Despite Sony’s current breach, one of the biggest data breaches of all time involved that of Sony Corps past breach. The hackers stole confidential information from tens of millions of Sony PlayStation Network users. Despite this humongous breach, something surprising happened: New York Supreme Court Jeffrey Oing ruled that Mitsui Sumitomo Insurance Co. and Zurich American Insurance Co. owed NO defense coverage to Sony Corp. or Sony Computer Entertainment America LLC.
And why? Oing said that the coverage can’t be triggered through a third-party action: that by the hackers.
Related Article: Does Your Business Need Insurance for Social Media?
It seems, then, in order to get coverage, Sony itself would have to do the hacking. “They’re being held liable even though the wrongdoing was done by a third party,” explains Robin Cohen to Law360. Cohen heads a law firm that handles insurance recovery.
To determine coverage obligations, Zurich filed a lawsuit against Sony, which had to shut down its PlayStation Network for a month.
Oing’s ruling will likely motivate companies to obtain policies that specifically insure against data breach claims. However, many companies believe that such specific insurance is already built into their current general liability policy.
Insurers all across the nation want to put language in their policies that exclude coverage of losses stemming from data breaches, which include loss of credit card information. However, courts have the final say-so in just how far these exclusions can go.
Companies need to seriously consider cyber insurance policies that specialize in coverage of data breach losses.
K&L Gates LLP partner Roberta Anderson told Law360, “Irrespective of whether the Sony trial court’s view is widely adopted, it’s ill-advised for policyholders to rely on general liability policies for data breaches.”
It’s expected that Sony, which has strong arguments for their appeal according to policyholder attorneys, will challenge Oing’s decision.
Cyber insurance is now booming, with about 50 carriers in the industry. An increasing number of companies have cyber insurance to protect against cyber crime. However, businesses claim it’s not easy to get adequate coverage.
Losses from data breaches are difficult to quantify. The tangible losses are more easily insured, says a New York Times online report. When it comes to a data breach, there are often related losses such as reputational damage and loss of customer loyalty that are harder to quantify.
Add to this the fact that underwriters don’t yet have sufficient data to estimate the likeliness or cost of an attack; most breaches get missed or aren’t reported publicly.
While an insurance company can tell you the precise odds of a major city office building burning down, nobody knows when the next giant retailer will be hacked. Statistics on hacking risks aren’t constant due to the continuous evolution of cyber crimes.
According to New York Times estimates, companies seeking coverage can only hope for, at best, a $300 million policy -- peanuts compared to the billions devoted to property protection. Though this still sounds generous, the cost of a major breach can easily exceed it. Target’s situation is on course for just that, says the New York Times online article. The 2011 Sony breach has already exceeded $2 billion in fallout.
The best policies cover costs associated with alerting customers, plus forensics, call center setups, consumer identity monitoring, legal fees and a crisis management firm. But that may only dent the disaster. Policies don’t address loss in profits due to customers jumping ship. A policy can’t prevent a marred brand reputation. “Although a solid cyber policy will cover notification, crisis management expenses, defense costs, damages and the costs associated with regulatory action, it would not cover other, potentially much larger losses, such as reputational injury and loss of brand and market share,” says Roberta Anderson, an insurance coverage and cybersecurity attorney with the law firm of K&L Gates, LLP. “Those losses are difficult to value and remain uninsurable in the market today.”
Expect the cyber insurance industry to continue swelling while cyber crime continues to remain several steps ahead of businesses and security systems.