As corporate directors and security teams scramble to ensure they meet the Securities and Exchange Commission's (SEC) new cybersecurity regulations, claims due to mishandling protected personally identifiable information (PII) could rival the cost of ransomware attacks, warns David Anderson, vice president of cyber liability at Woodruff Sawyer, a national insurance brokerage.
While privacy claims take years to work their way through the legal process, "losses are generally just as catastrophic over the course of three to five years as a ransomware claim is over the course of three to five days," he says.
In a presentation focusing on 2024 litigation trends, Dan Burke, senior vice president and national cyber practice leader at Woodruff Sawyer, noted, "Pixel-tracking claims are the latest target for the plaintiffs' bar — going after companies tracking website activity through pixels on the screen without obtaining proper consent."
Activities like that could be why 31% of cyber insurance underwriters in a Woodruff Sawyer survey picked privacy as their top concern for 2024 — second only to ransomware, chosen by 63% of respondents.
Privacy Is a Business Issue
James Tuplin, senior vice president and head of international cyber at Mosaic Insurance, agrees that underwriters will be taking a much closer look at privacy trends this year. It often takes five to seven years for privacy litigation to work through the courts, he confirms, which means 2024 will see the culmination of privacy cases filed in 2017 to 2019 — before many countries and US states began passing new privacy laws. For example, the European Union's General Data Protection Regulation (GDPR) went into effect in 2018, so these cases represent initial GDPR violations.
For the insurer, however, the payout for privacy claims may not be as large because the "underwriters have a long time to play with their capital while those losses build to their final resolution," Anderson explains. That's because insurers retain the interest earned on funds held in escrow while claims work their way through negotiations and litigation.
While boards of directors generally have capable advisors on privacy, boards still tend to think of privacy issues as an IT matter rather than a business matter, Tuplin says. Some regulators, including the SEC, are putting CISOs in the crosshairs of regulations even though they do not control the budgets or have the authority to solve all cybersecurity issues, he adds.
Tracking Privacy Laws
Among the reasons privacy has become challenging to boards and security teams is that in many cases, organizations do not know what kinds of data they are collecting and where that data resides, notes Sherri Davidoff, founder and CEO at LMG Security. Companies tend to hoard data as an asset rather than considering it as a hazardous material, she says.
"It's like nuclear waste," she says. "The more data you have, the more risk you have."
Enterprises need to do a better job of eliminating data — PII, in particular — that could trigger a regulatory or legal violation should the data fall into the wrong hands. While security pundits have been telling companies for years that they need to know what data they have and where it is located, many companies, including those subject to strict regulatory oversight, often do a poor job of classifying and identifying the locations of all of their data, she says.
Another major challenge many firms face is that they do not track all of the privacy laws and regulatory requirements that apply to the data they hold. Understanding the US data privacy law landscape is difficult enough, but it becomes more challenging when one considers that nearly every state has unique laws dealing specifically with health records and children's data. Additionally, organizations that hold PII on European Union citizens must also comply with the GDPR. Companies operating in other countries need legal counsel to review the privacy laws of every country in which they do business to ensure they meet those requirements.
Small Error = Big Loss
Many companies think that if they comply with the various regulations, adhere to state laws, and have cyber insurance, then they are all set.
"That is not, in fact, enough," says Michelle Schaap, who leads the privacy and data security practice at law firm Chiesa Shahinian & Giantomasi (CSG Law). "While it might be sufficient to protect against a consumer's suit or legal action from attorney generals' or another enforcement agency's action against the compromised entity, there are other considerations."
What might seem like a minor infraction — such as not following through completely on a posted privacy policy — could trigger multiple regulatory violation fines.
"It's a deceptive trade practice," Schaap says. "If you're saying you are doing X and, in fact, you're not, that becomes the first count in the FTC claim. Each state has their own little FTC laws, or consumer protection laws."
Another example of what might seem to be a minor infraction that corporate security teams could overlook but which could generate a compliance or legal violation is a simple opt-out request. When a consumer asks a company to be taken off a mailing list, the request needs to cover all email addresses the requester uses in order to comply with all state laws. Thus, even if a company says it is compliant with the law, it might not be compliant for all of the states in which it operates. Misstating its adherence to privacy laws could trigger the denial of an insurance claim.
To fill some of these compliance holes they might not even know about, Schaap recommends that companies take advantage of any help their cyber insurer provides, such as security tabletop and other exercises, to stay on the right side of regulations and keep their policies in good stead.
This isn't just theoretical. In 2022, a company misstated its use of multifactor authentication on its insurance application questionnaire. The cyber insurance carrier, Travelers, sued the company, ultimately keeping the premiums the company paid despite canceling the cyber insurance policy — and denying the claim.