Sony Insurer Suing To Deny Data Breach Coverage 122
idontgno writes "It keeps getting better and better for Sony and its business units. Reuters reports that Sony's insurer, Zurich American, is suing to avoid paying out on Sony's legal liability which may arise from its spectacular online security breaches a few months ago."
So, maybe, if we're lucky... (Score:3)
We won't all one day drive our Sony to the Sony to pick up more Sony?
Re: (Score:2)
I'm sorry, the use of the Sony Internet(tm) to post articles criticizing or questioning Sony is not permitted. Please report to your Sony ISP(tm) to appeal your disconnection.
Re: (Score:1)
I can't, because my Sony internet-connected door lock won't open for some reason.
I was just thinking to myself... (Score:5, Funny)
Re: (Score:2)
I was just thinking to myself, what this story needs is some more lawyers.
In this case, maybe.
On the one hand, I would hate to be a SONY shareholder right now, or to be the big guys at SONY and realize (probably) that you had hired someone incapable of managing the security you need for a target that large--or given them too little power to do it--and be hit with the double whammy of insurance refusing to cover you. I would also hate to be sony's lawyers who approved either their security policies or their insurance policies.
But on the other hand, companies that are big targets *
Re: (Score:2)
that you had hired someone incapable of managing the security you need for a target that large
*that large*? really? Their security wasn't up to snuff if they were a small business. Running old software with known security vulnerabilities isn't just poor practice it is just flat out lazy.
Re: (Score:2)
You really think the IT admins were at fault? And not the managers that almost assuredly would not approve the downtime, overtime, etc, to upgrade the servers? This is management at fault.
Re: (Score:1)
Not necessarily. If you reread the post, you'll see I allow for the possibility that Management had not given their security people enough authority to do their job. See the disjunction between the em-dashes.
Go Figure (Score:1)
Re: (Score:2)
Probably but I am sure what this comes down to is if their contract covers damages from this loss or not.
My guess is they have some clause that says the insured party is supposed to take reasonable steps to prevent losses as result of security compromises. Your home owners policy has something similar. If you leave your doors unlocked for instance you might have a serious problem with a claim for loss by theft.
The issue here is going to probably be what constitutes reasonable, and given the problem was es
Re: (Score:1)
I think they will have an easy time finding an "IT Security Expert" who will say whatever they pay him to.
That is what "Experts" do.
Re: (Score:3)
i think that is not a problem, they try to get out on the fact that sony security was crap (which it was). same way as my insurer would not pay up if i crash my car (fully insured) while i was driving without one wheel and my windshield was so dirty nothing could be seen trough
Re: (Score:2)
Re:Go Figure (Score:4, Interesting)
Yea, they did sell them a policy, and this shows you why you need to actually read your policies before signing them. Many policies, perhaps even ones you have signed, contain clauses that limit the insurers liability if certain conditions aren't met.
Re: (Score:2)
Yea, they did sell them a policy, and this shows you why you need to actually read your policies before signing them. Many policies, perhaps even ones you have signed, contain clauses that limit the insurers liability if certain conditions aren't met.
^What he said.^
If you put fire insurance on a building and then take no measures to prevent a fire from breaking out, you won't be able to collect. If you take theft insurance on a car and leave it with the keys in the ignition in a bad neighbourhood overnight, you won't be able to collect. Insurance covers accident or malicious action by a third party; it doesn't usually cover gross negligence on the part of the insured party.
It isn't that the insurance companies are arbitrarily refusing to pay out, it's
Re: (Score:2)
Secondly, Sony's insurance broker is the one who is paid to ensure Sony gets the coverage they need. If coverage was available but the broker didn't present it as an option to Sony, then the broker is going to face a very expensive errors and omissions claim.
Thirdly, the purpose of all insur
Re: (Score:2)
No, the whole point of liability insurance is that you pay your premiums and they give you a certificate that says you have it, so people will do business with you. You're not supposed to actually make claims against it.
But seriously, Sony is large enough where they shouldn't even have to have liability insurance. They should just maintain a huge bond.
Re: (Score:2)
Up to a point, yes, but ... could simply be that their security was better at the time they got the insurance, and then deteriorated, in which case the insurance company can reasonably take issue with 100% liability.
As an analogy, for example, I insured my car at the beginning of the year when the tyres still had more than the minimum legally required tread depth. I've covered about 30000km since then, my tyres[1] are no longer street-legal. If I now get involved in an accident due to being unable to stop i
Re: (Score:2)
Most liability contracts have clauses that require the insured to take certain measures to reduce their risk. If this policy does contain such clauses, and Sony didn't take those measures, it certainly stands to reason that the policy won't pay out.
It all comes down to what the contract says. Since that contract hasn't (as far as I'm aware) been released, all we can do here is guess.
Zurich: Because shit happenz. (Score:2)
I wonder how many Zurich American executives' kids were affected by the outage?
And I wonder how this might be worked into Zurich's next ad campaign. "Zurich: Because shit happenz."
Re: (Score:2)
I think it would be funny if Lulzsec/Anonymous also hacked Zurich American for the lulz. Hopefully their security is better than Sony's
I'd hate to be the head of that company...... (Score:2)
Re:I'd hate to be the head of that company...... (Score:4, Insightful)
Well, they have a valid case. It's going to get heard by a judge, for sure; this isn't some ridiculous "Oh we don't feel like holding up to our contract because it's bad for us today" kind of thing. What happened here is Sony took out insurance and then caused a massive problem leading to a massive claim through unimaginably gross negligence. It's like if you insure a car and then proceed to speed at 180mph and slam into shit ... your insurer will go, "Oh HELL no," and try to wiggle out of the claims. Often they have clauses that vaguely let them do so, on a good day; whereas basic neglect and driver failure will get them slapped around because that's what you're insured for.
Basically Sony did the equivalent of buying 100k/300k liability insurance and then organizing a massive illegal street race through a complicated course in the city. Gross, gross negligence. Now their insurers are going, "There is no way in Hell we should have to pay for this!" Sony looks like it didn't even try to secure its networks, just like someone running an Indy 500 on open roads looks like they've bought car insurance to avoid having to care about all the damage they know's going to eventually happen.
It's tricky, but it's good enough to get you a day in court. If you just show up like "Well we have a contract but we don't wanna pay..." the judge won't even hear your case.
Re: (Score:2)
Yes, but... Going 180 in your car is illegal, and you cannot insure yourself against your own willing illegal actions. While they insurance may manage to build a good case based off gross negligence, Sony didn't actually do anything strictly illegal, they were the victim of illegal action.
That being said, if you leave your car unlocked the insurance sure as hell isn't going to cough up for your stolen laptop - if there's no signs of breakage they'll claim negligence and not pay out.
The trick here is going t
Re: (Score:2)
If you're illegally speeding at 60 in a 30mph zone, insurance will typically pay out liability. As well, aggressive driving and the like. ... liability means you're at fault.
Gross negligence is different. In the event that your insurer can show that you weren't just irresponsible, but in fact engaged in such unreasonable behavior that it's patently absurd to leave the insurer to pick up the bill, the judge is probably going to want to hear this--and he'll probably look for a damn good reason to grant re
Re: (Score:2)
The trick here is going to be proving that Sony was negligent with their security.
No, it isn't. That is not what the suit is about at all. No reasonably intelligent adult reading the article would believe that it is.
Zurich's suit is actually about what constitutes "property damage" and other issues specific to the Zurich policy covering Sony, as well as the other insurance policies that Sony may have in place. Zurich is also suing Sony's other insurers as a second line of defense, so that even if the court decides that the policy written by Zurich includes coverage for the specific s
Re: (Score:2)
Hopefully the contract has some sort of exit clause. I know my car insurance does. You do stupid shit and they don't have to cover.
Black-box shows you speeding, no coverage, no seat-belt on, no coverage. And many more examples.
Once could even argue definitions of words. If your car insurance covers "accidents" and you're speeding, it may no longer be considered an "accident" as your speeding was deliberate.
Accident != Negligence
Just tossing around some ideas.
Re: (Score:2)
Re: (Score:2)
lol, in our country if you're drunk you automatically lose insurance in case of crash. and sony security was in the same state
From the company that brought you.. (Score:5, Informative)
... the worst ever handled online security breach, here comes the plain-text captcha: http://pro.sony.com/bbsc/jsp/forms/generateCaptcha.jsp [sony.com]
Yes, you heard well. The catpcha is not an image, but HTML text with CSS to distort the text style! That is how things must be done in Sony, that explains SO MUCH!
The headline is not surprising at all, IMHO.
Re: (Score:1)
No. Its completely secure, they have disabled right-click menus, so you can't view the source. Nobody would be clever enough to get to see the source any other way.
Re: (Score:2)
Re: (Score:1)
What about ctrl-s ?
Re: (Score:1)
Oh man, that is absolutely classic. Thank you so much for finding that. I think you just made my day.
Re: (Score:2)
Re: (Score:2)
things... are... that... bad
just remember
int getRandomNumber() { return(4); }
Re: (Score:2)
I still think the same.
Re:From the company that brought you.. (Score:4, Interesting)
Re: (Score:2)
This is hilarious!!! Javascript is disabled for me by default thanks to that noscript thing so I was able to see the source code without difficulty. What I saw in there was astounding.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Or F12 in Chrome to bring up the included developer tools.
UI discoverability (Score:2)
Ctrl-U [...] F12
Discoverable how?
Re: (Score:1)
In the manual/help file.
I bet you don't read the manual before you drive your new car either.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
It's also a perfect example of management asking for something they don't fully understand, and the developers providing them exactly what they asked for, rather than what they want or need. I would love to know the exact details that they asked for.
Re: (Score:2)
Re: (Score:2)
Best part about this, as others mentioned, is that if you disable javascript, you can not only get to the right click menu, you can select/copy/paste the characters. In fact, I was able to do that even with Javascript in Opera. And then for the hell of it I removed the section disabling the right-click, which is conveniently labeled in the source, enabled Javascript, and right-clicked on the page. I just hacked Sony!
BTW, what do they actually use this for? Do they really use it for all their online signups?
Re: (Score:1)
They are so incompetent. I would say, if I was a major stockholder at Sony, that it was time to fire everyone and start over. Rebrand, reimage and retool everything.
They have no enforced information policy, or if they do there is no accountability.
Re: (Score:2)
Oh, thank you, thank you, thank you. That's made my day, that has.
Some web programmer was pissed at them - he gave them exactly what they wanted in a way that completely defeated the original object of the exercise. Fabulous.
Re: (Score:1)
Re: (Score:2, Redundant)
<b>T</b></span></td>
<b>E</b></span></td>
<b>L</b></span></td>
<b>U</b></span></td>
<b>G</b></span></td>
Re: (Score:1)
HTML 4 Strict has no li value (Score:2)
HTML 4 TRANSITIONAL.
The biggest reason I've used HTML 4 Transitional is because W3C mistakenly deprecated the value attribute of the li element and removed it from the HTML 4 Strict and XHTML Strict DTDs entirely without giving a viable alternative at the time. (CSS counters aren't it for two reasons that; I can explain.) It's been added back to HTML5 though.
Shouldn't have to pay. (Score:2)
Re: (Score:1)
Yeah, I don't think they should have to pay either. Even if the policy specifically covered digital attacks, Sony still would have had to do their due diligence.
Most (all?) of the attacks I heard about were silly things Sony shouldn't have been vulnerable to, like SQL injections. This is an absolutely massive company, there is no excuse for not having proper penetration testing and security audits done on their sites, and making the insurance pay out in this case is kind of like trying to make insurance pay for a wheel barrel of money you left on your front porch.
That would be so fun to do...
(Well, if you had other wheelbarrows.)
Re: (Score:2)
Indeed. This is like buying fire insurance for your home, and then getting drunk and doing poi in your living room with liquor bottles stacked on every wall. Insurance shouldn't be license for negligence.
But If they're negligent... (Score:5, Insightful)
If Sony's issues were due to their own negligence in securing their network, why should the insurance company have to pay? If I'm driving drunk my insurance company isn't going to cover my car when I get into an accident, so why the hell should an insurance company cover this?
If Sony was a person this wouldn't even be a question...
Re: (Score:3)
The difference is your drunk driving is illegal, Sony, the target of hackers, isn't.
Well, I think the case could be made that Sony was criminally negligent due to their lack of security (if I recall correctly, wasn't some of the customer data breached stored in plaintext completely unprotected on their servers?) and the fact that they're a multi-billion dollar organization that is in the industry, meaning they likely knew full well that they were cutting corners and leaving themselves open to these attacks, but I'm not sure if it could be proven beyond a doubt without a whistle-blower or l
Re: (Score:2)
Added to all of that is the problem that there was not just a single attack, there was a long series of them stretched out over multiple months, all of which made use of exactly the same flaw, which remained unpatched through the entire time period.
They may have been able to excuse the first attack as "Oh, we didn't know about it, we're fixing it now!", but the ones that followed? One, or even two months later? That's like having your first car stolen because you left it unlocked, and responding by parking
Re: (Score:2)
Re: (Score:2)
A common example is your collision insurance. It pays out to the other driver when you run a red light and cause an accident. Or pull out in front of someone. These policies have limits though. Most don't pay out if your drunk.
The fact that these hackers were able to hack other companies and governments will help Sony.
Re: (Score:2)
No, liability insurance pays out according to the terms of the contract.
If I were writing an insurance policy to protect a company against hacking, I'd sure as heck include clauses that require the insured party to take certain steps to protect that data. *If* such terms were part of the contract, and *if* Sony didn't abide by the terms of the contract, then the insurer isn't under any obligation to pay out.
It all comes down to: what were the terms of the policy? None of us knows that, so we're all just tak
Re: (Score:2)
"Liability insurance pays out when your sued or lose a lawsuit. Its specifically there for when you do something illegal or negligent."
That is a really dumb business model.
Re: (Score:2)
It's actually going to be a fairly interesting case from the standpoint of defining what exactly identity theft is. If the courts decide it
Re: (Score:1)
Re: (Score:2)
Devils advocate here.
Perhaps the insurance company should have had an audit done so that they would know what they were insuring.
When I get my car insured one of the things that the insurance company does is take pictures of my car so they know what they are insuring.
If the insurance company did not state how or to what degree the website was to be secured is it fair for them to say after the fact that they will not pay?
Re: (Score:1)
Re: (Score:2)
If Sony's issues were due to their own negligence in securing their network, why should the insurance company have to pay? If I'm driving drunk my insurance company isn't going to cover my car when I get into an accident, so why the hell should an insurance company cover this?
That's a lousy analogy because drunk driving is a criminal behavior. In many places it is illegal for an insurance company to write a policy that covers personal liability for criminal acts, but they frequently can cover extremely stupid acts of negligence or even (rarely) corporate liability for the crimes of individuals.
But that doesn't seem to be relevant in this case, since Zurich seems to be suing over finer points of coverage terms rather than over whether Sony was negligent in their sloppy securit
Re: (Score:3)
Insurance damage was not one I considered (Score:5, Insightful)
This makes me respect the attacks on Sony all the more. The attacks on Sony did more damage than the temporary breeches and outages. Those can be forgotten in a short time. But when insurance coverage is being denied, real and long-lasting damage has indeed occurred.
An insurance company will often deny coverage to parties who are risky. If a party engages in behavior that, for example, makes them a target of angry people, they are a higher risk. Sony has made many, many parties angry and in this case, they made themselves target. What's more, they failed to improve security at any site or location that bears the Sony brand. This makes them more than risky, it makes them negligent.
I only wish "arrogance" were enough cause to raise insurance rates... but then again, insurance companies would all be uninsurable.
Re: (Score:1)
No judge is going to throw out legally binding coverage. If Sony violated their insurance coverage that would be amazing. They have lost reputation here and that's invaluable. Not many people would trust them after this. They are seen everywhere as being largely incompetent.
This changes their business model. No longer are they going to be capable of running online shops, for exa
Re: (Score:3)
No judge is going to throw out legally binding coverage. If Sony violated their insurance coverage that would be amazing.
I'd be more surprised if Sony haven't violated their insurance coverage. As others have already said, virtually any insurance policy for any sort of risk - whether it's for your car, your home, your professional indemnity - includes a clause which essentially says that you're meant to take reasonable steps to minimise the risk of a claim happening in the first place.
It's entirely possible that a company the size of Sony might have been able to negotiate a special policy rather than getting stuck with the "t
Re: (Score:2)
The judge in order to exercise due diligence is going to need to see records where the insurer took steps to monitor compliance. IANAL but I have seen this in my own business where the insurer has no case if they didn't try to check up and see if Sony was being compliant. Can you guess where that's gonna go?
Of course if Sony's legal team is as competent as their pr
Re: (Score:1)
That is not the point. Zurich is claiming they never covered for cyberdamage, so it is irrelevant whether the security was good or not.
Re: (Score:2)
Re: (Score:2)
Technically, the founding fathers of the United States of America were treasonous criminals and should have been hanged.
There are unquestionably some forms of justice in this world that do not fit within the justice system.
Re: (Score:2)
The problem is, the laws are systematically unjust. So you can't presume that just because someone broke the law they acted incorrectly. (Recklessly, perhaps. But many reckless actions are quite defensible, and many are also legal. Not always the same ones.)
You are right. I won't let the perpetrators of an action decide whether it was moral or ethical. But I won't let the legislators decide that either. *I* decide whether I consider an action to be moral or ethical.
It would be nice if we could depend
Re: (Score:2)
Re: (Score:2)
If it were required that jury nullification be explained to prospective jurors, then I would have a lot less trouble with the laws. As it is, instead, prohibited... well, then the laws have to be nearly perfect before I'll think then defensible.
N.B.: Even with jury nullification, there will still be many miscarriages of justice. Perfection does not exist in this world. And even then the system would be shamelessly tilted in favor of the rich and the powerful.
Re: (Score:2)
Re: (Score:2)
If it works like it does for small businesses, Sony is in for a world of hurt even if the insurance ends up covering it. General liability is priced partly based on how much has been paid out in claims for that company in recent years. So if the insurance is denied, Sony has to foot the bill. If the insurance covers it, Sony's insurance premiums will go up in the future. And for a company Sony's size, even a f
Yeah, you really showed GeoHot, Sony! (Score:2)
I guess that'll teach some punk to try to jailbreak one of your consoles!
Re: (Score:2)
So pirates really are putting them out of business.
Re: (Score:2)
April Fools (Score:1)
No Accountability (Score:2)
It's the corporate way...
It's just some silly data, what's the big deal?
All your $ are mine.
It's a shell game (Score:2)
Sony = We're not responsible, someone illegally accessed your data.
Sony = We have insurance for that, collect from them >>>>
Insurance Co = (professional non-payer of fees, obsfucator and dragger of feet) We're not paying, Sony was criminally negligent. Go collect from them >>>>>
Sony = OMG! The government must protect us from the evil haxors and get your restitution from our insurance.
Insurance Co = Restitution shmestitution, it is us who got hurt here! The gov't must protect us fr
To clarify: (Score:1)
Zurich are not trying to get out because of Sony's gross negligence in their security. This is what the various drunk driving and lunatic driving analogies would imply.
From TFA, Zurich are saying 'it does not have to defend or indemnify Sony against any claims "asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general."' I.e. that the policy was never insurance against cyber-damage, but against property or personal damage caused by Sony
Grabs Captcha Text (Score:1)
( curl http://pro.sony.com/bbsc/jsp/forms/generateCaptcha.jsp 2>/dev/null | grep "<b>" | sed "s/[<>]/ /g" | awk '{printf($2)}'; echo )
Re: (Score:2)
since you seem to judge laptop quality by GPU, you get my sympathy