What Cyber Insurance Lessons Did We Learn from Sony-Zurich?

By Amy Stewart Law

Sony and Zurich recently reached a settlement in an insurance coverage dispute over the April 2011 hacking of Sony’s PlayStation network, resulting in the release of personal information of over 77 million user accounts. At the time, it was the largest data security breach in history, costing Sony roughly $178 million in lost profits.

In the wake of a class-action lawsuit filed against Sony by PlayStation users (Sony eventually settled the underlying claim for $15 million), Sony sought coverage from Zurich and Mitsui Sumitomo Insurance Company, contending the data breach was a “publication” of information constituting an invasion of privacy covered under Coverage B – the “Personal and Advertising Injury Liability” portion of its policies.

Zurich filed suit in New York state court, alleging it had no duty to defend or indemnify Sony because the publication was perpetrated by hackers, not Sony. According to Zurich, the phrase “in any manner” referred to the type of publication, not the party initiating the publication. Sony disagreed, arguing that interpreting the policy in the manner urged by Zurich would have the effect of providing coverage for errant acts and omissions of a Sony employee, but denying Sony coverage under circumstances where it is victimized by a third party.

In February 2014, although the trial court held the data breach did result in publication, it granted summary judgment in favor of Zurich. The court reasoned the policies did not provide coverage for the users’ claims because “[the policy] requires the policyholder to perpetrate or commit the act. It cannot be expanded to include third-party acts.”

Sony appealed.

Following oral argument, Zurich settled Sony’s claims – an indication to some that Zurich was potentially concerned the court of appeals would set precedent interpreting the policies favorably to Sony. Insurers have long taken the position that CGL policies are not intended to cover cyber-related risks, which are  now more commonly insured under E&O technology and cyber-security policies.

To policyholders, however, the policy says what it says. The fact the insurer might not have anticipated the risk when the policy was written should not be a basis to deny coverage. As it pertains to Zurich’s policy, the phrase “publication in any manner” should mean just that, publication in any manner, no matter who does the publishing, as long as liability is being imposed on Sony for the publication.

What have we learned from Sony-Zurich?

1. The trial court’s decision, while viewed as an “outlier” decision by us, highlights the need for companies to focus as much on risk mitigation as they do on protecting their data in the first place, especially in this day and age where e-commerce is often the primary source of marketing and sales.
2. Cyber mitigation – i.e., knowing what the company’s existing insurance policies do and do not insure, and procuring coverage specifically designed to insure the company’s cyber-related risks –  should receive c-suite and board-level attention.
3. The costs and liability exposure of a data-breach alone are a drain on company resources. Adding a dispute with your insurer over whether the breach is covered by your insurance policy adds insult to injury.
4. The Sony-Zurich settlement neither hurts nor helps a policyholder’s cause, but it does highlight the need for companies to manage proactively their cyber-related risks and, as important, to understand their insurance coverage rights in the event of a security breach.