The fallout from the massive data breaches suffered by Sony Corp. earlier this year now includes insurance coverage litigation. In April, hackers accessed account data on more than 100 million users of Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures. Sony estimates that the attack on its data centers will cost $178 million this fiscal year, not including potential compensation to claimants.
Not surprisingly, what some are calling the "second-largest online data breach in U.S. history" has led to an avalanche of litigation. Sony has been sued in 55 putative class actions in the United States and another three class actions in Canada. The class actions generally allege common law and federal and state statutory claims against Sony. The class members assert that they maintained accounts with Sony and have been damaged by the theft of their personal identification and financial information, Sony's delay in notifying them of the cyber attack, and the shutdown of Sony's PlayStation and online entertainment services following the data breaches. Additionally, several state attorneys general and the Federal Trade Commission are investigating the data breach. Faced with the prospect of huge litigation costs, Sony asked its liability insurers to defend and indemnify it against the lawsuits and potential government actions. Unfortunately for Sony, its liability insurers are not clamoring to fund Sony's defense.
Instead, Zurich American Insurance Company filed a declaratory judgment action against Sony in late July seeking, among other things, a declaration that it has no duty to defend or indemnify Sony against customer class actions and related matters. Zurich sold primary commercial general liability (CGL) and excess liability policies to Sony. Zurich claims that the lawsuits arising out of the cyber attacks are not covered by the "bodily injury," "property damage" and "personal and advertising injury" coverages provided by its liability policies. Zurich also claims that the lawsuits against Sony are excluded by its policies.
The Zurich lawsuit is not the first time an insurer has refused to pay claims resulting from a network security breach under CGL policies, nor will it be the last. Although policyholders have had some success in securing coverage for computer-related losses under CGL policies, insurers have prevailed in their fair share of the coverage cases. More importantly, express exclusions for data breaches and other cyber claims are becoming more and more common in CGL policies.
The coverage battle between Zurich and Sony highlights the mistake that some policyholders make when purchasing liability insurance. They assume that the broad scope of coverage provided by CGL policies will protect them from cyber liability claims. Depending on the circumstances of the loss, however, this assumption may be incorrect. Moreover, even where coverage should be available, the insurance company likely will resist payment on the alleged grounds that CGL policies are not intended to cover cyber risks. In such cases, coverage will only be secured after a lengthy dispute with the insurance company.
In order to avoid the coverage troubles faced by Sony, companies should consider the purchase of a cyber security policy. Cyber security policies provide defense and indemnity coverage for third-party claims such as the class actions filed against Sony. The policies also cover the defense of government investigations and the payment of consumer redress costs arising out of regulatory actions related to data breaches. Cyber security policies offer many other protections against cyber losses, including the often massive direct costs to companies arising out of cyber attacks, such as business interruption losses, remediation costs and public relations expenses.
All companies use electronic data in their businesses, and no company's firewalls provide bullet-proof protection against a persistent hacker. Even if you believe that your company is not a prime target of cyber criminals, take a lesson from Sony's painful experience and place cyber security insurance on the agenda at your company's next meeting with its insurance broker.