Written by Jeff Stone
An insurance company is arguing in court it should not be responsible for covering a $20 million lawsuit filed in connection with a data breach at a national restaurant and hospitality chain.
The Insurance Company of the State of Pennsylvania, an AIG subsidiary, argued in the U.S. Court of Appeals for the Fifth Circuit on Nov. 25 that it does not need to fund a legal defense for the Landry’s restaurant chain following a breach uncovered in 2015.
JP Morgan Chase and its payment processing arm, Paymentech, filed suit in 2018 against Landry’s, alleging the company has failed to compensate the bank for breach-related costs. Chase accused Landry’s, which operates Bubba Gump Shrimp, Rainforest Café and Joe’s Crab Shack locations, among others, of failing to reimburse the bank for post-breach assessments conducted by Visa and Mastercard. Hackers spent months lurking inside Landry’s systems from 2014 to 2015, accessing customers’ payment card information from some 350 locations.
A federal judge ruled in May that the Insurance Company of the State of Pennsylvania does not need to fund Landry’s defense from that Chase suit on the grounds that the insurance policy covered “personal and advertising injury” matters, and issues arising out of privacy violations, but not a lawsuit of this kind. Landry’s appealed that decision, arguing its insurer had, in fact, promised to defend the company, or pay defense costs, in connection with injuries “arising out of…oral or written publication, in any manner or material that violates a person’s right to privacy,” and that the policy does cover this scenario.
In its filing Monday, the Insurance Company of the State of Pennsylvania said Landry’s was making “novel and confounding arguments” in its appeal, and suggested oral arguments might help resolve the standoff.
The dispute comes amid a period of ongoing interest over whether insurance companies will help firms clean up the financial mess that often accompanies hacks or other security incidents.
The best known example of the contention is an ongoing suit between Zurich Insurance and Mondelez over whether the insurer is responsible for losses incurred as a result of the NotPetya cyberattack, which Zurich has interpreted as an act of war. Since then, aluminum manufacturer Norsk Hydro said its insurance has covered about 6% of its total losses from a ransomware attack, with more payments expected.
AIG has argued it’s not responsible for covering nearly $6 million in losses incurred by another client.
Meanwhile, some providers have weighed whether providing cyber coverage is worth the financial risk, at all.
The ISCOP argument is available in full below.