BreachExchange mailing list archives
Where Does Sony Settlement Leave CGL Insurance for Data Breaches?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 13 May 2015 19:33:33 -0600
http://www.thelegalintelligencer.com/id=1202726345560/Where-Does-Sony-Settlement-Leave-CGL-Insurance-for-Data-Breaches?slreturn=20150413160458

It was reported recently that the parties in the closely watched data breach case of Zurich American Insurance v. Sony Corp. of America (N.Y. Sup. Ct. Feb. 21, 2014) settled while Sony's appeal of an unfavorable trial court opinion was pending. That opinion found that no coverage was available to Sony for a massive data breach under its commercial general liability (CGL) policy. The settlement leaves open questions about claims by insureds for data hacks in existing data breach cases, especially in light of recent changes to the CGL forms.

Zurich's Controversial Decision

Zurich centered on a data hack that Sony experienced in April 2011. During that hack, the personal information of tens of millions of Sony PlayStation users was exposed. Sony was subsequently sued in over 50 separate class actions from the users; Sony estimated its losses to be as high as $2 billion. Consequently, Sony sought coverage from its insurers, arguing that the data breach was a "publication" of private information under Coverage B of its CGL policy, and thus constituted an invasion of privacy.

A standard CGL policy usually contains a section titled "Coverage B—Personal and Advertising Liability Injury." The current Insurance Services Office Inc. (ISO) form for Coverage B typically provides coverage for "those sums that the insured becomes legally obligated to pay as damages because of 'personal and advertising injury' to which this insurance applies." "Personal and advertising injury" is defined as an "oral or written publication, in any matter, of material that violates a person's right of privacy."

After Sony's data breach, Zurich American Insurance denied Sony's coverage claim and filed suit in July 2011. The insurer argued that, under Coverage B, the language "publication in any manner" described only the type of disclosure, not the identity of the disclosing party. Zurich contended that coverage would only extend to the publication of information by Sony, not by third parties such as hackers, even though there were no such limitations in the policy language. Therefore, it argued, the data breach did not fall under the CGL policy.

In his bench ruling in February 2014, New York Supreme Court Judge Jeffrey Oing stated that the data breach was a "publication" under the terms of the CGL policy. In this electronic age, he said, "by just merely opening up that safeguard or that safe box where all of the information was … my finding is that that is publication." However, he said, this publication was not subject to Coverage B, because it was an act by third-party hackers and therefore did not constitute an "oral or written publication in any manner of the material that violates a person's right of privacy" under the CGL policy. "In this case here," he said, "we have a hacking, an illegal intrusion into the defendant Sony's secured sites where they had all of the information ... Was that a publication that was perpetrated by Sony or was that done by the hackers?" He opined, "I am not convinced that that is oral or written publication in any manner done by Sony. That is an oral or written publication that was perpetrated by the hackers." He further stated, "[The CGL policy] requires the policyholder to perpetrate or commit the act. It cannot be expanded to include third-party acts."

Contradictory Rulings on CGL Policies

Sony, of course, appealed the trial court's decision. Although controversial, the trial court's ruling was not surprising. Several courts had struggled with the definition of "publication" under Coverage B in recent years, with differing results. In Butts v. Royal Vendors, 202 W.Va. 448 (W. Va. 1998), for example, the court held that there was no coverage for "publication of material" that violates a third party's right to privacy. In other words, the insured would be covered, but data for customers, patients, etc., that may be housed with the insured would not. More recently, a Connecticut court found in Recall Total Info Management v. Federal Insurance, 83 A.2d 664, 666-67 (Conn. App. Ct. 2014), that a mere theft of information, without proof of any additional access, was insufficient to find a "publication" under a CGL policy. However, the U.S. District Court for the Central District of California has upheld coverage under a CGL policy for a hospital data breach that compromised the records of nearly 20,000 patients, in Hartford Casualty Insurance v. Corcino & Associates, No. CV 13-3728 GAF (JCx) (Oct. 7, 2013).

CGL Policies and Data Breaches

Of course, many companies other than Sony have experienced data breaches and have attempted to shoehorn their claims under CGL policies that were not specifically tailored to cover cybersecurity incidents. Such policies were originally designed to protect against bodily injury, property damage, and personal and advertising injury. Other than the Coverage B section at issue in Zurich, most CGL policies also provide a form titled "Coverage A—Bodily Injury and Property Damage Liability," which typically provides coverage for "those sums that the insured becomes legally obligated to pay as damages because of bodily injury or 'property damage' to which this insurance applies." Insureds have not found much sympathy with courts when bringing cybersecurity claims under this section, as it has frequently been interpreted to require a showing of harm to a tangible object. Further, many CGL policies now also include an electronic data exclusion that specifically excludes most data from Coverage A.

Unsurprisingly, given the confusion in the courts over these issues and the rapid uptick in third-party external hacking incidents, these standard CGL policies have now been updated to provide insureds with further clarification. For example, CGL policies now include the 2014 ISO form "Access or Disclosure of Confidential or Personal Information Exclusion." This exclusion expressly limits Coverage B and excludes access to or disclosure of, among other things, "patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information." In other words, it excludes most of the information that is compromised during data breaches. While it can take a long time for standard CGL exclusions to be added to all policies, this move demonstrates that, going forward, insureds will have an almost impossible task if they try to claim coverage under CGL policies.

Specific Policies to Cover Specific Risks

With CGL forms specifically limiting coverage and insurers fighting data breach claims under CGL policies, it is no surprise that specific cyberinsurance policies are on the rise. Technically, these policies have been available in some form for almost 20 years, but they are only now gaining prominence—brokers selling these policies have even taken to mainstream advertising, presumably to inform smaller business owners of their availability. These policies fill the gaps of traditional coverage, and often offer first-party coverage for direct costs associated with a potential data breach, such as a forensic investigation, business interruption, and computer and data loss. They also cover risks from third parties such as privacy liability, network liability and Internet media liability. The language in these policies, however, is not standardized and is untested by most courts, leaving insureds with little assurance as to their level of protection.

In the future, expect to see individual cyberinsurance policies widely utilized by businesses of all sizes to fill much-needed coverage gaps, even if these policies are still "new" to the insurance market. Similarly, expect to see decreased claims under CGL policies as the new CGL forms are adopted and as courts refine their positions on what constitutes a data breach for older policies. Like it or not, the trial court's decision in Zurich is currently good law—until the next data breach litigation.