As company directors and security teams race to meet the new cybersecurity disclosure rules from the Securities and Exchange Commission (SEC), claims arising from the mishandling of protected personally identifiable information (PII) could rival the cost of ransomware attacks, warns David Anderson, vice president of cyber liability at Woodruff Sawyer, a national insurance brokerage.
While privacy claims take years to work their way through the legal process, “losses are generally just as catastrophic over the course of three to five years as a ransomware claim is over the course of three to five days,” he says.
In a presentation focused on litigation trends in 2024, Dan Burke, senior vice president and national cyber practice leader at Woodruff Sawyer, noted: “Pixel tracking allegations are the latest target for the plaintiffs’ bar: to go after companies that track website activity across pixels on the screen without obtaining appropriate consent.”
Allegations like that may be why 31% of cyber insurers in a Woodruff Sawyer survey chose privacy as their top concern for 2024, second only to ransomware, chosen by 63% of respondents.
Privacy is a business issue
James Tuplin, senior vice president and international cyber lead at Mosaic Insurance, agrees that insurers will be taking a much closer look at privacy trends this year. It often takes five to seven years for privacy disputes to reach the courts, he confirms, meaning 2024 will see the culmination of privacy cases filed between 2017 and 2019, the period in which many countries and US states began to pass new privacy laws. For example, the European Union’s General Data Protection Regulation (GDPR) went into effect in 2018, so these cases include some of the first alleged violations of the GDPR.
For the insurer, however, the payout for privacy claims may not be as damaging because “underwriters have a lot of time to play with their capital as losses reach final resolution,” Anderson explains. Insurers earn a return on the reserves they hold while claims work their way through negotiation and litigation, which softens the eventual payout.
While boards typically have knowledgeable privacy advisors, they still tend to view privacy as an IT issue rather than a business issue, Tuplin says. Some regulators, including the SEC, are putting CISOs in the crosshairs of regulations even though CISOs often do not control budgets or have the authority to fix every cybersecurity problem, he adds.
Monitoring privacy laws
One reason privacy has become a challenge for boards and security teams is that in many cases organizations don’t know what kind of data they’re collecting or where that data resides, notes Sherri Davidoff, founder and CEO of LMG Security. Companies tend to accumulate data as a resource rather than treating it as a hazardous material, she says.
“It’s like nuclear waste,” she says. “The more data you have, the greater risk you run.”
Companies need to do a better job of deleting data, especially PII, that could trigger a regulatory or legal violation if it ends up in the wrong hands. Although security experts have been telling companies for years that they need to know what data they have and where it is located, many companies, including those subject to rigorous regulatory scrutiny, still do a poor job of classifying their data and identifying where all of it lives, she says.
Another big challenge many companies face is that they don’t keep track of all the privacy laws and regulatory requirements that apply to the data they hold. Understanding the landscape of US data privacy legislation is hard enough, but it gets even more challenging when you consider that almost every state has its own laws dealing specifically with medical records and children’s data. Furthermore, organizations that hold personal information on individuals in the EU must also comply with the GDPR. Companies operating in other countries should have legal counsel review the laws of each country in which they operate to ensure they comply with those privacy laws.
Small mistake = big loss
Many companies think that if they comply with the applicable regulations, adhere to state laws, and carry cyber insurance, then they are good to go.
“This, in fact, is not enough,” says Michelle Schaap, who leads the privacy and data security practice at the law firm Chiesa Shahinian & Giantomasi (CSG Law). “While it may be enough to protect yourself from a consumer lawsuit or legal action by attorneys general or another enforcement agency against the compromised entity, there are other considerations.”
What might seem like a minor infraction, such as failing to fully live up to a posted privacy policy, could trigger fines for multiple regulatory violations.
“It’s a deceptive business practice,” Schaap says. “If you’re saying you’re doing
Another example of a seemingly minor infraction that corporate security teams might overlook, but that could generate a compliance or legal violation, is a simple opt-out request. When a consumer asks a business to remove them from an email list, the laws of some states require the request to be honored for every email address the requester uses, not just the address the request came from. A company that believes it is compliant may therefore not be compliant in every state in which it operates. Misrepresenting your compliance with privacy laws could also result in an insurance claim being denied.
To close compliance gaps they may not even be aware of, Schaap recommends that companies take advantage of any help their cyber insurer provides, such as security plans and tabletop exercises, to stay on the right side of the regulations and keep their policies in good standing.
This is not just theoretical. In 2022, a company falsely stated on its cyber insurance application that it used multi-factor authentication. Its insurer, Travelers, sued the company; the policy was ultimately rescinded and the claim denied, and the premiums the company had paid were not returned.