According to a Law360 report, Sony Units Denied Coverage For Suits Tied To Cyber Attack (subscription required), a New York state judge ruled last Friday in the Zurich v. Sony insurance litigation that the stealing of consumer information through a cyber attack did not constitute “personal injury” under a commercial general liability policy because third-party hackers and not the insured committed the offense. If upheld on appeal, the decision would compliment other authority holding that personal injury coverage applies only to potential liability from the insured’s purposeful acts.
The Sony coverage litigation resulted from a 2011 data breach. Zurich American Insurance Company and Mitsui Sumitomo Insurance Company had issued primary commercial general liability policies to Sony. In April 2011, computer hackers broke into Sony networks and stole personal and financial information of over 100 million users.
Immediately following the breach, Sony was named as a defendant in numerous class actions. Sony tendered the defense of these actions to its insurers. Mitsui denied coverage. Zurich responded by filing a declaratory relief action in New York state court seeking a declaration that Zurich had no duty to defend.
The parties later filed cross-motions for partial summary judgment. The resolution of the motions turned on whether the data breach constituted a “personal injury” offense. Among other enumerated offenses, the policies provided coverage for a “publication, in any manner, of material that violates a person’s right of privacy”Continue Reading...