Slashdot Mirror


Lawsuit Against Sony Highlights Cyber Insurance Shortcomings

CWmike writes "A brewing legal dispute between Sony and one of its insurers over data breach liability claims highlights the challenges that companies can sometimes face in getting insurance providers to cover expenses arising from cybersecurity incidents. Zurich American Insurance Co. asked the court last week to absolve it of any responsibility for defending or indemnifying Sony against claims arising from the recent data breaches at the company. The data breaches at Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures resulted in account data on close to 100 million individuals becoming exposed and over 12 million credit and debit cards being compromised. The breaches have so far resulted in at least 55 putative class-action lawsuits being filed against Sony in the U.S. and another three lawsuits filed against it in Canada. Sony expects to spend close to $180 million in the next year alone on breach-related costs. But analysts say insurance might not have even been worth it in Sony's case: 'There aren't many success stories where cyber insurance [has played] a significant role in reducing the cost of incidents,' said Gartner analyst John Pescatore. Um, better security as an insurance policy maybe?"

21 of 99 comments

  1. the devil vs the devil by TheGratefulNet · · Score: 4, Funny

    hmmm, on one side, an insurance company.

    on the other side, sony.

    hey, why does it have to be one or the other, though? can't they both lose? please?

    (for great justice. and a plate of shrimp, to go.)

    --
    "It is now safe to switch off your computer."
    1. Re:the devil vs the devil by ginbot462 · · Score: 2

      >> With non-health insurance, you probably have a choice, and I don't hear near as many bad comments about them as I hear about health insurance.

      Tell that to Katrina victims .. and yes, I know the Flood Policy deal. But, there were people that lost whole houses to WIND ONLY and I am sorry, floods don't blow roofs away. Oh.. there was water in the wind so it doesn't count? WTF?

      http://www.centerjd.org/air/pr/KATRINAREPORT.pdf

      --
      Atlas Shrugged : Thematic Story :: Battlefield Earth : Organized Religion
    2. Re:the devil vs the devil by TheGratefulNet · · Score: 2

      Is it that some insurance companies are inclined to not pay on health?

      I lost my job and was on COBRA. That ran out and to keep health insurance, I had to buy 'private insurance'. If you don't, then the 'pre-existing condition exclusions' can really bite you. It's a huge risk, in the US, to not have 'continuous insurance'.

      anyway, I was a month into my new fairly expensive private no-group plan when I had a dental emergency. fortunately, I did have the dental coverage (thought I). I went to the dentist (on my group plan, so called 'in network') and they tell me that since I'm not on corporate-backed insurance (which I would have been if I was still on COBRA via my last employer) that there are 3mo, 6mo and 9mo waiting periods before you can qualify for coverage for this or that thing. only routine cleanings seem to be included and not part of this 'waiting list' stuff.

      Go ahead and tell me this isn't evil to the core. It's only there to 'ensure' that the insurance company gets a good LONG series of my continuous monthly payments (that I can't even USE, basically; so I'm kind of 'pre-paying' in advance for the right to get emergency coverage!) and then, a year or portion of a year later, THEN I'm allowed to have an emergency and get some coverage for it.

      The best I was able to do in this case was to get the 'in network' negotiated fee price instead of the full price (it saved me some but still it was all out of pocket and I don't even think this payment counts *toward* my deductible).

      if I could stand by and watch insurance execs suffer extreme pain, I'd stand by and watch. and watch. and maybe send for popcorn.

      They are evil rotten bastards.

      I'm not sure who I despise more, ICs or Sony. Like I said, it's not either/or, I hate them both, but for obviously different reasons.

      --
      "It is now safe to switch off your computer."
    3. Re:the devil vs the devil by kelemvor4 · · Score: 2

      OT rant: What's wrong with the insurance company? Is it that some insurance companies are inclined to not pay on health?

      Realize, different types of insurance are sold by different companies. For instance, Blue Cross and other insurance companies don't cover property damage or sell life insurance policies. With non-health insurance, you probably have a choice, and I don't hear near as many bad comments about them as I hear about health insurance. Why? Probably because you can easily switch insurance providers for property insurance, and you had a choice when you bought your life insurance. Unfortunately, with health, most people are tied, by virtue of employer selected health care plans to a provider that they don't have any say in. I have the feeling if I had the cash that my employer pays Aetna for my insurance coverage, I could go select something else, I could probably get a better deal. I hear health insurance coops are a good alternative, although they have similar restrictions as the for profit organizations.

      I think basically it's because the whole (non health) insurance industry has a reputation for doing whatever they can to screw their customers when a claim is actually filed. Couple that with the fact that in many locations insurance (auto insurance for example) is required by law and you can begin to see why people do not like insurance companies. They take your money from you and then do everything in their power to not pay out when they should.

    4. Re:the devil vs the devil by rworne · · Score: 2

      go ahead and tell me this isn't evil to the core

      I can.

      Look at this hypothetical situation, and it is hypothetical, I'm not saying it's you:

      Someone does not want to pay for insurance because they view it as a waste of money. Then, one day their tooth starts to hurt and it looks like it may need a root canal.

      So they call and sign up for dental insurance and with the $96/year plan, they go ahead and get a $1500 (or whatever the cost) procedure done. Then cancel at the earliest convenience and wait until the next problem to sign up again.

      Insurance companies won't stay in business very long with that kind of business plan. The waiting period is to make sure healthy people buy in, not people who (for one reason or another) wait until they have a problem then look for coverage.

      Do honest people get screwed by this? Yes, they do.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
    5. Re:the devil vs the devil by Dishevel · · Score: 2

      Not that I ever want to be on the side of the insurers.
      Surely though you can see that you would never want to pass a law stating that there could be no waiting period.

      The cost of insurance would skyrocket.

      Smart people who are healthy would wait till they need some major work done. Then buy insurance. Keep it long enough to get the work done then drop it.

      I know insurance companies can be evil. Just make sure when figuring how things should be to remember that people can be evil as well.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
  2. Better security is no insurance by timeOday · · Score: 3, Insightful

    The whole point of insurance is to make a variable cost into a fixed cost. Even if better security substantially reduces your average cost over an infinite time horizon, it does not make the associated costs predictable. It's like saying, don't get homeowners insurance in case your house burns down, just remember to turn off the iron when you leave home.

    1. Re:Better security is no insurance by hedwards · · Score: 2

      Yes, but insurers don't typically give you a blank check to replace what you like for whatever happened. There are typically restrictions to what they'll cover and if you're behaving in an irresponsible fashion they aren't necessarily obligated to pay out. More commonly though they'll pay the claim then cancel the coverage.

      Insurance fraud is a serious issue which causes all the other insured parties to have to pay more. I'm personally curious if they'll get away with refusing to pay, but given the degree of negligence on Sony's part in all of this I wouldn't be surprised if the courts reduced or eliminated the amount that Sony could receive for these incidents.

    2. Re:Better security is no insurance by Daniel_Staal · · Score: 3, Informative

      Actually, from what I've read, the insurance company is trying to claim that cybersecurity breaches (or whatever you want to call this) weren't part of the policy. So it's not that Sony was negligent, it's that Sony wasn't insured at all. (According to the insurance company, at least.)

      --
      'Sensible' is a curse word.
  3. How depressing... by fuzzyfuzzyfungus · · Score: 2

    Not that bad things are happening to Sony, who deserves it; but that even giant bloodsucking multinationals with legions of attack lawyers can't keep insurance companies in line (arguably, if you count CDOs, neither can nation states. Why don't we shoot these people again?). Makes me feel a whole lot better about the inevitable hassles that will arise from my next claim form...

  4. Re:Plan B? by fuzzyfuzzyfungus · · Score: 4, Insightful

    I think that the Lulz Boat is arguably already a form of 'Sony Online Entertainment', albeit not of the kind that Sony intends to publish...

  5. Shouldn't have to pay by Baloroth · · Score: 5, Insightful

    At this point, it almost looks as if Sony's security team isn't just incompetent. That's pretty obvious. By this point, I'm almost wondering if some of them weren't/aren't deliberately sabotaging Sony's security (well, those who actually know enough to do sabotage, which is looking like the minority at this point.) No patches/firewall on their servers? Not using random numbers in the signature on firmware for the PS3 (thus revealing the master private key. Including that for Blu-ray.)? This? These aren't just huge, gaping flaws. Flaws require effort to exploit. These are just... not security. At all. It's like having theft insurance on a car, then leaving that car unlocked in a bad neighborhood. After removing the locks. Then putting a sign on it that says "plz dont steal." Then wanting the insurance money to cover the car after it gets stolen. It's simply not going to happen, at least if the court is anywhere near competent (or unless there is some weird clause in the contract).

    Sony should be forced to pay, and probably have some punitive costs added as well, so that they learn to hire competent security designers. And pay them well. This whole episode is simply mind-boggling. Didn't know a company could be this incompetent and still exist.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    1. Re:Shouldn't have to pay by Anonymous Coward · · Score: 2, Informative

      (posting anon so I don't get sued by former employers - mega tech, mega bank, mega networking...)

      This sort of crap is why I got out of IT security and secure network protocols as a formerly fun career path. The big companies don't give a flying ^&%# about actual security anymore; the MBA mentality has determined it's cheaper to declare it secure and buy an insurance policy. HSM? That's too expensive... Password database, PKI? No, the spec says "encrypted", it doesn't specify anything about key management, just bake a password into the firmware, or make it talk to AD... (sigh)

  6. Re:Why bother? by fuzzyfuzzyfungus · · Score: 3, Insightful

    I suspect that it is a managerial/cultural matter: "Risk management" (in the finance sense, not the engineering sense) is extremely popular and consists largely of attempting to quantify the costs of various risks and then construct a wide assortment of various financial instruments (insurance contracts among them; but by no means limited to insurance) in order to minimize your risk exposure number.

    Little people obtain insurance to deal with the potential for low-probability catastrophes; but if you bring the finance guys into it, insurance is just another financial instrument to be fiddled with in the service of perceived optimization (also, once you bring the finance guys into it, not insuring something starts to look a lot like self-insuring something, at which point the question of whether to buy insurance or not really just comes down to whether to do something in-house or contract it...)

  7. They didn't buy coverage for that. by Animats · · Score: 5, Informative

    The actual court filing by the insurance companies says:

    Notwithstanding, the claims set forth in the Class Action Complaints filed against SCEA and the other Sony Defendants, as well as the miscellaneous claims, arising out of the cyber attacks on the PSN and SOE Network and the unauthorized access to and theft of the named plaintiffs and putative class members' personal identification and financial information, do not assert claims for "bodily injury," "property damage" or "personal and advertising injury" so as to entitle SCEA to defense and/or indemnity under the ZAIC Primary Policy.

    In other words, Sony didn't buy coverage against a liability of this type. They were covered if the product actually injured someone or damaged their property (shocked someone or caught on fire, for example) but not for an indirect financial loss.

    What they needed was an "errors and omissions policy". This covers financial screwups. Banks, accountants, tax advisors, and brokers usually carry such policies, because they handle other people's money. What Sony's people didn't realize is that, by handling so many credit card numbers (and, apparently, improperly holding more credit card info than they should have), they had the exposure of a financial institution.

    Any merchant who holds onto credit card info for recurring transactions needs that coverage. Merchants who just pass credit card data to the bank for a single transaction, but don't keep it on file, are less at risk.

    1. Re:They didn't buy coverage for that. by Solandri · · Score: 2

      Yeah, it sounds like Sony's policy with Zurich was General Liability Insurance. That type of insurance only pays for injury, property damage, and litigation arising from those two. Sony is really pushing it trying to claim the data breach caused injury or property damage to its customers.

      OTOH, if the courts buy Sony's argument and classify identity theft as injury or property damage, then the world gets a lot more interesting. Paypal loses your credit card and bank account info to hackers? Your bank loses a laptop with all your personal info on it? Sue them for injury or property damage.

  8. Re:Extortion works too! by Anonymous Coward · · Score: 4, Funny

    Don't worry, it's got Windows servers. They already know something's going to happen to it.

  9. Re:Plan B? by Opportunist · · Score: 2

    They already did an audit, actually more than just a single one; what else do you expect them to do for free?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. Re:Why bother? by SniperJoe · · Score: 2

    Here's where I have a hard time trying to justify the insurance piece. Insurance companies will do anything and everything to get out of paying. In the security world, insuring against a breach just seems to be fraught with an insanely high standard to receive compensation from the insurance company. In this case, I'm imagining a scenario where you have to PROVE to the insurance company that you did all you could to avoid such a breach, including up-to-date patches, social engineering training, penetration tests, etc, etc etc. Most of us here know how difficult security can be, especially for a larger firm.

    To continue your health insurance analogy, can you imagine if you asked your health insurance company to reimburse you for something and they ask you to prove the following:

    - That you have exercised three times a week for the past 36 months
    - That you have eaten a healthy diet, strictly following the food pyramid and abstained from drugs including caffeine, tobacco and all illegal drugs
    - That you regularly visit the doctor, dentist and optometrist for checkups

    If you failed to be able to show good faith in those criteria, they would refuse to pay for your health care.

    The issue that keeps popping up in my mind isn't whether insurance is a good idea. The issue in my mind is why bother with it if you stand little-to-no chance of actually collecting any money from it?

  11. Re:same as it ever was by ArhcAngel · · Score: 2, Insightful

    Responding to an AC I know, but in this case I believe Zurich has a case. Sony was warned at least three months prior to the incident that led to their outage that their system was at severe risk.

    Let's see if my car analogy works.
    It would be like me leaving my car parked in a public parking lot with the windows slightly down and the keys in it. I let it sit there for months and several concerned individuals drop by to tell me there are undesirable elements in the hood and they have been stealing cars. I ignore these naysayers and go happily on my way until one day the car isn't there anymore. Then I go to my insurance company and ask them to pay me for a new car. They will say I was negligent and therefore they are not liable for my replacement costs.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  12. Re:Extortion works too! by hairyfeet · · Score: 2

    Uhhh...AC dude? They were running unpatched servers with no firewall with access to the big bad web. You HONESTLY think a 3+ year old out of date unpatched Linux server with NO firewall or IPS would have done ANY better? I don't care what OS you use, if you don't follow best practices and let Forrest Gump run the network your ass is grass, the only question is when. If they had used a zero day you may have had a legitimate argument, but this was script kiddie 101 crap, the kind of crap you see grandmas hit with, NOT giant corps who are actually supposed to have admins to... well, administer. WTF were their admins doing? Playing Little Big Planet?

    As for TFA this is something in America we really really REALLY need to address: The way insurance companies are happy to take the payments, only to weasel out when it comes time to pay the bill. We see this happen every day in America, where a person pays for years, sometimes decades, for their insurance only to find when they actually need it to serve its intended purpose the company throws lawyers who pick through the forms with a fine toothed comb until they find a way to get out of paying.

    It's a really nice scam these insurance companies have got going: you pay ever rising fees for a service you can't actually ever use. To use a /. car analogy, it would be like you paying 20 years on a mint state Mustang I claim to have in my garage only to have a lawyer tell you that you can't have the car when the last payment arrives because you were 2 hours late on a payment in 1996. In both cases you end up paying for the illusion you have something that you don't.

    --
    ACs don't waste your time replying, your posts are never seen by me.