It was reported today that the widely-watched data breach case, Zurich American Ins. Co., et al v. Sony Corp. of America (N.Y. Sup. Ct. Feb. 21, 2014), has been settled before the New York appellate court could issue an opinion. While this might be good news for Sony, it is bad news for policyholders because it deprived the appellate court of the opportunity to correct a trial court decision so questionable that the trial judge invited appellate review before he announced his decision.
The case involved a coverage dispute related to the massive hack of the personal information for millions of Sony PlayStation users. After the hack, Sony was sued in over 50 separate class actions related to the disclosure of the users’ private information. Sony sought coverage from Zurich and Mitsui Sumitomo Insurance Company contending that the data breach was a “publication” of information which was private, and thus constituted an invasion of privacy covered under the personal injury provisions in these standard language Commercial General Liability (CGL) policies. There was no dispute that the customers’ suits properly alleged injuries from the invasion of their privacy because their private information was widely published, and because the policy provided coverage for “publication in any manner.”
Zurich and Mitsui denied coverage by claiming that “publication in any manner” described only the type of disclosure, not the identity of the disclosing party, which makes little sense. Zurich contended that coverage would only extend to the publication of information by Sony, not third parties such as hackers, notwithstanding that there were no such limitations in the policy language. Amazingly, the trial court found for the insurance companies and granted summary judgment for the insurers.
It was reported in an earlier Insurance Law 360 article that New York Supreme Court Judge Jeffrey Oing told the parties before announcing his decision from the bench that the insurance coverage issues in the case were important enough to require “immediate appellate authority.” There was good reason for this comment. Judge Oing held that hackers’ theft of confidential data on millions of Sony PlayStation users did constitute a “publication” of private information, as required by the insurance policies, but somehow that did not trigger Zurich and Mitsui’s defense obligations! As reported by Law 360, Sony argued in their appellate brief: “The court ruled that Zurich and Mitsui did not have a duty to defend because the alleged publication was not ‘conducted or perpetrated by the policyholder’ — a requirement not found in the language of the insurance policies.” Sony accused the trial court of a misreading of the insurance policies and the underlying complaints when the court denied the Sony appellants’ motion and granted respondents Zurich’s and Mitsui’s cross-motions.
It was a startling trial court ruling in light of overwhelming law that coverage provisions are to be read broadly for policyholders. And because of that, this settlement should come as no surprise. Zurich and Mitsui could preserve the questionable trial court ruling for reference in future data breach litigation, and avoid the significant exposure that would accompany the very likely reversal of the trial court opinion in a likely published opinion which would create citable law. The settlement merely illustrates an example of the old adage applied for decades by insurance companies: if you aren’t going to beat them, buy them.