Why cyber insurers should prepare for a privacy claims wave

A person holding a smartphone whilst framed against a wall bearing Facebook Inc.s 'Thumbs Up' symbol
A woman stands holding her smartphone whilst framed against a wall bearing Facebook Inc.s 'Thumbs Up' symbol in this arranged photograph in London on Dec. 23, 2015.
Chris Ratcliffe/Bloomberg

A recent storm of privacy class action lawsuits and regulatory actions are hitting hospitals, financial services companies, national retailers, and online service providers. Cyber insurers, attorneys, and forensic firms are suddenly swamped with cyber claims stemming from class action lawsuits and enforcement actions. Once seen as a low-risk cyber coverage area, cyber underwriters and claims teams are now scrambling to address the growing data privacy risks in their books.

In just the past six months there has been a flood of data privacy lawsuits and enforcement actions impacting cyber insurers' policies. Allegations include:

  • Restaurants sharing customers' online video-watching behavior with social media networks. 
  • Online tax services providers sharing data with the Meta Pixel on tax preparations websites. 
  • Hospitals and telehealth services sharing patient data with Facebook and other social media networks.
  • Online session replay tools that record site visitors' behavior, prompting plaintiffs' attorneys to allege violations of wiretapping laws. 

While many insurers are all too familiar with cybercrime claims, business interruption, and data breach notification issues, these new online privacy issues require an entirely new set of response activities and costs. The allegations are often focused on the intricacies of online tracking technologies…JavaScript, pixels, cookies, session replay. In addition, complexities of privacy policies, state privacy regulations, and online consent management tools add further complications. Then, at the center of it all, is understanding what data is alleged to have been shared and how it can be confirmed.

Thus, the insurance claims team must now coordinate a group of privacy attorneys, IT forensics firms, and executives within the insured's organization to understand how the website, the trackers, the data, and the third parties all conspired to create these alleged violations.

In light of these growing claims, some cyber underwriters are adding exclusions for coverage. Others, eager to build their customer relationships, are looking for opportunities to underwrite with greater intelligence about these privacy risks. 

A web privacy economy is growing today

Today, a new data privacy ecosystem of insurers, attorneys, regulators, tech service providers, forensic firms, PR agencies and consultants are being fueled by growing privacy threats. Whether providing proactive services or responding to litigation, every company that has a website is working through complex privacy requirements and striving to make their web operations compliant.

Individual state laws continue to evolve creating a difficult patchwork of regulations that add complexity to an already challenging compliance environment. In the U.S., federal regulators and state legislatures are implementing new laws, encouraging plaintiff attorneys to pursue class action lawsuits. This, in turn, drives insurers to create coverage for these new risks that their policyholders will face. 

New insurtech companies are creating tools to help provide intelligence to insurers during underwriting, while also creating better software for companies to not only comply with the new laws, but also mitigate the risk on their end. All the while, everyone in the 'privacy economy' is seeking to learn more about the risks and how to protect themselves.

Cyber insurers need privacy risk intelligence 

Insurers, having learned from the ransomware and cybercrime waves of the past, are getting proactive about building intelligent underwriting tools that can help them assess privacy risk prior to issuing coverage. And, likely, they will be adding new tools to help their clients mitigate risks as well. 

For many years, the focus for cyber insurers has been on IT and the growing role of the Chief Information Security Officer (CISO). Insurers and security professionals have been working together to help close the gap when it comes to intelligent underwriting. Similarly, it is now the Chief Privacy Officer (CPO), the Chief Marketing Officer (CMO) and the CISO that will need to collaborate with brokers and underwriters to enable more privacy intelligence and risk management.

Online privacy in the spotlight

Perhaps 2023 will be seen as the start of the revolution. Not only is the regulatory environment ripe, but consumers are also more aware than ever before due to constant spam, scams, tax fraud, cyberbullying and identity theft. New data privacy legislation has already been enacted in five states (California, Colorado, Connecticut, Utah and Virginia). 

The cyber insurance industry has been a leader in helping companies adopt new technologies and practices to fight ransomware and cybercrime. This year, we look to cyber insurance leaders to take up the cause for online privacy, encourage compliance, and ultimately help companies protect their customers' valuable personal information.

For reprint and licensing requests for this article, click here.
Data privacy Insurtech Cyber security Websites Data privacy rules Election 2024
MORE FROM DIGITAL INSURANCE