Sony and Its Insurers Wrangle over Coverage for Data Breach

According to a Law360 report, Sony Corp.’s lawyers recently asked a New York appeals court to overturn a trial court’s ruling that a data breach did not involve the “publication” of private information within the meaning of Sony’s commercial general liability policy.

The dispute, entitled Zurich American Insurance Co. v. Sony Corp. of America et al., stems from a 2011 cyberattack in which computer hackers broke into Sony networks and stole personal information of over 100 million users.  A key legal issue is whether Sony’s negligent failure to prevent the data breach constituted a “publication.”  The trial court ruled that coverage for a “publication, in any manner, of material that violates a person’s right of privacy” applied only to Sony’s own publications, not to those committed by third-party hackers.

During oral arguments before the appellate panel, Sony stressed that the right of privacy provision covers publications “in any manner” and that the policy language does not expressly limit coverage to liability from the insured’s own publications. In response, the insurers maintained that the “in any manner” language refers to the medium for the publication, not the entity that made it.  The insurers contended that the “publication” requirement should be construed in the context of the policy’s other offense-based coverages – such as malicious prosecution, wrongful eviction, and false arrest – which contemplate purposeful conduct by the insured.

The insurers’ briefing relied on the New York Court of Appeals decision in Columbia v. Continental Ins. Co., 83 N.Y.2d 618, 634 N.E.2d 946 (1994).  There, Columbia County sought coverage for environmental contamination under a personal injury endorsement.  Personal injury was defined to include “wrongful entry or eviction or other invasion of the right of private occupancy.”  The policy’s pollution exclusion barred coverage under an occurrence-based property damage theory.  Upholding a dismissal in the insurer’s favor, the Court of Appeals interpreted personal injury coverage to reach only the insured’s “purposeful acts” not indirect, incremental harm from environmental pollution.  Under this reasoning, the right of privacy prong would cover only an insured’s affirmative publications not its negligent failure to prevent a data breach.

The resolution of the Sony coverage litigation will have little impact on coverage for data breaches under most commercial general liability policies.  Insurers have significantly expanded the exclusions in traditional liability policies to preclude coverage for almost all cyber-related risks.  As a result, insureds will have to purchase specialty cyber policies to obtain protection for data breaches.

Nonetheless, the final decision in the Zurich v. Sony litigation should address significant issues bearing on the interpretation of “personal and advertising injury” coverage in standard liability policies – namely, the “publication” requirement and whether the “personal injury” offenses cover only the insured’s purposeful conduct.