"Hello, Mr. Jones. Did you just try to make a $10,000 jewelry purchase in Brazil?" To put it mildly, that is not the type of question that want your customers-- or as an insurance company, the customers of your policyholder-- to receive. All too often, however, despite the best security efforts, data breaches of sensitive personal information, like credit card data, do occur.
The insurance industry sells a variety of differing products designed specifically to provide coverage for these types of claims and losses. But, would liability for such a data breach be covered by the backbone of most companies' insurance programs-- the commercial general liability or CGL policy? Insurance carriers instinctively say, "No." Policyholders take a different view.
That issue was the subject of a New York trial judge's recent decision in Zurich American Insurance v. Sony Corporation of America. Zurich filed that declaratory judgment action against Sony to determine whether it had any liability coverage obligations to Sony in connection with the 2011 data breach of Sony's Playstation network. An underlying class action had been filed against Sony on behalf of users of the online video game network alleging that they had been damaged by the theft of their personally identifiable information, such as credit card information.
The New York judge's answer to this coverage question focused on whether the claims against Sony sought damages because of "personal and advertising injury". Zurich had agreed in Coverage B of its CGL policy with Sony to “pay those sums that [Sony] becomes legally obligated to pay as damages because of ‘personal and advertising injury’". The policy defined "personal and advertising injury" to include “injury... arising out of... [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”
The court seemed in some sense to agree that the "publication" requirement had been met:
In this case here I have a situation where we have a hacking, an illegal intrusion into the defendant Sony's secured sites where they had all of the information... That information is there. It's supposed to be safeguarded. That is the agreement that they had with the consumers that partake or participated in that system... So that in the box it is safe and it is secured. Once it is opened, it comes out... And that is where I believe ... the publication comes in. It's been opened. It comes out. It doesn't matter if it has to be oral or written.
We are talking about the internet now. We are talking about the electronic age that we live in. So that in itself, by just opening up that safeguard or that safe box where all of the information was, in my mind ... publication.
The problem for the trial judge, however, was that the publication was conducted not by Sony, but by outside hackers. Sony argued that the policy did not require Sony to engage in wrongdoing in order for coverage to apply. They argued that the definition of "personal and advertising injury" did not require the insured to publish material that violated a person's right of privacy. They contended that they just had to "become legally obligated" to pay damages for “injury... arising out of... [o]ral or written publication, in any manner, of material that violates a person’s right of privacy.
The New York judge disagreed. He held that reading the "entire policy", the "personal and advertising injury" definition requires "some kind of act or conduct by the policyholder in order for coverage to be present". Because "there was no act or conduct perpetuated by Sony", but rather third party "hackers breaking into that security system", the court held that Zurich's CGL policy did not afford coverage for the class action claims against Sony.
The court's summary judgment in favor of Zurich is currently on appeal.
How would a Missouri or Illinois court rule on these coverage issues in a data breach situation? Stay tuned.