Insurers win: first judicial ruling says no CGL coverage for data breaches

Policyholder efforts to shoehorn coverage for data breach liability into the personal and advertising liability coverage of Commercial General Liability (CGL) policies suffered a setback this week. A New York trial court has held that the theft of information by third-party hackers breaking into a computer system does not qualify as "oral or written publication in any manner of material that violates a person's right of privacy" for purposes of personal and advertising injury coverage (Coverage B) in a CGL policy. Zurich Am. Ins. Co. v. Sony Corp. of Am., 651982/2011 (N.Y. Sup. Ct., N.Y. Cnty. Feb. 21, 2014). Describing the case before it as the only "data breach case of this magnitude involving" CGL policies, the court agreed with insurer arguments concerning the scope and intent of coverage for "oral or written publication in any manner of material that violates a person's right to privacy." This provision, the court concluded, requires "an act by or some kind of act or conduct by the policyholder in order for coverage to be present."

Sony's PlayStation Network, which allows users to play video games against each other over the Internet, was hacked in April 2011. The hackers stole personally-identifiable information belonging to over 77 million users, which was one of the largest data breaches in history. After the breach, Sony tendered suits brought by its customers to its CGL carriers, arguing that the hackers' theft of personal information fell within the enumerated offense of "oral or written publication in any manner of material that violates a person's right or privacy" under Coverage B. The carriers sought a declaratory judgment that the data breach claims did not fall within the policy's coverage.

The policyholder asserted that the policy's reference to "publication in any manner" was "inconsistent with reading an implied requirement" that the publication had to be due to an act by the policyholder. The insurer disagreed, arguing that the phrase "in any manner" was most logically read to address only the method of publication, and not the party that sends that publication.

In granting summary judgment to the insurers, Justice Jeffrey K. Oing of the Supreme Court of the State of New York stated that, if he were to find coverage for the acts of third parties, he would be "essentially rewriting this contract, the insurance contract . . .and . . . expanding coverage when it was never contemplated." Recognizing that the offenses in Coverage B all have an intent element, the court ruled that the coverage provision "cannot be expanded to include third party acts." The court noted that the rest of the offenses enumerated in Coverage B focused on the acts of the policyholder, and it would be illogical for this prong to "take[] a different approach and include[] acts by third parties." The court further noted that the limited case law published on the issue, such as Butts v. Royal Vendors, Inc., 202 W. Va. 448, 454 (1998), supported the proposition that Coverage B offenses do not cover publications by third parties.

Policyholder advocates have characterized the Sony ruling as an unexpected one, contending that the focus on the party that published the private data came as a surprise. An article today in Law360 suggested that the opinion "could convince reluctant policyholders to take the plunge and buy data breach policies." The Law360 article suggested that many policyholders have not purchased cyber coverage because of the belief that there is coverage for data breach losses under CGL policies. And while some policyholder advocates have opined that it is ill-advised for companies to rely on CGL coverage to respond to data breach liabilities, most expect that the existence of data breach coverage under CGL policies will remain hotly contested.