Sony Data Breach: No Publication By Sony, No Coverage


This entry was posted by on .

Today, as reported by Law360, the New York Supreme Court (New York’s trial court) held that two insurers have no duty to defend Sony Corporation in approximately 60 underlying lawsuits filed in connection with the 2011 data breach of Sony’s PlayStation Network.  There is no written opinion available.

Following oral arguments, Judge Oing ruled from the bench that Sony’s liability policies, which provide personal and advertising injury coverage for oral or written publication of material that violates a person’s right to privacy, applies only to actions committed by Sony, as the policyholder, and not to the actions of third-parties who hacked into the network and stole personally identifiable information (PII).

Sony argued that the policies did not possess language excluding coverage on the basis that the policyholder, itself, was not the entity accused of disseminating or publishing the material at issue.  Zurich, on the other hand, argued that because there were no allegations that Sony disseminated the stolen PII, there was no “publication” of material to implicate coverage.   As quoted in Law360, Zurich distinguished the authorities cited by Sony, stating that “[i]n every case cited by Sony in support of the proposition that negligent security equals publication, the conduct has been by the insured.”

What does this case mean?  Further analysis will be provided as more information on the New York court’s holding becomes available.  If the existence of coverage is to be demarcated by whether or not the policyholder itself published the lost or stolen information, most data breach lawsuits will fall outside the scope of personal and advertising injury coverage.

The holding does have some similarities with two other recent data breach cases, Recall Total Info. Management, Inc. v. Fed. Ins. Co., — A.3d –, 2014 WL 43529 (Conn. App. Ct. Jan. 14, 2014) and Galaria v. Nationwide Mut. Ins. Co., No. 13-118 (S.D. Ohio Feb. 10, 2014), each of which essentially held that the theft or loss of information in of itself does not constitute a publication.

This entry was posted in Data Breach Insurance Coverage.