A New York Supreme Court Justice ruled from the bench (that is, verbally and not in a written opinion) that Sony Corp.’s Commercial General Liability policies do not cover liability for the theft by hackers of Sony’s PlayStation Network users’ personal information. How is this decision likely to shape the future of cyber-coverage disputes involving CGL policies?
On February 14, 2014, a New York Supreme Court Justice (the Supreme Court in New York is the trial-level court) ruled that the Personal and Advertising Liability coverage provisions of insurance policies issued to Sony by Zurich American Insurance Company and Mitsui Sumitomo Insurance Company do not cover liabilities Sony faces from the theft by hackers of confidential information belonging to users of Sony’s PlayStation Network. In a verbal ruling from the bench, the Justice said that coverage under the policy did not apply because the harm was caused by third parties (the hackers) and not by Sony, itself. That ruling has left lawyers who do insurance coverage work scratching their heads.
Here’s what Coverage Part B of the standard Personal and Advertising Liability portion of the CGL policy says it covers: “Oral or written publication, in any manner, of material that violates a person’s right of privacy.” Read that one more time and see if there is any language that supports a requirement that the policyholder, itself, must be the publisher of the private material. In fact, the language conveys the opposite of such a requirement. It says that the carrier will pay for damage from publication “in any manner.” What the Court did was to add words to the policy language that just aren’t there. Specifically, it added the words, “by the insured,” so that the policy would read, “Oral or written publication by the insured, in any manner, ….” Well-settled and universal rules of interpretation prohibit re-writing insurance policies in this manner.
In the week and a half since the Court issued the decision, lots of insurance lawyers on both sides of the coverage divide have commented on the implications. Some have said that, because the policyholder was a high-profile company, the decision would likely change the cyber-coverage landscape in cases involving CGL policies. It is far more likely, in fact, that the decision will have no effect at all on the future of cyber-coverage under CGL policies. Here’s why.
The CGL policy is about to change.
First, the decision does not appear in a written opinion. It is, therefore, twice removed from the kind of published opinion (meaning published in the official Court Reporter) that is a prerequisite in most jurisdictions for a decision to have precedential value. The rules of civil procedure in most states actually prohibit citation to unpublished opinions as precedent.
Second, as a trial-court-level decision, it would not be binding on other courts even if there were a written and published opinion. Third, the decision is so patently contrary to the policy language that it is unlikely other courts will pick up on its reasoning and follow it.
Fourth — and here is the salient reason — the CGL policy is about to change. The Insurance Services Office (the insurance-industry trade association that drafts standard form language for the CGL policy) has written a specific exclusion for Coverage B, Personal and Advertising Liability, that precludes coverage for cyber liabilities. And the exclusion is very broadly written. Here’s what it excludes:
“‘Personal and advertising injury’ arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, . . . financial information, credit card information, health information or any other type of nonpublic information.
This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.”
Upwards of forty state insurance commissioners have already approved of this exclusion. It is expected to start hitting renewal policies in about May 2014. This exclusion, and not the Sony decision, is the real and long-term future of cyber-coverage under the CGL policy.
We have written in the past about the relatively new cyber-coverage policies in a number of posts (here, for example). With the advent of the new exclusion for CGL policies, and in light of the ubiquity of cyber threats (corporate executives and in-house counsel routinely cite the risk of a cyber attack as among their top concerns), companies will soon be purchasing cyber policies in great numbers. But the buyer must beware.
Many of the cyber policies on the market contain traps for the unwary that could leave policyholders uncovered for even the usual and well-known kinds of attacks.
There is no ISO standard form cyber policy as yet. This means that every carrier presently offering such a policy is coming up with its own unique language. And the differences in coverage offered by the various carriers are as plentiful as the number of policies on the market. Many of these policies provide very broad coverage that should give policyholders protection against nearly all presently existing threats and indemnity payment for all of the usual costs of liabilities, including, investigation, remediation, notification, customer service, public relations, liability to the government, credit monitoring, and the like.
Conversely, many of the policies currently on the market contain traps for the unwary that could leave policyholders uncovered for even the usual and well-known kinds of attacks that are routinely launched against corporations. It is clear that underwriters have some catching up to do on the learning curve of cyber-attack risk assessment. In the meantime, companies would do well to consult knowledgeable professionals about the language and coverage of any contemplated cyber-policy before writing a premium check.