and MasterCard.
That's when Landry's turned to the fourth contract at issue here: its insurance agreement with ICSOP (the "Policy"). The Policy states that ICSOP "will pay those sums that [Landry's] becomes legally obligated to pay as damages because of 'personal and advertising injury'" and "will have the right and duty to defend [Landry's] against any 'suit' seeking those damages." It defines "[p]ersonal and advertising injury" as "injury . . . arising out of" several offenses, including "[o]ral or written publication, in any manner, of material that violates a person's right of privacy." ICSOP denied its duty to defend Landry's, stating that the Underlying Paymentech Litigation "does not qualify for coverage" because "[n]one of the . . . 'personal and advertising injury' triggers are implicated by the allegations in the [Paymentech] Complaint."
While funding its own defense against Paymentech, Landry's filed a separate suit against ICSOP in Texas state court. As relevant here, Landry's claimed that ICSOP breached the Policy. Landry's also sought a declaratory judgment regarding ICSOP's duty to defend Landry's in the Underlying Paymentech Litigation. ICSOP removed the case to federal court. The parties filed cross-motions for summary judgment.
ICSOP moved for summary judgment on all claims based on the text of all four of the parties' insurance agreements. Landry's moved for partial summary judgment, relying on the text of only one of the insurance agreements-the Policy we analyze here-and reserving damages for trial.
The district court denied the motion by Landry's, granted the motion by ICSOP, and dismissed all the claims. In doing so, the district court held that the Paymentech complaint did not allege a "publication" because it asserted only that "[a] third party hacked into [the] credit card processing system and stole customers' credit card information." And the district court held that the complaint also did not allege a "violat[ion] [of] a person's right of privacy" because Paymentech involves the payment processor's contract claims, not the cardholders' privacy claims. Landry's timely appealed. Our review is de novo. See Playa Vista Conroe v. Ins. Co. of the W., 989 F.3d 411, 414 (5th Cir. 2021).
The question presented is whether ICSOP has a duty to defend Landry's in the Underlying Paymentech Litigation. To answer that question, we apply Texas's "eight-corners rule"-comparing the four corners of the Policy to the four corners of the Paymentech complaint. Gonzalez v. Mid-Continent Cas. Co., 969 F.3d 554, 557 (5th Cir. 2020).
Under the Policy, ICSOP has a duty to defend Landry's if the Paymentech complaint seeks damages "arising out of . . . [the] [o]ral or written publication . . . of material that violates a person's right of privacy." We first determine whether the Paymentech complaint involves a "publication." Then we determine whether Paymentech seeks damages "arising out of" the "violat[ion] [of] a person's right of privacy."
We start with the Policy's text regarding "an oral or written publication." The Policy states:
"Personal and advertising injury" means injury . . . arising out of one or more of the following offenses:
. . .
(d) Oral or written publication, in any manner, of material that slanders or libels a person or organization . . .;
(e) Oral or written publication, in any manner, of material that violates a person's right of privacy;
The Policy does not define "[o]ral or written publication," so we presume the parties intended those words to bear their plain and ordinary meaning. See DeWitt Cnty. Elec. Co-op., Inc. v. Parks, 1 S.W.3d 96, 101 (Tex. 1999).
The contractual text and structure suggest the parties intended the broadest possible definition of "[o]ral or written publication." That's for three reasons. First, coverage is triggered by a "publication, in any manner." It follows that the Policy intended to use every definition of the word "publication"-even the very broadest ones. And some of the dictionary definitions of "publication" are quite broad. For example, Webster's Second defines "publication" as (1) the "[a]ct of publishing, or state of being published; public notification, whether oral, written, or printed; proclamation; promulgation" and (2) the "[a]ct of making public or public property; specif., a giving over to public use, as by confiscation or dedication." Publication, Webster's New International Dictionary 2005 (2d ed. 1934; 1950) [hereinafter Webster's Second]. And it defines "publish" as "[t]o make known (a person, situation, discovery, etc.) as by exposing or presenting it to view, or by openly declaring its character or status." Publish, Webster's Second, at 2005 (emphasis added). The Oxford English Dictionary defines "publication" as "that which is published." Publication, The Oxford English Dictionary 782 (2d ed. 1989). And it defines "publish" as (1) "[t]o make publicly or generally known; to declare or report openly or publicly; to announce; to tell or noise abroad; also, to propagate, disseminate," (2) "[t]o bring under public observation or notice; to give public notice of," (3) "[t]o expose to public view," and (4) "[t]o make generally accessible or available for acceptance or use." Publish, The Oxford English Dictionary, at 785. Finally, Black's Law Dictionary simply defines "publication" as "the act of declaring or announcing to the public." Publication, Black's Law Dictionary 1423 (10th ed. 2014). Thus, if the Underlying Paymentech Litigation concerns any of these "publications"-even merely "exposing or presenting [information] to view"-then the Policy's capacious provision is satisfied.
Second, the structure of the Policy's coverage provision confirms our reading of the text. The "publication" requirement-an "oral or written publication, in any manner"-is identical for both subsections (d) and (e). So, based on the presumption of consistent usage, we assume the parties intended the word "publication" to have the same meaning in both subsections. See Antonin Scalia & Bryan Garner, Reading Law 170 (2012) ("A word or phrase is presumed to bear the same meaning throughout a text; a material variation in terms suggests a variation in meaning."). That means the "publication" requirement in both subsections must be at least as broad as the tort of defamation (captured in subsection (d)), which merely requires transmission of information to one other person. See, e.g., Exxon Mobil Corp. v. Rincones, 520 S.W.3d 572, 579 (Tex. 2017) (listing "the publication of a false statement of fact to a third party" as an element of a defamation claim, and stating that defamatory "[p]ublication occurs if the defamatory statements are communicated orally, in writing, or in print to some third person who is capable of understanding their defamatory import and in such a way that the third person did so understand" (quotation omitted)).
Third and finally, if there's any ambiguity in the Policy, it must be resolved in favor of Landry's. See St. Paul Fire & Marine Ins. Co. v. Green Tree Fin. Corp.-Tex., 249 F.3d 389, 392 (5th Cir. 2001). "If any allegation in the complaint is even potentially covered by the policy then the insurer has a duty to defend its insured." Primrose Operating Co. v. Nat'l Am. Ins. Co., 382 F.3d 546, 552 (5th Cir. 2004) (quotation omitted). That further supports our reading of the word "publication" to embrace the broadest possible plain meaning of the term.
The Paymentech complaint plainly alleges that Landry's published its customers' credit-card information-that is, exposed it to view. In fact, the Paymentech complaint alleges two different types of "publication." The complaint first alleges that Landry's published customers' credit-card data to hackers. Specifically, as the credit-card "data was being routed through affected systems," Landry's allegedly exposed that data-including each "cardholder name, card number, expiration date and internal verification code." Second, the Paymentech complaint alleges that hackers published the credit-card data by using it to make fraudulent purchases. Both disclosures "expos[ed] or present[ed] [the credit-card information] to view." Publish, Webster's Second, at 2005. And either one standing alone would constitute the sort of "publication" required by the Policy.
For present purposes, it's irrelevant whether Landry's did in fact cause the publications and hence cause the personal and advertising injuries. This case relates only to ICSOP's duty to defend Landry's in the Underlying Paymentech Litigation, not the duty to indemnify the company should it be found liable. See St. Paul Fire, 249 F.3d at 391 (stating that because "[a]n insurance company's duty to defend is broader than its duty to indemnify," we can find and "enforce an insurer's duty to defend even when an insurer's duty to indemnify is not yet settled"). So it only matters (for duty to defend purposes) that Paymentech alleges a publication of the data. Cf. Nat'l Union Fire Ins. Co. v. Merchants Fast Motor Lines, Inc., 939 S.W.2d 139, 141 (Tex. 1997) (holding that even if "the complaint does not state facts sufficient to clearly bring the case within or without the coverage, the general rule is that the insurer is obligated to defend if there is, potentially, a case under the complaint within the coverage of the policy" (emphases added) (quotation omitted)).
Having established that the Underlying Paymentech Litigation involves at least one "publication," we next determine whether it involves an injury "arising out of . . . the violat[ion] [of] a person's right of privacy."
Again, we start with the text of the Policy. The operative text begins with the words "arising out of." These words again connote breadth. See, e.g., Prima Paint Corp. v. Flood & Conklin Mfg. Co., 388 U.S. 395, 398 (1967) (describing as "broad" a contractual clause regarding "[a]ny controversy or claim arising out of or relating to this Agreement"); Nauru Phosphate Royalties, Inc. v. Drago Daic Interests, Inc., 138 F.3d 160, 165 (5th Cir. 1998) (holding that when parties agree to an arbitration clause governing "[a]ny dispute . . . arising out of or in connection with or relating to this Agreement," they "intend the clause to reach all aspects of the relationship" (quotation omitted)). Thus, the Policy does not simply extend to violations of privacy rights; the Policy instead extends to all injuries that arise out of such violations.
Next, the Policy insures against "violat[ions of] a person's right of privacy." We need not tarry long on this phrase because it's undisputed that a person has a "right of privacy" in his or her credit-card data. It's also undisputed that hackers' theft of credit-card data and use of that data to make fraudulent purchases constitute "violations" of consumers' privacy rights. And it's still further undisputed that the Paymentech complaint alleges such theft and such fraudulent purchases. Thus, the plain text of the Policy anticipates ICSOP's duty to defend in the Underlying Paymentech Litigation.
ICSOP urges us not to follow the plain text of the Policy and instead to alter it. In ICSOP's view, the Policy covers only tort damages "arising out of . . . the violation of a person's right of privacy." Thus, ICSOP suggests, it might defend Landry's if it were sued in tort by the individual customers who had their credit-card data hacked and fraudulently used. But ICSOP thinks it bears no obligation to defend Landry's in a breach-of-contract action brought by Paymentech. Of course, the Policy contains none of these salami-slicing distinctions.
Under Texas law, that's dispositive. Take Lamar Homes, Inc. v. Mid-Continent Casualty Co., 242 S.W.3d 1 (Tex. 2007). In that case, a homebuilder wanted its insurance company to defend a suit filed by two homebuyers alleging foundation defects. Id. at 5. The homebuilder's insurance policy stated that its insurer would "defend the insured against any 'suit' seeking . . . damages" because of "bodily injury" or "property damage" caused by an "occurrence." Id. at 6. The insurer read "bodily injury" and "property damage" to cover tort claims and not contract claims. Id. at 13. But the Texas Supreme Court disagreed. It noted that the policy "ma[de] no distinction between tort and contract damages." Ibid. So, based on the established principle that "[t]he duty to defend must be determined under the eight-corners rule rather than by the labels attached to the underlying claims," the court's "proper inquiry [wa]s whether an 'occurrence' ha[d] caused 'property damage,' not whether the ultimate remedy for the claim [sounded] in contract or in tort." Id. at 15-16. That's a different way of saying that we must focus on "the facts alleged" in the complaint, "not on the actual legal theories" invoked. St. Paul Fire, 249 F.3d at 391-92.
Here, everyone agrees that the facts alleged in the Paymentech complaint constitute an injury arising from the violation of customers' privacy rights, as those terms are commonly understood. It does not matter that Paymentech's legal theories sound in contract rather than tort. Nor does it matter that Paymentech (rather than individual customers) sued Landry's. Paymentech's alleged injuries arise from the violations of customers' rights to keep their credit-card data private. Under the eight-corners rule, ICSOP must defend Landry's in the Underlying Paymentech Litigation.
The district court did not address the Policy's Self-Insured Retention Endorsement, which ICSOP offered as an alternative ground for denying its duty to defend. We express no view on it. See Cutter v. Wilkinson, 544 U.S. 709, 718 n.7 (2005) ("[W]e are a court of review, not of first view[.]").
* * *
The judgment of the district court is REVERSED, and the case is REMANDED for further proceedings consistent with this opinion. [*] Judge Ho participated in oral argument and then determined that he is recused. Accordingly, this matter is decided by a quorum. See 28 U.S.C. § 46(d).