Slashdot Mirror


Sony Insurer Suing To Deny Data Breach Coverage

idontgno writes "It keeps getting better and better for Sony and its business units. Reuters reports that Sony's insurer, Zurich American, is suing to avoid paying out on Sony's legal liability which may arise from its spectacular online security breaches a few months ago."

15 of 122 comments

  1. So, maybe, if we're lucky... by mat+catastrophe · · Score: 2

    We won't all one day drive our Sony to the Sony to pick up more Sony?

    --
    sig not found
  2. I was just thinking to myself... by snookerhog · · Score: 4, Funny

    I was just thinking to myself, what this story needs is some more lawyers.

    1. Re:I was just thinking to myself... by Oxford_Comma_Lover · · Score: 2

      I was just thinking to myself, what this story needs is some more lawyers.

      In this case, maybe.

      On the one hand, I would hate to be a SONY shareholder right now, or to be the big guys at SONY and realize (probably) that you had hired someone incapable of managing the security you need for a target that large--or given them too little power to do it--and be hit with the double whammy of insurance refusing to cover you. I would also hate to be Sony's lawyers who approved either their security policies or their insurance policies.

      But on the other hand, companies that are big targets *will not* take the necessary risk mitigation steps if they are not financially accountable for their actions. If Sony's only loss is to income and share price, it is still a big loss, but it is a much bigger incentive for smaller companies to protect user data if the ability to insure against data theft is limited.

      --
      -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
  3. From the company that brought you.. by Superken7 · · Score: 5, Informative

    ... the worst ever handled online security breach, here comes the plain-text captcha: http://pro.sony.com/bbsc/jsp/forms/generateCaptcha.jsp

    Yes, you heard well. The captcha is not an image, but HTML text with CSS to distort the text style! That is how things must be done in Sony, that explains SO MUCH!

    The headline is not surprising at all, IMHO.

    1. Re:From the company that brought you.. by tixxit · · Score: 3, Interesting

      Regardless if it is security theatre, the fact remains that there are lots of great, free, functional captcha generators out there they could've used instead. The fact that they made their own shitty captcha, rather than just saving time and money and reusing an existing library says more about their security policy than the actual ineffectiveness of the captcha itself.

  4. Shouldn't have to pay. by bioster · · Score: 2

    Yeah, I don't think they should have to pay either. Even if the policy specifically covered digital attacks, Sony still would have had to do their due diligence. Most (all?) of the attacks I heard about were silly things Sony shouldn't have been vulnerable to, like SQL injections. This is an absolutely massive company, there is no excuse for not having proper penetration testing and security audits done on their sites, and making the insurance pay out in this case is kind of like trying to make insurance pay for a wheelbarrow of money you left on your front porch.

  5. Re:I'd hate to be the head of that company...... by bluefoxlucid · · Score: 3, Insightful

    Well, they have a valid case. It's going to get heard by a judge, for sure; this isn't some ridiculous "Oh we don't feel like holding up to our contract because it's bad for us today" kind of thing. What happened here is Sony took out insurance and then caused a massive problem leading to a massive claim through unimaginably gross negligence. It's like if you insure a car and then proceed to speed at 180mph and slam into shit ... your insurer will go, "Oh HELL no," and try to wiggle out of the claims. Often they have clauses that vaguely let them do so, on a good day; whereas basic neglect and driver failure will get them slapped around because that's what you're insured for.

    Basically Sony did the equivalent of buying 100k/300k liability insurance and then organizing a massive illegal street race through a complicated course in the city. Gross, gross negligence. Now their insurers are going, "There is no way in Hell we should have to pay for this!" Sony looks like it didn't even try to secure its networks, just like someone running an Indy 500 on open roads looks like they've bought car insurance to avoid having to care about all the damage they know's going to eventually happen.

    It's tricky, but it's good enough to get you a day in court. If you just show up like "Well we have a contract but we don't wanna pay..." the judge won't even hear your case.

  6. But If they're negligent... by AngryDeuce · · Score: 4, Insightful

    If Sony's issues were due to their own negligence in securing their network, why should the insurance company have to pay? If I'm driving drunk my insurance company isn't going to cover my car when I get into an accident, so why the hell should an insurance company cover this?

    If Sony was a person this wouldn't even be a question...

    1. Re:But If they're negligent... by AngryDeuce · · Score: 2

      The difference is your drunk driving is illegal, Sony, the target of hackers, isn't.

      Well, I think the case could be made that Sony was criminally negligent due to their lack of security (if I recall correctly, wasn't some of the customer data breached stored in plaintext completely unprotected on their servers?) and the fact that they're a multi-billion dollar organization that is in the industry, meaning they likely knew full well that they were cutting corners and leaving themselves open to these attacks, but I'm not sure if it could be proven beyond a doubt without a whistle-blower or leaked internal information.

      It probably doesn't matter as the only way to really get to the bottom of this is for the people affected to get together and file a class action lawsuit against Sony, but I also seem to remember a ruling not long ago that basically gave major corporations the right to destroy any chance for a class action by including language forbidding them in their EULAs, so I doubt that will ever happen, but it should happen.

      At the very least, the fact that Sony tried to squash this from getting out for 10 days or whatever before informing their customers that their credit card data had been compromised is extremely damning in itself. That in itself deserves a criminal negligence trial, if there exist any lawyers willing to take on a multibillion dollar corporation to prove it, that is.

    2. Re:But If they're negligent... by ZombieBraintrust · · Score: 2

      It's really impossible to armchair-lawyer this without the contracts.

  7. Insurance damage was not one I considered by erroneus · · Score: 4, Insightful

    This makes me respect the attacks on Sony all the more. The attacks on Sony did more damage than the temporary breaches and outages. Those can be forgotten in a short time. But when insurance coverage is being denied, real and long-lasting damage has indeed occurred.

    An insurance company will often deny coverage to parties who are risky. If a party engages in behavior that, for example, makes them a target of angry people, they are a higher risk. Sony has made many, many parties angry and in this case, they made themselves a target. What's more, they failed to improve security at any site or location that bears the Sony brand. This makes them more than risky, it makes them negligent.

    I only wish "arrogance" were enough cause to raise insurance rates... but then again, insurance companies would all be uninsurable.

    1. Re:Insurance damage was not one I considered by jimicus · · Score: 2

      No judge is going to throw out legally binding coverage. If Sony violated their insurance coverage that would be amazing.

      I'd be more surprised if Sony haven't violated their insurance coverage. As others have already said, virtually any insurance policy for any sort of risk - whether it's for your car, your home, your professional indemnity - includes a clause which essentially says that you're meant to take reasonable steps to minimise the risk of a claim happening in the first place.

      It's entirely possible that a company the size of Sony might have been able to negotiate a special policy rather than getting stuck with the "take it or leave it" wording you or I would get, but I'd be surprised if the insurer would omit such a clause. IANAL, but in theory all the insurance company has to do is wheel out a few experts to testify that this many breaches suggest systemic negligence at a high level rather than one rogue department and Sony are stuck.

    2. Re:Insurance damage was not one I considered by mfh · · Score: 2

      includes a clause which essentially says that you're meant to take reasonable steps to minimise the risk of a claim happening in the first place.

      The judge in order to exercise due diligence is going to need to see records where the insurer took steps to monitor compliance. IANAL but I have seen this in my own business where the insurer has no case if they didn't try to check up and see if Sony was being compliant. Can you guess where that's gonna go?

      Of course if Sony's legal team is as competent as their programming teams, then this will be open/shut for the insurer.

      --
      The dangers of knowledge trigger emotional distress in human beings.
  8. Re:Go Figure by justsomebody · · Score: 2

    I think that is not a problem, they try to get out on the fact that Sony security was crap (which it was). Same way as my insurer would not pay up if I crash my car (fully insured) while I was driving without one wheel and my windshield was so dirty nothing could be seen through

    --
    Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
  9. Re:Go Figure by cwebster · · Score: 3, Interesting

    Yea, they did sell them a policy, and this shows you why you need to actually read your policies before signing them. Many policies, perhaps even ones you have signed, contain clauses that limit the insurer's liability if certain conditions aren't met.