By: Rory Eric Jurman and Avery A. Dial
In recent years, there have been several notable large data breaches that have caught the attention of the media. Home Depot and Target are examples of major corporations that have been hacked. You may also remember that external hackers breached Sony’s Playstation network in 2011 and obtained personally identifiable information from over 77 million people.
In late 2014, another Sony company, Sony Pictures Entertainment, was hacked in what some are calling the worst corporate data breach in history. A hacker group known as Guardians of Peace (“GOP”) gained access to mountains of data including embarrassing, sensitive and valuable employee emails, HR information, and intellectual property. The FBI concluded that GOP is associated with the government of North Korea. Further, President Obama, in an executive order sanctioning North Korea, found that North Korea’s “destructive, coercive cyber-related actions during November and December 2014 [inter alia] constitute a continuing threat to the national security, foreign policy, and economy of the United States.”
One of the distinctions between the 2011 Sony Playstation Network attack and the 2014 Sony Pictures attack is that The 2014 hack of Sony Pictures is widely thought to be a terrorist attack, carried out by the government of North Korea as show of force to stop the release of the Sony Pictures comedy, The Interview, which depicts the assassination of North Korean “Supreme Leader” Kim Jong-un. After the hack and release of information obtained from Sony, GOP threatened further, presumably physical attacks, similar to September 11, 2001, to theatres showing the movie.
After the actual September, 11, 2001 attacks on the World Trade Center in New York, insurers began crafting a terrorism exclusion. The terrorism exclusion was born in an era that that perceived a terrorist attack as something similar to a plane crashing into a building. While we still live with the possibility of destruction of physical property and human life as a form of terrorist attack, as the recent Sony Pictures hack has shown, hacking and data breaches can be also be terrorist acts. Rather than making a statement by being the proverbial bull in a china shop, rogue actors can now forward their political agendas "undercover of the night." How do we reconcile the terrorism exclusion born of the “September 11” era with the changing face of terrorism today?
II. An Example of Application of a Terrorism Exclusion
Johnson v. PPI Technology Services, L.P.
Although not a hacking case, in Johnson v. PPI Technology Services, L.P., 2013 WL 6665996 (E.D. LA 2013), the Eastern District of Louisiana analyzed a terrorism exclusion. In PPI, James Johnson and Robert Croke, were injured when armed gunmen attacked an oil rig platform off the coast of Nigeria on which they were working. Both men were shot. Croke was additionally kidnapped, tortured and taken to a camp where he was held until he was rescued by a helicopter raid. Both men brought claims under the Jones Act against PPI.
PPI filed a third party complaint against The Insurance Company of the State of Pennsylvania (“ISOP”) for denial of coverage under a Foreign Commercial Policy Package. One of the reasons for denial was a terrorism exclusion that excluded coverage for “[b]odily injury [ ... ] arising directly or indirectly as a result of or in connection with terrorism including, but not limited to, any contemporaneous or ensuing bodily injury [ ... ] caused by fire, looting or theft.”
“Terrorism” was defined in the ISOP policy as:
the use or threatened use of force or violence against persons or property, or commission of an act dangerous to human life or property, or commission of an act that interferes with or disrupts an electronic communication system, undertaken by any person or group, whether or not acting on behalf of or in connection with any organization, government, power, authority or military force when the effect is to intimidate or coerce a government, the civilian population or any segment thereof, or to disrupt any segment of the economy.
It was clear that this incident involved use of violence undertaken by a group of people. Accordingly, whether the Terrorism exclusion applied turned on whether the acts of the gunmen “had the effect of intimidating or coercing a segment of the civilian population or disrupting a segment of the economy.” ISOP argued that the acts terrorized the civilian crew and disrupted operations of an oil rig for several days, thus hitting both prongs.
Conversely PPI argued that the gunmen were not terrorists. Rather, they were just ordinary robbers. Also, PPI argued that that fact regarding rig operations was not included in the original complaints and should not have not have been raised at that point in the litigation. Finally, PPI argued that undefined terms in the exclusion such as “population” and “economy” made it ambiguous.
The US District Court in the Eastern District of Louisiana found that the exclusion did not apply because the gunmen’s actions could be interpreted either as intimidating and coercing a section of the population and disrupting the economy or could be interpreted as an act for pecuniary gain that only had an effect upon the people on the vessel, who do not represent a “segment” of the civilian population.
Because the act could be interpreted both ways, the court chose to err in favor of coverage, declaring that the exclusion did not apply . Although not expressly stated in the case, it appears that PPI’s ambiguity argument was effective because if “population” or “economy” were defined then the court may not have found the acts subject to two different interpretations.
III. Applying a traditional Terrorism Exclusion to the Sony Pictures Attack
The Sony Pictures hack seems as if it would trigger a traditional terrorism exclusion under the facts of the attack as they are commonly understood at this point in time. GOP “disrupt[ed] an electronic communication system” and “threatened use of force or violence.” By executive order of the President, GOP’s actions threatened the “economy” of the United States. GOP caused a cancelled, then delayed, then limited, release of a feature film that was going to be released nationally from a major studio. The attack was politically motivated and orchestrated by a country declared to be a part of the “Axis of Evil” with an apparent purpose of punishing Sony for producing The Interview and to stop Sony from releasing the movie.
According to the FBI, GOP is an agent of North Korea. The purpose of the attack was clearly intended to stop a film that may have a negative portrayal of Kim Jong-un. Therefore, GOP is not a group of ordinary robbers and dissimilar to the crew of rogue gunmen in the PPI case. None of the ambiguity present in the facts of PPI is present in the Sony Pictures hack. Arguably, coverage for the 2014 attack could be properly excluded by a Terrorism Exclusion.
Terrorism Exclusions are often overlooked. Most business owners do not recognize a need for insurance that would cover them in the case of a terrorist attack because, at least in the United States, terrorist attacks are rare. However, in the information age, terrorists will attack using new methods and new targets. Sony Pictures is not a defense contractor. It is an entertainment company.
Given the fact that many of the sophisticated hacker groups are considered to be “terrorists” by law enforcement, a data breach at your company could also trigger a Terrorism Exclusion if other factors are present. Make sure that, at least with regard to your cyber and data breach policies, you have coverage for possible terrorism, before, as the Rolling Stones forewarned, you get hit by terrorists, out of sight, and Undercover of the Night.
 You may remember that North Korea was one of the nations George W. Bush declared to be a part of the “Axis of Evil.”
 There were other exclusions analyzed in PPI. However, since this paper is only focused on the Terrorism Exclusion, they are not discussed here.
 This paper does not analyze whether Sony would be eligible for assistance under the Terrorism Risk Insurance Program ("TRIP").In general, a person or entity affected by an official terrorist act may apply to the government for assistance.The Terrorism Risk Insurance Program was recently renewed until 2020.However, in order to be eligible for funding under TRIP, the act causing the loss must be certified as terrorism by the Secretary of the Treasury, in consultation with the Secretary of Homeland Security, and the U.S. Attorney General.Because TRIP requires a pronouncement of the Secretary of the Treasury, an act arguably could fall short of being an act of terrorism under TRIP but still trigger a traditional terrorism exclusion, leaving a business with no remedy.