New York’s Appellate Division Examines Data Breach Policy


In Zurich American Insurance Co. v. Sony Corp., the New York State Appellate Division is primed to issue one of its first decisions regarding the availability of insurance coverage under a comprehensive general liability (“CGL”) policy for losses due to a data breach.

The underlying lawsuits arise from cyber-attacks that occurred against Sony’s online networks on or around April 2011, which resulted in the unauthorized release of personal and confidential information belonging to over 100 million of Sony’s customers and users. As a result of the attacks, sixty-five putative class action suits were filed against Sony asserting claims for, among other things, violations of the right of privacy.  Sony sought coverage from their primary insurers under their CGL policies which covered exposure for privacy liability, specifically for “oral or written publication, in any manner, of material that violates a person’s right of privacy.”  The insurers denied coverage under their policies, and filed a declaratory judgment action in the Supreme Court of New York, New York County, asserting that it had no duty to defend or indemnify the class actions.

In a significant ruling, the trial court determined that the insurers did not have a duty to defend or indemnify Sony under the language of the CGL policies.  Judge Jeffrey K. Oing, J.S.C. reasoned that although a “publication” had occurred when personal information was accessed and opened by computer hackers, the policy was not triggered because the language of the policy required the “publication” to have been conducted or perpetrated by the policyholder itself.  Accordingly, because third-party hackers, and not Sony, committed the publication of the private information, the court found that the policy was not triggered and the insurers did not have to provide coverage.  Judge Oing’s bench Opinion, excerpts of which are attached to this post, was quickly appealed.

The New York Appellate Division, First Department, is now faced with determining, among other things: (1) whether a “publication” occurs when private information is accessed and/or opened; and (2) whether insurance coverage is available under a CGL policy if the publication of a person’s private information is committed by a person or entity other than the policyholder. 

The Appellate Division’s ruling will likely influence courts decisions in other jurisdictions faced with similar data breach coverage issues.  For example, the federal court in Connecticut will need to analyze similar policy language in a declaratory action in which an insurer is currently seeking a declaration that it is not obligated to provide coverage to the P.F. Chang chain of restaurants under a CGL policy in relation to litigation arising out of alleged thefts of customer’s financial information.  The Insurer’s Complaint is also attached to this post.

Although it is unclear when the New York Appellate Division will issue their ruling, it is clear that the ruling will have a broad impact on future data breach litigation and the issuance of data breach insurance policies across all industries.