A US appeals court reversed a judgment of the lower court which had declined to read-in cyber coverage in a commercial general liability policy.

The insured operated retail properties and took out a commercial general liability policy (“the CGL Policy”) with the insurer.

During the periods of May 2014 and December 2015 the insured’s credit card system was breached by hackers who obtained unauthorised access to customers’ information from their Visa, MasterCard, and the bank (point-of-sale-system service providers) which issued the customers’ credit cards. This occurred across 14 of Landry’s locations. The credit cards became unusable in the hands of its customers because the information on the cards was compromised. The hackers published the information and used same for illicit activity.

The insured was sued by the point-of-sale-system service providers for $20 million for breach of contract. The insured had failed to follow all programs that protected the service providers from incurring direct liability from any data-breach-related losses.

The insured lodged a claim with its insurer and the claim was rejected by the insurer on the basis that the cyber loss was not covered. The court found that the CGL policy included indemnification for the cyber breach. In interpreting the CGL policy the panel considered the following wording:
“the insurer will pay those sums that the insured becomes legally obligated to pay as damages because of personal and advertising injury” for loss arising from “oral or written publication, in any manner, of material that violates a person’s right of privacy”

The court held that the inclusion of cover for losses resulting from “publication” should be read to include exposing or mere transmission of information even by third-parties (hackers). The court embraced the broadest possible plain meaning of “publication”.

Any ambiguity in the CGL policy was deemed to be resolved in favour of the insured and the claim was payable by the insurer.

The decision is based on an older policy and the latest CGL policies of the insurer have adequate exclusions to prevent cyber liability coverage.

How cyber proof is your policy wording?

Landry’s, Inc. v. The Insurance Company of the State of Pennsylvania, No. 19-20430 (5th Cir. 2021) the U.S. Court of Appeals for the Fifth Circuit