The legal dispute between Sony and Zurich American Insurance Co. over data breach liability claims highlights the challenges that companies can sometimes face in getting insurance providers to cover expenses arising from cybersecurity incidents, especially if they don't have the right type of coverage in place. (See related Insurance Unplugged interview.)
Zurich asked the New York State Supreme Court last week to absolve it of any responsibility for defending or indemnifying Sony against claims arising from the recent data breaches at the company.
The data breaches at Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures resulted in account data on close to 100 million individuals becoming exposed and over 12 million credit and debit cards being compromised. The breaches have so far resulted in at least 55 putative class-action lawsuits being filed against Sony in the U.S and another three lawsuits filed against it in Canada. Sony expects to spend close to $180 million in the next year alone on breach-related costs.
But the company's attempts to get Zurich to defend it against the claims have hit a roadblock.
According to Zurich Insurance, the commercial general liability insurance policy it has with Sony Computer Entertainment America does not cover damages arising from cyber incidents. The policy only covers "bodily injury" and "property damage" caused by occurrences other than the kind of cyberattacks Sony experienced.
The lawsuit is similar to one filed last year by the Colorado Casualty Insurance Co. against the University of Utah in another data breach incident. In its lawsuit, Colorado Casualty, like Zurich, argued that it wasn't responsible for reimbursing the university for $3.3 million in costs related to a 2008 data breach caused by a third-party service provider.
In that case, however, Colorado Casualty offered no reasons for its position, which later resulted in a motion for dismissal by the third-party service provider.
The position that Zurich has taken in its lawsuit is likely to be substantiated by the court, predicted Dana Coates, a cyber liability insurance specialist with United Agencies, an insurance brokerage company based in California.
"Personal and advertising injury liability coverage, as provided by typical General Liability policies, is specifically intended to cover resulting bodily injury and property damage liability," Coates said. Cyber attacks and data breaches are not defined or considered as bodily injury or property damage, he said via email.
Quite often, cyber incidents are specifically excluded by some policies to underscore the carrier's intention to not consider such allegations as being covered, Coates said. Sony needed to have specifically purchased cyber liability coverage for its claims to be considered, Coates said.
Part of the problem is that companies sometimes mistakenly assume that any general insurance coverage they have also offers protection against cyber incidents, said Alan Paller, director of research at the SANS Institute.
Companies, for instance, sometimes assume that the insurance coverage they have in place to compensate them in case financial or business records get destroyed also protects them in the event of a cyber breach. In reality, such business records insurance coverage does not extend to data losses stemming from cyber incidents, though it might have in the past, he said.
Now if a company wants business records coverage that includes protection against data breaches, it needs to buy a separate cyber insurance policy, Paller said.