Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sony Insurer Suing To Deny Data Breach Coverage

Posted by timothy on from the liability-for-someone-only-not-you dept.

idontgno writes "It keeps getting better and better for Sony and its business units. Reuters reports that Sony's insurer, Zurich American, is suing to avoid paying out on Sony's legal liability which may arise from its spectacular online security breaches a few months ago."

94 of 122 comments (clear)

  1. So, maybe, if we're lucky... by mat+catastrophe · · Score: 2

    We won't all one day drive our Sony to the Sony to pick up more Sony?

    --
    sig not found
    1. Re:So, maybe, if we're lucky... by elrous0 · · Score: 1

      I'm sorry, the use of the Sony Internet(tm) to post articles criticizing or questioning Sony is not permitted. Please report to your Sony ISP(tm) to appeal your disconnection.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    2. Re:So, maybe, if we're lucky... by davester666 · · Score: 1

      I can't, because my Sony internet-connected door lock won't open for some reason.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. I was just thinking to myself... by snookerhog · · Score: 4, Funny

    I was just thinking to myself, what this story needs is some more lawyers.

    1. Re:I was just thinking to myself... by Oxford_Comma_Lover · · Score: 2

      I was just thinking to myself, what this story needs is some more lawyers.

      In this case, maybe.

      On the one hand, I would hate to be a SONY shareholder right now, or to be the big guys at SONY and realize (probably) that you had hired someone incapable of managing the security you need for a target that large--or given them too little power to do it--and be hit with the double whammy of insurance refusing to cover you. I would also hate to be sony's lawyers who approved either their security policies or their insurance policies.

      But on the other hand, companies that are big targets *will not* take the necessary risk mitigation steps if they are not financially accountable for their actions. If Sony's only loss is to income and share price, it is still a big loss, but it is a much bigger incentive for smaller companies to protect user data if the ability to insure against data theft is limited.

      --
      -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    2. Re:I was just thinking to myself... by datapharmer · · Score: 1

      that you had hired someone incapable of managing the security you need for a target that large

      *that large*? really? Their security wasn't up to snuff if they were a small business. Running old software with known security vulnerabilities isn't just poor practice it is just flat out lazy.

      --
      Get a web developer
    3. Re:I was just thinking to myself... by swv3752 · · Score: 1

      You really think the IT admins were at fault? And not the managers that almost assuredly would not approve the downtime, overtime, etc, to upgrade the servers? This is management at fault.

      --
      Just a Tuna in the Sea of Life
    4. Re:I was just thinking to myself... by Oxford_Comma_Lover · · Score: 1

      Not necessarily. If you reread the post, you'll see I allow for the possibility that Management had not given their security people enough authority to do their job. See the disjunction between the em-dashes.

      --
      -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
  3. Go Figure by dmmiller2k · · Score: 1

    I wonder how many Zurich American executives' kids were affected by the outage?

    --

    "No matter how cynical you get, it is impossible to keep up." -- Lily Tomlin

    1. Re:Go Figure by DarkOx · · Score: 1

      Probably but I am sure what this comes down to is if their contract covers damages from this loss or not.

      My guess is they have some clause that says the insured party is supposed to take reasonable steps to prevent losses as result of security compromises. Your home owners policy has something similar. If you leave your doors unlocked for instance you might have a serious problem with a claim for loss by theft.

      The issue here is going to probably be what constitutes reasonable, and given the problem was essentially they failed to patch servers, Sony will most likely lose. Its going to be really hard for Sony to locate IT security experts who will testify that having a patch management plan the covers all assets and following it is not a basic measure everyone should employ.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Go Figure by justsomebody · · Score: 2

      i think that is not a problem, they try to get out on the fact that sony security was crap (which it was). same way as my insurer would not pay up if i crash my car (fully insured) while i was driving without one wheel and my windshield was so dirty nothing could be seen trough

      --
      Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
    3. Re:Go Figure by ZombieBraintrust · · Score: 1

      Here is the thing though. Zurich sold them a policy. It was up to Zurich to identify risks such as bad security and price the insurance correctly. The whole point of liability insurance is for problems that you yourself are liable for. No one needs this insurance if they don't ever do anything wrong.

    4. Re:Go Figure by cwebster · · Score: 3, Interesting

      Yea, they did sell them a policy, and this shows you why you need to actually read your policies before signing them. Many policies, perhaps even ones you have signed, contain clauses that limit the insurers liability if certain conditions aren't met.

    5. Re:Go Figure by LoverOfJoy · · Score: 1

      I think it would be funny if Lulzsec/Anonymous also hacked Zurich American for the lulz. Hopefully their security is better than Sony's

    6. Re:Go Figure by tompaulco · · Score: 1

      The whole point of liability insurance is for problems that you yourself are liable for. No one needs this insurance if they don't ever do anything wrong.
      No, the whole point of liability insurance is that you pay your premiums and they give you a certificate that says you have it, so people will do business with you. You're not supposed to actually make claims against it.
      But seriously, Sony is large enough where they shouldn't even have to have liability insurance. They should just maintain a huge bond. In the long run, that is cheaper than paying an insurance carrier basically the same amount plus operating costs and profit of the insurance company.

      --
      If you are not allowed to question your government then the government has answered your question.
    7. Re:Go Figure by goose-incarnated · · Score: 1

      Up to a point, yes, but ... could simply be that their security was better at the time they got the insurance, and then deteriorated, in which case the insurance company can reasonably take issue with 100% liability.

      As an analogy, for example, I insured my car at the beginning of the year when the tyres still had more than the minimum legally required tread depth. I've covered about 30000km since then, my tyres[1] are no longer street-legal. If I now get involved in an accident due to being unable to stop in time, my insurance would (quite reasonably) refuse to pay me 100% of the insured value.

      The liability insurance is for my lack of judgement while driving. I will need different insurance (and possibly won't find any takers) if I want to insure against my lack of maintenance of the car.

      [1] Tyres were replaced last week, before they wore below the minimum tread depth that is legally required

      --
      I'm a minority race. Save your vitriol for white people.
    8. Re:Go Figure by Dishevel · · Score: 1

      I think they will have an easy time finding an "IT Security Expert" who will say whatever they pay him to.
      That is what "Experts" do.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    9. Re:Go Figure by RsG · · Score: 1

      Yea, they did sell them a policy, and this shows you why you need to actually read your policies before signing them. Many policies, perhaps even ones you have signed, contain clauses that limit the insurers liability if certain conditions aren't met.

      ^What he said.^

      If you put fire insurance on a building and then take no measures to prevent a fire from breaking out, you won't be able to collect. If you take theft insurance on a car and leave it with the keys in the ignition in a bad neighbourhood overnight, you won't be able to collect. Insurance covers accident or malicious action by a third party; it doesn't usually cover gross negligence on the part of the insured party.

      It isn't that the insurance companies are arbitrarily refusing to pay out, it's that they're smart enough to have clauses in the contracts that they can invoke when the insured party is clearly at fault. Now, some insurance companies are utter bastards and will try to invoke these clauses at the drop of a hat. But everything I've read about Sony's data security leads me to conclude that their insurers are probably in the right here, always assuming the contract had a "here are the duties of the insured party" clause in it.

      --
      Erotic is when you use a feather. Exotic is when you use the whole chicken.
    10. Re:Go Figure by Nevo · · Score: 1
      Yes, but....

      Most liability contracts have clauses that require the insured to take certain measures to reduce their risk. If this policy does contain such clauses, and Sony didn't take those measures, it certainly stands to reason that the policy won't pay out.

      It all comes down to what the contract says. Since that contract hasn't (as far as I'm aware) been released, all we can do here is guess.

    11. Re:Go Figure by LibRT · · Score: 1

      Firstly, I don't think anyone here knows what was in the contract. Maybe it was covered. Maybe it was excluded. Maybe the specific contract language excludes this loss. Maybe it doesn't. I don't know. You don't either.

      Secondly, Sony's insurance broker is the one who is paid to ensure Sony gets the coverage they need. If coverage was available but the broker didn't present it as an option to Sony, then the broker is going to face a very expensive errors and omissions claim.

      Thirdly, the purpose of all insurance is to rent a balance sheet from insurance companies to use in the event of an insured loss. But that doesn't mean you don't have to take steps to mitigate exposures (as others have pointed out). That's really the reason for things like deductibles: to make sure the insured has some skin in the game and shares a vested interest in protecting the balance sheet being rented.

      What's interesting to note is that, as far as I know, Zurich was one of the subscribers on the policy in question. Usually in these cases, there is a single contract underwritten by various insurers at various percentages of the policy. If that's the case here, then it is curious that only Zurich has chosen to decline the loss.

  4. I'd hate to be the head of that company...... by allaunjsilverfox2 · · Score: 1

    I mean, can you imagine the shareholders meeting? I get a image of a guy who has taken up drinking and is developing a bad ulcer. I doubt this will work, but it's still interesting that they try.

    --
    Restore the madness of youth's lechery
    1. Re:I'd hate to be the head of that company...... by bluefoxlucid · · Score: 3, Insightful

      Well, they have a valid case. It's going to get heard by a judge, for sure; this isn't some ridiculous "Oh we don't feel like holding up to our contract because it's bad for us today" kind of thing. What happened here is Sony took out insurance and then caused a massive problem leading to a massive claim through unimaginably gross negligence. It's like if you insure a car and then proceed to speed at 180mph and slam into shit ... your insurer will go, "Oh HELL no," and try to wiggle out of the claims. Often they have clauses that vaguely let them do so, on a good day; whereas basic neglect and driver failure will get them slapped around because that's what you're insured for.

      Basically Sony did the equivalent of buying 100k/300k liability insurance and then organizing a massive illegal street race through a complicated course in the city. Gross, gross negligence. Now their insurers are going, "There is no way in Hell we should have to pay for this!" Sony looks like it didn't even try to secure its networks, just like someone running an Indy 500 on open roads looks like they've bought car insurance to avoid having to care about all the damage they know's going to eventually happen.

      It's tricky, but it's good enough to get you a day in court. If you just show up like "Well we have a contract but we don't wanna pay..." the judge won't even hear your case.

      --
      Support my political activism on Patreon.
    2. Re:I'd hate to be the head of that company...... by justsomebody · · Score: 1

      lol, in our country if you're drunk you automatically lose insurance in case of crash. and sony security was in the same state

      --
      Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
    3. Re:I'd hate to be the head of that company...... by vegiVamp · · Score: 1

      Yes, but... Going 180 in your car is illegal, and you cannot insure yourself against your own willing illegal actions. While they insurance may manage to build a good case based off gross negligence, Sony didn't actually do anything strictly illegal, they were the victim of illegal action.

      That being said, if you leave your car unlocked the insurance sure as hell isn't going to cough up for your stolen laptop - if there's no signs of breakage they'll claim negligence and not pay out.

      The trick here is going to be proving that Sony was negligent with their security. This may run for a pretty long time while bureaucrats on both sides comb over tons of server logs.

      --
      What a depressingly stupid machine.
    4. Re:I'd hate to be the head of that company...... by bluefoxlucid · · Score: 1

      If you're illegally speeding at 60 in a 30mph zone, insurance will typically pay out liability. As well, aggressive driving and the like. ... liability means you're at fault.

      Gross negligence is different. In the event that your insurer can show that you weren't just irresponsible, but in fact engaged in such unreasonable behavior that it's patently absurd to leave the insurer to pick up the bill, the judge is probably going to want to hear this--and he'll probably look for a damn good reason to grant relief. You will offend the judge by showing up in his court room claiming that the insured was doing 60mph in a 45mph zone and you thus don't want to pay liability; but if the insured was staging a highly illegal street race--not down the back roads or something, but down open city streets, Tokyo Drift style, for a 40 mile circuit from one end of the city to another, through populated areas, at excessively high speeds--he will be very willing to put fort effort to weasel you out of paying for this shit, (hopefully) to the strict extent of the law (so too bad, you might have to cough up anyway).

      The core argument here will be that Sony took out an insurance policy and then proceeded to cease to care about the well being of their clients. They became grossly and possibly criminally negligent, under the assumption that all negative effects of this would fall to the insurance company and thus that they paid to be freed of responsibility for their actions. Insurance will argue that Sony's actions were irresponsible, a public danger, and possibly illegal or fraudulent (depending on what security claims they made to the payment card industry, which actually cares about this sort of thing).

      They may not have a legal leg to stand on; but they have enough of an argument for a judge to want to hear it. He might rule against it in the end, but he'll allow it to be heard in his court.

      --
      Support my political activism on Patreon.
    5. Re:I'd hate to be the head of that company...... by Bengie · · Score: 1

      Hopefully the contract has some sort of exit clause. I know my car insurance does. You do stupid shit and they don't have to cover.

      Black-box shows you speeding, no coverage, no seat-belt on, no coverage. And many more examples.

      Once could even argue definitions of words. If your car insurance covers "accidents" and you're speeding, it may no longer be considered an "accident" as your speeding was deliberate.

      Accident != Negligence

      Just tossing around some ideas.

    6. Re:I'd hate to be the head of that company...... by TheRaven64 · · Score: 1

      But what are the insurers suing? You don't normally sue in order to not do something, you sue in order to make someone else do (or stop doing) something. Surely they should just be refusing to pay and inviting Sony to sue them...

      --
      I am TheRaven on Soylent News
    7. Re:I'd hate to be the head of that company...... by wkcole · · Score: 1

      The trick here is going to be proving that Sony was negligent with their security.

      No, it isn't. That is not what the suit is about at all. No reasonably intelligent adult reading the article would believe that it is.

      Zurich's suit is actually about what constitutes "property damage" and other issues specific to the Zurich policy covering Sony, as well as the other insurance policies that Sony may have in place. Zurich is also suing Sony's other insurers as a second line of defense, so that even if the court decides that the policy written by Zurich includes coverage for the specific sorts of damages claimed by customers for a criminal security breach at the particular Sony unit in question. The article doesn't include filings, but it says nothing at all about Zurich claiming negligence. Zurich actually markets their coverage as handling the gaps between other sorts of more specific corporate liability insurance, and their policy may well have a much more forgiving standard for negligence than they want to fight over. For example, it might be that they explicitly insure the corporate entity against individual negligence below a particular level of the corporate bureaucracy, in which case they'd have to show that particular higher-ups at Sony knew that security was inadequate.

      Based on the article, this looks more like Zurich is saying that online security breaches simply are not covered by their policy at all. They may be covering incidents like a Bravia power supply shorting out and burning down a house, but not covering the emotional trauma of having to abandon whatever value might exist in a Sony online account.

  5. From the company that brought you.. by Superken7 · · Score: 5, Informative

    ... the worst ever handled online security breach, here comes the plain-text captcha: http://pro.sony.com/bbsc/jsp/forms/generateCaptcha.jsp

    Yes, you heard well. The catpcha is not an image, but HTML text with CSS to distort the text style! That is how things must be done in Sony, that explains SO MUCH!

    The headline is not surprising at all, IMHO.

    1. Re:From the company that brought you.. by Anonymous Coward · · Score: 1

      No. Its completely secure, they have disabled right-click menus, so you can't view the source. Nobody would be clever enough to get to see the source any other way.

    2. Re:From the company that brought you.. by Satis · · Score: 1

      Oh man, that is absolutely classic. Thank you so much for finding that. I think you just made my day.

      --
      Satis clankiller.com
    3. Re:From the company that brought you.. by Wiarumas · · Score: 1

      I'm not sure if this is done out of ignorance or that things are so bad, a functioning captcha isn't going to make a difference. A bit of security theater while they tackle more fundamental issues? Either way its hilariously pathetic.

      --
      I will bend like a reed in the wind.
    4. Re:From the company that brought you.. by erroneus · · Score: 1

      This is hilarious!!! Javascript is disabled for me by default thanks to that noscript thing so I was able to see the source code without difficulty. What I saw in there was astounding.

    5. Re:From the company that brought you.. by Aladrin · · Score: 1

      It's also a perfect example of management asking for something they don't fully understand, and the developers providing them exactly what they asked for, rather than what they want or need. I would love to know the exact details that they asked for.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    6. Re:From the company that brought you.. by todrules · · Score: 1

      But they disabled right-click!! There's no way you can get past that! ...Oh, wait.

    7. Re:From the company that brought you.. by todrules · · Score: 1

      Even if you have JS enabled, you can always view source just using the menu.

    8. Re:From the company that brought you.. by Baloroth · · Score: 1

      Best part about this, as others mentioned, is that if you disable javascript, you can not only get to the right click menu, you can select/copy/paste the characters. In fact, I was able to do that even with Javascript in Opera. And then for the hell of it I removed the section disabling the right-click, which is conveniently labeled in the source, enabled Javascript, and right-clicked on the page. I just hacked Sony!

      BTW, what do they actually use this for? Do they really use it for all their online signups? Not that I would be surprised, just wondering if anyone has a page where this is actually being used so I can laugh even more at Sony.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    9. Re:From the company that brought you.. by justsomebody · · Score: 1

      things... are... that... bad

      just remember
      int getRandomNumber() { return(4); }

      --
      Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
    10. Re:From the company that brought you.. by mfh · · Score: 1

      They are so incompetent. I would say, if I was a major stockholder at Sony, that it was time to fire everyone and start over. Rebrand, reimage and retool everything.

      They have no enforced information policy, or if they do there is no accountability.

      --
      The dangers of knowledge trigger emotional distress in human beings.
    11. Re:From the company that brought you.. by tixxit · · Score: 3, Interesting

      Regardless if it is security theatre, the fact remains that there are lots of great, free, functional captcha generators out there they could've used instead. The fact that they made their own shitty captcha, rather than just saving time and money and reusing an existing library says more about their security policy than the actual ineffectiveness of the captcha itself.

    12. Re:From the company that brought you.. by ledow · · Score: 1

      Oh, thank you, thank you, thank you. That's made my day, that has.

      Some web programmer was pissed at them - he gave them exactly what they wanted in a way that completely defeated the original object of the exercise. Fabulous.

    13. Re:From the company that brought you.. by tepples · · Score: 1

      If your web browser even has menus. The way Firefox and Chrome are cutting down on user interface controls, it'll be harder and harder to view a page's source unless the user goes out of his way to install web developer extensions.

    14. Re:From the company that brought you.. by Inda · · Score: 1

      I thought "var somediv", in Sony's code towards the bottom, was the authors signature.

      I still think the same.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    15. Re:From the company that brought you.. by phatcabbage · · Score: 1

      Or you could just hit Ctrl-U from about any modern browser.
      Or F12 in Chrome to bring up the included developer tools.

    16. Re:From the company that brought you.. by Imbrondir · · Score: 1

      It's just Sony taking SEO very seriously ;)

    17. Re:From the company that brought you.. by Shompol · · Score: 1, Redundant

      That's amazing - I've got the same combination on my luggage!

              <b>T</b></span></td>
              <b>E</b></span></td>
              <b>L</b></span></td>
              <b>U</b></span></td>
              <b>G</b></span></td>

    18. Re:From the company that brought you.. by PRMan · · Score: 1

      It works in FF with NoScript just fine. I looked at the source by right-clicking...

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    19. Re:From the company that brought you.. by PwnzerDragoon · · Score: 1

      The best part is, after using Ctrl+A to select it, due to the JS I can't even unselect it.

    20. Re:From the company that brought you.. by krishkrish · · Score: 1

      What about ctrl-s ?

  6. Shouldn't have to pay. by bioster · · Score: 2

    Yeah, I don't think they should have to pay either. Even if the policy specifically covered digital attacks, Sony still would have had to do their due diligence. Most (all?) of the attacks I heard about were silly things Sony shouldn't have been vulnerable to, like SQL injections. This is an absolutely massive company, there is no excuse for not having proper penetration testing and security audits done on their sites, and making the insurance pay out in this case is kind of like trying to make insurance pay for a wheel barrel of money you left on your front porch.

    1. Re:Shouldn't have to pay. by Oxford_Comma_Lover · · Score: 1

      Yeah, I don't think they should have to pay either. Even if the policy specifically covered digital attacks, Sony still would have had to do their due diligence.

      Most (all?) of the attacks I heard about were silly things Sony shouldn't have been vulnerable to, like SQL injections. This is an absolutely massive company, there is no excuse for not having proper penetration testing and security audits done on their sites, and making the insurance pay out in this case is kind of like trying to make insurance pay for a wheel barrel of money you left on your front porch.

      That would be so fun to do...

      (Well, if you had other wheelbarrows.)

      --
      -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    2. Re:Shouldn't have to pay. by Hatta · · Score: 1

      Indeed. This is like buying fire insurance for your home, and then getting drunk and doing poi in your living room with liquor bottles stacked on every wall. Insurance shouldn't be license for negligence.

      --
      Give me Classic Slashdot or give me death!
  7. But If they're negligent... by AngryDeuce · · Score: 4, Insightful

    If Sony's issues were due to their own negligence in securing their network, why should the insurance company have to pay? If I'm driving drunk my insurance company isn't going to cover my car when I get into an accident, so why the hell should an insurance company cover this?

    If Sony was a person this wouldn't even be a question...

    1. Re:But If they're negligent... by AngryDeuce · · Score: 2

      The difference is your drunk driving is illegal, Sony, the target of hackers, isn't.

      Well, I think the case could be made that Sony was criminally negligent due to their lack of security (if I recall correctly, wasn't some of the customer data breached stored in plaintext completely unprotected on their servers?) and the fact that they're a multi-billion dollar organization that is in the industry, meaning they likely knew full well that they were cutting corners and leaving themselves open to these attacks, but I'm not sure if it could be proven beyond a doubt without a whistle-blower or leaked internal information.

      It probably doesn't matter as the only way to really get to the bottom of this is for the people effected to get together and file a class action lawsuit against Sony, but I also seem to remember a ruling not long ago that basically gave major corporations the right to destroy any chance for a class action by including language forbidding them in their EULA's, so I doubt that will ever happen, but it should happen.

      At the very least, the fact that Sony tried to squash this from getting out for 10 days or whatever before informing their customers that their credit card data had been compromised is extremely damning in itself. That in itself deserves a criminal negligence trial, if there exists any lawyers willing to take on a multibillion dollar corporation to prove it, that is.

    2. Re:But If they're negligent... by ZombieBraintrust · · Score: 1

      Because its liability insurance. Liability insurance pays out when your sued or lose a lawsuit. Its specifically there for when you do something illegal or negligent. It doesn't protect against anything else.

    3. Re:But If they're negligent... by ZombieBraintrust · · Score: 1

      A common example is your collision insurance. It pays out to the other driver when you run a red light and cause an accident. Or pull out in front of someone. These policies have limits though. Most don't pay out if your drunk.

      The fact that these hackers were able to hack other companies and governments will help Sony.

    4. Re:But If they're negligent... by leswt · · Score: 1

      One issue is whether it is in the public interest to allow one to insure against this type of loss (gross negligence) Here is a question, should a company be allowed to have insurance against punitive damages, again a not in the public interest thing

    5. Re:But If they're negligent... by ZombieBraintrust · · Score: 2

      I really impossible to arm chair lawyer this without the contracts.

    6. Re:But If they're negligent... by Nevo · · Score: 1

      No, liability insurance pays out according to the terms of the contract.

      If I were writing an insurance policy to protect a company against hacking, I'd sure as heck include clauses that require the insured party to take certain steps to protect that data. *If* such terms were part of the contract, and *if* Sony didn't abide by the terms of the contract, then the insurer isn't under any obligation to pay out.

      It all comes down to: what were the terms of the policy? None of us knows that, so we're all just taking WAGs on this issue.

    7. Re:But If they're negligent... by Jeng · · Score: 1

      Devils advocate here.

      Perhaps the insurance company should have had an audit done so that they would know what they were insuring.

      When I get my car insured one of the things that the insurance company does is take pictures of my car so they know what they are insuring.

      If the insurance company did not state how or to what degree the website was to be secured is it fair for them to say after the fact that they will not pay?

      --
      Don't know something? Look it up. Still don't know? Then ask.
    8. Re:But If they're negligent... by guspasho · · Score: 1

      "Liability insurance pays out when your sued or lose a lawsuit. Its specifically there for when you do something illegal or negligent."

      That is a really dumb business model.

    9. Re:But If they're negligent... by HappyHead · · Score: 1

      Added to all of that is the problem that there was not just a single attack, there was a long series of them stretched out over multiple months, all of which made use of exactly the same flaw, which remained unpatched through the entire time period.

      They may have been able to excuse the first attack as "Oh, we didn't know about it, we're fixing it now!", but the ones that followed? One, or even two months later? That's like having your first car stolen because you left it unlocked, and responding by parking your other car(s) out in the same unmonitored parking lot with the doors unlocked and the windows open. Their insurance might be at least partly on the hook for the first one, but the ones after that where they _knew_ about the problem, and deliberately did nothing to fix it? I strongly suspect that "Driving Drunk" is a very very apt analogy to what Sony's IT department management was doing there.

      As for the EULA, the only possible way around that would be if Sony (mistakenly) made promises about their own behavior in their EULA, regarding data security or even "We won't give your personal data to spammers", which these breaches could be ruled as a violation of, thus nullifying the EULA. Having never actually read Sony's EULA for these services, I have no idea if it actually says that. You can bet however, that once they came back online, the EULA was updated to include immunity to prosecution (or persecution) for data breaches.

    10. Re:But If they're negligent... by purplepolecat · · Score: 1

      Another example: all (US) doctors have malpractice insurance, because despite being trained professionals, they sometimes screw up, or do something that can be made to look like a screwup by a good lawyer. I imagine Sony's insurance has similar goals.

    11. Re:But If they're negligent... by Solandri · · Score: 1

      From TFA, it was a general liability insurance policy. Those are supposed to cover medical bills in case of injury, property damage, and legal costs if you're sued. It's not an umbrella insurance policy. Zurich is arguing that Sony's customers becoming more vulnerable to identity theft does not constitute an "injury" nor "property damage", and thus is not covered.

      It's actually going to be a fairly interesting case from the standpoint of defining what exactly identity theft is. If the courts decide it is property damage, that opens up a whole slew of possible legal avenues for getting compensation from e.g. banks which fail to protect your personal information.

    12. Re:But If they're negligent... by wkcole · · Score: 1

      If Sony's issues were due to their own negligence in securing their network, why should the insurance company have to pay? If I'm driving drunk my insurance company isn't going to cover my car when I get into an accident, so why the hell should an insurance company cover this?

      That's a lousy analogy because drunk driving is a criminal behavior. In many places it is illegal for an insurance company to write a policy that covers personal liability for criminal acts, but they frequently can cover extremely stupid acts of negligence or even (rarely) corporate liability for the crimes of individuals.

      But that doesn't seem to be relevant in this case, since Zurich seems to be suing over finer points of coverage terms rather than over whether Sony was negligent in their sloppy security. Zurich is expert in the finer points of defining degrees and scopes of negligence and writing them into umbrella corporate liability insurance policies, so that seems an unlikely area for them to be litigating. The article says nothing about negligence, but it does imply that Zurich is looking to get a grey area settled over where security breach harm sits in the legal taxonomy of torts. They are claiming that their policy doesn't cover any of the claimed harm in the suits against Sony, and that if it does then Sony's other insurers are also on the hook.

      If Sony was a person this wouldn't even be a question...

      Right, because a person cannot run a global conglomerate business doing billions of dollars of commerce daily with hundreds of millions of customers. If Sony was a person the underlying event could not have occurred.

      More to the point you were trying to make and stipulating your dubious theory that this is about negligence... A business entity has more complicated liabilities and needs more complex insurance than an individual because it is made up of many people with non-homogeneous knowledge and motivations and distinct functions and responsibilities as part of the business. A corporation can sometimes be held liable for damage from intentional actions by low-level employees that were unforeseen, unpreventable, and in violation of corporate policy. That doesn't even have an analogy in an individual person. However, if a person is negligent in a way that contributes to harm to others, it can be a complicated process involving both fact and law to determine whether a particular insurance policy will cover that harm. For example, suppose that I had a swimming pool in my back yard that I let neighborhood kids use without any real supervision. One day the local bully comes by, pulls out the pump power line, tosses it in the pool, and starts pushing kids in. They all get scared out of their skulls and get minor shocks, maybe a lot of bruises, maybe even a few broken bones. I would get sued. If my homeowner's insurance had a specific rider covering harm to guests in my swimming pool, my insurance company would probably make some judgment as to whether to defend those suits or settle them, no matter how careless I was, and go after the bully on the other end. If my homeowner's policy didn't explicitly acknowledge the pool or explicitly excluded pool-related liability, I could have a problem much like the one Sony now has with Zurich.

      The slimeballs who cracked Sony should be hoping for a Zurich win against Sony and subsequent wins in similar escape suits by the other insurers. Insurers have terrifying legal teams and a lot of law tilting the playing field in their favor. In many cases, the direct perpetrators of a harmful act can be pursued by an insurer to cover whatever the insurer paid on claims plus legal fees, while lacking the protections that a criminal defendant gets when being prosecuted by the government. Sony could go after them as well, but they probably would be as good at it.

  8. Insurance damage was not one I considered by erroneus · · Score: 4, Insightful

    This makes me respect the attacks on Sony all the more. The attacks on Sony did more damage than the temporary breeches and outages. Those can be forgotten in a short time. But when insurance coverage is being denied, real and long-lasting damage has indeed occurred.

    An insurance company will often deny coverage to parties who are risky. If a party engages in behavior that, for example, makes them a target of angry people, they are a higher risk. Sony has made many, many parties angry and in this case, they made themselves target. What's more, they failed to improve security at any site or location that bears the Sony brand. This makes them more than risky, it makes them negligent.

    I only wish "arrogance" were enough cause to raise insurance rates... but then again, insurance companies would all be uninsurable.

    1. Re:Insurance damage was not one I considered by mfh · · Score: 1

      I only wish "arrogance" were enough cause to raise insurance rates... but then again, insurance companies would all be uninsurable.

      No judge is going to throw out legally binding coverage. If Sony violated their insurance coverage that would be amazing. They have lost reputation here and that's invaluable. Not many people would trust them after this. They are seen everywhere as being largely incompetent.

      This changes their business model. No longer are they going to be capable of running online shops, for example. Nobody is gonna shop there and they won't get insurance so it's gonna be a done deal.

      Sony will be stuck manufacturing products for sale to resellers and that's going to be their limitation now. No more networking stuff for them. Just watch! :)

      --
      The dangers of knowledge trigger emotional distress in human beings.
    2. Re:Insurance damage was not one I considered by cavreader · · Score: 1

      Oh well since this produced what you consider favorable results lets just let the criminals decide if their cause is righteous enough to justify breaking the law. Debating the righteousness of a cause and using the results of that debate on an ad-hoc basis after a crime has been committed will just ensure that the laws will not be applied equally.

    3. Re:Insurance damage was not one I considered by jimicus · · Score: 2

      No judge is going to throw out legally binding coverage. If Sony violated their insurance coverage that would be amazing.

      I'd be more surprised if Sony haven't violated their insurance coverage. As others have already said, virtually any insurance policy for any sort of risk - whether it's for your car, your home, your professional indemnity - includes a clause which essentially says that you're meant to take reasonable steps to minimise the risk of a claim happening in the first place.

      It's entirely possible that a company the size of Sony might have been able to negotiate a special policy rather than getting stuck with the "take it or leave it" wording you or I would get, but I'd be surprised if the insurer would omit such a clause. IANAL, but in theory all the insurance company has to do is wheel out a few experts to testify that this many breaches suggest systemic negligence at a high level rather than one rogue department and Sony are stuck.

    4. Re:Insurance damage was not one I considered by mfh · · Score: 2

      includes a clause which essentially says that you're meant to take reasonable steps to minimise the risk of a claim happening in the first place.

      The judge in order to exercise due diligence is going to need to see records where the insurer took steps to monitor compliance. IANAL but I have seen this in my own business where the insurer has no case if they didn't try to check up and see if Sony was being compliant. Can you guess where that's gonna go?

      Of course if Sony's legal team is as competent as their programming teams, then this will be open/shut for the insurer.

      --
      The dangers of knowledge trigger emotional distress in human beings.
    5. Re:Insurance damage was not one I considered by AlecC · · Score: 1

      That is not the point. Zurich is claiming they never covered for cyberdamage, so it is irrelevant whether the security was good or not.

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    6. Re:Insurance damage was not one I considered by erroneus · · Score: 1

      Technically, the founding fathers of the United States of America were treasonous criminals and should have been hanged.

      There are unquestionably some forms of justice in this world that do not fit within the justice system.

    7. Re:Insurance damage was not one I considered by cavreader · · Score: 1

      Poor baby did someone hurt your feelings and treat you badly? Chances are you probably deserved it. Equality is an ongoing process not a static result.

    8. Re:Insurance damage was not one I considered by HiThere · · Score: 1

      The problem is, the laws are systematically unjust. So you can't presume that just because someone broke the law they acted incorrectly. (Recklessly, perhaps. But many reckless actions are quite defensible, and many are also legal. Not always the same ones.)

      You are right. I won't let the perpetrators of an action decide whether it was moral or ethical. But I won't let the legislators decide that either. *I* decide whether I consider an action to be moral or ethical.

      It would be nice if we could depend on the laws to be just, and the legal system to promote justice. They don't. The legal system no longer even claims to promote justice. They promote following the laws, or at least the bureaucratic procedures. (Having followed the laws isn't sufficient. You can be convicted in a blatantly obvious miscarriage of justice, but until the proper procedures have been followed, being obviously innocent will not save you from being punished. Not even for a capital offense.)

      The basic problem is that those who make the laws are beholden to a small minority of the population for the majority of their support. These are the people who control their access to the means to communicate with the voters, and the controllers of who will be offered as a candidate for selection by the parties. Another problem is that you need to be crazy in one way or another to be willing to devote enough effort to get elected. (Note that these are independent problems, which are both active.) There are others, but the end result is that the people who get elected are all control freaks, and they are beholden to a small, largely wealthy, segment of the population. This is reflected in the laws that they pass.

      I'm not about to let those characters define what *I* consider just.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    9. Re:Insurance damage was not one I considered by Solandri · · Score: 1

      But when insurance coverage is being denied, real and long-lasting damage has indeed occurred.

      If it works like it does for small businesses, Sony is in for a world of hurt even if the insurance ends up covering it. General liability is priced partly based on how much has been paid out in claims for that company in recent years. So if the insurance is denied, Sony has to foot the bill. If the insurance covers it, Sony's insurance premiums will go up in the future. And for a company Sony's size, even a fraction of a percent increase would be a huge sum.

    10. Re:Insurance damage was not one I considered by cavreader · · Score: 1

      I have never implied that the laws or justice system are always correct and just. I believe the system is constantly evolving, sometimes for good and sometimes for bad. There are times when someone technically breaks a law but committed no crime due to the circumstances of the situation. There have been innocent people wrongly convicted. The legislature may create the laws of the land but the judicial branch has the final word on whether the law gets applied. There have been many cases of the court system ruling in favor of the accused because of a problem with the law being applied to them. There has also been jury nullification when the situation warranted it. Like every thing else in the world it is not a pefect system but it is a hell of a lot better than lawless anarchy.

    11. Re:Insurance damage was not one I considered by HiThere · · Score: 1

      If it were required that jury nullification be explained to prospective jurors, then I would have a lot less trouble with the laws. As it is, instead, prohibited... well, then the laws have to be nearly perfect before I'll think then defensible.

      N.B.: Even with jury nullification, there will still be many miscarriages of justice. Perfection does not exist in this world. And even then the system would be shamelessly tilted in favor of the rich and the powerful.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  9. Yeah, you really showed GeoHot, Sony! by elrous0 · · Score: 1

    I guess that'll teach some punk to try to jailbreak one of your consoles!

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Yeah, you really showed GeoHot, Sony! by hedwards · · Score: 1

      So pirates really are putting them out of business.

  10. Re:I hate Sony by justsomebody · · Score: 1

    since you seem to judge laptop quality by GPU, you get my sympathy

    --
    Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
  11. Zurich: Because shit happenz. by tepples · · Score: 1

    I wonder how many Zurich American executives' kids were affected by the outage?

    And I wonder how this might be worked into Zurich's next ad campaign. "Zurich: Because shit happenz."

  12. UI discoverability by tepples · · Score: 1

    Ctrl-U [...] F12

    Discoverable how?

    1. Re:UI discoverability by happylight · · Score: 1

      In the manual/help file.

      I bet you don't read the manual before you drive your new car either.

    2. Re:UI discoverability by vgerclover · · Score: 1

      If you go to the only menu on Chrome, Tools, View Source, you'll see the shortcut too. Anyone who can't find it won't have much use to see the HTML source of any given webpage.

    3. Re:UI discoverability by vgerclover · · Score: 1

      And let's not forget that you can right-click on the webpage and there it is, View Page Source.

    4. Re:UI discoverability by TheRaven64 · · Score: 1

      You really need to look up what a discoverable user interface is...

      --
      I am TheRaven on Soylent News
    5. Re:UI discoverability by PwnzerDragoon · · Score: 1

      In Chrome you can click the wrench icon and go down to Tools, under there you see View Source (Ctrl-U). There doesn't appear to be a way to bring up the developer tools from that menu, nor a clue to the keyboard shortcut, though I usually open them with right-click -> Inspect Element on what I want to look at.

  13. April Fools by wrightrocket · · Score: 1

    When they removed Linux capabilities from the PS3 it was supposed to enhance enhance security. April fools on them!

  14. No Accountability by Grand+Facade · · Score: 1

    It's the corporate way...

    It's just some silly data, what's the big deal?

    All your $ are mine.

    --
    Rick B.
  15. It's a shell game by Grand+Facade · · Score: 1

    Sony = We're not responsible, someone illegally accessed your data.

    Sony = We have insurance for that, collect from them >>>>

    Insurance Co = (professional non-payer of fees, obsfucator and dragger of feet) We're not paying, Sony was criminally negligent. Go collect from them >>>>>

    Sony = OMG! The government must protect us from the evil haxors and get your restitution from our insurance.

    Insurance Co = Restitution shmestitution, it is us who got hurt here! The gov't must protect us from the evil haxors. We're not paying.

    Lawyers = PROFIT!!!!

    --
    Rick B.
  16. To clarify: by AlecC · · Score: 1

    Zurich are not trying to get out because of Sony's gross negligence in their security. This is what the various drunk driving and lunatic driving analogies would imply.

    From TFA, Zurich are saying 'it does not have to defend or indemnify Sony against any claims "asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general."' I.e. that the policy was never insurance against cyber-damage, but against property or personal damage caused by Sony's products. If Sony's products exploded, or polluted the environment, or jammed radios, Zurich would have to pay up. But they claim that the policy they sold was never intended to cover Sony's databases.

    --
    Consciousness is an illusion caused by an excess of self consciousness.
  17. Grabs Captcha Text by Anonymous Coward · · Score: 1

    ( curl http://pro.sony.com/bbsc/jsp/forms/generateCaptcha.jsp 2>/dev/null | grep "<b>" | sed "s/[<>]/ /g" | awk '{printf($2)}'; echo )

  18. Re:Interesting Precdent by Nevo · · Score: 1

    A very interesting point, and one on which I agree. To date, companies haven't cared much about cybersecurity because there's no fiscal benefit to spending all that money. This case may indeed change that.

  19. HTML 4 Strict has no li value by tepples · · Score: 1

    HTML 4 TRANSITIONAL.

    The biggest reason I've used HTML 4 Transitional is because W3C mistakenly deprecated the value attribute of the li element and removed it from the HTML 4 Strict and XHTML Strict DTDs entirely without giving a viable alternative at the time. (CSS counters aren't it for two reasons that; I can explain.) It's been added back to HTML5 though.