The recent cyber attack against Target stands as one of the largest and most public cyber attacks in history. Prior to December 2013, that unfortunate distinction may have belonged to Sony, which in 2011 suffered a breach that compromised at least 70 million user accounts. The breach spawned an intense legal battle between several Sony companies (collectively Sony) and their insurers, including Zurich, regarding whether they must defend Sony against the various lawsuits brought in the aftermath of the breach. On February 21, 2014, Manhattan-based New York State Supreme Court Justice Jeffrey K. Oing issued a key substantive ruling in favor of Zurich, finding that Sony’s commercial general liability (CGL) policy did not potentially cover events associated with the breach; therefore, Zurich had no duty to defend Sony.
Justice Oing ruled orally from the bench. His written ruling merely incorporated by reference the statements made on the record. However, the basis of his ruling apparently was that Sony, the insured, did not commit the breach—rather, hackers stole the data. Because the subject CGL policy only covered privacy violations committed by Sony, the insured, not a third-party hacker, the underlying suits could not satisfy the “personal and advertising injury” definition at issue, namely, publication of material that violates a person’s right of privacy. Sony is expected to appeal.
Justice Oing’s opinion begins to clarify whether CGL policies cover lawsuits resulting from cyber data breaches. That the Insurance Services Office promulgated a specific data breach endorsement for CGL policies further clarifies that such policies were not intended to cover this type of loss. Nonetheless, myriad insurers offer cyber insurance designed to cover expenses associated with a cyber data breach, including notification costs, regulatory enforcement actions, credit monitoring, and litigation costs. Companies of all sizes should contact their insurance brokers to investigate and purchase this coverage.