Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

Sony Insurer Suing To Deny Data Breach Coverage

Comments Filter:
  • by mat catastrophe (105256) on Friday July 22, 2011 @08:37AM (#36844364) Homepage

    We won't all one day drive our Sony to the Sony to pick up more Sony?

    • by elrous0 (869638) *

      I'm sorry, the use of the Sony Internet(tm) to post articles criticizing or questioning Sony is not permitted. Please report to your Sony ISP(tm) to appeal your disconnection.

  • by snookerhog (1835110) on Friday July 22, 2011 @08:38AM (#36844376)
    I was just thinking to myself, what this story needs is some more lawyers.
    • I was just thinking to myself, what this story needs is some more lawyers.

      In this case, maybe.

      On the one hand, I would hate to be a SONY shareholder right now, or to be the big guys at SONY and realize (probably) that you had hired someone incapable of managing the security you need for a target that large--or given them too little power to do it--and be hit with the double whammy of insurance refusing to cover you. I would also hate to be sony's lawyers who approved either their security policies or their insurance policies.

      But on the other hand, companies that are big targets *

      • that you had hired someone incapable of managing the security you need for a target that large

        *that large*? really? Their security wasn't up to snuff if they were a small business. Running old software with known security vulnerabilities isn't just poor practice it is just flat out lazy.

      • by swv3752 (187722)

        You really think the IT admins were at fault? And not the managers that almost assuredly would not approve the downtime, overtime, etc, to upgrade the servers? This is management at fault.

        • Not necessarily. If you reread the post, you'll see I allow for the possibility that Management had not given their security people enough authority to do their job. See the disjunction between the em-dashes.

  • I wonder how many Zurich American executives' kids were affected by the outage?
    • by DarkOx (621550)

      Probably but I am sure what this comes down to is if their contract covers damages from this loss or not.

      My guess is they have some clause that says the insured party is supposed to take reasonable steps to prevent losses as result of security compromises. Your home owners policy has something similar. If you leave your doors unlocked for instance you might have a serious problem with a claim for loss by theft.

      The issue here is going to probably be what constitutes reasonable, and given the problem was es

      • by Dishevel (1105119)

        I think they will have an easy time finding an "IT Security Expert" who will say whatever they pay him to.
        That is what "Experts" do.

    • i think that is not a problem, they try to get out on the fact that sony security was crap (which it was). same way as my insurer would not pay up if i crash my car (fully insured) while i was driving without one wheel and my windshield was so dirty nothing could be seen trough

      • Here is the thing though. Zurich sold them a policy. It was up to Zurich to identify risks such as bad security and price the insurance correctly. The whole point of liability insurance is for problems that you yourself are liable for. No one needs this insurance if they don't ever do anything wrong.
        • Re:Go Figure (Score:4, Interesting)

          by cwebster (100824) on Friday July 22, 2011 @10:28AM (#36845614)

          Yea, they did sell them a policy, and this shows you why you need to actually read your policies before signing them. Many policies, perhaps even ones you have signed, contain clauses that limit the insurers liability if certain conditions aren't met.

          • by RsG (809189)

            Yea, they did sell them a policy, and this shows you why you need to actually read your policies before signing them. Many policies, perhaps even ones you have signed, contain clauses that limit the insurers liability if certain conditions aren't met.

            ^What he said.^

            If you put fire insurance on a building and then take no measures to prevent a fire from breaking out, you won't be able to collect. If you take theft insurance on a car and leave it with the keys in the ignition in a bad neighbourhood overnight, you won't be able to collect. Insurance covers accident or malicious action by a third party; it doesn't usually cover gross negligence on the part of the insured party.

            It isn't that the insurance companies are arbitrarily refusing to pay out, it's

          • by LibRT (1966204)
            Firstly, I don't think anyone here knows what was in the contract. Maybe it was covered. Maybe it was excluded. Maybe the specific contract language excludes this loss. Maybe it doesn't. I don't know. You don't either.

            Secondly, Sony's insurance broker is the one who is paid to ensure Sony gets the coverage they need. If coverage was available but the broker didn't present it as an option to Sony, then the broker is going to face a very expensive errors and omissions claim.

            Thirdly, the purpose of all insur
        • by tompaulco (629533)
          The whole point of liability insurance is for problems that you yourself are liable for. No one needs this insurance if they don't ever do anything wrong.
          No, the whole point of liability insurance is that you pay your premiums and they give you a certificate that says you have it, so people will do business with you. You're not supposed to actually make claims against it.
          But seriously, Sony is large enough where they shouldn't even have to have liability insurance. They should just maintain a huge bond.
        • Up to a point, yes, but ... could simply be that their security was better at the time they got the insurance, and then deteriorated, in which case the insurance company can reasonably take issue with 100% liability.

          As an analogy, for example, I insured my car at the beginning of the year when the tyres still had more than the minimum legally required tread depth. I've covered about 30000km since then, my tyres[1] are no longer street-legal. If I now get involved in an accident due to being unable to stop i

        • by Nevo (690791)
          Yes, but....

          Most liability contracts have clauses that require the insured to take certain measures to reduce their risk. If this policy does contain such clauses, and Sony didn't take those measures, it certainly stands to reason that the policy won't pay out.

          It all comes down to what the contract says. Since that contract hasn't (as far as I'm aware) been released, all we can do here is guess.

    • I wonder how many Zurich American executives' kids were affected by the outage?

      And I wonder how this might be worked into Zurich's next ad campaign. "Zurich: Because shit happenz."

    • I think it would be funny if Lulzsec/Anonymous also hacked Zurich American for the lulz. Hopefully their security is better than Sony's

  • I mean, can you imagine the shareholders meeting? I get a image of a guy who has taken up drinking and is developing a bad ulcer. I doubt this will work, but it's still interesting that they try.
    • by bluefoxlucid (723572) on Friday July 22, 2011 @08:53AM (#36844506) Journal

      Well, they have a valid case. It's going to get heard by a judge, for sure; this isn't some ridiculous "Oh we don't feel like holding up to our contract because it's bad for us today" kind of thing. What happened here is Sony took out insurance and then caused a massive problem leading to a massive claim through unimaginably gross negligence. It's like if you insure a car and then proceed to speed at 180mph and slam into shit ... your insurer will go, "Oh HELL no," and try to wiggle out of the claims. Often they have clauses that vaguely let them do so, on a good day; whereas basic neglect and driver failure will get them slapped around because that's what you're insured for.

      Basically Sony did the equivalent of buying 100k/300k liability insurance and then organizing a massive illegal street race through a complicated course in the city. Gross, gross negligence. Now their insurers are going, "There is no way in Hell we should have to pay for this!" Sony looks like it didn't even try to secure its networks, just like someone running an Indy 500 on open roads looks like they've bought car insurance to avoid having to care about all the damage they know's going to eventually happen.

      It's tricky, but it's good enough to get you a day in court. If you just show up like "Well we have a contract but we don't wanna pay..." the judge won't even hear your case.

      • by vegiVamp (518171)

        Yes, but... Going 180 in your car is illegal, and you cannot insure yourself against your own willing illegal actions. While they insurance may manage to build a good case based off gross negligence, Sony didn't actually do anything strictly illegal, they were the victim of illegal action.

        That being said, if you leave your car unlocked the insurance sure as hell isn't going to cough up for your stolen laptop - if there's no signs of breakage they'll claim negligence and not pay out.

        The trick here is going t

        • If you're illegally speeding at 60 in a 30mph zone, insurance will typically pay out liability. As well, aggressive driving and the like. ... liability means you're at fault.

          Gross negligence is different. In the event that your insurer can show that you weren't just irresponsible, but in fact engaged in such unreasonable behavior that it's patently absurd to leave the insurer to pick up the bill, the judge is probably going to want to hear this--and he'll probably look for a damn good reason to grant re

        • by wkcole (644783)

          The trick here is going to be proving that Sony was negligent with their security.

          No, it isn't. That is not what the suit is about at all. No reasonably intelligent adult reading the article would believe that it is.

          Zurich's suit is actually about what constitutes "property damage" and other issues specific to the Zurich policy covering Sony, as well as the other insurance policies that Sony may have in place. Zurich is also suing Sony's other insurers as a second line of defense, so that even if the court decides that the policy written by Zurich includes coverage for the specific s

      • by Bengie (1121981)

        Hopefully the contract has some sort of exit clause. I know my car insurance does. You do stupid shit and they don't have to cover.

        Black-box shows you speeding, no coverage, no seat-belt on, no coverage. And many more examples.

        Once could even argue definitions of words. If your car insurance covers "accidents" and you're speeding, it may no longer be considered an "accident" as your speeding was deliberate.

        Accident != Negligence

        Just tossing around some ideas.

      • But what are the insurers suing? You don't normally sue in order to not do something, you sue in order to make someone else do (or stop doing) something. Surely they should just be refusing to pay and inviting Sony to sue them...
    • lol, in our country if you're drunk you automatically lose insurance in case of crash. and sony security was in the same state

  • by Superken7 (893292) on Friday July 22, 2011 @08:43AM (#36844420) Journal

    ... the worst ever handled online security breach, here comes the plain-text captcha: http://pro.sony.com/bbsc/jsp/forms/generateCaptcha.jsp [sony.com]

    Yes, you heard well. The catpcha is not an image, but HTML text with CSS to distort the text style! That is how things must be done in Sony, that explains SO MUCH!

    The headline is not surprising at all, IMHO.

    • by Anonymous Coward

      No. Its completely secure, they have disabled right-click menus, so you can't view the source. Nobody would be clever enough to get to see the source any other way.

    • by Satis (769614)

      Oh man, that is absolutely classic. Thank you so much for finding that. I think you just made my day.

    • by Wiarumas (919682)
      I'm not sure if this is done out of ignorance or that things are so bad, a functioning captcha isn't going to make a difference. A bit of security theater while they tackle more fundamental issues? Either way its hilariously pathetic.
      • things... are... that... bad

        just remember
        int getRandomNumber() { return(4); }

        • by Inda (580031)
          I thought "var somediv", in Sony's code towards the bottom, was the authors signature.

          I still think the same.
      • by tixxit (1107127) on Friday July 22, 2011 @09:44AM (#36845016)
        Regardless if it is security theatre, the fact remains that there are lots of great, free, functional captcha generators out there they could've used instead. The fact that they made their own shitty captcha, rather than just saving time and money and reusing an existing library says more about their security policy than the actual ineffectiveness of the captcha itself.
    • by erroneus (253617)

      This is hilarious!!! Javascript is disabled for me by default thanks to that noscript thing so I was able to see the source code without difficulty. What I saw in there was astounding.

      • by todrules (882424)
        Even if you have JS enabled, you can always view source just using the menu.
        • by tepples (727027)
          If your web browser even has menus. The way Firefox and Chrome are cutting down on user interface controls, it'll be harder and harder to view a page's source unless the user goes out of his way to install web developer extensions.
          • Or you could just hit Ctrl-U from about any modern browser.
            Or F12 in Chrome to bring up the included developer tools.
            • Ctrl-U [...] F12

              Discoverable how?

              • In the manual/help file.

                I bet you don't read the manual before you drive your new car either.

              • If you go to the only menu on Chrome, Tools, View Source, you'll see the shortcut too. Anyone who can't find it won't have much use to see the HTML source of any given webpage.
              • In Chrome you can click the wrench icon and go down to Tools, under there you see View Source (Ctrl-U). There doesn't appear to be a way to bring up the developer tools from that menu, nor a clue to the keyboard shortcut, though I usually open them with right-click -> Inspect Element on what I want to look at.
    • by Aladrin (926209)

      It's also a perfect example of management asking for something they don't fully understand, and the developers providing them exactly what they asked for, rather than what they want or need. I would love to know the exact details that they asked for.

    • by todrules (882424)
      But they disabled right-click!! There's no way you can get past that! ...Oh, wait.
    • by Baloroth (2370816)

      Best part about this, as others mentioned, is that if you disable javascript, you can not only get to the right click menu, you can select/copy/paste the characters. In fact, I was able to do that even with Javascript in Opera. And then for the hell of it I removed the section disabling the right-click, which is conveniently labeled in the source, enabled Javascript, and right-clicked on the page. I just hacked Sony!

      BTW, what do they actually use this for? Do they really use it for all their online signups?

    • by mfh (56)

      They are so incompetent. I would say, if I was a major stockholder at Sony, that it was time to fire everyone and start over. Rebrand, reimage and retool everything.

      They have no enforced information policy, or if they do there is no accountability.

    • by ledow (319597)

      Oh, thank you, thank you, thank you. That's made my day, that has.

      Some web programmer was pissed at them - he gave them exactly what they wanted in a way that completely defeated the original object of the exercise. Fabulous.

    • It's just Sony taking SEO very seriously ;)
    • Re: (Score:2, Redundant)

      by Shompol (1690084)
      That's amazing - I've got the same combination on my luggage!

              <b>T</b></span></td>
              <b>E</b></span></td>
              <b>L</b></span></td>
              <b>U</b></span></td>
              <b>G</b></span></td>
  • Yeah, I don't think they should have to pay either. Even if the policy specifically covered digital attacks, Sony still would have had to do their due diligence. Most (all?) of the attacks I heard about were silly things Sony shouldn't have been vulnerable to, like SQL injections. This is an absolutely massive company, there is no excuse for not having proper penetration testing and security audits done on their sites, and making the insurance pay out in this case is kind of like trying to make insurance
    • Yeah, I don't think they should have to pay either. Even if the policy specifically covered digital attacks, Sony still would have had to do their due diligence.

      Most (all?) of the attacks I heard about were silly things Sony shouldn't have been vulnerable to, like SQL injections. This is an absolutely massive company, there is no excuse for not having proper penetration testing and security audits done on their sites, and making the insurance pay out in this case is kind of like trying to make insurance pay for a wheel barrel of money you left on your front porch.

      That would be so fun to do...

      (Well, if you had other wheelbarrows.)

    • by Hatta (162192)

      Indeed. This is like buying fire insurance for your home, and then getting drunk and doing poi in your living room with liquor bottles stacked on every wall. Insurance shouldn't be license for negligence.

  • by AngryDeuce (2205124) on Friday July 22, 2011 @08:55AM (#36844534)

    If Sony's issues were due to their own negligence in securing their network, why should the insurance company have to pay? If I'm driving drunk my insurance company isn't going to cover my car when I get into an accident, so why the hell should an insurance company cover this?

    If Sony was a person this wouldn't even be a question...

    • Because its liability insurance. Liability insurance pays out when your sued or lose a lawsuit. Its specifically there for when you do something illegal or negligent. It doesn't protect against anything else.
      • A common example is your collision insurance. It pays out to the other driver when you run a red light and cause an accident. Or pull out in front of someone. These policies have limits though. Most don't pay out if your drunk.

        The fact that these hackers were able to hack other companies and governments will help Sony.

      • by Nevo (690791)

        No, liability insurance pays out according to the terms of the contract.

        If I were writing an insurance policy to protect a company against hacking, I'd sure as heck include clauses that require the insured party to take certain steps to protect that data. *If* such terms were part of the contract, and *if* Sony didn't abide by the terms of the contract, then the insurer isn't under any obligation to pay out.

        It all comes down to: what were the terms of the policy? None of us knows that, so we're all just tak

      • by guspasho (941623)

        "Liability insurance pays out when your sued or lose a lawsuit. Its specifically there for when you do something illegal or negligent."

        That is a really dumb business model.

      • by Solandri (704621)
        From TFA, it was a general liability insurance policy. Those are supposed to cover medical bills in case of injury, property damage, and legal costs [dandb.com] if you're sued. It's not an umbrella insurance policy. Zurich is arguing that Sony's customers becoming more vulnerable to identity theft does not constitute an "injury" nor "property damage", and thus is not covered.

        It's actually going to be a fairly interesting case from the standpoint of defining what exactly identity theft is. If the courts decide it
    • by leswt (1807216)
      One issue is whether it is in the public interest to allow one to insure against this type of loss (gross negligence) Here is a question, should a company be allowed to have insurance against punitive damages, again a not in the public interest thing
    • by Jeng (926980)

      Devils advocate here.

      Perhaps the insurance company should have had an audit done so that they would know what they were insuring.

      When I get my car insured one of the things that the insurance company does is take pictures of my car so they know what they are insuring.

      If the insurance company did not state how or to what degree the website was to be secured is it fair for them to say after the fact that they will not pay?

    • Another example: all (US) doctors have malpractice insurance, because despite being trained professionals, they sometimes screw up, or do something that can be made to look like a screwup by a good lawyer. I imagine Sony's insurance has similar goals.
    • by wkcole (644783)

      If Sony's issues were due to their own negligence in securing their network, why should the insurance company have to pay? If I'm driving drunk my insurance company isn't going to cover my car when I get into an accident, so why the hell should an insurance company cover this?

      That's a lousy analogy because drunk driving is a criminal behavior. In many places it is illegal for an insurance company to write a policy that covers personal liability for criminal acts, but they frequently can cover extremely stupid acts of negligence or even (rarely) corporate liability for the crimes of individuals.

      But that doesn't seem to be relevant in this case, since Zurich seems to be suing over finer points of coverage terms rather than over whether Sony was negligent in their sloppy securit

  • by erroneus (253617) on Friday July 22, 2011 @08:56AM (#36844548) Homepage

    This makes me respect the attacks on Sony all the more. The attacks on Sony did more damage than the temporary breeches and outages. Those can be forgotten in a short time. But when insurance coverage is being denied, real and long-lasting damage has indeed occurred.

    An insurance company will often deny coverage to parties who are risky. If a party engages in behavior that, for example, makes them a target of angry people, they are a higher risk. Sony has made many, many parties angry and in this case, they made themselves target. What's more, they failed to improve security at any site or location that bears the Sony brand. This makes them more than risky, it makes them negligent.

    I only wish "arrogance" were enough cause to raise insurance rates... but then again, insurance companies would all be uninsurable.

    • by mfh (56)

      I only wish "arrogance" were enough cause to raise insurance rates... but then again, insurance companies would all be uninsurable.

      No judge is going to throw out legally binding coverage. If Sony violated their insurance coverage that would be amazing. They have lost reputation here and that's invaluable. Not many people would trust them after this. They are seen everywhere as being largely incompetent.

      This changes their business model. No longer are they going to be capable of running online shops, for exa

      • by jimicus (737525)

        No judge is going to throw out legally binding coverage. If Sony violated their insurance coverage that would be amazing.

        I'd be more surprised if Sony haven't violated their insurance coverage. As others have already said, virtually any insurance policy for any sort of risk - whether it's for your car, your home, your professional indemnity - includes a clause which essentially says that you're meant to take reasonable steps to minimise the risk of a claim happening in the first place.

        It's entirely possible that a company the size of Sony might have been able to negotiate a special policy rather than getting stuck with the "t

        • by mfh (56)

          includes a clause which essentially says that you're meant to take reasonable steps to minimise the risk of a claim happening in the first place.

          The judge in order to exercise due diligence is going to need to see records where the insurer took steps to monitor compliance. IANAL but I have seen this in my own business where the insurer has no case if they didn't try to check up and see if Sony was being compliant. Can you guess where that's gonna go?

          Of course if Sony's legal team is as competent as their pr

        • by AlecC (512609)

          That is not the point. Zurich is claiming they never covered for cyberdamage, so it is irrelevant whether the security was good or not.

    • Oh well since this produced what you consider favorable results lets just let the criminals decide if their cause is righteous enough to justify breaking the law. Debating the righteousness of a cause and using the results of that debate on an ad-hoc basis after a crime has been committed will just ensure that the laws will not be applied equally.
      • by erroneus (253617)

        Technically, the founding fathers of the United States of America were treasonous criminals and should have been hanged.

        There are unquestionably some forms of justice in this world that do not fit within the justice system.

      • by HiThere (15173)

        The problem is, the laws are systematically unjust. So you can't presume that just because someone broke the law they acted incorrectly. (Recklessly, perhaps. But many reckless actions are quite defensible, and many are also legal. Not always the same ones.)

        You are right. I won't let the perpetrators of an action decide whether it was moral or ethical. But I won't let the legislators decide that either. *I* decide whether I consider an action to be moral or ethical.

        It would be nice if we could depend

        • I have never implied that the laws or justice system are always correct and just. I believe the system is constantly evolving, sometimes for good and sometimes for bad. There are times when someone technically breaks a law but committed no crime due to the circumstances of the situation. There have been innocent people wrongly convicted. The legislature may create the laws of the land but the judicial branch has the final word on whether the law gets applied. There have been many cases of the court system r
          • by HiThere (15173)

            If it were required that jury nullification be explained to prospective jurors, then I would have a lot less trouble with the laws. As it is, instead, prohibited... well, then the laws have to be nearly perfect before I'll think then defensible.

            N.B.: Even with jury nullification, there will still be many miscarriages of justice. Perfection does not exist in this world. And even then the system would be shamelessly tilted in favor of the rich and the powerful.

    • by Solandri (704621)

      But when insurance coverage is being denied, real and long-lasting damage has indeed occurred.

      If it works like it does for small businesses, Sony is in for a world of hurt even if the insurance ends up covering it. General liability is priced partly based on how much has been paid out in claims for that company in recent years. So if the insurance is denied, Sony has to foot the bill. If the insurance covers it, Sony's insurance premiums will go up in the future. And for a company Sony's size, even a f

  • I guess that'll teach some punk to try to jailbreak one of your consoles!

  • When they removed Linux capabilities from the PS3 it was supposed to enhance enhance security. April fools on them!
  • It's the corporate way...

    It's just some silly data, what's the big deal?

    All your $ are mine.

  • Sony = We're not responsible, someone illegally accessed your data.

    Sony = We have insurance for that, collect from them >>>>

    Insurance Co = (professional non-payer of fees, obsfucator and dragger of feet) We're not paying, Sony was criminally negligent. Go collect from them >>>>>

    Sony = OMG! The government must protect us from the evil haxors and get your restitution from our insurance.

    Insurance Co = Restitution shmestitution, it is us who got hurt here! The gov't must protect us fr

  • Zurich are not trying to get out because of Sony's gross negligence in their security. This is what the various drunk driving and lunatic driving analogies would imply.

    From TFA, Zurich are saying 'it does not have to defend or indemnify Sony against any claims "asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general."' I.e. that the policy was never insurance against cyber-damage, but against property or personal damage caused by Sony

  • by Anonymous Coward

    ( curl http://pro.sony.com/bbsc/jsp/forms/generateCaptcha.jsp 2>/dev/null | grep "<b>" | sed "s/[<>]/ /g" | awk '{printf($2)}'; echo )

The universe is all a spin-off of the Big Bang.

Working...