Cyber attacks and the need for adequate protection
Miles R. Afsharnik
March 1, 2014
The issue of cyber attacks and employee and customer privacy has been a hot topic in the media since the T.J. Maxx network breach in 2007, to the most recent retail giant Target in December 2013. Unfortunately, these cyber attacks continue unabated and unless the intended target of the attack is a high profile consumer brand, it is typically not advertised.
For instance, in a recent study by NetDiligence®*, analyzing cyber liability insurance claims over a two-year period (2010– 2012), the company found that small cap companies (those identified with a market capitalization of $300 million to -$2 billion) and nano-cap (those with a market capitalization of less than $50 million) experienced the most incidents at 22.9% and 22.1% respectively. The average number of records lost was 2.3 million. Crisis services, which include forensics, notification, and monitoring costs, represented the largest component of costs, averaging $737,473. Defense costs were next at 35.6% of total claim payouts averaging $574,984.
Sony PlayStation Litigation
The high profile cyber-attack against Sony was covered quite extensively by the media. In April 2011, the networks operated by Sony for the benefit of its PlayStation® owners were hacked. More than one hundred million records with nonpublic personal and financial account information were stolen. Sony was hit with numerous class-action lawsuits. After it exhausted the limits of its cyber and network security policies, Sony turned to its general liability insurers for coverage. The commercial general liability (CGL) insurers denied coverage and litigation ensued.
In a recent decision, a New York trial court denied Sony’s request for coverage and found that the claim did not fall within the personal and advertising injury coverage of the CGL policies. Zurich American Ins. Co. v. Sony Corp. of America, case no. 651982/2011 (N.Y. Sup. Ct. February 21, 2014).
Sony had argued that the class-action allegations fell within the personal and advertising injury coverage part because the claims were basically an offense of oral or written publication that violated a person’s right of privacy. The insurers, however, argued that the publication should have been done by the insured and not a third party. The trial court ruled in favor of the insurer and found no coverage for these types of claims under a CGL policy.
Risk Management Implications
The trial court’s decision was focused on New York law and will be appealed to higher courts undoubtedly. CGL insurers are also modifying their policy language to exclude such publication of material that may violate a person’s right of privacy.