Five Reasons Why The Sony Data Breach Coverage Decision Is Wrong
On Friday February 21st, a New York trial court judge let Sony’s insurers, Zurich American Insurance Co. and Mitsui Sumitomo Insurance Co., off the coverage hook for Sony’s massive 2011 PlayStation data breach. That breach, in which hackers stole the personally identifiable information (PII) of PlayStation users, is one of the largest data breaches to date. In the wake of a breach, Zurich filed a declaratory judgment action against Sony, and Sony’s other insurers, seeking to avoid or minimize its coverage obligations.
The coverage litigation turns on whether Sony is covered for the data breach under Coverage B of its commercial general liability (CGL) insurance policies. Under the standard industry form, which is materially the same as Sony’s policies, Zurich committed to “pay those sums that [Sony] becomes legally obligated to pay as damages because of ‘personal and advertising injury’,” which is defined to include “injury… arising out of… [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”
While insurers frequently attempt to avoid coverage for privacy-related claims by arguing that the requirements of a “publication” and/or “right of privacy” are not satisfied, this would have been a weak argument for Zurich. Instead, Zurich sought to avoid coverage (so far successfully) on the basis that Sony itself did not invade any privacy rights. In particular, in its cross motion for summary judgment, Zurich asserted that its policy “coverage is limited to protect against the purposeful and intentional acts committed by the insured or its agents, not by non-insureds or third-parties.” [1]
Putting aside the fact that it’s somewhat astonishing for an insurer to take the position that “purposeful and intentional acts committed by the insured” are covered (usually insurers assert knowing or intentional acts exclusions for such acts, and we can be sure that Zurich would have done exactly that if facts were present to support the assertion), the New York trial court agreed with this proposition, ruling from the bench that Sony’s liability policies are triggered only by actions by Sony, and not to the actions of the third-parties who hacked into the network and stole the PII.
With all respect to the New York trial court, this one should have been a clear Sony victory. Here are five top reasons why:
#1. The Plain Policy Language Does Not Require Sony To “Do” Anything. Nowhere in the coverage agreement or the key definition do Sony’s policies require any action by Sony. In fact it is clear that the policies are not triggered by Sony’s actions, as argued by Zurich, but rather are triggered by Sony’s liability, i.e., sums that Sony “becomes legally obligated to pay” that “arise out of” the publication of PII. The extremely broad language, moreover, extends to Sony’s liability for injury for publication “in any manner,” i.e., via a hacker attack into Sony’s network or otherwise. There is absolutely nothing in the broad Coverage B language to limit coverage to the actions of Sony. This is straightforward: Sony has liability for the breach; therefore, Coverage B coverage is triggered. [2]
#2. Sony Is Entitled To The Benefit Of Any And All Reasonable Doubt.
To the extent there were any ambiguity at all (I think there is not), Sony is entitled to every reasonable doubt in its favor under well-established rules of insurance contract construction. New York’s highest court has made this abundantly clear: “ambiguities in an insurance policy are to be construed against the insurer.” [3]
In addition, given the standard policy “knowing violation of rights” exclusion applicable to Coverage B (which bars coverage for injury “caused by or at the direction of the insured”), to the extent a “purposeful and intentional” act were required to trigger coverage, as argued by Zurich, then the conduct required to trigger the coverage would also presumably, in Zurich’s view, trigger the exclusion, thereby rendering the coverage illusory. This result is barred by New York public policy. [4]
#3. The Insurance Industry Has Acknowledged That CGL Policies Provide Data Breach Coverage.
The insurance industry clearly understands that there is data breach coverage under Coverage B, as evidenced by the fact that the industry recently filed a series of data breach exclusions, which are to become effective this May. In issuing the new exclusions, ISO [5] acknowledged that coverage for data breaches is currently available under its standard forms, but explained that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy”: [6]
At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information. [7]
ISO has classified its data breach exclusions as resulting in reduction of coverage for data breach (meaning there is coverage at present):
To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage. [8]
#4. Zurich Itself Has Acknowledged That its Policies Provide Data Breach Coverage.
Zurich, Sony’s insurer, itself has expressly recognized that the language of its policies may provide coverage in the event of a data security breach via hacking, i.e., third party actions, because hacking can lead to legal exposure to the insured (i.e., liability, which is the genuine coverage trigger, and not Sony’s action or inaction as now asserted by Zurich):
Security breaches via hacking, phishing, pharming, unauthorized internal access and the inadvertent disclosure of non-public personal information are all circumstances that can lead to legal exposure. Potential causes of action resulting from data security breaches may include increased risk of identity theft, actual or attempted identity theft, violation of consumer protection statutes, negligence, breach of contract, breach of fiduciary duty and even fraud.
A company’s standard property and casualty insurance policies may provide some coverage in the event of a data security breach, but specialized cyberliability coverages may be worth exploring and evaluating. [9]
#5. The Cases Zurich Cited Do Not Support Deviation From The Clear Policy Language.
Notably, the few cases cited by Zurich in the Sony litigation are factually inapposite and interpret entirely different policy language. For starters, nearly all involve circumstances in which an insured attempted to avoid the application of the pollution exclusion applicable to Coverage A of the standard industry CGL policy by seeking coverage under Coverage B, which includes coverage for injury arising out of “wrongful entry or eviction or other invasion of the right of private occupancy” (or similar verbiage). Here, Sony is not trying to avoid application of an allegedly intended exclusion; it is simply trying to secure the privacy coverage that it purchased.
Moreover, although the “wrongful entry” verbiage may have been interpreted narrowly by some courts in the context of pollution-related cases, the “right of privacy” verbiage at issue in the Sony coverage litigation has been given a broad interpretation. Courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging breach of privacy laws and regulations. [10]
For all of these reasons, Sony would appear to have excellent grounds for appeal.
Notes:
[1] See,
e.g.,
Zurich Am. Ins. Co.’s Mem. of Opp. to Sony Computer Entertainment Am. LLC’s Motion for Partial Summary Judgment and in Support of Cross-Motion for Summary Judgment, at p. 16 (Aug. 30, 2013) (emphasis added).
[2] Importantly, the underlying claims in data breach litigation against Sony’s liability allege, among other things, violations of the California Financial Information Privacy Act, which extends to negligent disclosures of confidential information.
[3] Breed v. Ins. Co. of N. Am., 385 N.E.2d 1280, 1282 (N.Y. 1978).
[4] Wright v. Evanston Ins. Co., 788 N.Y.S.2d 416, 417 (“[I]n light of the additional premium paid by the insured, the interpretation advanced by [the insurer] would render the coverage illusory, a result which the public policy of this state cannot abide.”)
[5] ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners.
[6] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at p. 8.
[10] See, e.g., Netscape Commc’ns Corp. v. Federal Ins. Co., 343 Fed.Appx. 271 (9th Cir. 2009), aff’g 2007 WL 1288192 (N.D. Cal. Apr. 27, 2007) (upholding coverage for claims alleging that the insured’s “SmartDownload” software violated the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act by, among other things, “collecting, storing, and disclosing… claimants’ Internet usage,” which was “used… to create opportunities for targeted advertising”).
