Zurich America Insurance Co. is not obligated to cover Sony Corp. of America for litigation related to the 2011 hacking of its PlayStation Network, said a New York judge in a bench ruling.
Zurich America and Zurich Insurance Co. Ltd. had filed suit against New York-based Sony Corp. of America in New York State Supreme Court in Manhattan in 2011, stating they were not obligated to “defend and potentially indemnify” Sony from class action lawsuits, miscellaneous claims and possible investigations by state attorneys general related to the hacking attacks on its network.
According to court documents, the insurer said in its 2011 filing that it is not obligated to defend or indemnify Sony because Sony's primary commercial general liability policy and its excess policy with Zurich do not qualify for such coverage.
Zurich also alleged in its suit that primary coverage for the data breach lies with Sony's other cyber risk insurers, who are listed in the lawsuit. They include Mitsui Sumitomo Insurance Co. of America; National Union Fire Insurance Co. of Pittsburgh, Pa.; and Ace American Insurance Co., a unit of Ace Ltd., among others.
The data breach was reportedly the second-largest such breach in U.S. history at the time, with losses estimated as high as $2 billion.
According to a report by Law360, New York Supreme Court Justice Jeffrey K. Oing issued his ruling after hearing oral arguments on Friday, stating a policy provision that gives litigation coverage for oral or written publication of materials that violate a person's right to privacy only applies to material published by Sony as the policyholder, not to the hackers who stole users' confidential information. The ruling also applies to Warren, N.J.-based Mitsui, according to the report.
Sony officials and a spokesman for Zurich America had no comment. Mitsui declined comment.
Commenting on the ruling, Joshua A. Mooney, of counsel at law firm White & Williams L.L.P. in Philadelphia, who represents insurers, said a ruling such as this “will push policyholders towards cyber liability policies” that are “meant to reach data breach claims.”