By Patricia Vowinkel,
who has worked for national publications for more than 20 years
File this under the heading, It never hurts to file a claim under the wrong policy. You never know, you might just get lucky.
Sony Corp.'s effort to find coverage under its insurance policy with Zurich North America for recent computer hacking attacks is meeting with resistance from the insurance company because the policy at the heart of the dispute was a commercial general liability (CGL) policy and not a cyber-risk policy.
In a lawsuit filed in July in New York State Supreme Court, Zurich said it was not obligated to indemnify or defend Sony for the hacking of Sony's PlayStation Network, which led to the theft of personal identification and financial information of millions of customers.
Sony's primary policy with Zurich is a commercial general liability policy, according to the lawsuit, and those policies were not designed to cover cyber-events.
"A GL is the wrong policy for a cyber event," said Jennifer G. Smith, vice president, senior client advisor in the Global Technology and Privacy Risks Practice at insurance broker Lockton Cos.
A commercial general liability policy provides businesses with coverage for liabilities arising from bodily injury, property damage or advertising injury, insurance experts said. The lawsuits filed against Sony, however, do not claim that people suffered any bodily injury or property damage, Zurich said in the lawsuit.
"I would not have expected to see coverage in a CGL policy," said Rick Betterley, who is president of Betterley Risk Consultants in Sterling, Mass., and a specialist in computer network risk issues.
"The problem with looking on the CGL policy is the need for bodily injury, property damage or personal injury, to have occurred," said Betterley, who said he does not have direct knowledge of the case.
In addition to the fact that coverage would not usually be triggered under a commercial general liability policy, most commercial general liability policies also have exclusions that go into more detail explaining the types of network risks the policy will not cover, Smith said.
Sony also has an excess liability policy with Zurich, but coverage does not apply until the insured's underlying insurance has been exhausted, according to the court documents.Zurich also has no duty to defend Sony even upon the exhaustion of the underlying insurance according to the terms of the policy, according to the lawsuit.
Network risk insurance policies, which have been available in the insurance market for about a decade, would cover liability and other costs related to data breaches and computer hacking incidents, according to Robert Parisi, a senior vice president and cyber and technology product leader within Marsh Inc.'s financial and professional liability (FINPRO) practice.
"That is exactly the type of thing these policies were meant to cover," he said. Network risk policies were designed to provide coverage for operational risk in the virtual or technological world, he said.
It is entirely possible that Sony has a network risk insurance policy. Sony did not respond to a request for comment, and Zurich declined comment.
While many companies still do not have a network security policy or an information risk policy, it would make sense that a large, technology company like Sony would have one in addition to its commercial general liability coverage.
If it does have a network security policy, that insurer may indeed be obligated to pay claims and may be facing a significant loss.
There are three fundamental coverage types available with a network risk policy: liability for loss or breach of the data, coverage for remediation costs to respond to the breach, and coverage for fines and/or penalties imposed by law or regulation, according to a recent Betterley report on the cyber market.
These policies offer coverage for forensic costs associated with investigating what happened in the cyber attack, the costs associated with hiring public relations firms, as well as costs to notify the people who were potentially affected by the breach, Smith said.
Any time there is a loss, however, it is not unusual for companies to look for coverage under their commercial general liability policy in the hope that the attorneys may be able to come up with a new argument or that language may be ambiguous enough to allow for coverage, Parisi said.
Although it is the exception to the rule, attorneys and insurance brokers in the past have, on occasion, had success making unusual arguments that their clients had suffered property damage as result of a network incident, winning coverage under their commercial general liability policies, Smith said.
Most courts, however, have held that data is intangible property, making it difficult to have a successful claim on a commercial general liability policy, she said.
The insurance market is anxious to draw a line in the sand and make clear that there is no coverage for cyber risks under commercial general liability policies, Parisi said, and are likely to take legal action when necessary. They are also likely to add ever more strongly worded exclusions to commercial general liability policies to defend this point, he said.
August 1, 2011
Copyright 2011© LRP Publications