An important ruling has been made concerning the scope of coverage for data breaches and other cyber risks under traditional commercial general liability policies, and it favors insurers.
In a bench ruling, New York Supreme Court Judge Jeffrey Oing said Zurich American Insurance Co. and Mitsui Sumitomo Insurance Co. has no duty to provide defense coverage to Sony Corp. of America for litigation filed after a cyber attack of Sony’s PlayStation gaming system.
Hackers in 2011 stole personal identification information such as names, addresses, birth dates as well as credit card and bank information, potentially.
Zurich sued Sony and other insurers to determine which, if any, would be straddled with coverage obligations.
ALSO READ: New York court to Sony: No personal injury coverage for you!
CGL policies provide coverage for oral or written publication of materials that violate a person’s right to privacy but the judge’s interpretation of policy language led him to declare coverage could not be triggered by anyone other than Sony. Publication must be from the policyholder, Oing concluded.
The ruling was predictably lambasted by policyholder attorneys.
“The plain language of the policy is not ambiguous,” Roberta Anderson, partner in K&L Gates’ Pittsburgh office, told Advisen. “It doesn’t require Sony to do anything deliberate or intentional to get coverage. Coverage B (Personal and Advertising Injury Liability) follows liability, not actions.”
Josh Gold, shareholder in Anderson Kill’s New York office, said the ruling set a bad precedent from a general coverage standpoint.
“I think there is nothing in the policy language to support this ruling,” he said. “Coverage is granted and
ought to be available under a CGL policy even if liability arises from a confluence of actions, including third-parties.”
Ruling in box
According to a transcript of the hearing, Oing found there had been a publication when hackers opened up the “box” where Sony’s customer information was stored. But despite Sony’s insistence that it did not matter if the publication was by Sony or a third party, Oing “cornered himself with an incorrect analogy of the Internet,” said Lon Berk, partner in Hunton & Williams.
“[Oing] should have stopped with the publication but instead he got confused with this analogy of a ‘box,’ and who opened it,” he added. “A computer connected to the Internet is not a closed box. A computer is a device that executes commands. And by connecting it to the internet, its owner is allowing others to give the device commands to execute. Here Sony’s devices executed commands that allegedly led to publication of personal information. The class alleges that is Sony’s fault. Whether it is or is not Sony’s fault should not be a matter for determining the duty to defend, but a matter for determining Sony’s liability.”
“By just merely opening up that safeguard or that safe box where all the information was…my finding is that is publication,” Oing said in court. However, Oing said coverage was not granted to Sony under any circumstance, or “in any manner.”
“That [“in any manner”] talks about the kind of way that it is sent out there and disseminated in the world,” Oing said. “It doesn’t talk about who is actually doing that dissemination.”
“[Oing] should have stopped with the publication but instead he got confused with an incorrect analogy of a ‘box,’ and who opened it,” he added.
Square peg, round hole
Richard J. Bortnick, a shareholder in Christie, Parabue and Young, said Oing acted as an “activist” in “reading in a limitation that was never written in to the policy.”
“The court recognized that personal injury coverage was never designed to extend to cyber breaches or third parties’ publication of personally identifiable information obtained as the result of an unauthorized intrusion,” said Bortnick, who said he agreed with the ruling.
“Finding personal injury coverage in such a circumstance would be tantamount to putting a square peg in a round hole and converting a claim of inadequate cybersecurity into a privacy violation,” he continued. “Looking for GL coverage might be convenient. But it’s also inappropriate and manifestly wrong.”
“If policyholders want privacy insurance coverage, they can purchase it as part of a monoline cyber insurance policy,” Bortnick said.
Anderson said the case is “a Super Bowl ad for cyber insurance.”
Short-lived insurer victory?
Sony is expected to appeal Oing’s ruling. Anderson said Sony has “good legal grounds” for an appeal.
But no matter the final outcome of this case, it may not hold up as a long-term courtroom precedent because efforts are already underway by insurers to tighten policy language and inject new electronic data exclusions.
“The transformation is already underway,” Gold said. “More and more computer-peril exclusions are being added.”
Anderson assumed Sony had no new exclusions in their policy. She added that it may take “a while” for new exclusions to make their way into policies—making the Sony ruling more important.
“I also think the timing issue is under-appreciated,” added Berk. “Many times companies don’t know they were hacked for a year or more. So just because you currently have a policy with exclusions doesn’t mean the triggered policy has them.”