Sony Insurer Suing To Deny Data Breach Coverage

timothy posted more than 2 years ago | from the liability-for-someone-only-not-you dept.

idontgno writes "It keeps getting better and better for Sony and its business units. Reuters reports that Sony's insurer, Zurich American, is suing to avoid paying out on Sony's legal liability which may arise from its spectacular online security breaches a few months ago."

122 comments

So, maybe, if we're lucky... (2)

mat catastrophe (105256) | more than 2 years ago | (#36844364)

We won't all one day drive our Sony to the Sony to pick up more Sony?

Re:So, maybe, if we're lucky... (1)

elrous0 (869638) | more than 2 years ago | (#36844642)

I'm sorry, the use of the Sony Internet(tm) to post articles criticizing or questioning Sony is not permitted. Please report to your Sony ISP(tm) to appeal your disconnection.

I was just thinking to myself... (4, Funny)

snookerhog (1835110) | more than 2 years ago | (#36844376)

I was just thinking to myself, what this story needs is some more lawyers.

Re:I was just thinking to myself... (2)

Oxford_Comma_Lover (1679530) | more than 2 years ago | (#36844512)

I was just thinking to myself, what this story needs is some more lawyers.

In this case, maybe.

On the one hand, I would hate to be a SONY shareholder right now, or to be the big guys at SONY and realize (probably) that you had hired someone incapable of managing the security you need for a target that large--or given them too little power to do it--and be hit with the double whammy of insurance refusing to cover you. I would also hate to be Sony's lawyers who approved either their security policies or their insurance policies.

But on the other hand, companies that are big targets *will not* take the necessary risk mitigation steps if they are not financially accountable for their actions. If Sony's only loss is to income and share price, it is still a big loss, but it is a much bigger incentive for smaller companies to protect user data if the ability to insure against data theft is limited.

Re:I was just thinking to myself... (1)

datapharmer (1099455) | more than 2 years ago | (#36844620)

that you had hired someone incapable of managing the security you need for a target that large

*that large*? really? Their security wasn't up to snuff if they were a small business. Running old software with known security vulnerabilities isn't just poor practice it is just flat out lazy.

Re:I was just thinking to myself... (0)

Anonymous Coward | more than 2 years ago | (#36846250)

that you had hired someone incapable of managing the security you need for a target that large

*that large*? really? Their security wasn't up to snuff if they were a small business. Running old software with known security vulnerabilities isn't just poor practice it is just flat out lazy.

Yes! But they got Always the Low Price[TM] for all their IT needs!

Re:I was just thinking to myself... (1)

swv3752 (187722) | more than 2 years ago | (#36848382)

You really think the IT admins were at fault? And not the managers that almost assuredly would not approve the downtime, overtime, etc, to upgrade the servers? This is management at fault.

Re:I was just thinking to myself... (-1)

Anonymous Coward | more than 2 years ago | (#36844568)

Mod up +1 funny. Not just funny but LMAO funny. Shoehornjob

Go Figure (1)

dmmiller2k (414630) | more than 2 years ago | (#36844382)

I wonder how many Zurich American executives' kids were affected by the outage?

Re:Go Figure (1)

DarkOx (621550) | more than 2 years ago | (#36844676)

Probably but I am sure what this comes down to is if their contract covers damages from this loss or not.

My guess is they have some clause that says the insured party is supposed to take reasonable steps to prevent losses as a result of security compromises. Your homeowner's policy has something similar. If you leave your doors unlocked for instance you might have a serious problem with a claim for loss by theft.

The issue here is going to probably be what constitutes reasonable, and given the problem was essentially they failed to patch servers, Sony will most likely lose. It's going to be really hard for Sony to locate IT security experts who will testify that having a patch management plan that covers all assets and following it is not a basic measure everyone should employ.

Re:Go Figure (2)

Dishevel (1105119) | more than 2 years ago | (#36845900)

I think they will have an easy time finding an "IT Security Expert" who will say whatever they pay him to.
That is what "Experts" do.

Re:Go Figure (0)

Anonymous Coward | more than 2 years ago | (#36847598)

--
Fuck that pedo The Prophet Muhammad.

Is Muhammad a Roman Catholic priest?

Re:Go Figure (0)

Anonymous Coward | more than 2 years ago | (#36848050)

The difference is that people are allowed to disparage the Roman Catholic Church without fear of death.
And have been able to for a few hundred years.
My reasons for the attack on the Muslim prophet are solely to speak against a religion that kills people for speaking against it.
This is why My sig is not aimed at Christians, Catholics, Buddhists, Scientologists, or any of the other religions.

I have no particular love for any of the established religions.

I do personally believe that there is something more important than me out there. I also know enough to realize that I do not know what that is.

As long as a religion can get along with others I am fine with it.
As soon as they start crusading or cutting off fuckers heads in the name of the religion fuck em.

Re:Go Figure (2)

justsomebody (525308) | more than 2 years ago | (#36844738)

i think that is not a problem, they try to get out on the fact that sony security was crap (which it was). same way as my insurer would not pay up if i crash my car (fully insured) while i was driving without one wheel and my windshield was so dirty nothing could be seen through

Re:Go Figure (1)

ZombieBraintrust (1685608) | more than 2 years ago | (#36845318)

Here is the thing though. Zurich sold them a policy. It was up to Zurich to identify risks such as bad security and price the insurance correctly. The whole point of liability insurance is for problems that you yourself are liable for. No one needs this insurance if they don't ever do anything wrong.

Re:Go Figure (3, Interesting)

cwebster (100824) | more than 2 years ago | (#36845614)

Yea, they did sell them a policy, and this shows you why you need to actually read your policies before signing them. Many policies, perhaps even ones you have signed, contain clauses that limit the insurer's liability if certain conditions aren't met.

Re:Go Figure (1)

RsG (809189) | more than 2 years ago | (#36845966)

Yea, they did sell them a policy, and this shows you why you need to actually read your policies before signing them. Many policies, perhaps even ones you have signed, contain clauses that limit the insurer's liability if certain conditions aren't met.

^What he said.^

If you put fire insurance on a building and then take no measures to prevent a fire from breaking out, you won't be able to collect. If you take theft insurance on a car and leave it with the keys in the ignition in a bad neighbourhood overnight, you won't be able to collect. Insurance covers accident or malicious action by a third party; it doesn't usually cover gross negligence on the part of the insured party.

It isn't that the insurance companies are arbitrarily refusing to pay out, it's that they're smart enough to have clauses in the contracts that they can invoke when the insured party is clearly at fault. Now, some insurance companies are utter bastards and will try to invoke these clauses at the drop of a hat. But everything I've read about Sony's data security leads me to conclude that their insurers are probably in the right here, always assuming the contract had a "here are the duties of the insured party" clause in it.

Re:Go Figure (1)

tompaulco (629533) | more than 2 years ago | (#36845850)

The whole point of liability insurance is for problems that you yourself are liable for. No one needs this insurance if they don't ever do anything wrong.
No, the whole point of liability insurance is that you pay your premiums and they give you a certificate that says you have it, so people will do business with you. You're not supposed to actually make claims against it.
But seriously, Sony is large enough where they shouldn't even have to have liability insurance. They should just maintain a huge bond. In the long run, that is cheaper than paying an insurance carrier basically the same amount plus operating costs and profit of the insurance company.

Re:Go Figure (1)

goose-incarnated (1145029) | more than 2 years ago | (#36845880)

Up to a point, yes, but ... could simply be that their security was better at the time they got the insurance, and then deteriorated, in which case the insurance company can reasonably take issue with 100% liability.

As an analogy, for example, I insured my car at the beginning of the year when the tyres still had more than the minimum legally required tread depth. I've covered about 30000km since then, my tyres[1] are no longer street-legal. If I now get involved in an accident due to being unable to stop in time, my insurance would (quite reasonably) refuse to pay me 100% of the insured value.

The liability insurance is for my lack of judgement while driving. I will need different insurance (and possibly won't find any takers) if I want to insure against my lack of maintenance of the car.

[1] Tyres were replaced last week, before they wore below the minimum tread depth that is legally required

Re:Go Figure (1)

Nevo (690791) | more than 2 years ago | (#36846456)

Yes, but....

Most liability contracts have clauses that require the insured to take certain measures to reduce their risk. If this policy does contain such clauses, and Sony didn't take those measures, it certainly stands to reason that the policy won't pay out.

It all comes down to what the contract says. Since that contract hasn't (as far as I'm aware) been released, all we can do here is guess.

Zurich: Because shit happenz. (1)

tepples (727027) | more than 2 years ago | (#36845184)

I wonder how many Zurich American executives' kids were affected by the outage?

And I wonder how this might be worked into Zurich's next ad campaign. "Zurich: Because shit happenz."

Re:Go Figure (1)

LoverOfJoy (820058) | more than 2 years ago | (#36845718)

I think it would be funny if Lulzsec/Anonymous also hacked Zurich American for the lulz. Hopefully their security is better than Sony's

Re:Go Figure (0)

Anonymous Coward | more than 2 years ago | (#36846728)

You really think an insurer needs additional motivation to try to weasel out of paying? The fact that insurers don't like paying out is even more of a truism than lawyers loving money.

I'd hate to be the head of that company...... (1)

allaunjsilverfox2 (882195) | more than 2 years ago | (#36844392)

I mean, can you imagine the shareholders meeting? I get an image of a guy who has taken up drinking and is developing a bad ulcer. I doubt this will work, but it's still interesting that they try.

Re:I'd hate to be the head of that company...... (3, Insightful)

bluefoxlucid (723572) | more than 2 years ago | (#36844506)

Well, they have a valid case. It's going to get heard by a judge, for sure; this isn't some ridiculous "Oh we don't feel like holding up to our contract because it's bad for us today" kind of thing. What happened here is Sony took out insurance and then caused a massive problem leading to a massive claim through unimaginably gross negligence. It's like if you insure a car and then proceed to speed at 180mph and slam into shit ... your insurer will go, "Oh HELL no," and try to wiggle out of the claims. Often they have clauses that vaguely let them do so, on a good day; whereas basic neglect and driver failure will get them slapped around because that's what you're insured for.

Basically Sony did the equivalent of buying 100k/300k liability insurance and then organizing a massive illegal street race through a complicated course in the city. Gross, gross negligence. Now their insurers are going, "There is no way in Hell we should have to pay for this!" Sony looks like it didn't even try to secure its networks, just like someone running an Indy 500 on open roads looks like they've bought car insurance to avoid having to care about all the damage they know's going to eventually happen.

It's tricky, but it's good enough to get you a day in court. If you just show up like "Well we have a contract but we don't wanna pay..." the judge won't even hear your case.

Re:I'd hate to be the head of that company...... (1)

vegiVamp (518171) | more than 2 years ago | (#36845948)

Yes, but... Going 180 in your car is illegal, and you cannot insure yourself against your own willing illegal actions. While the insurance may manage to build a good case based off gross negligence, Sony didn't actually do anything strictly illegal, they were the victim of illegal action.

That being said, if you leave your car unlocked the insurance sure as hell isn't going to cough up for your stolen laptop - if there's no signs of breakage they'll claim negligence and not pay out.

The trick here is going to be proving that Sony was negligent with their security. This may run for a pretty long time while bureaucrats on both sides comb over tons of server logs.

Re:I'd hate to be the head of that company...... (1)

bluefoxlucid (723572) | more than 2 years ago | (#36846262)

If you're illegally speeding at 60 in a 30mph zone, insurance will typically pay out liability. As well, aggressive driving and the like. ... liability means you're at fault.

Gross negligence is different. In the event that your insurer can show that you weren't just irresponsible, but in fact engaged in such unreasonable behavior that it's patently absurd to leave the insurer to pick up the bill, the judge is probably going to want to hear this--and he'll probably look for a damn good reason to grant relief. You will offend the judge by showing up in his court room claiming that the insured was doing 60mph in a 45mph zone and you thus don't want to pay liability; but if the insured was staging a highly illegal street race--not down the back roads or something, but down open city streets, Tokyo Drift style, for a 40 mile circuit from one end of the city to another, through populated areas, at excessively high speeds--he will be very willing to put forth effort to weasel you out of paying for this shit, (hopefully) to the strict extent of the law (so too bad, you might have to cough up anyway).

The core argument here will be that Sony took out an insurance policy and then proceeded to cease to care about the well being of their clients. They became grossly and possibly criminally negligent, under the assumption that all negative effects of this would fall to the insurance company and thus that they paid to be freed of responsibility for their actions. Insurance will argue that Sony's actions were irresponsible, a public danger, and possibly illegal or fraudulent (depending on what security claims they made to the payment card industry, which actually cares about this sort of thing).

They may not have a legal leg to stand on; but they have enough of an argument for a judge to want to hear it. He might rule against it in the end, but he'll allow it to be heard in his court.

Re:I'd hate to be the head of that company...... (1)

Bengie (1121981) | more than 2 years ago | (#36847646)

Hopefully the contract has some sort of exit clause. I know my car insurance does. You do stupid shit and they don't have to cover.

Black-box shows you speeding, no coverage, no seat-belt on, no coverage. And many more examples.

One could even argue definitions of words. If your car insurance covers "accidents" and you're speeding, it may no longer be considered an "accident" as your speeding was deliberate.

Accident != Negligence

Just tossing around some ideas.

Re:I'd hate to be the head of that company...... (1)

TheRaven64 (641858) | more than 2 years ago | (#36848776)

But what are the insurers suing? You don't normally sue in order to not do something, you sue in order to make someone else do (or stop doing) something. Surely they should just be refusing to pay and inviting Sony to sue them...

Re:I'd hate to be the head of that company...... (1)

justsomebody (525308) | more than 2 years ago | (#36844764)

lol, in our country if you're drunk you automatically lose insurance in case of crash. and sony security was in the same state

Re:I'd hate to be the head of that company...... (0)

Anonymous Coward | more than 2 years ago | (#36844788)

The head of that company? Most definitely not. No matter how badly he screws up, he'll still get his bonus; and in the worst case a golden parachute.

From the company that brought you.. (5, Informative)

Superken7 (893292) | more than 2 years ago | (#36844420)

... the worst ever handled online security breach, here comes the plain-text captcha: http://pro.sony.com/bbsc/jsp/forms/generateCaptcha.jsp [sony.com]

Yes, you heard well. The captcha is not an image, but HTML text with CSS to distort the text style! That is how things must be done in Sony, that explains SO MUCH!

The headline is not surprising at all, IMHO.

Re:From the company that brought you.. (1)

Anonymous Coward | more than 2 years ago | (#36844478)

No. It's completely secure, they have disabled right-click menus, so you can't view the source. Nobody would be clever enough to get to see the source any other way.

Re:From the company that brought you.. (0)

Anonymous Coward | more than 2 years ago | (#36845860)

They also disabled text selection so you can't copy & paste the captcha. But you can copy & paste the source!

Re:From the company that brought you.. (1)

Satis (769614) | more than 2 years ago | (#36844492)

Oh man, that is absolutely classic. Thank you so much for finding that. I think you just made my day.

Re:From the company that brought you.. (1)

Wiarumas (919682) | more than 2 years ago | (#36844628)

I'm not sure if this is done out of ignorance or that things are so bad, a functioning captcha isn't going to make a difference. A bit of security theater while they tackle more fundamental issues? Either way it's hilariously pathetic.

Re:From the company that brought you.. (1)

justsomebody (525308) | more than 2 years ago | (#36844820)

things... are... that... bad

just remember
int getRandomNumber() { return(4); }

Re:From the company that brought you.. (1)

Inda (580031) | more than 2 years ago | (#36845248)

I thought "var somediv", in Sony's code towards the bottom, was the author's signature.

I still think the same.

Re:From the company that brought you.. (0)

Anonymous Coward | more than 2 years ago | (#36846452)

Hey, that was chosen by a fair dice roll, it's guaranteed to be random!

Re:From the company that brought you.. (3, Interesting)

tixxit (1107127) | more than 2 years ago | (#36845016)

Regardless if it is security theatre, the fact remains that there are lots of great, free, functional captcha generators out there they could've used instead. The fact that they made their own shitty captcha, rather than just saving time and money and reusing an existing library says more about their security policy than the actual ineffectiveness of the captcha itself.

Re:From the company that brought you.. (0)

Anonymous Coward | more than 2 years ago | (#36846022)

Not quite sure the blame totally lies on Sony.

Check the meta headers:

META name="GENERATOR" content="IBM Software Development Platform"

Re:From the company that brought you.. (1)

erroneus (253617) | more than 2 years ago | (#36844646)

This is hilarious!!! Javascript is disabled for me by default thanks to that noscript thing so I was able to see the source code without difficulty. What I saw in there was astounding.

Re:From the company that brought you.. (1)

todrules (882424) | more than 2 years ago | (#36844708)

Even if you have JS enabled, you can always view source just using the menu.

Re:From the company that brought you.. (0)

Anonymous Coward | more than 2 years ago | (#36845032)

I was able to freely right-click on the page, but not select the text. However, my context menu had as an option 'Search Google for "U R T E V"' - hopeless and hilarious

Re:From the company that brought you.. (1)

tepples (727027) | more than 2 years ago | (#36845144)

If your web browser even has menus. The way Firefox and Chrome are cutting down on user interface controls, it'll be harder and harder to view a page's source unless the user goes out of his way to install web developer extensions.

Re:From the company that brought you.. (1)

phatcabbage (986219) | more than 2 years ago | (#36845342)

Or you could just hit Ctrl-U from about any modern browser.
Or F12 in Chrome to bring up the included developer tools.

UI discoverability (1)

tepples (727027) | more than 2 years ago | (#36845374)

Ctrl-U [...] F12

Discoverable how?

Re:UI discoverability (1)

happylight (600739) | more than 2 years ago | (#36845494)

In the manual/help file.

I bet you don't read the manual before you drive your new car either.

Re:UI discoverability (1)

TheRaven64 (641858) | more than 2 years ago | (#36848814)

You really need to look up what a discoverable user interface is...

Re:UI discoverability (1)

vgerclover (1186893) | more than 2 years ago | (#36848678)

If you go to the only menu on Chrome, Tools, View Source, you'll see the shortcut too. Anyone who can't find it won't have much use to see the HTML source of any given webpage.

Re:UI discoverability (1)

vgerclover (1186893) | more than 2 years ago | (#36848706)

And let's not forget that you can right-click on the webpage and there it is, View Page Source.

Re:From the company that brought you.. (0)

Anonymous Coward | more than 2 years ago | (#36847772)

Just press the alt key.

Re:From the company that brought you.. (1)

Aladrin (926209) | more than 2 years ago | (#36844660)

It's also a perfect example of management asking for something they don't fully understand, and the developers providing them exactly what they asked for, rather than what they want or need. I would love to know the exact details that they asked for.

Re:From the company that brought you.. (1)

todrules (882424) | more than 2 years ago | (#36844692)

But they disabled right-click!! There's no way you can get past that! ...Oh, wait.

Re:From the company that brought you.. (1)

Baloroth (2370816) | more than 2 years ago | (#36844780)

Best part about this, as others mentioned, is that if you disable javascript, you can not only get to the right click menu, you can select/copy/paste the characters. In fact, I was able to do that even with Javascript in Opera. And then for the hell of it I removed the section disabling the right-click, which is conveniently labeled in the source, enabled Javascript, and right-clicked on the page. I just hacked Sony!

BTW, what do they actually use this for? Do they really use it for all their online signups? Not that I would be surprised, just wondering if anyone has a page where this is actually being used so I can laugh even more at Sony.

Re:From the company that brought you.. (0)

Anonymous Coward | more than 2 years ago | (#36845026)

I can't remember where, but I have seen it used. Sony really is that stupid.

Re:From the company that brought you.. (0)

Anonymous Coward | more than 2 years ago | (#36845788)

Most of the time norightclick stuff (if it relies on message boxes opening) can be defeated just by holding down ENTER while you click, it closes the message box before the menu opens, which makes the menu open normally.

Re:From the company that brought you.. (1)

mfh (56) | more than 2 years ago | (#36844886)

They are so incompetent. I would say, if I was a major stockholder at Sony, that it was time to fire everyone and start over. Rebrand, reimage and retool everything.

They have no enforced information policy, or if they do there is no accountability.

Re:From the company that brought you.. (1)

ledow (319597) | more than 2 years ago | (#36845124)

Oh, thank you, thank you, thank you. That's made my day, that has.

Some web programmer was pissed at them - he gave them exactly what they wanted in a way that completely defeated the original object of the exercise. Fabulous.

Re:From the company that brought you.. (1)

Imbrondir (2367812) | more than 2 years ago | (#36845506)

It's just Sony taking SEO very seriously ;)

Re:From the company that brought you.. (0)

Anonymous Coward | more than 2 years ago | (#36846396)

CTRL +A
CTRL +C
CTRL +V
Sony, are you even trying?

Re:From the company that brought you.. (1, Redundant)

Shompol (1690084) | more than 2 years ago | (#36846500)

That's amazing - I've got the same combination on my luggage!

        <b>T</b></span></td>
        <b>E</b></span></td>
        <b>L</b></span></td>
        <b>U</b></span></td>
        <b>G</b></span></td>

Re:From the company that brought you.. (0)

Anonymous Coward | more than 2 years ago | (#36847200)

Do you suppose all those people who use scripts to disable right-clicks and text selection and all that... do you suppose they've ever heard of ctrl-u?

I hate Sony (-1)

Anonymous Coward | more than 2 years ago | (#36844436)

Maybe they should stop making crappy laptops [youtube.com] and they'll get some sympathy from me...

Re:I hate Sony (1)

justsomebody (525308) | more than 2 years ago | (#36844938)

since you seem to judge laptop quality by GPU, you get my sympathy

Shouldn't have to pay. (2)

bioster (2042418) | more than 2 years ago | (#36844468)

Yeah, I don't think they should have to pay either. Even if the policy specifically covered digital attacks, Sony still would have had to do their due diligence. Most (all?) of the attacks I heard about were silly things Sony shouldn't have been vulnerable to, like SQL injections. This is an absolutely massive company, there is no excuse for not having proper penetration testing and security audits done on their sites, and making the insurance pay out in this case is kind of like trying to make insurance pay for a wheelbarrow of money you left on your front porch.

Re:Shouldn't have to pay. (1)

Oxford_Comma_Lover (1679530) | more than 2 years ago | (#36844522)

Yeah, I don't think they should have to pay either. Even if the policy specifically covered digital attacks, Sony still would have had to do their due diligence.

Most (all?) of the attacks I heard about were silly things Sony shouldn't have been vulnerable to, like SQL injections. This is an absolutely massive company, there is no excuse for not having proper penetration testing and security audits done on their sites, and making the insurance pay out in this case is kind of like trying to make insurance pay for a wheelbarrow of money you left on your front porch.

That would be so fun to do...

(Well, if you had other wheelbarrows.)

But If they're negligent... (4, Insightful)

AngryDeuce (2205124) | more than 2 years ago | (#36844534)

If Sony's issues were due to their own negligence in securing their network, why should the insurance company have to pay? If I'm driving drunk my insurance company isn't going to cover my car when I get into an accident, so why the hell should an insurance company cover this?

If Sony was a person this wouldn't even be a question...

Re:But If they're negligent... (0)

Anonymous Coward | more than 2 years ago | (#36844626)

depends, maybe the insurance was specifically for "doing stupid illegal shit". in that case the premiums would have had to be pretty big though. more reasonable insurance maybe covered things like some employee just going batshit insane and stealing some data.. but just doing a shoddy work doesn't really count as such.

Re:But If they're negligent... (0)

Anonymous Coward | more than 2 years ago | (#36844698)

The difference is your drunk driving is illegal, Sony, the target of hackers, isn't. When many major corporations and governments are also falling foul, Sony is not a special case.

This is just an insurance company trying to worm out of paying up. They all do it, and it's particularly prevalent in the US.

Re:But If they're negligent... (2)

AngryDeuce (2205124) | more than 2 years ago | (#36844830)

The difference is your drunk driving is illegal, Sony, the target of hackers, isn't.

Well, I think the case could be made that Sony was criminally negligent due to their lack of security (if I recall correctly, wasn't some of the customer data breached stored in plaintext completely unprotected on their servers?) and the fact that they're a multi-billion dollar organization that is in the industry, meaning they likely knew full well that they were cutting corners and leaving themselves open to these attacks, but I'm not sure if it could be proven beyond a doubt without a whistle-blower or leaked internal information.

It probably doesn't matter as the only way to really get to the bottom of this is for the people affected to get together and file a class action lawsuit against Sony, but I also seem to remember a ruling not long ago that basically gave major corporations the right to destroy any chance for a class action by including language forbidding them in their EULAs, so I doubt that will ever happen, but it should happen.

At the very least, the fact that Sony tried to squash this from getting out for 10 days or whatever before informing their customers that their credit card data had been compromised is extremely damning in itself. That in itself deserves a criminal negligence trial, if there exist any lawyers willing to take on a multibillion dollar corporation to prove it, that is.

Re:But If they're negligent... (1)

ZombieBraintrust (1685608) | more than 2 years ago | (#36845376)

Because it's liability insurance. Liability insurance pays out when you're sued or lose a lawsuit. It's specifically there for when you do something illegal or negligent. It doesn't protect against anything else.

Re:But If they're negligent... (1)

ZombieBraintrust (1685608) | more than 2 years ago | (#36845484)

A common example is your collision insurance. It pays out to the other driver when you run a red light and cause an accident. Or pull out in front of someone. These policies have limits though. Most don't pay out if you're drunk.

The fact that these hackers were able to hack other companies and governments will help Sony.

Re:But If they're negligent... (1)

Nevo (690791) | more than 2 years ago | (#36846552)

No, liability insurance pays out according to the terms of the contract.

If I were writing an insurance policy to protect a company against hacking, I'd sure as heck include clauses that require the insured party to take certain steps to protect that data. *If* such terms were part of the contract, and *if* Sony didn't abide by the terms of the contract, then the insurer isn't under any obligation to pay out.

It all comes down to: what were the terms of the policy? None of us knows that, so we're all just taking WAGs on this issue.

Re:But If they're negligent... (0)

Anonymous Coward | more than 2 years ago | (#36845390)

If you burn your house down by your own negligence, you're still covered by your fire insurance. Stupidity isn't a reason to deny coverage.

Whether Sony's lack of security was intentional or stupid might be up for debate, but I'd bet on stupidity more than insurance fraud purposes.

Posting AC 'cause I can't be bothered to log in :p

Re:But If they're negligent... (1)

leswt (1807216) | more than 2 years ago | (#36845724)

One issue is whether it is in the public interest to allow one to insure against this type of loss (gross negligence). Here is a question: should a company be allowed to have insurance against punitive damages? Again, a not-in-the-public-interest thing.

Re:But If they're negligent... (0)

Anonymous Coward | more than 2 years ago | (#36846078)

It is not whether they were negligent or by how much but what was the consequence of their negligence; Zurich argue they cover bodily injury and property damage, neither of which, they argue, has happened here and there is precedent for them. For a sad insurance broker like me, this will be an interesting story to follow.

Re:But If they're negligent... (2)

ZombieBraintrust (1685608) | more than 2 years ago | (#36846380)

It's really impossible to armchair lawyer this without the contracts.

Re:But If they're negligent... (1)

Jeng (926980) | more than 2 years ago | (#36846666)

Devil's advocate here.

Perhaps the insurance company should have had an audit done so that they would know what they were insuring.

When I get my car insured one of the things that the insurance company does is take pictures of my car so they know what they are insuring.

If the insurance company did not state how or to what degree the website was to be secured is it fair for them to say after the fact that they will not pay?

Insurance damage was not one I considered (4, Insightful)

erroneus (253617) | more than 2 years ago | (#36844548)

This makes me respect the attacks on Sony all the more. The attacks on Sony did more damage than the temporary breaches and outages. Those can be forgotten in a short time. But when insurance coverage is being denied, real and long-lasting damage has indeed occurred.

An insurance company will often deny coverage to parties who are risky. If a party engages in behavior that, for example, makes them a target of angry people, they are a higher risk. Sony has made many, many parties angry and in this case, they made themselves a target. What's more, they failed to improve security at any site or location that bears the Sony brand. This makes them more than risky, it makes them negligent.

I only wish "arrogance" were enough cause to raise insurance rates... but then again, insurance companies would all be uninsurable.

Re:Insurance damage was not one I considered (1)

mfh (56) | more than 2 years ago | (#36844864)

I only wish "arrogance" were enough cause to raise insurance rates... but then again, insurance companies would all be uninsurable.

No judge is going to throw out legally binding coverage. If Sony violated their insurance coverage that would be amazing. They have lost reputation here and that's invaluable. Not many people would trust them after this. They are seen everywhere as being largely incompetent.

This changes their business model. No longer are they going to be capable of running online shops, for example. Nobody is gonna shop there and they won't get insurance so it's gonna be a done deal.

Sony will be stuck manufacturing products for sale to resellers and that's going to be their limitation now. No more networking stuff for them. Just watch! :)

Re:Insurance damage was not one I considered (2)

jimicus (737525) | more than 2 years ago | (#36845094)

No judge is going to throw out legally binding coverage. If Sony violated their insurance coverage that would be amazing.

I'd be more surprised if Sony haven't violated their insurance coverage. As others have already said, virtually any insurance policy for any sort of risk - whether it's for your car, your home, your professional indemnity - includes a clause which essentially says that you're meant to take reasonable steps to minimise the risk of a claim happening in the first place.

It's entirely possible that a company the size of Sony might have been able to negotiate a special policy rather than getting stuck with the "take it or leave it" wording you or I would get, but I'd be surprised if the insurer would omit such a clause. IANAL, but in theory all the insurance company has to do is wheel out a few experts to testify that this many breaches suggest systemic negligence at a high level rather than one rogue department and Sony are stuck.

Re:Insurance damage was not one I considered (2)

mfh (56) | more than 2 years ago | (#36845152)

includes a clause which essentially says that you're meant to take reasonable steps to minimise the risk of a claim happening in the first place.

The judge in order to exercise due diligence is going to need to see records where the insurer took steps to monitor compliance. IANAL but I have seen this in my own business where the insurer has no case if they didn't try to check up and see if Sony was being compliant. Can you guess where that's gonna go?

Of course if Sony's legal team is as competent as their programming teams, then this will be open/shut for the insurer.

Re:Insurance damage was not one I considered (1)

AlecC (512609) | more than 2 years ago | (#36846032)

That is not the point. Zurich is claiming they never covered for cyberdamage, so it is irrelevant whether the security was good or not.

Re:Insurance damage was not one I considered (1)

cavreader (1903280) | more than 2 years ago | (#36844926)

Oh well, since this produced what you consider favorable results, let's just let the criminals decide if their cause is righteous enough to justify breaking the law. Debating the righteousness of a cause and using the results of that debate on an ad-hoc basis after a crime has been committed will just ensure that the laws will not be applied equally.

Re:Insurance damage was not one I considered (1)

erroneus (253617) | more than 2 years ago | (#36846842)

Technically, the founding fathers of the United States of America were treasonous criminals and should have been hanged.

There are unquestionably some forms of justice in this world that do not fit within the justice system.

Re:Insurance damage was not one I considered (0)

Anonymous Coward | more than 2 years ago | (#36846892)

ensure that the laws will not be applied equally.

Oh how quaint. This one believes that laws are for equal application. By definition laws exist to force one party to do something differently. Unequal pressure on one party never produces equality.

Re:Insurance damage was not one I considered (1)

cavreader (1903280) | more than 2 years ago | (#36847416)

Poor baby did someone hurt your feelings and treat you badly? Chances are you probably deserved it. Equality is an ongoing process not a static result.

Re:Insurance damage was not one I considered (0)

Anonymous Coward | more than 2 years ago | (#36846840)

An insurance company will often deny coverage to parties who are risky.

Well, to be precise, insurance is a game of statistics. Gambling in the most literal sense. A contract exists between insurer and insured to cover potential loss. Insurers make their money by calculating the odds of a payout and how big it would be and price the product accordingly. "Denied coverage" implies denied profit potential, so generally you'll get coverage if the odds are reasonably good that you won't make a claim - or at least an excessive one.

Of course, any non-zero risk carries the potential for payout, so insurance companies hedge their bets in a number of ways. One of the main ones is by pooling. Get a big enough, deep enough pool and you'll almost always be paying someone, but price the product right and the payments coming in will make up for the payments going out with room for investment and profits and you have a nice little cash engine going.

Unfortunately, not everyone remembers that. Thanks to precision analytics, insurance companies have been making smaller, shallower pools with the aim of maximum income with minimum payout. That may seem like good business, but too much efficiency is harmful. It's one of the primary reasons we've had this whole so-called "socialized medicine" debacle (too many people who can't get in an affordable pool). The flip side of such efficiency is "too big to fail", which we got when insurers and investors fine-tuned their resources so much that they provided an interlocking matrix so efficient that a failure could no longer be absorbed and instead produced a positive-feedback effect where one failure triggered the next.

But that doesn't matter here. Sony's insurers wrote policies based on reasonable efforts on Sony's part to keep a secure shop. When Sony failed to do so, they invalidated the actuarial data used to offer and price the policies, which is basically fraud when you do it deliberately or with wanton disregard.

Yeah, you really showed GeoHot, Sony! (1)

elrous0 (869638) | more than 2 years ago | (#36844612)

I guess that'll teach some punk to try to jailbreak one of your consoles!

Re:Yeah, you really showed GeoHot, Sony! (1)

hedwards (940851) | more than 2 years ago | (#36846996)

So pirates really are putting them out of business.

Interesting Precedent (0)

Anonymous Coward | more than 2 years ago | (#36845346)

This is going to actually result in some major changes as far as data security is handled and judged, I think. I mean, the legal system (at the moment) is rigged pretty heavily against consumers; arbitration requirements, class-action denials, and so forth mean that no matter how reckless you are with your data, they just really don't have to worry so much about a lawsuit coming from that end of the pipe. As long as their data security isn't so objectively awful that the government comes down to tear them a new one (...Which they rarely will, since they seem to need to pass a new law every time to make it so it 'won't happen again' and is thus unusable in the original incident due to Ex Post Facto restrictions), they were home free.

But an insurance company? Now you've got a Corporate Titan vs a Corporate Titan - in other words, an even playing field. And a single lawsuit with enough money in the balance for Sony to really, really need to win.

And win or lose, what we're going to get out of this, is SOME legal standard for 'required data security' with real penalties for breaching - if you go over this line, it's got an impact similar to losing a class action. Because that insurance company that was going to cover your losses for each case of damages, won't. This'll be a standard that companies will try to meet. And as said, even if they rule that Sony WASN'T negligent, they're going to come up with what is. I'm hoping for a verdict here instead of a settlement.

Re:Interesting Precedent (1)

Nevo (690791) | more than 2 years ago | (#36846614)

A very interesting point, and one on which I agree. To date, companies haven't cared much about cybersecurity because there's no fiscal benefit to spending all that money. This case may indeed change that.

April Fools (1)

wrightrocket (1664871) | more than 2 years ago | (#36845438)

When they removed Linux capabilities from the PS3 it was supposed to enhance security. April fools on them!

No Accountability (1)

Grand Facade (35180) | more than 2 years ago | (#36845574)

It's the corporate way...

It's just some silly data, what's the big deal?

All your $ are mine.

It's worth the investment for Zurich (0)

Anonymous Coward | more than 2 years ago | (#36845838)

This is just normal business practice.

Insurance companies are not "good guys" who look at the insurance policy and decide if they are obligated to pay on a large claim. They do not want to pay---period. They look at the policy and decide whether they would win or lose the lawsuit when you sue them to pay the claim. If the language of the policy is at all vague or unclear, even in the slightest respect, they will take the position that they are not obligated to pay. At that point they'll be running the math looking at the cost of a lawsuit and the likelihood of success.

In this case, Zurich looked at the probabilities of winning versus losing, the cost of the lawsuit, and the cost of paying Sony. They decided it made economic sense to spend a few million on lawyers to try and avoid paying a large claim. Like they say in the mafia movies: "It's not personal, it's just business."

It's a shell game (1)

Grand Facade (35180) | more than 2 years ago | (#36845862)

Sony = We're not responsible, someone illegally accessed your data.

Sony = We have insurance for that, collect from them >>>>

Insurance Co = (professional non-payer of fees, obfuscator and dragger of feet) We're not paying, Sony was criminally negligent. Go collect from them >>>>>

Sony = OMG! The government must protect us from the evil haxors and get your restitution from our insurance.

Insurance Co = Restitution shmestitution, it is us who got hurt here! The gov't must protect us from the evil haxors. We're not paying.

Lawyers = PROFIT!!!!

To clarify: (1)

AlecC (512609) | more than 2 years ago | (#36846004)

Zurich are not trying to get out because of Sony's gross negligence in their security. This is what the various drunk driving and lunatic driving analogies would imply.

From TFA, Zurich are saying 'it does not have to defend or indemnify Sony against any claims "asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general."' I.e. that the policy was never insurance against cyber-damage, but against property or personal damage caused by Sony's products. If Sony's products exploded, or polluted the environment, or jammed radios, Zurich would have to pay up. But they claim that the policy they sold was never intended to cover Sony's databases.

Grabs Captcha Text (1)

Anonymous Coward | more than 2 years ago | (#36846174)

( curl http://pro.sony.com/bbsc/jsp/forms/generateCaptcha.jsp 2>/dev/null | grep "<b>" | sed "s/[<>]/ /g" | awk '{printf($2)}'; echo )
