Mitsui Sumitomo Prevails on Summary Judgment: No CGL Coverage for PlayStation Data Theft Lawsuits

Nicolaides Fink Thorpe Michaelides Sullivan LLP secured a major victory for client Mitsui Sumitomo Insurance Company of America on February 21, 2014 in a closely-watched case of first impression involving commercial general liability (“CGL”) coverage for cyber liability.  New York County Supreme Court Justice Jeffrey K. Oing ruled that Mitsui Sumitomo, the primary insurer, has no duty to defend Sony Corporation of America in connection with lawsuits brought on behalf of millions of PlayStation Network users whose personal information was stolen in a massive data security breach.

In April 2011, the Sony PlayStation and Sony Online Networks were the subjects of massive criminal cyber-attacks in which hackers breached the Networks' security and stole the personal account information of millions of Network users.  The users filed 65 lawsuits against various Sony entities, including Mitsui Sumitomo's insured, Sony Corporation of America.  These lawsuits were subsequently consolidated in Multi-District Litigation in the U.S. District Court for the Southern District of California.  The Sony companies tendered the lawsuits to their primary CGL carriers, Mitsui Sumitomo and Zurich American Insurance Company.  Sony claimed the lawsuits implicated “personal and advertising injury” coverage under the offense of “oral or written publication, in any manner, of material that violates a person's right of privacy.”  Sony took the position that CGL coverage was implicated in addition to the coverage available under cyber liability policies, through which Sony was already receiving a defense.

In granting Mitsui Sumitomo and Zurich's cross-motions for summary judgment against Sony Corporation of America and Sony Computer Entertainment America, the Court rejected Sony's effort to expand the scope of “personal and advertising injury” coverage to an insured's liability for theft of personal data by third-party hackers.  This ruling marks the first instance in which a court has addressed the issue of whether liability for data theft potentially involves a “publication, in any manner, of material that violates a person's right of privacy,” within the meaning of the covered offense.  

“The decision is a first in drawing the boundary between CGL coverage and cyber liability coverage.  Its implications are significant for the law of insurance coverage in light of the emerging and growing risks presented by cyber-crimes,” noted Robert Marshall, the lead partner representing Mitsui Sumitomo.

[Zurich American Ins. Co. v. Sony Corporation of America, et al., Case No. 651982/2011 in the New York County Supreme Court]