Legal developments in data, privacy, cybersecurity, and other emerging technology issues

Courts Requiring General and Professional Liabilities Policies to Respond to Cyberattacks

The increase in cyber breaches and hacks has resulted in litigation, some involving policy interpretation, and some involving new theories of liability. The two cases described below are illustrations of the types of issues that businesses, insureds and insurers continue to face as a result of cyber liability. In the first case, the court found that a traditional general liability policy could provide coverage for a cyber breach, a result likely not anticipated by the insurance carrier, nor possibly by the insured. The second case involves injury and death, allegedly caused by a hospital’s inability to use monitoring equipment during a birth because the equipment was inoperable due to a ransomware attack, that likely would be covered under a traditional medical malpractice policy despite the fact that it was a cyber attack that gave rise to the claim for injury and medical negligence.

1. General Liability Policy Provides a Defense in Data Breach Lawsuit

Paymentech, LLC (“Paymentech”), a processor of Visa and MasterCard payments for retailers, filed suit (the “Paymentech Case”) against Landry’s, Incorporated (“Landry’s”) for breach of contract resulting from Landry’s refusal to reimburse Paymentech for losses assessed to Paymentech in connection with a data breach occurring at Landry’s properties (the “Breach”). By contractual agreement, Landry’s was obligated to pay for and indemnify Paymentech against any fines, penalties, or assessments that Paymentech incurred as a result of Landry’s failure to comply with certain “payment brand rules” (rules designed to insulate consumers / customers from unintended costs by requiring Paymentech to pay for data-breach losses). The Breach occurred over an eighteen month period at fourteen Landry’s locations, and affected millions of customers whose personal information was retrieved by data hackers and used to make unauthorized charges. Visa and MasterCard collectively assessed losses to Paymentech in the amount of $20,062,206.88 (the “Assessment”), which Paymentech claimed was Landry’s ultimate responsibility.

Landry’s looked to Insurance Company of the State of Pennsylvania (“ICSOP”), its  general liability insurer, for a defense in the Paymentech Case, which Landry’s asserted was owed under its commercial general liability policy (the “Policy”). The Policy provided that “[ICSOP] will pay those sums that [Landry’s] becomes legally obligated to pay as damages because of ‘personal and advertising injury’” and “will have the right and duty to defend [Landry’s] against any ‘suit’ seeking those damages.” “Personal and advertising injury” in the Policy was defined as “injury … arising out of” certain offenses, including “oral or written publication, in any manner, of material that violates a person’s rights of privacy” (emphasis added).

ICSOP had filed a motion for summary judgment with the district court, asking it to declare that ICSOP had no duty to defend Landry’s under the Policy. The district court granted ICSOP’s motion, and Landry’s appealed to the United States Court of Appeals for the Fifth Circuit (the “Court”). On appeal, the Court reversed the lower court’s decision in favor of ICSOP, and ruled that ICSOP did owe a defense to Landry’s under the Policy. In making its decision following a “de novo review” (i.e., a review of all issues as if being heard for the first time), the Court applied certain established principles regarding policy interpretation to the Policy’s language and the underlying allegations of the Paymentech Case. Initially, the Court began its discussion with an application of the “eight-corners rule” – a comparison of the four corners of the Policy to the four corners of the Paymentech complaint. This rule stems from a longstanding principle that documents should be read and interpreted in accordance with their literal, explicit and plain meanings, to the greatest extent possible. With that in mind, the Court determined that the Paymentech Case did in fact trigger “personal and advertising injury” coverage for the following reasons:

  • The Paymentech complaint involves a “publication,” which is required for personal and advertising injury to apply, because such term is broadly defined to include oral or written content in any manner, which would include exposure of customers’ personal credit card information for others to view;
  • The injuries alleged “arise out of” the data breach violations, the breadth of which is intended to apply broadly “to reach all aspects of the relationship” (between Landry’s and Paymentech); and
  • It is undisputed that customers have a right to privacy and that the Breach violated such rights.

ICSOP’s primary argument against providing a defense to Landry’s was that the Policy’s language applied to tort related claims and not to claims involving a breach of contract. The Court quickly rejected that argument, asserting that the Policy did not make a distinction between such claim types for purposes of applying the relevant language. Procedurally, the coverage issues were remanded back to the district court for further proceedings, consistent with the Court’s opinion that ICSOP has a duty to defend, with filings scheduled during the first half of 2022.

2. Plaintiff Alleges Newborn Infant’s Death Was Caused by Ransomware Attack

In the summer of 2021, a novel claim was filed in the Circuit Court of Mobile County, Alabama (the “Court”), in which Teiranni Kidd (the “Plaintiff”) has alleged that the negligent actions and omissions of Springhill Memorial Hospital, its affiliated organizations and members of its business and medical professional staff (collectively, “Springhill”) in the midst of a ransomware attack on the hospital caused the death of her newborn daughter, nine months after the baby’s delivery at Springhill in 2019 (the “Claim”). The Claim, described below, has sparked a major discussion in the health care industry during a particularly vulnerable time when ransomware attacks are at an all-time high. Insurance industry observers and attorneys have been considering how claims for injury might arise from cyber-related incidents, and this Claim provides an example that might open the door for similar litigation.

The Plaintiff presented to Springhill for delivery of her daughter on July 16, 2019. Seven days prior to her arrival, Springhill had been hit with a serious ransomware attack that blocked and encrypted the hospital’s computer network systems and certain of its patient data (the “Cyberattack”). Springhill reported publicly that the Cyberattack “would not affect patient care,” and that patients should be assured that high quality care would continue to be delivered as networks were recovered. As a result of the Cyberattack, certain of the equipment used for fetal monitoring was not accessible, and health care personnel were forced to use outdated paper charting as their only method of documentation for the Plaintiff’s delivery. The complaint alleges that while a number of notations were included in the Plaintiff’s medical record during delivery, none accurately measured the unborn infant’s worsening condition due to the lack of access to hospital equipment following the Cyberattack. During the birth process, the baby’s umbilical cord wrapped around her neck, depriving her brain of oxygen and ultimately causing severe brain damage, and later, death on April 16, 2020.

The Plaintiff alleges that Springhill’s failure to provide adequate care during labor caused her daughter to suffer avoidable and preventable injuries, and that she would have chosen another hospital had she known about the Cyberattack. Additionally, the Plaintiff claims that Springhill concealed pertinent information from her and from the general public regarding the Cyberattack, including, for example, the (i) severity and paralyzing nature of the Cyberattack; (ii) scope of data and electronic systems that were compromised by the Cyberattack (such as fetal heartbeat monitors), and the lack of access to critical services; (iii) hospital’s lack of adequate training and preparation for a Cyberattack; and (iv) concern that certain of the hospital’s agents and employees had expressed regarding patient exposures and vulnerabilities following the Cyberattack.

Several industry commentators have speculated about the arguments to be made by both sides in court, acknowledging that this is the first U.S. claim to attempt to make a direct link between a ransomware attack and a patient fatality. One of the leading questions that has been posed is whether the Plaintiff will be able to demonstrate that but-for the Cyberattack, her baby’s condition would have been known and that a different course of treatment (namely, a C-section) would have been administered. By way of comparison, a similar lawsuit was filed in Germany in late 2020 involving allegations that a ransomware attack caused the death of a 78-year-old woman. The woman, suffering from an aortic aneurysm, was forced to be transported to a farther emergency room, delaying her treatment by an hour, because the closest one had undergone a ransomware attack that corrupted 30 of the hospital’s servers and disabled internal communication systems. Upon investigation into the claim, government authorities could not establish sufficient evidence to prove that the ransomware attack was the decisive factor or the sole, direct cause of the woman’s death, despite the possibility that it may have been one of several factors that led to her death.

In a recent Wall Street Journal podcast, industry reporter Kevin Poulsen noted that the Court has a difficult decision in deciding this Claim and that visibility into cyberattacks is fairly inconsistent across the board, stating, “right now, there’s just no clear guidance, or direction, or standards for hospitals about what they have to disclose to the public and to their patients when they’re facing an incident like this. In this case, Springhill was very reticent to disclose anything about it to the public. And their initial characterizations of this attack to the local press have failed to capture the actual impact of the event. In other cases, we’ve seen hospitals be much more forthright and open about it, and even identify which ransomware group they’re dealing with.”

  • Sara J. Brundage
    Partner

    Sara Brundage is an insurance coverage and litigation attorney who handles complex commercial disputes involving domestic and international commercial insurance companies, captives and risk-retention groups, self-insured ...

  • Jenna R. Simon
    Supervising Staff Attorney

    Jenna Simon is an insurance and regulatory attorney who primarily focuses her practice on the following key areas.

    • Works with clients to develop and manage alternative risk programs, including captive insurance companies
    • Forms ...