News

New York Trial Court Denies Sony's Claims Against Primary CGL Insurers to Pay For Defense Costs Related to Cyber-Attack Litigation

By: Kevin Coughlin, Robert J. Kelly, Steven D. Cantarutti
March 3, 2014

On February 21, 2014, a New York trial court (Hon. Jeffrey K. Oing, J.S.C.) in Zurich Amer. Ins. Co. v. Sony Corp. of Amer., et al., Index No. 651982/2011 (N.Y. Sup. Ct., N.Y. Cnty.), made a significant ruling in the area of cyber risk coverage. 

The Court rejected claims by Sony Computer Entertainment America LLC (“SCEA”) and Sony Corporation of America (“SCA”) (collectively, “Sony”)  to have their respective primary general liability insurers -- Zurich American Insurance Company (“Zurich”) and Mitsui Sumitomo Insurance Company of America (“Mitsui”) – pay for Sony’s defense costs incurred in numerous pending underlying class action lawsuits.  The lawsuits arise from cyber-attacks that occurred against Sony’s online networks in or about April 2011, which resulted in access to information belonging to over 100 million of Sony’s customers and users -- one of the largest reported data breaches of information at that time.  The trial court’s decision is the first of its kind by a New York court that addresses whether a comprehensive general liability (“CGL”) policy may be liable to cover claims involving cyber-related risks.  Zurich is represented by Coughlin Duffy LLP.    

In this case, the SCEA, SCA and other Sony entities tendered 65 class action lawsuits (the “Individual Class Action Lawsuits”) that were filed in several jurisdictions across the United States to Zurich, Mitsui and other umbrella/excess CGL insurers.  The complaints in the Individual Class Action Lawsuits allege that criminal computer hackers launched cyber-attacks against the PlayStation Network and Sony Online Entertainment Network, which resulted in the illegal access to and theft of plaintiffs’ personal and financial information (the “Personal Information”).  In each of the lawsuits, the core factual predicate for the named plaintiffs and class members’ claims against SCEA and SCA is that they failed to properly protect and safeguard the Personal Information against the cyber-attacks.  The Individual Class Action Lawsuits were transferred and consolidated into one action for the purposes of pre-trial proceedings in the Multi-District Litigation, captioned In re Sony Gaming Networks and Data Security Breach Litigation, MDL No. 2258, pending in the U.S. District Court in the Southern District of California (“MDL Action”).  Sony also tendered the Individual Class Action Lawsuits and MDL Action to their “cyber risk insurers,” which issued policies that covered internet data breaches. 

In July 2011, Zurich commenced the declaratory judgment action against SCEA, SCA and other Sony entities, and included Mitsui and other umbrella/excess insurers, seeking, inter alia, a judgment that Zurich’s primary general liability policy issued to SCEA (the “Zurich Primary Policy”) and excess general liability policy issued to SCA have no duty to defend or indemnify the Individual Class Action Lawsuits or MDL Action.  Before the initial discovery period had been completed, SCEA and SCA moved for partial summary judgment against Zurich and Mitsui with respect to the duty to defend issue.  SCEA and SCA both argued that under Coverage B (Personal and Advertising Injury) of the Zurich Primary Policy issued to SCEA and the Mitsui primary CGL policy issued to SCA (the “Mitsui Primary Policy”), the Individual Class Action Lawsuits and MDL Action allege a potentially covered offense of an “oral or written publication, in any manner, of material that violates a person’s right of privacy” (the “Oral or Written Publication Offense”).  Zurich and Mitsui opposed the motions and filed cross-motions for a declaratory judgment that their respective primary policies do not afford coverage under the Oral or Written Publication Offense.  Zurich also argued that coverage was barred against SCEA under the “Insureds In Media And Internet Type Businesses” exclusion (the “Internet Business Exclusion”), which excludes certain Coverage B offenses, including the Oral or Written Publication Offense, committed by an insured whose business is “[a]n Internet search, access, content or service provider.”

During oral argument on the motions, Sony argued that the complaints in the Individual Class Action Lawsuits and MDL Action contain allegations that the private information had been “disclosed” in violation of privacy rights, which are sufficient to trigger coverage under the Oral or Written Publication Offense despite the fact that the breach itself was not the result of any intentional or purposeful act on the part of the Sony.  In other words, Sony contended that allegations of negligence in failing to protect the “disclosure” of information from third-parties are sufficient to trigger coverage under the Oral or Written Publication Offense.  Sony also contended that the Internet Business Exclusion was not applicable to SCEA because it was not responsible for operating the PlayStation Network at the time of the cyber-attacks and that only a small fraction of its revenues came from this online network. Zurich responded that the coverage grant requires an “oral or written publication” that is not alleged in the complaints for the Individual Class Action Lawsuits or MDL Action.  Zurich further argued that all cases that have considered the Oral or Written Publication Offense in the context of data breaches or similar situations have required that the publication must be due to an affirmative or purposeful act by the insured, which is not alleged in the underlying cases.  Zurich also pointed to the decision in County of Columbia v. Continental Ins. Co., 189 A.D.2d 391 (3d Dept.), aff’d, 83 N.Y.2d 618 (1994), wherein the New York Appellate Division, First Department, and New York Court of Appeals both held that in order to trigger coverage under the enumerated offenses within Coverage B, the complaints must allege an affirmative or intentional act by the insured or its agents.  As for the Internet Business Exclusion, Zurich argued that SCEA’s activities did fall within this exclusion because SCEA has admittedly been involved in the development and operation of the PlayStation Network since its inception.   

At the conclusion of the arguments, the Court issued its decision on the record by first ruling that the Internet Business Exclusion did not apply against SCEA because its business is not entirely based on internet-related activities.  As for the ruling on the “publication” issue, the Court ruled in favor of Zurich and Mitsui because: (a) to grant coverage would be to write the “oral or written publication, in any manner” language out of the coverage grant; and (b) County of Columbia and other case law uniformly requires an affirmative act of a publication by the insured to trigger coverage under the offense.  In particular, the Court held that the issue is whether the “publication” offense requires that the insured act to release the information.  The Court found that the underlying complaints contain allegations of a hacking incident where third parties obtained access to proprietary information that Sony was seeking to keep safe.  When the information was accessed and stolen by the criminal computer hackers, there was a “publication”.  However, the “publication” offense can only be read to require that the insured act to cause the publication, and cannot be expanded (as Sony argued) to allegations of “negligence” leading to a publication caused by a third party.  The Court found in this case that there was not an “oral or written publication” by Sony, but rather the “oral or written publication” was made by the criminal computer hackers.  Thus, the Court concluded that SCEA and SCA were not entitled to coverage for the Individual Class Action Lawsuits or MDL Action under the primary policies issued by Zurich and Mitsui and granted their cross-motions.  

If you have any questions about the decision, please feel free to contact Kevin T. Coughlin (973)-631-6001, kcoughlin@coughlinduffy.com), Robert J. Kelly (212-612-4984, rkelly@coughlinduffy.com), or Steven D. Cantarutti (973-631-6060, scantarutti@coughlinduffy.com).