Companies should not assume that their general liability policies cover cyber attacks, and they should anticipate disputes from insurers when seeking defense and/or indemnity under these policies. This is illustrated by a Complaint filed by Zurich Insurance Company in the Supreme Court of New York against various Sony entities relating to claims for coverage after the cyber attacks that Sony experienced earlier this year. Zurich seeks a declaration that it is not obligated to defend or indemnify Sony for claims made against it because the damages are not covered by Sony’s commercial general liability policy. The Complaint highlights the need for companies to examine their insurance policies to determine the extent of coverage and whether additional cyber insurance is necessary.
Sony estimates its costs from the attacks- which exposed personal information for more than 100 million individuals and resulted in more than 50 class action lawsuits, potential actions by state attorneys general, and other claims- to be $170 million by the end of fiscal year 2011. The class action suits against Sony allege damages due to unauthorized access to personal information and Sony’s delay in notifying consumers. Sony’s commercial general liability policy covers bodily injury, property damage, and certain personal and advertising injury offenses.
The increase in cyber attacks, data breaches, and lawsuits (in particular class action suits) from aggrieved parties makes cyber insurance an attractive option, but there are many factors to consider. In addition, the uncertainty associated with general liability insurance and cyber attacks underscores that insurance cannot and should not be relied upon in lieu of internal privacy and data security programs, training, and risk assessments to mitigate the impact of cyber incidents.
An article on this issue prepared by Keller and Heckman LLP attorneys is available on our website.