New York Supreme Court Finds that GL Insurers Have No Duty to Defend Sony for Class Actions Arising out of PlayStation Data Breach

In February of this year, in the matter of Zurich American Ins. Co. v. Sony Corp. of America, et al., case number 651982/2011, the New York Supreme Court ruled in favor of Zurich American Insurance Co. and Mitsui Sumitomo Insurance Co. of America, finding that these general liability insurers had no duty to defend the Sony Corporation in connection with at least 55 underlying putative class-action lawsuits relating to the infamous April 2011 unauthorized access to millions of online video game users’ personal information and credit card numbers from Sony’s PlayStation product.

Zurich and Mitsui Sumitomo Insurance Co. both issued primary general liability policies to Sony that included coverage for “personal and advertising injury” defined in relevant part as follows:

“Personal and advertising injury” means injury including consequential bodily injury arising out of one or more of the following offenses:

*   *   *

Oral or written publication, in any manner, of material that violates a person’s right of privacy.

Zurich and Mitsui argued that the above provision did not afford coverage for either a defense or indemnity in Sony’s favor in connection with the underlying complaints. Specifically, Zurich argued that “personal and advertising injury” coverage is limited to protecting against purposeful and intentional acts committed by the insured, not by third parties. Sony argued that no such affirmative act requirement exists in the Zurich policy and that its “act” was the alleged failure to properly secure its customers’ information.

Judge Jeffrey K. Oing ruled from the bench in favor of Zurich and Mitsui and found that while there was, in fact, a publication, coverage was afforded only to the extent Sony was responsible for the publishing, and not where, as in the case at hand, the publication was due to the actions of the third-party hackers. In so ruling, the court stated that to find otherwise would improperly expand the policies’ coverage grants.

The court memorialized its holding by court transcript filed on March 4, 2014. Note the following comments from Judge Oing:

We are talking about the internet now. We are talking about the electronic age that we live in. So that in itself, by just merely opening up that safeguard or that safe box where all of the information was, in my mind my finding is that is a publication. It’s done.

The question now becomes, was that a publication that was perpetrated by Sony or was that done by the hackers. There is no way I can find that Sony did that. As Mitsui’s counsel said, this would have been a totally different case if Sony negligently opened the box and let all of that information out. I don’t think we would be here today if that were the case. This is a case where Sony tried or continued to maintain security for this information. It was to no avail. Hackers got in, criminally got in. They opened up and they took the information.

February 21, 2014 Court Proceedings, 77:4-20.

Sony is widely expected to appeal the ruling. If it does, the Sony case may be the first appellate decision to tackle this issue and will likely be cited by future policyholders or insurers on such issues.