Why Sony's Insurers Should Be Liable in Data Breach

Even insurers acknowledge that Sony had coverage.

On Feb. 21 a New York trial court judge let Sony’s insurers, Zurich American Insurance and Mitsui Sumitomo Insurance, off the hook for Sony’s massive 2011 PlayStation data breach. That breach, in which hackers stole the personally identifiable information (PII) of PlayStation users, is one of the largest data breaches to date.

The litigation turns on whether Sony is covered for the data breach under Coverage B of its commercial general liability (CGL) insurance policies. Under the standard industry form, which is materially the same as Sony’s policies, Zurich committed to “pay those sums that [Sony] becomes legally obligated to pay as damages because of ‘personal and advertising injury,’” which is defined to include “injury … arising out of … [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”

While insurers frequently attempt to avoid coverage for privacy-related claims by arguing that the requirements of a “publication” or “right of privacy” are not satisfied, this would have been a weak argument for Zurich. Instead, Zurich filed a declaratory judgment action against Sony, and Sony’s other insurers, seeking to avoid or minimize its coverage obligations on the basis that Sony itself did not invade any privacy rights. In its cross motion for summary judgment, Zurich asserted that its policy “coverage is limited to protect against the purposeful and intentional acts committed by the insured or its agents, not by non-insureds or third-parties.”

Putting aside the fact that it’s somewhat astonishing for an insurer to take the position that “purposeful and intentional acts committed by the insured” are covered (usually insurers assert that knowing or intentional acts are excluded), the New York trial court agreed. It ruled from the bench that Sony’s liability policies are triggered only by actions by Sony, and not by the actions of the third parties who hacked into the network and stole the PII.

With all respect to the New York trial court, this one should have been a clear Sony victory. Here are five top reasons why:

#1. The plain policy language does not require Sony to “do” anything.

Nowhere in the coverage agreement or the key definition do Sony’s policies require any action by Sony. In fact, it is clear that the policies are not triggered by Sony’s actions, as argued by Zurich, but rather by Sony’s liability, i.e., sums that Sony “becomes legally obligated to pay” that “arise out of” the publication of PII. The extremely broad language, moreover, extends to Sony’s liability for injury for publication “in any manner,” such as a hacker attack into Sony’s network. There is absolutely nothing in the broad Coverage B language to limit coverage to the actions of Sony. This is straightforward: Sony has liability for the breach; therefore, Coverage B coverage is triggered.

#2. Sony is entitled to the benefit of any and all reasonable doubt.

To the extent there was any ambiguity at all (I think there is not), Sony is entitled to every reasonable doubt in its favor under well-established rules of insurance contract construction. New York’s highest court has made this abundantly clear: “Ambiguities in an insurance policy are to be construed against the insurer.”

In addition, given the standard policy “knowing violation of rights” exclusion applicable to Coverage B (which bars coverage for injury “caused by or at the direction of the insured”), to the extent a “purposeful and intentional” act was required to trigger coverage, as argued by Zurich, then the conduct required to trigger the coverage would also, presumably, in Zurich’s view, trigger the exclusion, thereby rendering the coverage illusory. This result is barred by New York public policy.

#3. The insurance industry has acknowledged that CGL policies provide data breach coverage.

The insurance industry clearly understands that there is data breach coverage under Coverage B, as evidenced by the fact that the industry recently filed a series of data breach exclusions, which were to become effective this May. ISO has issued new data breach exclusions and classified them as resulting in reduction of coverage for data breach (meaning there is coverage at present):

To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.

#4. Zurich itself has acknowledged that its policies provide data breach coverage.

Zurich, Sony’s insurer, itself has expressly recognized that the language of its policies may provide coverage in the event of a data security breach via hacking, i.e., third-party actions, because hacking can lead to legal exposure to the insured (i.e., liability, which is the genuine coverage trigger, and not Sony’s action or inaction as now asserted by Zurich):

Security breaches via hacking, phishing, pharming, unauthorized internal access and the inadvertent disclosure of non-public personal information are all circumstances that can lead to legal exposure. Potential causes of action resulting from data security breaches may include increased risk of identity theft, actual or attempted identity theft, violation of consumer protection statutes, negligence, breach of contract, breach of fiduciary duty and even fraud.

A company’s standard property and casualty insurance policies may provide some coverage in the event of a data security breach, but specialized cyberliability coverages may be worth exploring and evaluating.

#5. The cases Zurich cited do not support deviation from the clear policy language.

Notably, the few cases cited by Zurich in the Sony litigation are factually inapposite and interpret entirely different policy language. For starters, nearly all involve circumstances in which an insured attempted to avoid the application of the pollution exclusion applicable to Coverage A of the standard industry CGL policy by seeking coverage under Coverage B, which includes coverage for injury arising out of “wrongful entry or eviction or other invasion of the right of private occupancy” (or similar wording). Here, Sony is not trying to avoid application of an allegedly intended exclusion; it is simply trying to secure the privacy coverage that it purchased.

Moreover, although the “wrongful entry” wording may have been interpreted narrowly by some courts in the context of pollution-related cases, the “right of privacy” wording at issue in the Sony coverage litigation has been given a broad interpretation. Courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging breach of privacy laws and regulations. For all of these reasons, Sony would appear to have excellent grounds for appeal.

Roberta Anderson

Roberta Anderson is a director at Cohen & Grigsby. She was previously a partner in the Pittsburgh office of K&L Gates. She concentrates her practice in the areas of insurance coverage litigation and counseling and emerging cybersecurity and data privacy-related issues.
