Sony Data Breach Raises Insurance Issues

May 6, 2011

On April 19, 2011, Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts. The company could not rule out that some 12.3 million credit card numbers had been obtained during the intrusion. The breach is reportedly one of the largest-ever Internet security break-ins.

As a result of the breach, Sony shut down its PlayStation Network on April 20. The company later said the breach resulted from a sophisticated criminal attack designed to steal personal and credit card information.

The electronics giant is now reportedly offering insurance and free identity theft protection to customers affected by the breach. The AllClear ID Plus program by Debix Inc. will be free for 12 months after affected customers enrol in the program (likely requiring them to provide additional personal information to Sony!). Those who enrol will receive monthly status reports and alerts if the program detects that their personal information is being misused. The program also includes an insurance policy that provides up to $1 million in relief for covered costs for a year after an identity theft incident.

Meanwhile, Sony is reportedly looking to its insurers to help pay the costs of the massive data breach. One expert estimates the claim could exceed $2 billion, but others say insurers may balk at paying that kind of money. The foreseeable expenses include hiring at least three companies to investigate the matter and notifying all of the affected customers about the breach. One expert estimates that it would cost Sony more than $20 per credit card for each of the 12.3 million credit card numbers that were compromised in the breach.

It also is not clear what liability coverages Sony has, if any, that might indemnify it against related third-party claims. Already one Massachusetts woman has filed a class action lawsuit against the company over the hack. The suit alleges that Sony stored and retained customer data without authorization, failed to maintain a proper firewall, and did not properly encrypt the data it held. The lawsuit seeks damages for customers’ loss of use of PlayStation consoles, and their “time and effort spent attempting to protect their privacy, identities and financial information.”

Another proposed class action lawsuit has been filed in Ontario on behalf of about one million Canadian PlayStation and Qriocity users. The lawsuit claims damages in excess of $1 billion, which includes having Sony pay the costs of credit monitoring services and fraud insurance coverage for two years.

The Sony breach is just one of many data breach examples over the years. Companies need to be mindful of the legal and monetary consequences of failing to protect users’ personal information. Moreover, insurers need to be wary of these issues when writing policies for their clients who collect personal information from third parties.

