Sony lost the first round in its bid to force its commercial liability carriers to defend lawsuits arising out of the breach of its PlayStation network. Last week, a New York trial court granted Sony’s insurers summary judgment on the issue of whether the claims fall within the personal and advertising injury coverage of the policies. Zurich Am. Ins. Co. v. Sony Corp. of Am., case no. 651982/2011 (N.Y. Sup. Ct. February 21, 2014). If the decision survives an expected appeal, Sony will lose out on reimbursement of potentially millions in defense costs. The decision is significant for other policyholders only because it is one of the first to consider an insurer’s obligation under the personal and advertising injury coverage. Although decided unfavorably for policyholders, it will likely have minimal impact. The decision will be appealed, and even if it stands, other states will likely look to their own rules of interpretation to determine coverage. Moreover, carriers are already moving to limit coverage for cyber claims under the personal and advertising injury coverage. If successful, this move would render the Sony decision largely irrelevant.
In April 2011, hackers attacked three networks operated by Sony for the benefit of Sony PlayStation owners. The hackers stole the nonpublic personal information of approximately one hundred million individuals, including financial account information. The breach forced Sony to take down the network for a month. Soon after Sony announced the attack, plaintiffs’ lawyers hit it with 64 class action lawsuits (since consolidated) on behalf of network users. The plaintiffs alleged that they suffered injury due to the release of their personal information and Sony’s failure to timely notify the class members of the breach. Some complaints also sought damages arising from the inability to access the network while it was down. In addition to the lawsuits, Sony faced investigations by a variety of government entities.
Sony sought coverage from its commercial general liability carriers, Zurich American Insurance Company, Mitsui Sumitomo Insurance Company of America and a number of excess carriers. Mitsui Sumitomo denied coverage but Zurich filed a declaratory judgment lawsuit against Sony before it made a coverage decision. Zurich argued that the class action complaints fell outside the policy’s coverage or were excluded. Sony moved for summary judgment, arguing that the allegations against it fell within the commercial general liability policies’ “personal and advertising injury” coverage part. Sony maintained that the claims against it were encompassed within the offense of “oral or written publication, in any manner, of material that violates a person’s right of privacy.” Sony argued that this coverage applies no matter who does the publishing, so that if a hacker breaks into a system and publishes nonpublic personal information, such an event would fall within the policy’s coverage. Sony also contended that the insurers had failed to exclude coverage for the cyber-related risk of information theft.
The insurers countered that, under New York law, the personal and advertising offenses insures only purposeful conduct by an insured. The class plaintiffs made no allegations that Sony had published the information. Therefore, the insurers argued that the publication of private information by a third party fell outside the policy’s coverage. Ultimately, the court sided with the insurers and found that to fall within the offense, the insured must publish the information that violates a right of privacy. Because the complaints against Sony fall outside the insuring agreement, the carriers would not have a duty to defend. Sony is expected to appeal this decision.
The import of the court’s ruling remains to be seen, as an appeal is likely to follow. At least for now, in New York, the decision further limits potential coverage for cyber claims under commercial general liability policies. Commercial general liability policies afford two coverage types: coverage for bodily injury or property damage arising from accident; and coverage for personal or advertising injury offenses. Cyber claims rarely involve bodily injury. With respect to “property damage,” insurers have defined “property damage” to exclude damage to data. Further, most recent commercial general liability policies include a cyber exclusion, which bars coverage under the property damage part for “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.” The court’s ruling against Sony precludes coverage under the personal and advertisement injury coverage.
Commercial general liability carriers, however, are not waiting to see how the Sony decision plays out to limit coverage for cyber claims. The Insurance Services Office, an industry-owned company that writes standardized policies for insurers, introduced in 2013 an “Amendment of Personal and Advertising Injury Definition” endorsement, which eliminates the offense of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy[.]” The Insurance Services Office has also introduced an endorsement titled “Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – with Limited Bodily Injury Exception.” The exclusion will bar coverage under both coverage parts for, among other things, injury arising out of the disclosure of financial and health information. This would also serve to take claims like those faced by Sony outside the commercial general liability policy.
The decision highlights two important points. First, because of the insurance industry’s continued efforts to limit coverage for cyber claims under commercial general liability policies, most businesses should consider policies specifically written to insure against cyber risks.
Second, policyholders need to purchase adequate limits of liability for cyber risks. Ironically, Sony purchased cyber insurance, and its cyber insurer provided coverage, but Sony quickly exhausted its limits of liability defending the class action lawsuits. Once a hacker has breached a company’s security, the number of potential claimants may equal the number of clients the company has. Litigation costs resulting from a breach will likely be proportionately high, so it is important to purchase adequate limits of liability.
Counsel can assist the company in evaluating the risks that it faces from cyber losses and can evaluate the scope of coverage offered under cyber policies. An experienced broker can identify the insurers who offer the product most suited to your company’s needs and help negotiate favorable terms, limits and price. Working together, a team including your broker and outside counsel can ensure that you purchase the right coverage with appropriate terms and conditions.
For more information, please contact the author, Luke Quinlan, or any other member of the McGuireWoods insurance recovery team.