Insurer doesn't want to defend Sony for cyberattack; suit could impact all web-site owners

Is disaster from a hack attack the same as a hurricane? Insurer says no.

The insurance company is always the bad guy when the time comes to pay the bill for any big disaster. Usually it's just trying to save money. Sometimes it's trying to point out that it shouldn't really have to pay for your decision to strap a rocket on your car and take off like Wile E. Coyote, flying over the desert into a cliff face and a featured spot on next year's Darwin Awards.

People (and companies) sometimes do stupid or negligent things for which other people should not be required to pay.

Still, it's hard not to sympathize with Zurich American Insurance Co., which asked a New York court last week to confirm its own judgment that it should not have to pay all the cost of lawsuits resulting from a total of 18 data breaches at Sony in April and May.

In its complaint, Zurich American (PDF) cites a total of 55 class-action lawsuits so far, especially from customers claiming damage from attacks, especially on the PlayStation Network, Sony Online Entertainment and Sony Pictures, which resulted in weeks-long shutdown of some sites and the threat of identity theft to customers of others.

Some of the costs to Sony will be covered under policies issued by Zurich and other companies, but possibly not the full $178 million Sony estimated in May the attacks would cost it during this fiscal year.

Judging from information in documents filed in the lawsuit, Zurich American is likely to argue that the general liability policies it wrote for Sony cover most business setbacks, but not most of those resulting from digital attacks, according to a Reuters story sourced on the expertise of Richard Bortnick, an attorney at Cozen O'Connor. Bortnick publishes the digital law blog CyberInquirer but is not involved in the Sony case.

Sony said in May it would ask insurance companies to help it recover at least some of the costs stemming from a series of SQL injection attacks on various Sony web sites and lost it personal-identification data from as many as 100 million customer accounts and may have compromised 12.3 million credit-card numbers as well.

The attacks eventually forced Sony to take down several of its online gaming and entertainment sites during the weeks of the attack and recovery, though it tried to reassure customers several times during that period that it had taken steps to stem any further attacks.

Zurich American also sued units of Mitsui Sumitomo Insurance, AIG and ACE Ltd. in an effort to get the same court to define which company is responsible for what type of claims under policies each sold to Sony.

If policies written with real-world disasters in mind do apply online – making the insurance companies liable not only for property damage, but also loss of business and potential lawsuits from customers and state attorneys general, it will significantly change the assumptions under which most business insurance products are written and sold.

Demand is soaring for "cyberinsurance" policies specifically designed to protect businesses against online disasters.

Many companies – buyers of insurance, you can be sure, not sellers – argue that business is business, whether conducted online or IRL, so business insurance policies should cover both equally. Or at least U.S. courts should require that the be held partially liable when disasters costing hundreds of millions come not from hurricanes, international crises, or fraud, embezzlement and other forms of theft of the old-fashioned analog variety.

Unfortunately, at least within the bounds of the lawsuit Zurich American has already filed, the court is not being asked to define how bad a company's security or response has to be before an insurance company can define an online catastrophe as "your own damn fault," and refuse to pay the full cost of recovery.

It's rare that insurance companies are on the sympathetic side of any dispute over money; the injured party, by definition, is hurt and in need of help to recover.

Sometimes the fault really is the victim's, however. Sometime soon a court considering data breaches, cyberinsurance and the quality of security is going to have to decide just where the line is between adventurous but reasonable behavior for which the victim should be covered, and an attempt to win a Darwin Award that ended with an application for compensation only because the perpetrator wasn't quite committed enough to a fatally stupid plan to follow it all the way to its conclusion.

There does seem to be a bright, shining line between the two in the Sony case, but Sony is on the wrong side of it, tank full of gas and foot to the floor as the car picks up speed toward a distant cliff face and the driver reaches over to flip the switch on the big rocket engine.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies