Sony Pictures Entertainment Inc. Data Protection Liability Insurance Summary August 31, 2012 to...

Sony Pictures Entertainment Inc.

Data Protection Liability

Insurance Summary

August 31, 2012 to August 31, 2013

Prepared by:

Lockton Companies

1

Phone: 646-572-7365Website: www.lockton.com

DISCLAIMER: This insurance summary is subject to the terms, conditions and limitations of the policy. Nothing contained herein should be construed as legal advise. It is provided as general advise only. Knowledgeable legal counsel should be consulted for any legal questions or interpretations.

2

Sony Pictures Entertainment Inc.Data Protection Liability

Insurance Summary

Organization: Sony Pictures Entertainment Inc. (“SPE”) and any Subsidiaries

Coverage: Data Protection Liability

Insurers: Primary: Lloyd’s of London (50/50 quota share with Brit Syndicate 2987 & Liberty Mutual Insurance Europe)

A.M. Best Rating: A XV

Excess: Lloyd’s of London (100% Beazley Syndicate 2623/623)A.M. Best Rating: A XV

Policy Period: August 31, 2012 to August 31, 2013

Limit of Liability: $20,000,000 Annual Aggregate Limit (Primary $10,000,000 Brit/Liberty / First Excess $10,000,000 excess of $10,000,000 Beazley). Coverage: A. Privacy Liability, Coverage B: Employee Privacy Liability, Coverage C: Privacy Regulatory Defense and Civil Penalties, Coverage D: Security Event Costs; and Coverage E. Security Liability.

Retention: $10,000,000 Each Claim

Retroactive Date: 31 August 2007, but 31 August 2011 in respect of the following: $19,000,000 excess of $1,000,000 in respect of Coverage C., Privacy Regulatory Defense and Civil Penalties, except Regulatory Compensatory Awards which have a retroactive date of 31 August 2007. $19,000,000 excess of $1,000,000 in respect of Coverage D.,Security Event Costs

Annual Premium: Primary Insurer: $350,000First Excess Insurer: $185,000

Policy Number: Primary Insurer: MEDTE1200695First Excess Insurer: MEDTE1200703

Extended Reporting Period: One year at 100% of the annual premium

Notice of Claim: If any claim is made against the Assured, the Named Assured’s Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Security Officer, Risk Manager, or General Counsel (or the functional equivalents of any of the foregoing) shall forward to the Underwriters as soon as practicable every demand, notice, summons or other process received by the Assured or its representative.

Brit Claims, Brit Syndicate 298755 Bishopsgate, London EC2N 3AS, UK [email protected]

Beazley, Attn: Beth Diamond, 1270 Avenue of the Americas, Suite 1200, New York, NY [email protected]

Notice of Circumstances: Written notice as soon as practicable with specific details – see the primary policy for the specific instructions

mailto:[email protected]

mailto:[email protected]

3


Insurance Summary

What is Covered?

A. PRIVACY LIABILITY The Underwriters shall pay on behalf of the Assured those amounts, in excess of the applicable retention, which the Assured is legally obligated to pay as damages and claims expenses resulting from a claim first made against any Assured and reported to Underwriters during the policy period or extended reporting period arising out of a privacy breach or the breach of privacy regulations by the Assured or others for whom the Assured is legally responsible, including outsourcers, business associates, and vendors, harming any third party who is not an employee of any Assured; provided such privacy breach or breach of privacy regulations takes place on or after the Retroactive Date and before the end of the policy period.

B. EMPLOYEE PRIVACY LIABILITY The Underwriters shall pay on behalf of the Assured those amounts, in excess of the applicable retention, which the Assured is legally obligated to pay as damages and claims expenses arising from a claim first made against any Assured and reported to Underwriters during the policy period or extended reporting period arising out of a privacy breach or the breach of privacy regulations by the Assured or others for whom the Assured is legally responsible, including outsourcers, business associates, and vendors, harming an employee of any Assured Organization; provided such privacy breach or breach of privacy regulations takes place on or after the Retroactive Date and before the end of the policy period.

LLC and Joint Venture Coverage Extension for Employee Privacy Liability is extended to pay damages and claims expenses arising from a claim(s) first made against any Assured and reported to Underwriters during the policy period or extended reporting period arising out of a privacy breach or the breach of privacy regulations by Limited Liability Companies and Joint Ventures where the Named Assured directly or indirectly owns more than fifty percent (50%) of the assets or outstanding voting shares or interests, on or after the Retroactive Date set forth and before the end of the policy period, harming an employee or employees of any Assured Organization.

C. PRIVACY REGULATORY DEFENSE AND CIVIL PENALTIES The Underwriters shall pay on behalf of the Assured those amounts up to the applicable sublimit of liability and in excess of the applicable retention, which the Assured is legally obligated to pay, including claims expenses, as a result of a civil regulatory action including a regulatory compensatory award, civil penalty or fine to the extent insurable by law imposed by a federal, state, or governmental regulatory body against any Assured and notified to Underwriters during the policy period or extended reporting period as a result of a privacy breach, security breach, or the breach of privacy regulations by the Assured or others for whom the Assured is legally responsible, including outsourcers, business associates, and vendors; provided such privacy breach, security breach, or breach of privacy regulations takes place on or after the Retroactive Date and before the end of the policy period.

4


Insurance Summary

D. SECURITY EVENT COSTS The Underwriters will reimburse the Assured for security event costs (up to the sublimit of liability of Coverage D. and in excess of the Coverage D. Retention) when such security event costs are incurred within twelve month(s) of the date that the Assured reports the security breach, privacy breach, or breach of privacy regulations to Underwriters (such report must be within the policy period) either to:

1. Comply with any statute, rule or regulation or under a judgment, settlement, consent decree, or other legal obligation, to notify the affected individuals of such security breach; or

2. Minimize harm to the Assured from a reputational damage event.

For clarification, the Assured may pay reasonable and necessary costs to comply with statutes, rules or regulations requiring notification without the Underwriter’s prior consent, but only for subparts 1 and 2 of the definition of security event costs. All other reasonable and necessary costs, as defined in subparts 3 and 4 of the definition of security event costs, require prior written consent by the Underwriters (such consent not to be unreasonably withheld).

In the event some of the individuals affected by the security breach, privacy breach, or breach of privacy regulations reside in countries, states, or provinces that do not have mandatory data breach notification laws or regulations, Underwriters will consider outside competent legal opinion that the entire group of individuals affected by the security breach, privacy breach, or breach of privacy regulations be notified. This will be considered as a voluntary notification, and all Security Event Costs are subject to the Underwriter’s prior written consent.

E. SECURITY LIABILITY The Underwriters shall pay on behalf of the Assured those amounts, in excess of the applicable retention, which the Assured is legally obligated to pay as damages and claims expenses arising from a claim first made against any Assured and reported to Underwriters during the policy period or extended reporting period that arises out of a security breach by the Assured or others for whom the Assured is legally responsible, including outsourcers, business associates or vendors; provided such security breach takes place on or after the Retroactive Date and before the end of the policy period, including the Assured’s actual or alleged: 2. the Assured’s actual or alleged security breach; 3. Failure to disclose a security breach affecting personally identifiable non-public information or failure

to dispose of such information within the required time period in violation of notification laws or regulations in effect now or in the future;

3. Transmission of malicious code from a computer system operated by or on behalf of the Assured to third party computers and systems;

4. Participation in a denial of service attacks against Internet sites or a computer system of a third party; and

5. Failure to develop and administer an identity theft prevention program or implement specific security practices required by governmental statute or regulation.

5


SummaryWho is Covered?

THE ASSURED AND THE ASSURED ORGANIZATION Assured shall mean: A. The Named Assured (Sony Pictures Entertainment Inc.) and any subsidiaries of the Named Assured

(together the Assured Organization); B. Any present or future officer or director of the Assured Organization, but only with respect to the

performance of his or her duties as such on behalf of the Assured Organization; C. Any present or future employee, including temporary, part-time or leased employee of the Assured

Organization, but only for work done while acting within the scope of his or her employment and related to the conduct of the Assured Organization’s business;

D. In the event that the Named Assured is a partnership, limited liability partnership, or limited liability company, any present or future general or managing partner, principal, or owner thereof, but only while acting within the scope of their duties as such;

E. Any person who previously qualified as an Assured under paragraphs B., C., or D. above prior to the termination of their relationship with the Assured Organization, but only with respect to the performance of his or her duties on behalf of the Assured Organization; and T

F. The estate, heirs, executors, administrators, assigns and legal representatives of any Assured in the event of any Assured’s death, incapacity, insolvency or bankruptcy, but only to the extent that such Assured would otherwise be provided coverage under this insurance.

Subsidiary means any entity while more than 50% of the outstanding securities representing the present right to vote for the election of such entity’s directors are owned by the Named Assured directly or indirectly, if such entity was so owned on the inception date of this policy; or 1. becomes so owned after the inception date of this policy, provided the revenues of the newly acquired entity do not exceed 15% of the Assured Organization’s annual revenues as set forth in their most recent audited financial statement; Or 2. becomes so owned after the inception date of this policy, provided that if the revenues of the newly acquired entity exceed 15% of the Assured Organization’s annual revenues as set forth in their most recent audited financial statement, the provisions of Section XI. G. must be fulfilled.

Important Definitions:

Claim means:

1.a written demand received by any Assured for monetary or non-monetary damages, or the service of a civil suit (including seeking injunctive relief, meaning a temporary restraining order or a preliminary or permanent injunction); 2. civil proceeding, including any alternative dispute resolution proceeding, for civil damages or civil relief, commenced by a complaint, demand for arbitration or similar pleading; and 3. with respect to coverage provided under Coverage C. Privacy Regulatory Defense and Civil Penalties only, a civil regulatory request for information, civil investigative demand or civil proceeding commenced by service of a complaint or similar proceeding.

6


SummaryImportant Definitions:

Credit protection services means a free credit report, identity theft protection insurance, credit consultation services including call center support, credit monitoring services, credit freezes or fraud alert services, or other credit restoration services for the affected individuals as appropriate. Credit protection services must be reasonable and necessary costs subject to the prior written consent by the Underwriters (such consent not to be unreasonably withheld). With respect to credit monitoring services, the Underwriters will reimburse only for one year of such costs for affected individuals who are at least eighteen years old, unless there is a rule, regulation, or statutory requirement requiring otherwise.

Damages means a monetary judgment, award or settlement, including: 1. Pre-judgment interest; 2. Post-judgment interest that accrues after entry of the judgment and before the Underwriters have

paid, offered to pay or deposited in court that part of the judgment within the applicable limit of liability;

3. subject to this policy’s terms, conditions, and exclusions, punitive, exemplary and multiple damages (where insurable by the applicable law that most favors coverage for such damages); and

4. with respect to coverage provided under Coverage C., regulatory compensatory award, civil fines or penalties to the extent insurable by law for a privacy breach, security breach, or violation of privacy regulations.

The definition of damages shall not include or mean: 5. Future profits, restitution, or disgorgement of profits by any Assured; or the cost to comply with

orders granting injunctive or non-monetary relief, including specific performance, or any agreement to provide such relief;

6. Return or offset of fees, charges, royalties, or commissions for goods or services already provided or contracted to be provided;

7. Liquidated damages pursuant to a contractual provision, fines or penalties (except as covered under Coverage C.);

8. Any amount which the Assured is not financially or legally obligated to pay; or 9. Matters that may be deemed uninsurable under the law pursuant to which this policy may be

construed.

Employee means any individual in the Assured Organization’s service, including any part-time, seasonal, and temporary employee, who is compensated by salary, wages, fees or commissions and over whom the Assured has the right to direct and control.

Privacy policy means the Assured’s policies in written or electronic form that govern the collection, dissemination, confidentiality, integrity, accuracy or availability of personally identifiable non-public information provided to the Assured’s employees or third parties.

7



Privacy regulations means the following statutes and regulations associated with the confidentiality, access, control or use of personally identifiable non-public information or personal healthcare information, including but not limited to: 1. Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), known as HIPAA, including Title II that requires protection of confidentiality and security of protected health information and the rules and regulations promulgated thereunder as they currently exist and as amended, including related or similar state medical privacy laws as they currently exist and as amended; 2. The Health Information Technology for Economic and Clinical Health Act (The HITECH Act) and its implementing regulations as they currently exist and as amended with regard to electronic protected health information; 3. Gramm-Leach-Bliley Act of 1999 (G-L-B), also known as the Financial Services Modernization Act of 1999, including sections concerning security protection and standards for customer records maintained by financial services companies, and the rules and regulations promulgated thereunder as they currently exist and as amended; 4. State Attorneys General and Federal Trade Commission enforcement actions regarding the security and privacy of consumer information; 5. Governmental privacy protection regulations or laws, such as California Database Protection Act of 2003 (previously called SB 1386), as they currently exist now or in the future, associated with the control and use of personal information, including but not limited to requirements to post privacy policies, adopt specific privacy controls, or inform customers of actual or suspected breaches of security that has or may impact their personal information; 6. Privacy provisions of consumer protection laws, such as the Fair Credit Reporting Act (FCRA) and the California Consumer Credit Reporting Agencies Act (CCCRAA); 7. Children’s Online Privacy Protection Act or similar laws as they exist now or in the future; 8. Governmental statute or regulation requiring the development of an identity theft prevention program and adoption of necessary actions to prevent identity theft including but not limited to Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003; and 9. EU Data Protection Act and other privacy and security laws, statutes, or regulations worldwide as they exist now or in the future.

Regulatory compensatory award means a sum of money which the Assured is legally obligated to pay or deposit as an award or fund for the affected individuals due to an adverse judgment or settlement of a privacy regulatory proceeding to the extent covered by Coverage C.

Reputational damage event means an event that has been caused by a privacy breach, security breach, or violation of privacy regulations, and such privacy breach, security breach, or violation of privacy regulations has or is likely to be publicized through any media channel, such as television, print media, radio or electronic networks, the Internet, and/or electronic mail, which could damage the Assured’s brand, reputation, or customer trust.

Security breach means an act, error, omission, neglect, or breach of duty to protect the security and confidentiality of non-public proprietary corporate information, personally identifiable non-public information in any form, or other confidential paper records or electronic information, including but not limited to any electronic or non-electronic security failures, failure to protect against anticipated threats or hazards, failure to protect against unauthorized access, use, exposure, or disclosure, physical theft of hardware or firmware, false communications or social engineering techniques designed to trick the user into surrendering personal information (known as “phishing” or “pharming”).

8



Security event costs means all reasonable and necessary fees, costs, and outside expenses incurred by the Assured in connection with a security breach, privacy breach or breach of privacy regulations, as stated herein: 1. Notification costs and related expenses that are incurred to comply with requirements of governmental statutes, rules or regulations, or incurred to minimize harm to the Assured from a reputational damage event, or as a result of a judgment, settlement, consent decree, or other legal obligation, including the services of an outside legal firm to determine the applicability of and actions necessary to comply with governmental statutes, rules or regulations; 2. Computer forensic costs of outside experts retained to determine the scope, cause, or extent of any theft or unauthorized disclosure of information, but such expenses will not include compensation, fees, benefits, or expenses of any Assured or any employee of the Assured; 3. Crisis management expenses for other legal services (beyond the legal services defined under 1. above), public relations, or other crisis management services performed by an outside specialist firm incurred as a result of a reputational damage event. Crisis management fees include reasonable and necessary fees charged by a third party, but shall not include compensation, fees, benefits, overhead, charges or expenses of any Assured or any employee of the Assured; and 4. Credit protection services for the affected individuals.

Major Exclusions:

Bodily Injury/Property Damages with exception for wrongful infliction of emotional distress or mental anguish arising out of an actual or alleged privacy breach, security breach, or breach of privacy regulations

Wrongful Employment Practices or any type of Discrimination Satellite failures, mechanical, electrical failures, interruptions including utilities etc. Acts of God For any actual or alleged breach of any express, implied, actual or constructive contract,

agreement, warranty, guarantee or promise, but this exclusion does not apply to: 1. Any liability or obligation an Assured would have in the absence of such contract or agreement; 2. The Assured’s indemnification in a contract with a customer or client for a security breach, privacy breach, or breach of privacy regulations committed by or on behalf of the Assured; and 3. A breach of the Assured’s privacy policy

Pollution, mold, mildew, radiation, nuclear, EMF’s etc. Any Securities laws and/or regulations RICO, ERISA, Antitrust Governmental enforcement of any laws except if covered under Coverage C. or a claim

alleging a failure to disclose a privacy breach or security breach in violation of data breach notification laws or regulations

False deceptive, unfair trade practices except if such claim is covered under Coverage C. IP Infringement, acts of war, claims covered under prior policies Dishonest, fraud, criminal actions subject to a final adjudication, judgment, binding

arbitration decision or conviction against the Assured or admission by the Assured, establishing such conduct, or a plea of nolo contendere or no contest regarding such conduct

Based upon any fine or penalty arising out of any agreement by the Assured to comply with or follow the PCI Standard or any Payment Card Company Rules; or implement, maintain or comply with any security measure(s) or standards related to any payment card data,

9


Summary

Endorsements:

Exclusion I is hereby amended to add the following: 4. Based upon or arising out of the LulzSec hacking attack on the Assured’s website which was first notified on June 8, 2011 to the policies in effect prior to the inception date of this policy.

It is understood and agreed that Section. V Exclusions is amended to add the following:

N. Based upon or alleging false light, intrusion of a person’s seclusion, breach of duty of confidentiality or invasion of privacy, that arises solely out of media content created or produced by the Assured.

O. Based upon or arising out of unauthorized interception or recording of images or sound in violation of any civil anti-wiretap statutes.

Additional Terms & Conditions:• Affirmative coverage for the failure to safeguard Third Party Intellectual Property Assets in

the care, custody and control of the Assured

Sony Pictures Entertainment Inc. Data Protection Liability Insurance Summary August 31, 2012 to...

Documents

Transcript of Sony Pictures Entertainment Inc. Data Protection Liability Insurance Summary August 31, 2012 to...