On May 6, 2011, we blogged about Sony’s unfortunate data breach incident, which exposed account data on close to 100 million individuals, and compromised over 12 million credit and debit cards.
On July 20, 2011, Zurich Insurance issued a Complaint in the New York State Supreme Court, seeking a declaration that it does not owe Sony any duty to defend or indemnity for various third-party liability claims arising from the data breaches at the technology company. Zurich also named three other insurers as defendants in its lawsuit, seeking as an alternative the court’s direction about allocating/apportioning Sony’s losses and defence duties amongst the different insurers.
It seems that over the past 10 weeks or so, Sony (and its many affiliated companies) has been named as a defendant in 58 class-action lawsuits (55 in the United States and 3 in Canada) over the data breaches. The company, in turn, has claimed indemnity against Zurich under Commercial General Liability and excess policies with the insurer in the U.S. and Canada. Sony also claims Zurich has a duty to defend it in the various lawsuits.
Zurich’s Complaint describes the class plaintiffs’ claims, as follows:
34. The Class Action Complaints generally allege that the named plaintiffs and putative class members have suffered damages as a result of the unauthorized access to and alleged theft of their personal identification and financial information that was maintained by the Sony Defendants on the PSN and SOE Network.
35. The Class Action Complaints also generally allege that the named plaintiffs and putative class members suffered damages as a result of the Sony Defendants’ delay in notifying them of the cyber attack and unauthorized access to and theft of their personal identification and financial information.
Zurich’s Complaint states that the company insures Sony under an American CGL policy and a Canadian CGL policy, both subject to a self-insured retention. Zurich also insures Sony under an excess policy. Subject to various exclusions, the American CGL policy provides coverage for “bodily injury” and “property damage” caused by an “occurrence”, as those terms are defined under the policy. It also provides coverage for “personal and advertising injury”, which is defined to include only specifically enumerated “personal and advertising injury” offences. The Canadian CGL policy also includes coverage for “bodily injury”, “property damage”, “advertising injury”, and “personal injury liability” covered under the terms of the policy.
Among other arguments in its Complaint (priority of coverage amongst various other insurers, etc.), Zurich asserts that the class action plaintiffs have not claimed damages arising from “bodily injury,” “property damage” or “personal and advertising injury” arising out of the cyber attacks against Sony and the unauthorized access/theft of their personal information.
More importantly, Zurich claims that even if the class plaintiffs claimed damages for “bodily injury”, etc., the exclusions under the CGL and excess policies would apply to exclude coverage for the claims asserted. That said, Zurich has not identified the exclusions that it says would apply against Sony in this matter.
There is little doubt that the insurance industry will be seeing increased claims from insureds facing “cyber liability”. Insurers responding to such claims need to turn their minds to coverage issues for liability claims that contain a technology component. The Sony case underscores how such claims may not necessarily be covered under the liability section of the policy under which the claim is being advanced.
It will be interesting to see how the court grapples with Zurich’s coverage issue, and whether other insurers pursue similar declaratory relief in Canada. Stay tuned!
