Background
The New York Supreme Court recently ruled in the long legal battle between Sony Corp. of America ("Sony") and Zurich American Insurance Co. ("Zurich") concerning the infamous PlayStation Network data breach from April 2011.
In what still remains as one of the largest data security breaches in history, Sony suffered from cyber-attacks during April 2011, which allowed the criminal hackers’ unauthorized access to Sony’s Playstation Network. The hacking incident resulted in the theft of personal details from approximately 77 million accounts and forced Sony to shut off its Playstation Network for approximately 24 days.
As a result, Sony has been named as a defendant in 55 class action complaints filed in the United States and 3 class action lawsuits instituted in Canada. The Class Action Complaints generally allege that Sony’s Playstation customers have suffered damages as a result of the unauthorized access to their personal identification and financial information that was maintained by its Network, as a result of Sony's delay in notifying them of the cyber-attack. This subjected Sony to investigations conducted by several authorities. In addition to the unusual amount of lawsuits, as described above, Sony’s losses are reportedly estimated to be as high as US$2 billion.
Insurer liability in case of third-party hackers
Since Sony’s insurer Zurich denied Sony’s claim for defense and indemnification in the wake of the massive data breach, Sony filed a suit in July 2011 against the insurer. In response, the insurer requested the court to rule that it is not required to defend or indemnify Sony for any data breach claims, as third-party hacking incidents are not covered by its insurance policy.
According to the ruling published by the court in 30 April 2015, acts conducted by third-party hackers are not covered under the personal and advertising injury coverage in Zurich’s insurance policy, which is part of their commercial general liability insurance policy, the reason being that the damages resulting from such conduct, do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy”. According to the ruling, in this particular case, the policy requires the policyholder to perpetrate or commit the act of publication, and cannot be expanded to include third-party acts.
The significance of the ruling
Although cyber liability insurance is increasingly available, many companies have not purchased such policies, and data breaches are likely to result in a claim under their commercial general liability policies.
The ruling, which is subject to appeal, emphasizes the risks of relying on traditional general commercial liability policies for potential data breach coverage. Companies facing the threat of data breaches need to be aware of these new insurance policy endorsements when purchasing insurance and accordingly, to carefully assess the insurance products being offered upon renewal in order to ensure that they receive the full and required insurance coverage.
This conclusion is supported by the emerging trend in the area of cybersecurity insurance policies. The Association of British Insurers (ABI) said that by 2025, it expects cyber insurance to become as common for UK businesses as property insurance.
