Cyber Risk: How the 2011 Sony Data Breach and the Need for Cyber Risk Insurance Policies Should Direct the Federal Response to Rising Data Breaches


In 2011, a number of high-profile data breaches made national news. Companies such as Epsilon Data Management and Nasdaq experienced data breaches that posed serious risks to their business operations. Total data loss incidents numbered in the hundreds, and multiple incidents involved millions of records.

Of all the data breaches in 2011, the string of data breaches that plagued Sony Corporation was arguably the most high-profile. Sony made headlines for breaches of its PlayStation Network and Qriocity services in April as hackers accessed Sony's clients' personal information.

As news spread of the mounting data breaches hitting Sony, an ancillary issue involving Sony's insurance coverage surfaced. Zurich American Insurance Company, one of Sony's insurers, filed suit in New York state court asking the court for a release from any duty to defend or indemnify Sony as to claims surrounding the data breaches. The suit brought to light the growing realization among businesses that traditional commercial liability policies will not cover damages and other costs incurred as a result of a data breach. To fill the void of coverage under traditional commercial liability policies, insurance companies are now offering alternative specialty products, often referred to as "cyber risk" policies.

The Sony data breaches and other data privacy issues have inspired a renewed and forceful discussion among privacy advocates, practitioners, and politicians on what role government should play in regulating how companies and organizations protect data. At least some observers believe insurance should play some role in this discussion. Part II of this Note will review the Sony data breach to highlight the growing risks to businesses and organizations in storing electronic data, and the current and proposed governmental response. Part III will discuss why the inadequacy of traditional general commercial liability insurance policies in covering claims related to data storage has made new cyber risk insurance policies necessary for entities subject to cyber risk. Lastly, Part IV will call for governmental action in facilitating the expansion of cyber risk policies through incentives and infrastructure building to solve the coverage gap plaguing U.S. businesses and organizations.


cyber risk, data breach, Sony data, costs of data breaches, hacking, cyber-security legislation, cyber risk policies



Lance Bonner (Washington University School of Law)






All rights reserved
