On April 28, 2015, the Sony Corporation, Zurich American Insurance Co. and Mitsui Sumitomo Insurance Co. notified the New York State Supreme Court that they concluded a settlement and executed a settlement agreement in the matter of Zurich American Ins. Co. v. Sony Corp. of America, et al., case number 651982/2011, ending the wait for what was anticipated to be an important decision defining the scope of an insurer's obligations pursuant to a general liability policy for damages resulting from a data breach.
As we previously reported in February of 2014, the New York Supreme Court ruled that Zurich American Insurance Co. and Mitsui Sumitomo Insurance Co. of America (the "Insurers") had had no duty to defend the Sony Corporation in connection with class-action lawsuits relating to the 2011 breach of Sony's Playstation Network. The breach resulted in the unauthorized access of the personal information, including names, addresses, birth date and credit card numbers of millions of Sony 's customers. The Insurers has issued Commerical General Liability ("CGL") policies to Sony which included coverage for "personal and advertising injury" arising out of the "oral written publication, in any manner, of material that violates a person's right of privacy." In seeking a declaration from the Court regarding their duty to defend Sony, the Insurers argued, in part, that "personal and advertising injury" coverage is limited to the purposeful and intentional acts committed by Sony, as the insured, and not by third-parties. Sony countered by claiming that its "act" was the alleged failure to properly secure its customers' information, and that coverage therefore existed. The Court agreed with the Insurers, finding that while there was a publication, coverage was only afforded to the extent that Sony was responsible for the publishing. Due to the fact that the publication at issue was due to the criminal actions of hackers, the Judge found that "there is no way I can find that Sony did that" and refused to extend coverage. Sony appealed, arguing that the requirement that the publication was conducted or perpetrated by the policyholder was not contained in the policy language. The New York State Appellate Division, First Department, in a case of first impression, heard oral argument on the issue this past February, and a decision, which would have represented one of the first, and perhaps most important, appellate court rulings in a case involving a coverage dispute resulting from a data breach, was anticipated soon.
With the current settlement, and no other appellate decisions on the horizon specific to this issue, companies across all areas of industry should consider cyber insurance policies to ensure that they are adequately protected in the event of a data breach. As more and more CGL policies exclude such coverage, and coverage issues present in many of the ones that don't (as was the case in the Sony matter), it would be a best practice for a company to ensure that they have adequate cyber insurance in place.