Zurich lawsuit against Sony highlights cyber insurance shortcomings
Zurich Insurance's argument that it isn't responsible for Sony's data breach losses holds a lesson for others
Computerworld - A brewing legal dispute between Sony and one of its insurers over data breach liability claims highlights the challenges that companies can sometimes face in getting insurance providers to cover expenses arising from cybersecurity incidents.
Zurich American Insurance Co. asked the New York State Supreme Court last week to absolve it of any responsibility for defending or indemnifying Sony against claims arising from the recent data breaches at the company.
The data breaches at Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures resulted in account data on close to 100 million individuals becoming exposed and over 12 million credit and debit cards being compromised.
The breaches have so far resulted in at least 55 putative class-action lawsuits being filed against Sony in the U.S. and another three lawsuits filed against it in Canada. Sony expects to spend close to $180 million in the next year alone on breach-related costs.
But the company's attempts to get Zurich to defend it against the claims have run into a roadblock.
According to Zurich Insurance, the commercial general liability insurance policy it has with Sony Computer Entertainment America does not cover damages arising from cyber incidents. The policy only covers "bodily injury" and "property damage" caused by occurrences other than the kind of cyberattacks Sony experienced.
The lawsuit is similar to one filed last year by the Colorado Casualty Insurance Co. against the University of Utah in another data breach incident. In its lawsuit, Colorado Casualty, like Zurich, argued that it wasn't responsible for reimbursing the university for $3.3 million in costs related to a 2008 data breach caused by a third-party service provider.
In that case, however, Colorado Casualty offered no reasons for its position, which later resulted in a motion for dismissal by the third-party service provider.
The position that Zurich has taken in its lawsuit is likely to be substantiated by the court, predicted Dana Coates, a cyber liability insurance specialist with United Agencies, an insurance brokerage company based in California.
"Personal and advertising injury liability coverage, as provided by typical General Liability policies, is specifically intended to cover resulting bodily injury and property damage liability," Coates said. Cyber attacks and data breaches are not defined or considered as bodily injury or property damage, he said via email.
Quite often, cyber incidents are specifically excluded by some policies to underscore the carrier's intention to not consider such allegations as being covered, Coates said. Sony needed to have specifically purchased cyber liability coverage for its claims to be considered, Coates said.
Part of the problem is that companies sometimes mistakenly assume that any general insurance coverage they have also offers protection against cyber incidents, said Alan Paller, director of research at the SANS Institute.
Companies, for instance, sometimes assume that the insurance coverage they have in place to compensate them in case financial or business records get destroyed also protects them in the event of a cyber breach. In reality, such business records insurance coverage does not extend to data losses stemming from cyber incidents, though it might have in the past, he said.
Now if a company wants business records coverage that includes protection against data breaches, it needs to buy a separate cyber insurance policy, Paller said.