Zurich lawsuit against Sony highlights cyber insurance shortcomings
Zurich Insurance's argument that it isn't responsible for Sony's data breach losses holds a lesson for others
Computerworld - A brewing legal dispute between Sony and one of its insurers over data breach liability claims highlights the challenges that companies can sometimes face in getting insurance providers to cover expenses arising from cybersecurity incidents.
Zurich American Insurance Co. asked the New York State Supreme Court last week to absolve it of any responsibility for defending or indemnifying Sony against claims arising from the recent data breaches at the company.
The data breaches at Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures resulted in account data on close to 100 million individuals becoming exposed and over 12 million credit and debit cards being compromised.
The breaches have so far resulted in at least 55 putative class-action lawsuits being filed against Sony in the U.S and another three lawsuits filed against it in Canada. Sony expects to spend close to $180 million in the next year alone on breach-related costs.
But the company's attempts to get Zurich to defend it against the claims have run into a roadblock.
According to Zurich Insurance, the commercial general liability insurance policy it has with Sony Computer Entertainment America does not cover damages arising from cyber incidents. The policy only covers "bodily injury" and "property damage" caused by occurrences other than the kind of cyberattacks Sony experienced.
The lawsuit is similar to one filed last year by the Colorado Casualty Insurance Co. against the University of Utah in another data breach incident. In its lawsuit, Colorado Casualty, like Zurich, argued that it wasn't responsible for reimbursing the university for $3.3 million in costs related to a 2008 data breach caused by a third-party service provider.
In that case, however, Colorado Casualty offered no reasons for its position, which later resulted in a motion for dismissal by the third-party service provider.
The position that Zurich has taken in its lawsuit is likely to be substantiated by the court, predicted Dana Coates, a cyber liability insurance specialist with United Agencies, an insurance brokerage company based in California.
"Personal and advertising injury liability coverage, as provided by typical General Liability policies, is specifically intended to cover resulting bodily injury and property damage liability," Coates said. Cyber attacks and data breaches are not defined or considered as bodily injury or property damage, he said via email.
Quite often, cyber incidents are specifically excluded by some policies to underscore the carrier's intention to not consider such allegations as being covered, Coates said. Sony needed to have specifically purchased cyber liability coverage for its claims to be considered, Coates said.
Part of the problem is that companies sometimes mistakenly assume that any general insurance coverage they have also offers protection against cyber incidents, said Alan Paller, director of research at the SANS Institute.
Companies, for instance, sometimes assume that the insurance coverage they have in place to compensate them in case financial or business records get destroyed also protects them in the event of a cyber breach. In reality, such business records insurance coverage does not extend to data losses stemming from cyber incidents, though it might have in the past, he said.
Now if a company wants business records coverage that includes protection against data breaches, it needs to buy a separate cyber insurance policy, Paller said.
- Nine charged with distributing Zeus malware
- The new security perimeter: Human Sensors
- Cyberattacks could paralyze U.S., former defense chief warns
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Everything You Know About Enterprise Security Is Wrong
- UK man charged with hacking Federal Reserve
- McAfee Offers Global Response to Nationalized Malware
- Tech Industry Praises Cybersecurity Framework From White House
- Ransomware like Cryptolocker uses Bitcoin, other virtual currencies for payment
- Trial for alleged Silk Road creator Ross Ulbricht set for November
- IT Security - Fighting the Silent Threat "IT Security - Fighting the Silent Threat" is a global report into business attitudes and opinions on IT security. Download the report now...
- Cutting Complexity - Simplifying Security This white paper looks at how the latest IT Systems Management solutions can simplify and automate a vast range of routine IT management...
- Your Data under Siege: Defeating the Enemy of Complexity Even if you have adequate antivirus protection, are there still holes in your IT security armor? Is lack of bandwidth to manage the...
- Build Your IT Security Business Case In this latest whitepaper from Kaspersky Lab, you'll find useful facts, examples and business case arguments to help you get buy-in and commitment...
- Pre-Engineered solutions from VCE Simplify Core Infrastructure Implementation In this video, the CTO of Purdue Pharma, a privately held pharmaceutical company explains how Purdue transformed their data center infrastructure with VCE.
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now All Disaster Recovery White Papers | Webcasts