
Understanding Privacy Risk Exposures: Tools for Underwriting This Emerging Risk


The increasing concern over privacy risk exposure is well justified: privacy-related class action settlements rose to $896.7M in 2022, an increase of 41% over the prior year. In fact, in 2022, privacy-related class action settlements exceeded data breach settlements by over $175M. With ongoing data breaches and the seemingly endless advance of new privacy regulations, accompanied in some states by substantial financial exposure, understanding and proficiently managing privacy risks has become more critical than ever. This holds particularly true for insurers and reinsurers, because cyber insurance plays a pivotal role, in many cases footing the bill for legal defense and, in some cases, settlement costs.

What is Privacy Risk Exposure?

Privacy risk exposure refers to the potential for a breach of sensitive data that could result in financial loss, reputational damage, or legal consequences. This can occur through various means, such as unauthorized access to data, data leakage, or non-compliance with privacy regulations.

The regulatory environment regarding data privacy has grown more complex in recent years, with state laws like the Illinois Biometric Information Privacy Act (BIPA) accounting for an outsized portion of recent legal and settlement costs. Although BIPA's private right of action, which allows individuals to sue to enforce their rights, is not found in all state privacy laws, biometric privacy laws like BIPA are gaining traction, with New York City's Biometric Identifier Information Law in effect this year, and several others on the way. The lawsuits quickly follow. All of this makes it challenging for businesses to remain up to date with the rapidly evolving regulations and with enforcement agencies such as the Federal Trade Commission and the Department of Health and Human Services Office for Civil Rights, as well as the CFPB's interpretations of the security and privacy aspects of the Consumer Financial Protection Act.

Which Industries have the Highest Privacy Risk Exposure?

While it would certainly make life easier for underwriters if this risk were confined to a clearly defined set of industries, the fact is that this exposure is not limited to big tech, healthcare and social media companies. Organizations across nearly all sectors may be hit with these lawsuits. From fashion to manufacturing and hospitality, from education to professional services and transportation, all have been targeted. Which begs the question: Why?

Privacy exposure can exist within virtual organizations as well as brick and mortar operations. That risk is heightened where biometric data is involved.  Large organizations have been sued for their use of biometric employee time tracking systems, while retailers have been sued for security camera systems that employ facial recognition technology.  Meanwhile, the near ubiquitous use of online marketing technologies for several years across virtually all industries has opened potentially massive privacy exposure, with the potential for claims arising years after the current exposure has been mitigated. These technologies enable the collection of data at a scale that was previously not possible. And the financial incentives to share the data with third parties (Facebook, Google and many others), either to benefit from the analysis or other processing, or to benefit from the outright sale of the data, are more powerful than ever. Just as it has become increasingly cheap, easy and fast to spin up sophisticated computing infrastructure without having the least idea how to properly secure it, so too these new technologies are readily available to collect, use and share sensitive data, but it is much harder to do so in a fully compliant manner. 

Web Tracking Technologies: Examining Risks and Vulnerabilities

Web tracking technologies are tools and techniques used by companies and third-party entities to monitor and collect information about users' activities online. These technologies play a significant role in the digital economy, especially in areas such as online advertising, personalized content, and analytics. However, they also pose significant privacy risks, as they can lead to the collection and inadvertent sharing of personally identifiable information, often without the users' explicit consent. Here are some of the more at-risk web tracking technologies:

  • Pixel Tracking: A pixel is a piece of code that allows other websites to target their visitors later with ads on sites like Facebook and Google. Common actions that can be tracked by a pixel include viewing a page or specific content, adding payment information, or making a purchase.

  • Session Recording: Session recording technology allows a third party to monitor and record all of a user's behavior on a webpage, including mouse movements, clicks, scrolling down the page, and anything typed into a form, even if the user doesn't click submit.

  • Key Logging: Key logging is when a first or third party monitors the text that you type into a webpage before you hit the submit button. This technique has been used for a variety of purposes, including identifying anonymous web users by matching them to postal addresses and real names.

These technologies, while useful for businesses, can pose significant privacy risks to users. Therefore, it's crucial for insurers, reinsurers, brokers, and risk managers to understand these technologies and the privacy risks they pose. Tools like CyRisk's Privacy Risk Detection (PRD) can help identify these technologies and provide actionable insights to mitigate privacy risks.

5 Considerations for Underwriting Privacy Risks

The questions that most underwriting teams are struggling with today are "How do we properly assess privacy risk exposures resulting from the use of web tracking tools?" and "How do we underwrite them in our day-to-day operations?"

The following set of questions should be considered when delving into these new risks.

  1. What types of data does the organization collect or monitor, and what technologies are in place to collect that data? What data is being shared, and with whom? It's imperative to understand the nature and extent of data amassed from website visitors. Is it confined to their email addresses, or does it encompass other types of personally identifiable information as well? This paints a portrait of the potential risk magnitude.

  2. Do they effectively track the amassed data? Does the organization actively utilize the acquired data? If so, where is it stored? Some companies might remain oblivious to the full extent of data they are amassing.  What is the utility of this information within their business model?  If it plays a pivotal role in conversions and revenue, then an outright discontinuation of web tracking technology might not be a pragmatic option.

  3. Do they share or sell the accumulated data? This question explores third-party involvement in web tracking technology. Take, for instance, the prevalent use of chatbots on company websites. Frequently, these bots are outsourced to third parties, and if visitors input personal information into these bots, issues can surface. The same holds true for pixel tracking; comprehending the data collected, and that data's post-collection destination becomes very important.

  4. Do they disclose their data tracking practices to visitors? Often, the answer to this question resides in the privacy policy, a document that should be displayed on the company's website. This not only can shield the organization from potential legal headaches but also provides consumers with transparency about data collection.

  5. Do they obtain consent from their visitors? Consent is typically captured through a cookie consent manager. This should pop up upon a visitor's arrival at the organization's website before cookies are placed and users are tracked, empowering the website visitor to dictate their preferences concerning cookies and collected data.

By exploring and answering these important questions, underwriters can navigate the underwriting of these potential risk exposures with more knowledge and efficiency.
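The tracking technologies listed earlier and consideration 5 can be checked against a page's own markup. The following is an added example, not part of the original article and not CyRisk's PRD: it inventories third-party scripts and pixels in a page's HTML and flags which ones load before consent. The signature table, the `.example` hosts, the sample HTML and the `type="text/plain"` consent-gating convention are assumptions of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative, non-exhaustive signature table (an assumption of this example).
# The ".example" host is a constructed stand-in for a session recording vendor.
SIGNATURES = {
    "connect.facebook.net": "pixel",
    "www.facebook.com": "pixel",
    "www.googletagmanager.com": "tag-manager",
    "replay.vendor.example": "session-recording",
}

class TrackerInventory(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag not in ("script", "img", "iframe") or not src:
            return
        host = urlparse(src).hostname
        if host is None or host == self.first_party or host.endswith("." + self.first_party):
            return  # relative or first-party resource: not shared with a third party
        # Assumed convention: a consent manager keeps a script inert by
        # serving it as type="text/plain" until the visitor opts in.
        gated = tag == "script" and (a.get("type") or "").lower() == "text/plain"
        cat = SIGNATURES.get(host, "unclassified-third-party")
        self.findings.append({"host": host, "category": cat, "tag": tag,
                              "loads_before_consent": not gated})

def inventory(html, first_party_host):
    parser = TrackerInventory(first_party_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page (ids are placeholders, not real accounts).
SAMPLE = """
<script src="/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script type="text/plain" src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="https://replay.vendor.example/record.js"></script>
<img height="1" width="1" src="https://www.facebook.com/tr?id=0000&amp;ev=PageView">
"""

if __name__ == "__main__":
    print(*inventory(SAMPLE, "shop.example"), sep="\n")
```

Static HTML misses tags that a tag manager injects at runtime and cannot reveal key logging, so a complete assessment also needs to observe the page's network requests in a browser.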

How Can CyRisk's Privacy Risk Detection Help?

CyRisk's Privacy Risk Detection (PRD) feature is a powerful tool that can help insurers, reinsurers, brokers, and risk managers navigate the complexities of privacy risk.  PRD provides a comprehensive analysis of a company's privacy risk exposure, identifying potential vulnerabilities and providing actionable insights to mitigate these risks.

PRD leverages advanced technology to analyze a company's digital footprint, including its website scripts, third-party interactions, and data transfer practices. This information is then used to generate a report, providing a clear, quantifiable measure of the company's privacy risk exposure.

For insurers and reinsurers, PRD can inform underwriting decisions, helping to accurately assess privacy exposure, establish subjectivities and policy terms, and manage risk. Brokers can use PRD to advise clients on their privacy risk exposure, recommend appropriate insurance products and prepare them to go to market for insurance.

With CyRisk's Privacy Risk Detection, insurers, reinsurers, brokers, and risk managers can gain clarity around privacy risk exposure, protect their businesses, and provide the best service to their clients. For more information on the Privacy Risk Detection solution, contact CyRisk at sales@cyrisk.com.