As corporate directors and security teams scramble to ensure they meet the Securities and Exchange Commission's (SEC) new cybersecurity regulations, claims due to mishandling protected personally identifiable information (PII) could rival the cost of ransomware attacks, warns David Anderson, vice president of cyber liability at Woodruff Sawyer, a national insurance brokerage. While privacy claims take years to work through the legal process, "losses are generally just as catastrophic over three to five years as a ransomware claim is over three to five days," he says.[1]
In a presentation focusing on 2024 litigation trends, Dan Burke, senior vice president and national cyber practice leader at Woodruff Sawyer, noted, "Pixel-tracking claims are the latest target for the plaintiffs' bar going after companies tracking website activity through pixels on the screen without obtaining proper consent." Activities like that could be why 31% of cyber insurance underwriters in a Woodruff Sawyer survey picked privacy as their top concern for 2024, second only to ransomware, chosen by 63% of respondents.
James Tuplin, senior vice president and head of international cyber at Mosaic Insurance, agrees that underwriters will take a much closer look at privacy trends this year. He confirms that it often takes five to seven years for privacy litigation to work through the courts, which means 2024 will see the culmination of privacy cases filed from 2017 to 2019, before many countries and US states began passing new privacy laws. For example, the European Union's General Data Protection Regulation (GDPR) took effect in 2018, so these cases represent some of the first GDPR violations to reach resolution.
For the insurer, however, the payout for privacy claims may not be as large because the "underwriters have a long time to play with their capital while those losses build to their final resolution," Anderson explains. That's because insurers retain the interest from holding funds in escrow while claims work through negotiations and litigation.
While boards of directors generally have capable advisors on privacy, they still think of privacy issues as an IT matter rather than a business matter, Tuplin says. He adds that some regulators, including the SEC, are putting CISOs in the crosshairs of regulations even though they do not control the budgets or have the authority to solve all cybersecurity issues. Among the reasons privacy has become challenging to boards and security teams is that in many cases, organizations do not know what kinds of data they are collecting and where that data resides, notes Sherri Davidoff, founder and CEO at LMG Security. She says that companies tend to hoard data as an asset rather than consider it a hazardous material.
"It's like nuclear waste," she says. "The more data you have, the more risk you have."
Enterprises need to do a better job of eliminating PII they no longer need, since retained data could trigger a regulatory or legal violation should it fall into the wrong hands. While security pundits have been telling companies for years that they need to know what data they have and where it is located, many companies, including those subject to strict regulatory oversight, do a poor job of classifying their data and identifying where all of it resides, she says.
Another major challenge many firms face is that they do not track all of the privacy laws and regulatory requirements that apply to the data they hold. Understanding the US data privacy law landscape is difficult enough; it becomes more challenging still when one considers that nearly every state has unique laws dealing specifically with health records and children's data. Organizations holding PII on individuals in the European Union must also comply with the GDPR. Companies doing business in other countries need legal counsel to review the laws in every country where they operate to ensure they meet those privacy laws.
Many companies think that if they comply with the various compliance regulations, adhere to state laws, and have cyber insurance, then they are all set. "That is not, in fact, enough," says Michelle Schaap, who leads the privacy and data security practice at law firm Chiesa Shahinian & Giantomasi (CSG Law). "While it might be sufficient to protect against a consumer's suit or legal action by attorneys general or another enforcement agency against the compromised entity, there are other considerations."
What might seem like a minor infraction, such as not following through entirely on a posted privacy policy, could trigger multiple regulatory violation fines. "It's a deceptive trade practice," Schaap says. "If you're saying you are doing X and you're not, that becomes the first count in the FTC claim. Each state has its own little FTC laws or consumer protection laws."
A simple opt-out request is another example of what might seem to be a minor infraction that corporate security teams could overlook but which could generate a compliance or legal violation. When a consumer asks a company to be taken off a mailing list, the request needs to cover all email addresses the requester uses in order to comply with all state laws. Thus, even if a company says it is compliant with the law, it might not be compliant in all the states in which it operates. Misstating its adherence to privacy laws could also trigger the denial of an insurance claim.
To fill some of these compliance holes they might not know about, Schaap recommends that companies take advantage of any help their cyber insurer provides, such as security tabletop and other exercises, to stay on the right side of regulations and keep their policies in good stead. This is not just theoretical: in 2022, a company misstated its use of multi-factor authentication on its insurance application questionnaire. The cyber insurance carrier, Travelers, sued the company and ultimately kept the premiums the company had paid while rescinding the cyber insurance policy and denying the claim.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.darkreading.com/data-privacy/privacy-ransomware-top-2024-cyber-insurance