Early reports indicate that Sony Corp. of America and Zurich American Insurance Company (along with other insurers) have reached settlement terms today in their data breach case involving a hack of the online services for the Sony PlayStation in April 2011. These data breaches, which were unrelated to the Sony Pictures cyber attack, resulted in hackers accessing personal information for nearly 100 million individuals. The PlayStation hacks gave rise to at least 55 putative class-action lawsuits filed against Sony in the U.S., with expectations that the breaches would cost Sony nearly $180 million in the next year.
This insurance coverage case, which many anticipated would be one of the most important decisions in 2015, gave rise to a ruling by a New York trial court that Zurich had no duty to defend under a commercial general liability policy issued to Sony. The New York trial court held Sony’s insurers did not owe a defense to Sony under CGL policies because there was no “publication” under Coverage B of the CGL policy. Specifically, the court held that while a wide-scale data breach represents a “publication” of private information within the meaning of the “personal and advertising injury” coverage, the PlayStation breach did not fall within coverage of Sony’s CGL policy because the policy covered only publications by the insured itself—not by third-party hackers. That is, while the trial court held the breach was arguably a publication under Coverage B of the Zurich policies, it was not a “publication” by Sony, the insured under the policy.
This decision was widely considered to be the best opportunity to get a glimpse into how appellate courts would treat data breach claims under CGL policies. Unfortunately, as data breaches and cybersecurity issues become more prevalent, we can expect to see litigation of these issues continue despite this settlement. Coincidentally, this settlement comes on the heels of another important potential settlement in the Target litigation. Nevertheless, the need for guidance on this issue may be diminished as more CGL policies include cyber liability exclusions.