Insurance company Zurich American refuses to pay damages for Sony’s massive data breach, as the yet-unregulated world of cyber-insurance collides with the reality of persistent hacks.
Zurich said it never signed up to pay for the 55 class action lawsuits now arrayed against Sony, which could cost the company around $178 million in damages. To plead its case, Zurich filed papers in a New York court denying responsibility for the bill.
The insurance firm insists Sony’s policy did not cover “bodily injury, property damage, or personal and advertising injury,” and therefore argues it should not have to cover the class action lawsuits.
Sony feels differently about the matter, filing a claim requesting Zurich pay for breach-related expenses.
This type of dispute may soon become common if hacks continue and cyber-attacks become a likely liability to insure against, giving momentum to the cyber-insurance industry.
Insurance companies like Travelers Companies and Chubb are taking advantage of new opportunities, now that hackers steal the spotlight with exploits against corporations and even governments. Groups like Anonymous and LulzSec have targeted everything from Rupert Murdoch’s “The Sun” tabloid and Fox News to the Turkish government and the C.I.A.
The reality of online vulnerability is a relatively new concept for businesses, as is the related idea of cyber-insurance, a young field that remains largely unregulated.
But while the cyber-insurance business has thus far enjoyed large profit margins and few expenses for insuring databases and servers, this may change as hacked companies try to cash in on their policies. If cyber-insurance firms want to attract more customers, they may need to start covering breaches or at least clear up the fine print to indicate exactly when they don’t intend to do so, updating their policies to include the latest technology.
In Sony’s case, the New York court’s interpretation of Zurich’s fine print will make a big difference to its coffers.
Plaintiffs allege Sony failed to adequately protect their personal data for months after hackers first ravaged the company and exposed millions of customer accounts from April 16 to 19. Sony, they claim, stored passwords in an unencrypted format that presented hackers with an easy target.
If they win, Sony may be stuck with a $178 million or higher bill unless Zurich comes to the rescue. But in this high-stakes game, neither party is likely to grudge such a big payment without a big fight.