
Cyber insurers track privacy exposures

Increased privacy claims surrounding the collection and sharing of data by companies are reverberating through the cyber insurance sector as underwriters and policyholders take steps to stem losses. 

The deployment of data tracking and collection technologies by website operators and assertions of so-called “wrongful collection” and subsequent sharing of personally protected information are increasing as overall web usage and the development and use of such tracking technologies continue to grow. 

An $18.4 million settlement approved in September 2021 to resolve a class-action lawsuit against health care provider Mass General Brigham Inc. over the use of cookies, pixels, website analytics tools and associated technologies on several websites without first obtaining the consent of website visitors encouraged further privacy lawsuits.

The “massive settlement prompted the plaintiffs bar to start attacking this technology in earnest,” said Christine Flammer, New York-based claims manager, cyber and technology claims, for Axa XL, a unit of Axa SA. 

Broad interpretations of statutory language by courts have also helped fuel a rise in claims, sources said, as judges allow cases to move forward, placing insurers on the hook for defense costs. In response, underwriters are considering wider use of exclusions.

“Motions to dismiss are not readily granted,” said Anjali C. Das, a partner in Chicago with Wilson Elser Moskowitz Edelman & Dicker LLP and co-chair of the firm’s national cybersecurity and data privacy practice. 

She said courts are allowing cases to move into discovery to learn more about the new wave of claims and suits, some of which are based on arcane language in the Video Privacy Protection Act, or VPPA, a federal statute that was enacted in 1988 in response to the disclosure and publication of then-Supreme Court nominee Robert Bork’s video rental history without his consent. 

“The recent wave of litigation over the past 18 to 24 months has courts still wrestling with the role of VPPA in the modern world,” Ms. Das said. One attraction of the VPPA to plaintiffs is that it provides for statutory damages of up to $2,500 per violation, she said. 


A concern for insurers is that cyber insurance often contains provisions for defense costs, and class-action suits can be lengthy, potentially making insurers responsible for what could be substantial defense costs, Ms. Das said. 

“There’s cover under many cyber policies for defense of these actions,” said Meredith Schnur, New York-based cyber brokerage leader, U.S. and Canada, at Marsh LLC. 

The effect on insurers of the rise in claims and the uncertainty over courts’ positions has been “immediate,” said Bobby Bianconi, Rocky Hill, Connecticut-based head of U.S. technology and cyber at Aspen Insurance Holdings Ltd.

“We are extremely selective on who we will choose to partner with if they continue to deploy” data collection and tracking tools, he said. Any such applicant receives added scrutiny and must answer an expanded set of underwriting questions about how data is collected and shared, the answers to which could result in a “wrongful collection” exclusion being inserted in the policy, he said. 

“There is a host of underwriting questions about what the market is looking for and to understand, and if they feel that the responses and the control environment that is in place at an organization using tracking tools are not to their satisfaction, they will look to exclude it,” Ms. Schnur said. 

Some organizations have removed tracking technology from their websites in response to the wave of claims, said Marissa Olsen, Jersey City, New Jersey-based senior vice president and global head of cyber claims at Aspen.

Ms. Flammer of Axa XL said privacy claims began to accelerate over the past year but noted that coverage for such “tracking claims” is often subject to sublimits or defense-only coverage. 

Nadia Hoyte, New York-based national cyber practice leader with USI Insurance Services LLC, said that while tracking technologies are not new, “what’s different is how we use information and with whom we share it.” She said a wider application of risk management techniques could help stem collection claims. 

“Privacy departments in organizations are very clear and focused when dealing with doctors and those involved with patient care, but those same considerations have not always been shared with the marketing department,” which may be responsible for deploying the tracking technology, Ms. Hoyte said.


Regulators start to rein in data tracking activity

While litigation is driving concerns around online privacy claims, some risk managers and cyber security personnel also must respond to regulatory agencies and state lawmakers introducing new privacy rules and enforcing existing regulations. 

“States are taking up the mantle on what kind of data regulations need to be in place to protect consumer information,” said Jeremy Barnett, Calabasas, California-based chief commercial officer for Lokker, which is owned and operated by Apomaya Inc., a data and technology security company. 

California’s Consumer Privacy Act of 2018, which gave consumers more control over the personal information that businesses collect about them, was amended to provide consumers additional protections beginning Jan. 1, 2023, including the right to correct inaccurate personal information that a business has about them and the right to limit the use and disclosure of sensitive personal information collected about them, according to information on the California State Department of Justice’s website. 

Mr. Barnett said other states, including Colorado, Connecticut and Virginia, are considering similar legislation and regulations to protect consumers. 

In addition, Nadia Hoyte, New York-based national cyber practice leader with USI Insurance Services LLC, said regulatory agencies in other states, such as New York’s Department of Financial Services, are stepping up enforcement actions. 

In May 2023, the DFS announced a $4.5 million penalty against OneMain Financial Group LLC, alleging it “failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events,” in violation of the department’s Cybersecurity Regulation.