Sony Data Breach Coverage Litigation Settles


This entry was posted by on .

As reported in news outlets, including Law360, Sony and its insurers have settled their data breach coverage litigation, two months after the New York appellate division heard oral argument.

Sony had sought coverage for numerous data breach class action lawsuits filed against it following the 2011 data breach into its PlayStation network.  Its general liability policies provided personal and advertising injury coverage for oral or written publication, in any manner, of material that violates a person’s right to privacy.  The trial court held that the insurers had no duty to defend because coverage applied only for violations of privacy committed by Sony, as the policyholder, and not by third parties who hacked into Sony’s network and stole personally identifiable information (“PII”).

The decision had other important aspects, often overlooked.  Analogizing the issue to the opening of Pandora’s Box, the trial court held that there mere accessing of information by the hackers constituted a “publication” under general liability policies.  The trial court also held that the phrase “in any manner” does not alter the meaning of the term “publication.”  Finally, the court held that in order for the “Insureds in Media and Internet Type of Business” exclusion to apply, the insured in question must solely be a content or service provider and not engage in other forms of business.  Here, because Sony engaged in other forms of business, the exclusion did not apply.

A more detailed discussion of the Sony decision may be found in an earlier Coverage Inkwell post located at: http://thecoverageinkwell.com/three-missed-takeaways-from-the-sony-data-breach-case/

My take is that the affect of the Sony settlement will be measured. For one thing, looking long term, the new personal data exclusions in CGL policies should shut the door on data breach coverage, to the extent it ever existed in the first place.  Second, Sony is a trial court decision without a written opinion, and the market already is shifting to cyber insurance.

Sony’s true legacy lay in the case’s publicity.  Sony showed that companies cannot look to general liability policies to cover data breaches.  They need to get cyber insurance.  The case was a Super Bowl ad for cyber liability insurance. That, and perhaps Target, showed companies that they have to get it.

Looking back, people will see Sony as the first big data breach coverage case.  It won’t be the last.

This entry was posted in Data Breach Insurance Coverage, Privacy Rights and tagged , .