Sony Data Breaches Renew Enterprise Interest in Liability Insurance
Recent high-profile cyber-attacks have renewed interest in cyber-insurance as CEOs worry about covering the cost of a data breach if, or when, they get attacked. However, the policies they are buying may not help them in case of a large-scale breach.
Sony is discovering this the hard way as the embattled Japanese entertainment giant struggles to recover from the series of cyber-attacks in April and May on several of its online entertainment services, in which over 100 million user accounts were compromised. At least 55 putative class action lawsuits from irate consumers about the breach have been filed against the company in the United States.
Sony has estimated it will cost $178 million to deal with the breach this year, which includes implementing new security measures, but doesn't include legal fees or potential compensation awards. Sony said in May it would depend on its insurers to help pay for the breach.
Sony's insurance company, Zurich American Insurance, is balking at the prospect of paying the legal fees and claims "asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general," according to court documents filed July 20 with the Supreme Court of New York. Zurich claimed the commercial general liability insurance policy that Sony bought does not cover damages arising from cyber-incidents.
The policy only covers "bodily injury" and "property damage" caused by occurrences other than the kind of cyber-attacks Sony experienced. It seems insurance company coverage, when it does extend to cyber-coverage, normally only covers the cost of re-creating the data, not the legal liability and other collateral damage involved, Cameron Camp, a malware researcher at ESET, wrote on the company blog.
Cyber-insurance can cover anything from the cost of notifying customers after a data breach to the cost of defending against lawsuits. Many businesses assume a general policy will have them covered, only to find out the hard way after a data breach occurs, Camp said.