BreachExchange mailing list archives

Where Does Sony Settlement Leave CGL Insurance for Data Breaches?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 13 May 2015 19:33:33 -0600

http://www.thelegalintelligencer.com/id=1202726345560/Where-Does-Sony-Settlement-Leave-CGL-Insurance-for-Data-Breaches?slreturn=20150413160458

It was reported recently that the parties in the closely watched data
breach case of Zurich American Insurance v. Sony Corp. of America (N.Y.
Sup. Ct. Feb. 21, 2014) settled while Sony's appeal of an unfavorable trial
court opinion was pending. That opinion found that no coverage was
available to Sony for a massive data breach under its commercial general
liability (CGL) policy. This settlement leaves open questions regarding
claims by insureds regarding data hacks in existing data breach cases,
especially in light of recent changes to the CGL forms.

Zurich's Controversial Decision

Zurich centered on a data hack that Sony experienced in April 2011. During
that hack, the personal information of tens of millions of Sony PlayStation
users was exposed. Sony was subsequently sued in over 50 separate class
actions from the users; Sony estimated its losses to be as high as $2
billion. Consequently, Sony sought coverage from its insurers, arguing that
the data breach was a "publication" of private information under Coverage B
of its CGL policy, and thus constituted an invasion of privacy.

A standard CGL policy usually contains a section titled "Coverage
B—Personal and Advertising Liability Injury." The current Insurance
Services Office Inc. (ISO) form for Coverage B typically provides coverage
for "those sums that the insured becomes legally obligated to pay as
damages because of 'personal and advertising injury' to which this
insurance applies." "Personal and advertising injury" is defined as an
"oral or written publication, in any manner, of material that violates a
person's right of privacy."

After Sony's data breach, Zurich American Insurance denied Sony's coverage
claim and filed suit in July 2011. The insurer argued that, under Coverage
B, the language "publication in any manner" described only the type of
disclosure, not the identity of the disclosing party. Zurich contended that
coverage would only extend to the publication of information by Sony, not
third parties such as hackers, even though there were no such limitations
in the policy language. Therefore, it argued, the data breach did not fall
under the CGL policy.

In his bench ruling in February 2014, New York Supreme Court Judge Jeffrey
Oing stated that the data breach was a "publication" under the terms of the
CGL policy. In this electronic age, he said, "by just merely opening up
that safeguard or that safe box where all of the information was … my
finding is that that is publication." However, he said, this publication
was not subject to Coverage B, because it was an act by third-party hackers
and therefore did not constitute an "oral or written publication in any
manner of the material that violates a person's right of privacy" under the
CGL policy.

"In this case here," he said, "we have a hacking, an illegal intrusion into
the defendant Sony's secured sites where they had all of the information
... Was that a publication that was perpetrated by Sony or was that done by
the hackers?" He opined, "I am not convinced that that is oral or written
publication in any manner done by Sony. That is an oral or written
publication that was perpetrated by the hackers." He further stated, "[The
CGL policy] requires the policyholder to perpetrate or commit the act. It
cannot be expanded to include third-party acts."

Contradictory Rulings on CGL Policies

Sony, of course, appealed the trial court's decision. Although
controversial, the trial court's ruling was not surprising. Several courts
had struggled with the definition of "publication" under Coverage B in
recent years, with differing results. In Butts v. Royal Vendors, 202 W.Va.
448 (W. Va. 1998), for example, the court held that there was no coverage
for "publication of material" that violates a third party's right to
privacy. In other words, the insured would be covered, but data for
customers, patients, etc., that may be housed with the insured would not.
More recently, a Connecticut court found in Recall Total Info Management v.
Federal Insurance, 83 A.2d 664, 666-67 (Conn. App. Ct. 2014), that a mere
theft of information, without proof of any additional access, was
insufficient to find a "publication" under a CGL policy. However, the U.S.
District Court for the Central District of California has upheld coverage
under a CGL policy for a hospital data breach that compromised the records
of nearly 20,000 patients, in Hartford Casualty Insurance v. Corcino &
Associates, No. CV 13-3728 GAF (JCx) (Oct. 7, 2013).

CGL Policies and Data Breaches

Of course, many companies other than Sony have experienced data breaches
and have attempted to shoehorn their claims under CGL policies that were
not specifically tailored to cover cybersecurity incidents. Such policies
were originally designed to protect against bodily injury, property damage,
and personal and advertising injury. Other than the Coverage B section at
issue in Zurich, most CGL policies also provide a form titled "Coverage
A—Bodily Injury and Property Damage Liability," which typically provides
coverage for "those sums that the insured becomes legally obligated to pay
as damages because of bodily injury or 'property damage' to which this
insurance applies." Insureds have not found much sympathy with courts when
bringing cybersecurity claims under this section as it has frequently been
interpreted to require a showing of harm to a tangible object. Further,
many CGL policies are also now including an electronic data exclusion that
specifically excludes most data from Coverage A.

Unsurprisingly, given the confusion in the courts over these issues and the
rapid uptick in third-party external hacking incidents, these standard CGL
policies have now been updated to provide the insureds with further
clarification. For example, CGL policies now include the 2014 ISO form
"Access or Disclosure of Confidential or Personal Information Exclusion."
This exclusion expressly limits Coverage B and excludes accessing or
disclosure of, among other things, "patents, trade secrets, processing
methods, customer lists, financial information, credit card information,
health information or any other type of nonpublic information." In other
words, most of the information that is compromised during data breaches.
While it can take a long time for standard CGL exclusions to be added to
all policies, this move demonstrates that going forward, insureds will have
an almost impossible task if they try to claim coverage under CGL policies.

Specific Policies to Cover Specific Risks

With CGL forms specifically limiting coverage and insurers fighting data
breach claims under CGL policies, it is no surprise that specific
cyberinsurance policies are on the rise. Technically, these policies have
been available in some form for almost 20 years, but they are only now
gaining prominence—brokers selling these policies have even taken to
mainstream advertising, presumably to inform smaller business owners of
their availability. These policies fill the gaps of traditional coverage,
and often offer first-party coverage for direct costs associated with a
potential data breach, such as a forensic investigation, business
interruption, and computer and data loss. They also cover risks from third
parties such as privacy liability, network liability and Internet media
liability. The language in these policies, however, is not standardized and
is untested by most courts, leaving insureds with little assurance as to
their level of protection.

In the future, expect to see individual cyberinsurance policies widely
utilized by businesses of all sizes to fill much-needed coverage gaps, even
if these policies are still "new" to the insurance market. Similarly,
expect to see decreased claims under CGL policies as the new CGL forms are
adopted and as courts refine their positions on what constitutes a data
breach for older policies. Like it or not, the trial court's decision in
Zurich is currently good law—until the next data breach litigation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss