On August 24, 2014, Sony announced via its PlayStation Network Blog that users of the PlayStation Network and Sony Entertainment Network were experiencing difficulties accessing the networks and their services due to “an attempt to overwhelm our network with artificially high traffic.” The attack, known as a distributed denial-of-service attack, does not appear to have resulted in any access to personal information as of the time of this publication, but users experienced disrupted service for nearly 24 hours. Although a seemingly benign consequence, the effort required to respond and restore the network undoubtedly cost Sony significant time and expense. Moreover, the perpetrators behind this attack—a group known as “Lizard Squad”—took the ramifications of the attack to a new and terrifying level when a public tweet from the Lizard Squad Twitter account indicated that there were explosives on board the commercial flight carrying Sony Online Entertainment President John Smedly. The flight was diverted in response to the threat, certainly imposing additional expense and lost time on individuals and businesses unconnected with Sony.
Days later, media sources began reporting that JPMorgan Chase and at least four other U.S. banks were also targeted by hackers in a series of coordinated attacks. According to the New York Times, the hackers gained access to gigabytes of data, including checking and savings account information. Some news sources have reported that this attack was the work of Russian cyber criminals and was perpetrated in retaliation for government-sponsored sanctions against Russia. However, whether this is the case remains to be seen. Regardless of the cause, JPMorgan reports that it has experienced more frequent, sophisticated and dangerous cyber attacks in recent years than ever before, and has announced that it expects to increase annual expenditures on cybersecurity by 25 percent—to about $250 million—by the end of 2014.
These recent attacks suffered by major companies are nothing new. And with those issues of data security have come issues about the availability of insurance coverage for the resulting damages. Much of the insurance bar is familiar with the widely publicized case brought before the New York Supreme Court earlier this year in which Zurich American Insurance Company and Sony litigated the availability of insurance coverage for damages that resulted after a 2011 cyber attack. As discussed below, the court determined that there was no coverage for those claims. Other major corporations have also faced off against their insurers following data security mishaps. What seems to be the issue between insurers and their policyholders when it comes to coverage for claims like these? Oftentimes the debate centers around what at first glance appears to be a simple issue—did a publication occur? As this article will explain, the answer to this seemingly straightforward question is anything but a simple one.