A New York trial court recently ruled in a commercial general liability (CGL) policy coverage case that Zurich American Insurance Co. has no duty to defend Sony Corp. of America and Sony Computer Entertainment America in litigation stemming from the April 2011 hacking of Sony Corp.’s PlayStation online services.
Ruling on the coverage lawsuit, Zurich American Insurance Co. v. Sony Corp. of America et al, Justice Jeffrey K. Oing of the Supreme Court of the State of New York granted summary judgment on Feb. 21 in favor of Zurich American, one of Sony’s CGL insurers.
Zurich American has denied Sony’s claim for defense and indemnification in wake of the massive data breach and filed the suit in July 2011. The insurer asked the court to rule it does not have to defend or indemnify Sony for any data breach claims. Zurich American said in its court papers that more than 50 class-action complaints have been filed in the U.S. against Sony. The data breach had exposed personal information of tens of millions of users, and Sony’s losses are reportedly estimated to be as high as $2 billion.
In his bench ruling last month, Justice Oing said acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the Coverage B (personal and advertising injury coverage) under the CGL policy issued by Zurich.
“In this case here, I have a situation where we have a hacking, an illegal intrusion into the defendant Sony’s secured sites where they had all of the information,” Justice Oing said in his ruling.
The judge said the data breach did result in “publication.” In this electronic age, “by just merely opening up that safeguard or that safe box where all of the information was…my finding is that that is publication.”
So the question, he said, then becomes, “was that a publication that was perpetrated by Sony or was that done by the hackers?”
“There is no way I can find that Sony did that,” the judge said. “This is a case where Sony tried or continued to maintain security for this information. It was to no avail. Hackers criminally got in. They opened it up and they took the information.”
“I am not convinced that that is oral or written publication in any manner done by Sony. That is an oral or written publication that was perpetrated by the hackers,” Justice Oing said.
“The third-party hackers took it. They breached the security. They have gotten through all of the security levels and they were able to get access to this,” the judge said. “[The policy] requires the policyholder to perpetrate or commit the act. It cannot be expanded to include third-party acts.”
“Paragraph E (oral or written publication in any manner of the material that violates a person’s right of privacy) requires an act by or some kind of act or conduct by the policyholder in order for coverage to be present,” the judge said.
“In this case,” Justice Oing said, “my finding is that there was no act or conduct perpetrated by Sony, but it was done by third-party hackers illegally breaking into that security system. And that alone does not fall under paragraph E’s coverage.”
The case is Zurich American Insurance Co. v. Sony Corp. of America et al, 651982/2011, the Supreme Court of the State of New York, County of New York.
Relying on CGL Policies
The ruling, while subject to appeal, highlights the hazards of relying on traditional CGL policies for potential data breach coverage, according to law firm Dorsey & Whitney LLP. Robert E. Cattanach, Minneapolis-based partner at Dorsey & Whitney, said the decision was somewhat of a surprise for casual observers of this case who may have thought CGL policies offer at least some coverage for data breach incidents.
Cattanach said the decision could be seen as significant because it runs contrary to another recent data breach coverage decision. In Hartford Casualty Insurance Company v. Corcino & Associates et al, the U.S. District Court for the Central District of California ruled last November there is coverage under a CGL policy for a data breach involving hospital records of some 20,000 patients. “This Sony case is directly contrary, so that’s significant,” he said.
Cattanach said another thing to keep in mind for policyholders is that a specific exclusion would start to clarify the limitations of Coverage B. Last April, the Insurance Services Office (ISO) started revising its standard form of the CGL Coverage B to make clear that it wouldn’t cover acts of third-party hackers, Cattanach said. The new exclusion could start affecting some renewals beginning this May.
“So I think, going forward, you are going to see changes in the insurance policy. But we’ve already got a lot of breaches out there that have the old CGL policy form,” he said. “And I think you will see more aggressive efforts by the insurers to say there shouldn’t be coverage under Coverage B if it’s a third-party hacker, whereas until now, I think insurers have been probably concerned that if they litigated that issue, they might lose.”
- Increase in Cyber Attacks Costing Millions, Stressing Internet
- Target’s Cyber Insurance Softens Blow of Massive Credit Breach
- Sony Insurer, Zurich, Files Suit to Deny Data Breach Coverage