Sony, Zurich Settle PlayStation Data Breach Case

Sony Corp. of America and Zurich American Insurance Co. have reached a settlement in a commercial general liability (CGL) policy coverage case stemming from the April 2011 hacking of Sony’s PlayStation online services, according to court documents filed on April 30.

The New York trial court had ruled in favor of Zurich American last year and the case was subsequently appealed to the intermediate appellate court in New York before a settlement was reached.

In his bench ruling on Feb. 21, 2014, Justice Jeffrey K. Oing of the Supreme Court of the State of New York had granted summary judgment, ruling that acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in Coverage B (personal and advertising injury coverage) of the CGL policy issued by Zurich. (Zurich had denied Sony’s claim for defense and potential indemnification in the wake of the breach and filed the suit in July 2011.)

Court documents showed that since the 2011 incident, more than 50 class-action complaints have been filed in the U.S. against Sony. The data breach had exposed the personal information of tens of millions of users.

The terms of the settlement have not been announced. Zurich American and Sony could not be immediately reached for comment.

“The case was argued to the intermediate appellate court in New York after the trial court had ruled for the insurance company’s position that there was no coverage,” said law firm Anderson Kill’s Cyber Insurance Recovery Group Chair Joshua Gold, who was not involved in the Sony case.

“Sony appealed that decision to the intermediate appellate court and even though that argument was briefed and argued before the appellate division, obviously one or more parties decided it was time to settle the case,” said Gold. “So it appears no decision will come from the appellate court now that there is this final settlement.”

Gold said that, with news of this settlement, policyholders looking for better clarification of CGL insurance coverage for class-action privacy suits stemming from cyber breaches won’t be getting it soon under New York law.

Also commenting on the news of the settlement, Linda Kornfeld, partner with law firm Kasowitz, Benson, Torres & Friedman’s Insurance Recovery Group, said Judge Oing’s decision in the New York trial court last year should now remain as an outlier decision.

“The issue of whether Judge Oing’s decision was correct has now been taken away from the appellate court,” said Kornfeld, who was not involved in the Sony case. “As a result, insurer arguments regarding the precedential value of the opinion will be diminished, as it should remain an outlier trial court decision.”

Gold added that policyholders will instead just need to follow other cyber-related cases making their way through the court system. “For example, high courts in New York and Connecticut will soon be considering important cases involving insurance coverage for data breaches under crime and general liability policies,” he said. “Given the few cases touching upon coverage for cyber-related claims, any additional jurisprudence would be welcomed – especially for policyholders who need to make decisions about how best to protect against this area of significant risk.”

“The safest way to proceed for policyholders is if they have a claim that involves a data breach, they need to figure out what policies are potentially implicated,” Gold advised. “The policies I would consider an immediate notification of claim under are CGL policies, obviously any cyber specialty policies that the policyholder might buy, E&O policies, and I would also look at D&O and crime insurance.”