Inflation may be bad these days, but the cost of improper use of web-based advertising and marketing technology (adtech and martech) has gone through the roof. Privacy-related lawsuits have cost Facebook $650M, T-Mobile $350M, TikTok $92M, and Zoom $85M. While large organizations are paying enormous settlements, fines and penalties, smaller organizations are also at risk, facing unexpected lawsuits over tracking technologies on their websites that they may not even know about.
In addition to class action suits, these privacy risks are also triggering significantly increased regulatory scrutiny. The Federal Trade Commission (FTC) and the Department of Health and Human Services Office for Civil Rights (OCR) have defined the tracking, collecting, and sharing of individuals' sensitive information as a data breach. As just one recent example, the FTC imposed a $1.5M penalty on GoodRx after bringing an enforcement action over the unauthorized sharing of medical data with Facebook and Google, among others.[i]
Reducing the Risk to Cyber Insurers and Insureds
When CyRisk observed this dramatic rise in privacy-related lawsuits and enforcement actions being brought against policyholders, we immediately took action, putting tools in the hands of underwriters and their clients to enable them to identify, evaluate and mitigate these risks. Website owners can be held liable for unlawful data collection, even when their websites are created and managed by third parties. In addition to settlement payouts, legal fees and breach notification costs, federal and state regulators are imposing substantial fines. Organizations are also being penalized with negative publicity that harms their reputation and profitability.
Web Tracking Technologies
There are several web tracking technologies used by websites for a variety of purposes. Some identify users on a website, track their behavior on the site for usability improvements, and provide information about users across different advertising networks and social media sites. These technologies include:
Session Replay software records and visualizes user interaction with a website or application, including clicks, movements, and time spent, for internet marketing and user behavior research. While the intention is to improve user experience, these tools have resulted in class action lawsuits citing state wiretapping law violations, including CIPA, FSCA, and WESCA.[ii]
Keyloggers and Keystroke Capture software may collect data users enter from website form entries. Keystroke capture can be used for employee monitoring or to save user data for later use. Using Keystroke Capture software without consent may violate federal laws like the Stored Communications Act and Federal Wiretap Act (amended by the Electronic Communications Privacy Act), as well as state wiretapping laws.
Ad trackers are embedded in websites to collect user data for deeper analysis, so it's important to know which ones are used, what data they collect, where it's sent, and how it's utilized. Ad trackers deliver ads that can obscure pages, link to phishing sites, and collect user data for marketing purposes or sale to third parties, which can violate data privacy laws and can be considered a data breach.
Third Party Cookies
Third Party Cookies are set in a visitor's web browser by a domain other than the one currently being visited. The use of third-party cookies requires opt-in consent under the GDPR and opt-out consent under the CCPA, and their non-compliant use can result in a data breach, as they are considered non-essential under global data privacy laws.
Canvas Fingerprinting uniquely identifies users' browsers by randomly drawing graphics using the HTML5 Canvas element instead of placing cookies. Canvas Fingerprinting collects personal data about website visitors and creates a highly accurate and personalized digital fingerprint of their browser, which can be viewed as a data breach for non-compliant use; while it is a unique personal identifier under CCPA, it is legal in Europe provided website owners obtain user consent before tracking them.
Remarketing Analytics creates lists of website visitors based on behavior such as pages viewed and location, which are shared with an ad platform to display targeted ads and re-engage visitors likely to convert. Google Analytics Remarketing is considered a "sale" of personal data under CCPA/CPRA, and businesses must offer opt-out consent for cross-contextual behavioral advertising; under GDPR, it likely constitutes an illegal transfer of data to the United States.
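To show how the presence of these technologies can be surfaced from a page's own HTML and cookies, here is a small audit routine (an added example, not CyRisk's Privacy Risk Detection feature or any vendor's scanner). It runs over a constructed sample page and constructed Set-Cookie headers; the domains and cookie names are hypothetical. It flags third-party scripts, 1x1 tracking pixels, third-party cookies, and inline code that draws into a canvas and reads it back, the canvas-fingerprinting pattern described above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: a clinic page loading a third-party script, a 1x1 pixel
# and an inline canvas-fingerprinting routine (hypothetical domains).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-clinic.com/app.js"></script>
<script src="https://static.replay-vendor.example/recorder.js"></script>
<script>var c=document.createElement('canvas');c.getContext('2d').fillText('fp',2,2);
var id=c.toDataURL();</script>
</head><body><img src="https://tracker.example/px.gif?id=1" width="1" height="1"></body></html>"""
# Constructed Set-Cookie headers as a scanner would record them (hypothetical values).
SAMPLE_COOKIES = ["session=abc; Domain=example-clinic.com; Path=/; Secure; HttpOnly",
                  "_tr=xyz; Domain=.tracker.example; Path=/; SameSite=None; Secure"]
class _Collector(HTMLParser):
    # Collects external script URLs, inline script text and 1x1 image pixels.
    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline, self.pixels, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.pixels.append(a.get("src", ""))
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)
def is_third_party(host, first_party):
    # Third-party unless it is the site's own domain or a subdomain of it.
    return not (host == first_party or host.endswith("." + first_party))
def cookie_domain(set_cookie, default):
    # Domain attribute of a Set-Cookie header; host-only cookies fall back to default.
    for part in set_cookie.split(";")[1:]:
        k, _, v = part.strip().partition("=")
        if k.lower() == "domain":
            return v.lstrip(".").lower()
    return default
def audit(html, set_cookies, first_party):
    p = _Collector(); p.feed(html)
    host = lambda u: (urlparse(u).hostname or "").lower()
    inline = "".join(p.inline)
    return {
        "third_party_scripts": [u for u in p.script_srcs if is_third_party(host(u), first_party)],
        "tracking_pixels": [u for u in p.pixels if is_third_party(host(u), first_party)],
        "third_party_cookies": [c.split("=", 1)[0] for c in set_cookies
                                if is_third_party(cookie_domain(c, first_party), first_party)],
        # Drawing text into a canvas and reading it back is the classic fingerprint pattern.
        "canvas_fingerprint_hint": "fillText" in inline and "toDataURL" in inline,
    }
```

Call `audit(SAMPLE_HTML, SAMPLE_COOKIES, "example-clinic.com")` to get a dictionary of findings; a real scan would feed in the fetched HTML and the response's Set-Cookie headers instead of the constructed sample.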
Examples of Recent Enforcement Actions
- Following a misguided attempt to track the statistics of its own advertisements, the U.S.-based healthcare provider Novant was required to notify 1.36 million patients of unauthorized disclosure of their Protected Health Information under HIPAA. Novant had added the Meta Pixel code to its website, which was misconfigured, resulting in unauthorized access to protected health information (PHI) by third-party advertisers. The leaked PHI included email, phone number, IP address, emergency contact information, appointment date and type, selected physician, and any extra content submitted in a "free text" box.[iii]
- In January 2023, a consumer class action lawsuit was filed in the Northern District of California, alleging that a direct-to-consumer pharmacy and telemedicine platform (Hey Favor, Inc.) shared sensitive medical information with Meta, TikTok, its parent company ByteDance, and data analytics firm Full Story, Inc. for advertising purposes, through tracking pixels embedded on its website.[iv]
- In March 2023, the FTC issued a proposed order against online counseling service BetterHelp, Inc., banning the company from sharing consumers' health data (specifically, sensitive information regarding mental health) with third parties, including Facebook and Snapchat, for targeted advertising purposes. BetterHelp has been ordered to pay $7.8 million to consumers to settle those allegations as part of a consent agreement. Despite collecting such sensitive information, BetterHelp failed to maintain sufficient policies or procedures to protect it and did not obtain consumers' affirmative express consent before disclosing their health data. BetterHelp also failed to place any limits on how third parties could use consumers' health information, allowing Facebook and other third parties to use that information for their own internal purposes, including research and development or improving advertising.[v]
How Insurers Will Adapt to Underwriting Privacy Risks and Website Tracking Tools
CyRisk is responding to underwriters' need for new data sources and advanced technologies to help evaluate these privacy exposures and other emerging risks. Shifting market conditions and technological advancements are compelling underwriters to develop their skill sets further by using predictive data models and foresight to identify signals of non-compliance. Underwriters as "data pioneers" are crucial for cyber insurance to stay one step ahead of attacks and data privacy risk exposures. The cyber insurance underwriter must develop these skills and ensure that an organization:
- considers hypothetical risk when reviewing privacy policies and procedures in order to maintain full and thorough compliance
- has controls, website policies, and organizational procedures that are in full compliance with ever-changing privacy-focused legislation
The adaptation of the exponential underwriter into a data pioneer will leverage emerging tools, information, and skill sets to focus on higher-level challenges and become more strategic in defining the future of the company, enhancing business performance and shareholder value.[vi]
Cyber insurance can certainly help organizations transfer some of the potential risk they face from these types of website tracking technologies. However, we anticipate that many cyber insurance underwriters will soon offer remediation solutions that include data privacy compliance analysis and continued monitoring of the website tracking tools exposed at an organization, through reports illustrating the presence of ad trackers, session replay, pixel tracking, canvas fingerprinting and keystroke capture technologies in place at that organization.
Although these technologies have been in use for many years, the uptick in regulatory and legal scrutiny across many states has placed website tracking tools on the radar of many cyber underwriters who view these privacy risk exposures as a concern that could lead to substantial claim activity. Cyber insurance underwriters are responding to these emerging breach-related risks by leveraging tools to identify and evaluate the insured's risk based on their website's use of data gathering technologies.
CyRisk is committed to advancing the state of cyber insurance underwriting by identifying and assessing just such emerging risk exposures. For information on CyRisk’s Privacy Risk Detection feature, please inquire at Sales@CyRisk.com
[i] FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising - ftc.gov
[ii] ‘Illegal Wiretapping’: Class Action Claims Old Navy Secretly Records Website Visitors’ Communications - classaction.org
[iii] Misconfigured Meta Pixel exposed healthcare data of 1.3M patients - Bleeping Computer
[iv] Hey Favor Shares Users' Private Health Info with Meta, TikTok - classaction.org
[v] FTC to Ban BetterHelp from Revealing Consumers’ Data, Including Sensitive Mental Health Information, to Facebook and Others for Targeted Advertising - ftc.gov
[vi] The rise of the exponential underwriter - Deloitte