Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Sony The Courts IT

Lawsuit Against Sony Highlights Cyber Insurance Shortcomings 99

CWmike writes "A brewing legal dispute between Sony and one of its insurers over data breach liability claims highlights the challenges that companies can sometimes face in getting insurance providers to cover expenses arising from cybersecurity incidents. Zurich American Insurance Co. asked the court last week to absolve it of any responsibility for defending or indemnifying Sony against claims arising from the recent data breaches at the company. The data breaches at Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures resulted in account data on close to 100 million individuals becoming exposed and over 12 million credit and debit cards being compromised. The breaches have so far resulted in at least 55 putative class-action lawsuits being filed against Sony in the U.S and another three lawsuits filed against it in Canada. Sony expects to spend close to $180 million in the next year alone on breach-related costs. But analysts say insurance might not have even been worth it in Sony's case: 'There aren't many success stories where cyber insurance [has played] a significant role in reducing the cost of incidents,' said Gartner analyst John Pescatore. Um, better security as an insurance policy maybe?"
This discussion has been archived. No new comments can be posted.

Lawsuit Against Sony Highlights Cyber Insurance Shortcomings

Comments Filter:
  • Maybe they should just throw in the towel and hire LulzSec to handle their online security.

  • by TheGratefulNet ( 143330 ) on Wednesday July 27, 2011 @12:59PM (#36898788)

    hmmm, on one side, an insurance company.

    on the other side, sony.

    hey, why does it have to be one or the other, though? can't they both lose? please?

    (for great justice. and a plate of shrimp, to go.)

    • by Rolgar ( 556636 )

      OT rant: What's wrong with the insurance company? Is it that some insurance companies are inclined to not pay on health?

      Realize, different types of insurance are sold by different companies. For instance, Blue Cross and other insurance companies don't cover property damage or sell life insurance policies. With non-health insurance, you probably have a choice, and I don't hear near as many bad comments about them as I hear about health insurance. Why? Probably because you can easily switch insurance provider

      • >> With non-health insurance, you probably have a choice, and I don't hear near as many bad comments about them as I hear about health insurance.

        Tell that to Katrina Victims .. and yes, I know the Flood Policy deal. But, there were people that loss whole houses to WIND ONLY and I am sorry, floods don't blow roofs away. Oh.. there was water in the wind so it doesn't count? WTF?

        http://www.centerjd.org/air/pr/KATRINAREPORT.pdf [centerjd.org]

        • Or the ones who had wind insurance, but the company refused to cover any water damage, claiming it was caused by the flood and not the fact that the roof blew off.
      • Is it that some insurance companies are inclined to not pay on health?

        I lost my job and was on COBRA. that ran out and to keep health insurance, I had to buy 'private insurance'. if you don't, then the 'pre-existing condition exclusions' can really bite you. its a huge risk, in the US, to not have 'continuous insurance'.

        anyway, I was a month into my new fairly expensive private no-group plan when I had a dental emergency. fortunately, I did have the dental coverage (thought I). I went to the dentist (o

        • by rworne ( 538610 )

          go ahead and tell me this isn't evil to the core

          I can.

          Look at this hypothetical situation, and it is hypothetical, I'm not saying it's you:

          Someone does not want to pay for insurance because they view it as a waste of money. Then, one day their tooth starts to hurt and it looks like it may need a root canal.

          So they call and sign up for dental insurance and with the $96/year plan, they go ahead and get a $1500 (or whatever the cost) procedure done. Then cancel at the earliest convenience and wait until the

          • what would be fair: pay for the emergency stuff as long as I'm covered. I AM covered, why deny me?

            now, you can ask^Hforce me to repay if I leave 'early'. its like getting corporate relocation on a new job. if you leave that job before X amount of months, you pay back that 'earned benefit' of relo.

            why can't this be that way? sure, I'd be 'happy' to keep current for the next 6mos. I will anyway, dammit! why deny me coverage NOW for emergency stuff?

            it cold and heartless and evil. its not the only way to

          • by AmiMoJo ( 196126 )

            This is why a mandatory insurance scheme is such a good idea. In the UK we pay national insurance directly from our pay packets as part of the deducted tax. Everyone gets free treatment on the National Health Service, but you are of course free to sign up for private care too.

        • Not that I ever want to be on the side of the insurers.
          Surely though you can see that you would never want to pass a law stating that there could be no waiting period.

          The cost of insurance would skyrocket.

          Smart people who are healthy would wait till they need some major work done. Then buy insurance. Keep it long enough to get the work done then drop it.

          I know insurance companies can be evil. Just make sure when figuring how things should be to remember that people can be evil as well.

        • by Rolgar ( 556636 )

          Sorry to hear about your situation. I have an opinion on why things are the way they are, and as I specified in my post, not having a choice is part of what is killing us, along with government underpaying on medicare which passes on the cost for medicare covered individuals on to the rest of us, as well as not going after tort reform, which forces doctors to bump their rates up $25 dollars an hour.

          However, those companies are not the same company that's providing this insurance, although I suppose they cou

      • by swb ( 14022 )

        Well, it's the annoying habit insurance companies have collecting on insurance premiums and not paying claims, in all realms, not just health insurance. Health claims are just more pernicious because it deals with life and death.

        I've personally had pretty good luck with car insurance, but my claims have almost always been totally one-sided (as in rear-ended or parked) and the fault 100% of the other driver.

      • OT rant: What's wrong with the insurance company? Is it that some insurance companies are inclined to not pay on health?

        Realize, different types of insurance are sold by different companies. For instance, Blue Cross and other insurance companies don't cover property damage or sell life insurance policies. With non-health insurance, you probably have a choice, and I don't hear near as many bad comments about them as I hear about health insurance. Why? Probably because you can easily switch insurance providers for property insurance, and you had a choice when you bought your life insurance. Unfortunately, with health, most people are tied, by virtue of employer selected health care plans to a provider that they don't have any say in. I have the feeling if I had the cash that my employer pays Aetna for my insurance coverage, I could go select something else, I could probably get a better deal. I hear health insurance coops are a good alternative, although they have similar restrictions as the for profit organizations.

        I think basically it's because the whole (non health) insurance industry has a reputation for doing whatever they can to screw their customers when a claim is actually filed. Couple that with the fact that in many locations insurance (auto insurance for example) is required by law and you can begin to see why people do not like insurance companies. They take your money from you and then do everything in their power to not pay out when they should.

      • I have the feeling if I had the cash that my employer pays Aetna for my insurance coverage, I could go select something else, I could probably get a better deal.

        Wrong, unless you go buy very bad coverage. Most of the time, employer-based health insurance has serious advantages. First, the rates are much lower because there's a bigger risk pool (at least that's the theory--in reality, they are lower because it's a collective plan, which is related, but is also about bargaining power). An individual plan w

    • It's one of those "If they both jump off a tower, who hits the ground first?" "Who cares, as long as they both jump!" things, ain't it?

    • And they managed to involve the third devil: lawyers !

  • When I hear about things like this, I think back to why insurance was created, namely to protect you in case of a loss that you cannot afford. Think about what you insure, your home, your liability in a car accident or your life (and income potential therein). It appears that in this case, Sony can afford this failure, they're just trying to use insurance as a cost offset. Given what would seem to me like the relative ease of the insurance company denying coverage ("Were you fully patched and protected i
    • by sribe ( 304414 )

      Is there possibly some fiduciary responsibility to shareholders that is the cause?

      Yes. Sony is obligated to check out every avenue to offset this cost.

    • Re:Why bother? (Score:4, Insightful)

      by fuzzyfuzzyfungus ( 1223518 ) on Wednesday July 27, 2011 @01:17PM (#36899044) Journal
      I suspect that it is a managerial/cultural matter: "Risk management"(in the finance sense, not the engineering sense) is extremely popular and consists largely of attempting to quantify the costs of various risks and then construct a wide assortment of various financial instruments(insurance contracts among them; but by no means limited to insurance) in order to minimize your risk exposure number.

      Little people obtain insurance to deal with the potential for low-probability catastrophes; but if you bring the finance guys into it, insurance is just another financial instrument to be fiddled with in the service of perceived optimization(also, once you bring the finance guys into it, not insuring something starts to look a lot like self-insuring something, at which point the question of whether to buy insurance or not really just comes down to whether to do something in-house or contract it...
      • by afidel ( 530433 )
        It's mostly because of the shift in market focus to quarterly profits, in the history of Sony and even PSN the costs are fairly trivial but if they all come in two or three quarters instead of the monthly insurance premium it upsets the street.
    • by Rolgar ( 556636 )

      Do you know when such an event will happen, how often, or how expensive one or more incidents may be? With insurance, you can balance the cost. You pay a set amount, and when it happens, you've already been paying for it over time. So this smooths out the lumps by spreading the cost over many years instead of focusing the cost all in one or two quarters.

      For instance, as an individual, with health insurance, I know that at some point, I or someone in my household will end up in the hospital. I can either buy

      • Here's where I have a hard time trying to justify the insurance piece. Insurance companies will do anything and everything to get out of paying. In the security world, insuring against a breach just seems to be fraught with an insanely high standard to receive compensation from the insurance company. In this case, I'm imagining a scenario where you have to PROVE to the insurance company that you did all you could to avoid such a breach, including up-to-date patches, social engineering training, penetrati
  • by timeOday ( 582209 ) on Wednesday July 27, 2011 @01:00PM (#36898818)
    The whole point of insurance is to make a variable cost into a fixed cost. Even if better security substantially reduces your average cost over an infinte time horizon, it does not make the associated costs predictable. It's like saying, don't get homeowners insurance in case your house burns down, just remember to turn off the iron when you leave home.
    • Yes, but insurers don't typically give you a blank check to replace what you like for whatever happened. There are typically restrictions to what they'll cover and if you're behaving in an irresponsible fashion they aren't necessarily obligated to pay out. More commonly though they'll pay the claim then cancel the coverage.

      Insurance fraud is a serious issue which causes all the other insured parties to have to pay more. I'm personally curious if they'll get away with refusing to pay, but given the degree of

      • by Daniel_Staal ( 609844 ) <DStaal@usa.net> on Wednesday July 27, 2011 @01:14PM (#36898992)

        Actually, from what I've read, the insurance company is trying to claim that cybersecurity breaches (or whatever you wanted to call this) wasn't part of the policy. So it's not that Sony was negligent, it's that Sony wasn't insured at all. (According to the insurance company, at least.)

        • You seem to be correct, Sony was covered for property damage and personal injury, not cybersecurity breeches. So, I'm guessing that this wouldn't be considered property damage or at least only a very small amount of the claim could be considered property damage.

        • by AmiMoJo ( 196126 )

          Not being insured is the same thing as being negligent. If you are a large company doing something risky like storing personal data you need to have insurance to cover loss. In fact we should make it a law in the same way that car drivers must have insurance.

          • Only if they can't cover it out of pocket. (Car drivers are a special case: Increasing access to private transportation has massive economic advantages, but an accident can cause hundreds of thousands of dollars worth of damages, more than 90% of the population would be able to pay. By requiring insurance, we keep the cost of insurance down and make sure that someone can pay for damages in case of a massive accident.)

    • Or to put it a different way it is a hedge against potential losses. This is the prudent thing to do as you pointed out it give you a fixed cost all be it at probably a higher total cost. Airlines have been know to do similar things when they purchase futures contracts for fuel, some times it works in their favor some times it doesn't but in either case they know their cost going forward.
  • by fuzzyfuzzyfungus ( 1223518 ) on Wednesday July 27, 2011 @01:01PM (#36898826) Journal
    Not that bad things are happening to Sony, who deserves it; but that even giant bloodsucking multinationals with legions of attack lawyers can't keep insurance companies in line(arguably, if you count CDOs, neither can nation states. Why don't we shoot these people again?). Makes me feel a whole lot better about the inevitable hassles that will arise from my next claim form...
    • I'm not sure who you are desiring to shoot, unless it's "Kill them all and let god sort it out". However, this is total standard operating procedure for an insurance company. Faced with a big loss you take some of your already paid for legal staff and obfuscate for a while, hoping to get the whole thing knocked off or, much more likely, come up with a mutually disagreeable solution of some lesser value.

      These are not the higher principles you are looking for....
      • There is this thing called reinsurance [wikipedia.org] that insurance companies can purchase that lets them hedge the risk from their own policies. This call to be able to dump the Sony claim might be coming from the reinsurance company or companies. To put things in perspective reinsurance companies make your standard insurance companies look like paupers.
        • by afidel ( 530433 )
          Zurich is a large reinsurer as well as a large scale insurer. A former company did a lot of work for them doing forensic accounting on companies claiming business losses after Katrina, Zurich was not the holder of those policies but rather was insuring the basket of policies that were being claimed against.
    • Why don't we shoot these people again?

      Because we can't get good insurance salesperson shooting insurance for some reason...

  • by Baloroth ( 2370816 ) on Wednesday July 27, 2011 @01:08PM (#36898910)

    At this point, it almost looks as if Sony's security team isn't just incompetent. That's pretty obvious. By this point, I'm almost wondering if some of them weren't/ aren't deliberately sabotaging Sony's security (well, those who actually know enough to do sabotage, which is looking like the minority at this point.) No patches/ firewall on their servers? Not using random numbers in the signature on firmware for the PS3 (thus revealing the master private key. Including that for Bluray.)? This? [slashdot.org] These aren't just huge, gaping flaws. Flaws require effort to exploit. These are just... not security. At all. Its like having theft insurance on a car, then leaving that car unlocked in a bad neighborhood. After removing the locks. Then putting a sign on it that says "plz dont steal." Then wanting the insurance money to cover the car after it gets stolen. Its simply not going to happen, at least if the court is anywhere near competent (or unless there is some weird clause in the contract).

    Sony should be forced to pay, and probably have some punitive costs added as well, so that they learn to hire competent security designers. And pay them well. This whole episode is simply mind-boggling. Didn't know a company could be this incompetent and still exist.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      (posting anon so I don't get sued by former employers - mega tech, mega bank, mega networking...)

      This sort of crap is why I got out of IT security and secure network protocols as a formerly fun career path. The big companies don't give a flying ^&%# about actual security anymore, the MBA mentality has determined its cheaper to declare it secure and buy an insurance policy. HSM? That's too expensive... Password database, PKI? No, the spec says "encrypted", it doesn't specify anything about key manag

    • One should not attribute to malfeasance what can adequately explained by stupidity. Although, I have to agree, Sony is really pushing it here.
    • competent security designers where lay offed and they where not given the tools / funds to do there job.

    • Most points have already been made, but allow me to elaborate why I do not necessarily see Sony's security team as incompetent. Chances are, they couldn't do a better job. Or rather, a combination of "they were not allowed to" and "they didn't get what's necessary to do it".

      First of all, security is a cost position without revenue. It costs money but doesn't make any. It's a bit like an insurance, you pay for it to reduce the risk of something bad happening. When times are dire and money is short, what's th

      • I don't buy it. Patching Apache doesn't cost money, is extremely easy to do, is usually quite safe. Adding a firewall can cost as little as zero. Windows and Linux operating systems all come with reasonable firewalls that might not be as robust as a dedicated solution, but are certainly better than nothing, and are trivial to setup. The only cost for those two "fixes" was perhaps a few thousand dollars worth of IT guy time, at most, and likely it would have cost zero, as you simply do it at install time

        • by vux984 ( 928602 )

          Patching Apache doesn't cost money, is extremely easy to do, is usually quite safe.

          Time is money. Patching takes time.
          And "usually quite safe" is not "safe". It means once in a while the time you spend doing it balloons into a lot more time, or even worse system downtime... I've got a server that we don't do OS updates nearly as often as we should because the damned database server on it flakes out, and some of the tools don't work with new versions of Java and flake out if java updates are installed. So it

          • You already have the employees on the payroll. You can't say it cost more than their salaries if the time they spent setting it up is trivial.

            And as for your shitty accounting software, that isn't comparable to a web server. In general, web servers use two port that are well documented, not 40 that are not well documented. Setting up the firewall for database is also very easy. I'm literally talking about a few minutes in Linux, just a few lines for exceptions in iptables.

            I get that in some instances it

            • You sure you already have them on the payroll? Unless you're some REALLY big company, you might not have a guru for every kind of software you want to install, even if you might have someone who knows your chosen firewall appliance inside out, which is also anything but a given. Most are already overwhelmed when trying to configure something like Astaro sensibly.

              And while your webpage example works as long as your web server only serves pages and nothing else, it already becomes a very different game as soo

              • So you have people who know how to load balance a range of services through multiple systems, but can't configure a firewall?

                • Not as odd as it may sound at first. Especially in this time and age where "knowing how to set something up" pretty much translates as "knowing where to push buttons in a given tool".

                  I'm actually the other way 'round. I can tighten your firewall (provided it's at least somehow related to any firewall technology that I'm familiar with, I try to avoid too proprietary solutions that have nothing in common with generic implementations anymore), but I doubt I could configure a load balancer sensibly. I'm not rea

                  • I sum it up with my boss this way...

                    When it comes to network security, there are two kinds of people:
                    1. Paranoids
                    2. Idiots

                    Either you are one, or you are the other.

                    • Oh, I know a lot of people who fit into both groups. Who have no idea, and hence are scared of whatever boogeyman some sales drone paints when he has some security snakeoil to peddle.

        • It costs time. And time is maybe the most valuable resource in a company environment. You'll rather see management approve buying something than having you spend time on doing something. Especially if your annual salary is in the 6 digits or at least getting close to it.

          And please allow me to dispel the myth that firewalls don't need updating. They do. I wouldn't say that it's a sizable amount of audits that fail due to outdated firewall settings, but it does happen, especially in high security areas where

    • Indeed, many automotive policies do not cover you in cases such as:
      a) You have been drinking/driving and get into an accident
      b) Your car is stolen when you leave the keys in the ignition (or leave it running, etc)

      Depends on what's in Sony's policy, but I wouldn't be surprised if they had an anti-negligence clause.

    • At this point, it almost looks as if Sony's security team isn't just incompetent. That's pretty obvious. ... Its like having theft insurance on a car, then leaving that car unlocked in a bad neighborhood. After removing the locks. Then putting a sign on it that says "plz dont steal." Then wanting the insurance money to cover the car after it gets stolen. Its simply not going to happen, at least if the court is anywhere near competent (or unless there is some weird clause in the contract).

      The issue is, if yo

    • by AmiMoJo ( 196126 )

      Never attribute to malice what can adequately be explained by incompetence.

      A few years back I used to work in IT. This guy who was in charge of a multi-million pound turnover company's servers as a contractor was too scared to patch them. If the update went wrong he might have to take a trip up to London on the weekend to fix it, and being Server 2003 that occasionally did happen. Whenever there was a problem the staff would be on the phone every five minutes screaming at him and threatening lawsuits for lo

  • Um, better security as an insurance policy maybe?

    Yes. Every insurance policy you could possibly buy will require you to exercise the normal and accepted level of diligence with regard to security. No policy in the world will cover you if you're negligent, because insurers are sane; they're not going to accept that level of risk. They're only going to take on the risk that you do things reasonably well, and still get breached by some sophisticated and not-reasonably-expected attack.

    • They might write a policy for you but it would be put into the high risk pool. I do wonder if the company did any assessments of Sony's security since if they did and signed off on it then the insurance company is going to have a hard up hill battle. When I got my private life insurance they had a physical exam to verify that what I provided on their form so for an even larger policy I would assume that they would do auditing to at least verify that Sony was in the correct risk category when policy renewal
      • I do wonder if the company did any assessments of Sony's security since if they did and signed off on it then the insurance company is going to have a hard up hill battle

        Which is probably why you're not reading about "Sony's insurance company rejected the claim", but are instead reading about "Sony's insurance company is suing to be able to reject the claim". I'd speculate that Sony looked good enough on shallow inspection to validate their coverage, but Sony's hidden incompetence and malfeasance makes it

  • So a company is running unpatched servers with no firewall. Even if they do get insurance against cyber incidents, they are guaranteed to get absolutely nothing from this insurance, because they don't have any protection set up. Isn't insurance in this case essentially unjust enrichment for the insurance company?
    • Nope. This is exactly how cyber insurance should be: an incentive to keep your networks secure. If you can prove you have them up to industry standards (set by the insurance companies), then you are insured against extraordinary events. There's no point in insuring something that is guaranteed to happen eventually, like the breach of an unsecured network. This is exactly how health insurance works in the U.S., at least the better ones. It's in the insurance company's best interest to keep you healthy,
  • by Animats ( 122034 ) on Wednesday July 27, 2011 @01:18PM (#36899074) Homepage

    The actual court filing [state.ny.us] by the insurance companies says:

    Notwithstanding, the claims set forth in the Class Action Complaints filed against SCEA and the other Sony Defendants, as well as the miscellaneous claims, arising out of the cyber attacks on the PSN and SOE Network and the unauthorized access to and theft of the named plaintiffs and putative class members' personal identification and financial information, do not assert claims for "bodily injury," "property damage" or "personal and advertising injury" so as to entitle SCEA to defense and/or indemnity under the ZAIC Primary Policy.

    In other words, Sony didn't buy coverage against a liability of this type. They were covered if the product actually injured someone or damaged their property (shocked someone or caught on fire, for example) but not for an indirect financial loss.

    What they needed was an "errors and omissions policy". This covers financial screwups. Banks, accountants, tax advisors, and brokers usually carry such policies, because they handle other people's money. What Sony's people didn't realize is that, by handling so many credit card numbers (and, apparently, improperly holding more credit card info than they should have), they had the exposure of a financial institution.

    Any merchant who holds onto credit card info for recurring transactions needs that coverage. Merchants who just pass credit card data to the bank for a single transaction, but don't keep it on file, are less at risk.

    • Lesson: Insurance (the House) always wins.

      • by Anonymous Coward

        No, the lesson is "read the fucking contract." It's the same line SCEA themselves fell back on when they yanked OtherOS.

        I love the smell of schadenfreude in the morning.

    • Yeah, it sounds like Sony's policy with Zurich was General Liability Insurance [dandb.com]. That type of insurance only pays for injury, property damage, and litigation arising from those two. Sony is really pushing it trying to claim the data breach caused injury or property damage to its customers.

      OTOH, if the courts buy Sony's argument and classifies identity theft as injury or property damage, then the world gets a lot more interesting. Paypal loses your credit card and bank account info to hackers? Your ban
    • by Anonymous Coward

      No, what they need is a Cyber Risks Policy, which they actually have.

      "Sony does in fact have a cyber insurance policy, which covers losses related to the breach. But it is likely that the company was hoping to lean on Zurich to cover the expected high costs related to defending itself against the slew of class-action lawsuits."

      http://www.zimbio.com/SC+Magazine/articles/3Uy-tu7oydf/Zurich+seeking+immunity+covering+Sony+over

      Sony has a General Liability policy placed with Zurich, which has a clause that contai

    • by AmiMoJo ( 196126 )

      What I can't understand is why Visa and Mastercard are not suing Sony. It costs them money to deal with fraud. I guess Sony is too big a customer to piss off.

  • As much as I hate insurance companies I don't think that Zurich American Insurance Co. is as bad as some and is probably reasonable in trying to avoid paying in this case. From my understanding Sony didn't do due diligence in securing their network or even follow what would have been reasonable precautions that a rational actor would take. It is interesting that the insurance company is going to court which probably means they feel they have a strong case since usually they will just deny the claim.

    There i

  • Hasn't this already been confirmed as complete bullshit? I seem to remember you could get a google cache of the server information at the time which pretty much refuted all of the 'evidence' that Sony was running an insanely out of date server config? Why does this crap keep getting posted?
    • I don't know about a Google cache, but you could check the Apache release notes against the version of Apache running at the time. I did. And while the version was quite a few patchlevels old and there were quite a few bugs fixed in the more recent revisions, most of those bugs were for either denial-of-service vulnerabilities (attackers could use them to crash, lock up or overload the server but couldn't gain access to data through them) or vulnerabilities specific to Apache running on Windows (SOE was usi

  • I know Sony is making a $Billion every second of every minute of every hour of every day, but that nearly $180M sounds like a lot of money to me. Is Sony still coming out ahead after all of this? Seems like it's possible -- there was a story here recently talking about PS3 overtaking the Xbox360... (though my guess is the Xbox360 market is saturated and in order to get something new, they finally got a PS3 too)

    Whatever the case, I see the attacks on Sony not as a mere attack and security breech, but massi

  • Welcome Sony, to the world the little guys live in. The one where you need insurance insurance for when your insurer finds a way to weasel out of a perfectly legitimate claim even though they faithfully cashed your check every month since forever.

    Of course, since the only place you could get insurance insurance from is one of the weasels that looked even less reliable than where you bought your insurance from, good luck with that.

"Out of register space (ugh)" -- vi

Working...