A recent decision by a New York state trial court judge has the potential to spark an enormous expansion of the data breach coverage marketplace. Until now, many policyholders have been reluctant to buy additional insurance under the assumption that data breach losses would be covered under existing commercial general liability policies. The decision in Zurich American Insurance Company v. Sony Corporation, among the first to address coverage issues for large-scale data security breaches, brings that assumption into serious doubt.

On February 21, 2014, a judge ruled that Zurich American Insurance Company has no duty to defend Sony Corporation in lawsuits relating to a 2011 cyberattack on its PlayStation network. At the time, that attack was among the largest such events in history – nearly $2 billion in losses were claimed after hackers stole personal information from millions of PlayStation users including names, addresses, birthdates, credit card numbers, and bank account information.

Zurich, Sony’s general liability insurer, brought a declaratory action to determine coverage for approximately 60 underlying lawsuits arising out of the PlayStation cyberattack. The Coverage B (personal injury coverage) provision at issue in Zurich’s policy covered “oral or written publication in any manner of material that violates a person’s right of privacy.”  The fundamental question was whether this grant of coverage required Sony to commit the breach-causing act, or if third parties’ acts sufficed. The court emphasized that Sony was not at all involved in the “publication,” but that criminal hackers illegally intruded the PlayStation sites, breaching Sony’s security. The court concluded that “in any manner” referred to “any manner” of dissemination, and not “by any actor.”

Sony asserted that the policy lacked clear language to exclude this type of cyberattack from coverage. Zurich countered that every tort claim within the purview of the personal injury coverage required an intentional act or affirmative conduct by the policyholder.  The court further noted that the insurers were bargaining with only the policyholder, and not with any third parties, when issuing the liability insurance. The court would not agree to further expand the coverage being issued to include the hackers responsible for the data breach.

Although subject to appeal, the recent PlayStation cyberattack decision is likely to be a frequently cited decision going forward and will likely impact the realm of liability insurance and cyber insurance significantly.  Companies susceptible to data breach claims would be wise to have a mitigation-of-risk program in place that includes, but certainly is not limited to purchasing insurance that safeguards against these specific risks.