Sony Units Lose Ruling in CGL Policy Coverage Dispute

A New York trial court recently ruled in a commercial general liability (CGL) policy coverage case that Zurich American Insurance Co. has no duty to defend Sony Corp. of America and Sony Computer Entertainment America in litigation stemming from the April 2011 hacking of Sony Corp.’s PlayStation online services.

Ruling on the coverage lawsuit, Zurich American Insurance Co. v. Sony Corp. of America et al., Justice Jeffrey K. Oing of the Supreme Court of the State of New York granted summary judgment on Feb. 21 in favor of Zurich American, one of Sony’s CGL insurers.

Zurich American has denied Sony’s claim for defense and indemnification in wake of the massive data breach and filed the suit in July 2011. The insurer asked the court to rule it does not have to defend or indemnify Sony for any data breach claims.

Zurich American said in its court papers that over 50 class-action complaints have been filed in the U.S. against Sony. The data breach had exposed personal information of tens of millions of users, and Sony’s losses are estimated to be as high as $2 billion.

In his bench ruling last month, Justice Oing said acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the Coverage B (personal and advertising injury coverage) under the CGL policy issued by Zurich.

The ruling, while subject to appeal, highlights the hazards of relying on traditional CGL policies for data breach coverage, according to law firm Dorsey & Whitney. Robert E. Cattanach, Minneapolis-based partner at Dorsey & Whitney, said the decision was somewhat of a surprise for casual observers of this case who may have thought CGL policies offer at least some coverage for data breach incidents.

Cattanach said another thing to keep in mind is that a specific exclusion would start to clarify the limitations of Coverage B. Last April, the Insurance Services Office (ISO) started revising its standard form of the CGL Coverage B to make clear that it wouldn’t cover acts of third-party hackers, Cattanach said. The new exclusion could start affecting some renewals beginning this May.

“But we’ve already got a lot of breaches out there that have the old CGL policy form,” Cattanach added. “I think you will see more aggressive efforts by the insurers to say there shouldn’t be coverage under Coverage B if it’s a third-party hacker.”