July 25, 2011, 11:15 AM — The insurance company is always the bad guy when the time comes to pay the bill for any big disaster. Usually it's just trying to save money. Sometimes it's trying to point out that it shouldn't really have to pay for your decision to strap a rocket on your car and take off like Wile E. Coyote, flying over the desert into a cliff face and a featured spot on next year's Darwin Awards.
People (and companies) sometimes do stupid or negligent things for which other people should not be required to pay.
Still, it's hard not to sympathize with Zurich American Insurance Co., which asked a New York court last week to confirm its own judgment that it should not have to pay all the cost of lawsuits resulting from a total of 18 data breaches at Sony in April and May.
In its complaint, Zurich American (PDF) cites a total of 55 class-action lawsuits so far, especially from customers claiming damage from attacks, especially on the PlayStation Network, Sony Online Entertainment and Sony Pictures, which resulted in weeks-long shutdown of some sites and the threat of identity theft to customers of others.
Some of the costs to Sony will be covered under policies issued by Zurich and other companies, but possibly not the full $178 million Sony estimated in May the attacks would cost it during this fiscal year.
Judging from information in documents filed in the lawsuit, Zurich American is likely to argue that the general liability policies it wrote for Sony cover most business setbacks, but not most of those resulting from digital attacks, according to a Reuters story sourced on the expertise of Richard Bortnick, an attorney at Cozen O'Connor. Bortnick publishes the digital law blog CyberInquirer but is not involved in the Sony case.
Sony said in May it would ask insurance companies to help it recover at least some of the costs stemming from a series of SQL injection attacks on various Sony web sites and lost it personal-identification data from as many as 100 million customer accounts and may have compromised 12.3 million credit-card numbers as well.
The attacks eventually forced Sony to take down several of its online gaming and entertainment sites during the weeks of the attack and recovery, though it tried to reassure customers several times during that period that it had taken steps to stem any further attacks.