Square Peg…Round Hole

On February 21, 2014, the New York Supreme Court, New York County, issued an important decision shedding light on whether a standard Comprehensive General Liability (CGL) policy extends cyber liability coverage to policyholders for claims emanating from a data breach. In Zurich American Insurance Company v. Sony Corporation, a New York trial court found that coverage was unavailable to Sony Corporation of America for claims arising from Sony’s massive data breach under the Personal and Advertising Injury section of a standard CGL policy issued to Sony by Zurich American Insurance Company. An appeal is anticipated. The Sony case is not only instructive to insureds and insurers alike, but underscores the need for insureds to tailor their coverage portfolio to specifically address cyber-related risks.

In Sony, the court was tasked with addressing coverage for a data breach involving the Sony Playstation Network. In addition to permitting its users to play video games with each other over the Internet, Sony Playstation Network permits its users to purchase video games, add-on content, demos and movies that can be selectively downloaded. As part of the network registration process, users are required to disclose certain personal information, such as names, addresses, passwords and credit card information. In April 2011, hackers were able to access and steal some or all of that information from over 77 million Sony Playstation Network users. Litigation ensued and various class action complaints were subsequently consolidated into a Federal Multi-District Litigation in the District Court for the Southern District of California. Sony tendered the claims to various carriers, including its CGL carrier, Zurich, who responded to the tender by instituting a declaratory judgment action in New York State Supreme Court against various Sony entities. Zurich’s action against Sony sought a declaration that the claims did not qualify for coverage under the Personal and Advertising Injury portion of its policy. Sony and Sony Computer Entertainment America filed motions for Summary Judgment against Zurich who cross-moved, in part, for a declaration that coverage was unavailable.

The Zurich policy included the standard 2006 CGL Insurance Services Office form defining Personal and Advertising Injury to include, in pertinent part, “Oral or written publication, in any manner, of material that violates a person’s right of privacy.” Sony argued that the theft of the Sony Playstation Network users’ personal information constituted “publication, in any manner” for purposes of Personal and Advertising Injury. Thus, Sony contended that damages arising out of the theft were covered under the Zurich CGL policy. Zurich, on the other hand, argued that the theft of data was not “publication.” Zurich also argued in the alternative that even if the theft was publication, such publication was perpetrated by the third party hackers and not the insured and therefore coverage was not triggered.

The court held that the theft of the users’ information qualified as “publication” for purposes of Personal and Advertising Injury — equating it to the opening of Pandora’s Box. Nevertheless, the court agreed with Zurich that coverage was unavailable where the act leading to the “publication” was not performed by the policyholders but instead by a third party, in this instance, hackers. In so doing, the court rejected Sony’s argument that the “in any manner” qualification extended to the “medium” in which the publication occurs and the entities responsible for the publication. Instead, the court concluded that the “in any manner” qualification pertained solely to the medium in which the confidential information was released and not the party responsible for publication. In order to trigger coverage, the court found that SONY, or another policyholder, had to have committed or perpetrated the act of publicizing the information. Publication by third party hackers was insufficient.

Groundbreaking Decision

The Sony decision is the first major insurance coverage ruling in the data breach context that focuses on the entity responsible for the “publication.” Prior to the Sony ruling, decisions addressing the “publication” provision of Personal and Advertising Injury grant of coverage focused largely on the dissemination of the information (i.e., whether widespread or localized) and whether the information, for example, had actually been disclosed to a third party.

For example, in Encore Receivable Management, Inc. v. ACE Property and Casualty Insurance Company, the Court addressed the question of coverage under a CGL policy for claims against an entity that operated a call center for Hyundai. Encore recorded conversations between Encore employees and Hyundai customers and used the recordings for training and quality control purposes. Claims were filed and coverage litigation followed soon thereafter. The Court found that under Ohio law widespread dissemination of confidential information was not necessary in order to establish “publication” under Personal and Advertising Injury coverage and that the mere recording of the conversations constituted such “publication.” That decision is currently on appeal.

In Recall Total Info Mgmt. Inc. v. Federal Ins. Co., Recall sought coverage under its CGL policy with Federal for a suit involving loss of electronic data tapes that had fallen out of a truck and were subsequently stolen. The court found that because there was no allegation of disclosure to someone who was unauthorized to access the data, there was no viable claim for invasion of privacy. In early 2014, the Recall decision was upheld on appeal.

Lessons Learned

Perhaps the lesson to be learned from Sony is that policyholders cannot depend on their CGL portfolio to provide peace of mind with respect to coverage for data breach and cyber insurance risks. If anything, the decision underscores the need for companies, especially those doing business on the Internet (which means just about everybody), to have specialized cyber liability coverage. There are growing signs that companies are already seeking out specific cyber insurance products. Indeed, a top of official of Marsh & McLennan recently testified before a Senate committee and noted that the number of Marsh clients purchasing stand-alone cyber insurance increased by more than 20 percent in just the past year.

Interest in specific, stand-alone cyber coverage should come as no surprise to those involved in risk management and insurance-related fields. Companies have long been utilizing specialized coverage products to fill in gaps in their insurance coverage portfolios. Finely crafted Professional Indemnity, Errors & Omissions and Directors & Officers’ insurance policies were the first such products created and offered to fill gaps in policyholders’ broader coverage profile. Cyber risk insurance is just the latest in a long list of insurance products geared to cover specific risks not neatly fitting under the CGL form. Additionally, one has to question whether and to what extent the Sony decision, and perhaps others to follow, may harden the market with respect to pricing for cyber-related insurance products.

In light of the Sony decision and with data breaches becoming larger and more commonplace, it will be interesting to see whether and to what extent companies, who have not already done so, attempt to tailor their insurance coverage profile to specifically and comprehensively address potential claims arising from a data breach.