Corporate directors and security teams are currently facing a frenzy of activity as they strive to comply with the Securities and Exchange Commission’s (SEC) new cybersecurity regulations. The stakes are high: claims stemming from the mishandling of protected personally identifiable information (PII) could rival the financial impact of ransomware attacks. This warning comes from David Anderson, vice president of cyber liability at Woodruff Sawyer, a national insurance brokerage.
In a recent presentation focusing on projected litigation trends for 2024, Dan Burke, senior vice president and national cyber practice leader at Woodruff Sawyer, highlighted the emerging concern around privacy claims. Specifically, Burke pointed out that “pixel-tracking claims” have become a new target for plaintiffs’ lawyers, who are going after companies that track website activity without obtaining proper consent. This growing trend underscores the need for organizations to prioritize privacy protection measures.
A survey conducted by Woodruff Sawyer revealed that 31% of cyber insurance underwriters identified privacy as their top concern for 2024, coming in second only to ransomware, which was chosen by 63% of respondents. This shift in focus towards privacy issues reflects a broader recognition within the industry of the significant financial and reputational risks associated with data breaches and privacy violations.
Privacy concerns are not just limited to the realm of cyber insurance. James Tuplin, senior vice president and head of international cyber at Mosaic Insurance, emphasized that underwriters across the board are paying closer attention to privacy trends. The timeline for privacy litigation is often extended, with cases taking five to seven years to navigate the legal system. This means that 2024 will likely see the resolution of privacy cases filed several years prior, before the enactment of new privacy laws such as the GDPR in the European Union.
For insurers, the payout for privacy claims may not be immediate, as these losses tend to evolve over time. However, as Anderson explains, insurers benefit from the interest earned on funds held in escrow while these claims are being processed. This dynamic underscores the importance of proactive risk management and privacy compliance measures for organizations seeking to mitigate potential liabilities.
Despite the growing emphasis on privacy issues within the insurance industry, many boards of directors and security teams still struggle to view privacy as a business concern rather than just an IT issue. Tuplin notes that regulators, including the SEC, are increasingly holding Chief Information Security Officers (CISOs) accountable for privacy compliance, even though they may lack the authority or resources to address broader cybersecurity challenges.
One of the key challenges for organizations is the lack of clarity around the data they collect and store. Sherri Davidoff, founder and CEO at LMG Security, points out that many companies hoard data without fully understanding the associated risks. Organizations need to adopt a more strategic approach to data management, particularly for PII that could trigger regulatory violations if exposed.
In addition to data management challenges, many companies struggle to keep pace with the evolving landscape of privacy laws and regulations. Michelle Schaap, a privacy and data security expert at law firm Chiesa Shahinian & Giantomasi (CSG Law), warns that even minor compliance infractions can result in significant financial penalties and legal consequences. Schaap emphasizes the importance of proactive compliance efforts and close collaboration with cyber insurers to identify and address potential regulatory gaps.
Recent legal cases underscore the potential consequences of regulatory non-compliance. In a notable example from 2022, a company faced litigation from its own cyber insurance carrier over inaccurate representations of its security practices. Such cases serve as a cautionary tale for organizations seeking to avoid costly legal disputes and maintain the validity of their cyber insurance policies.
In summary, the evolving landscape of privacy regulations and the increasing scrutiny from insurers and regulators underscore the need for organizations to prioritize privacy protection and compliance. By taking a proactive, strategic approach to data management and privacy compliance, companies can mitigate potential liabilities and safeguard their reputations in an ever-changing cybersecurity landscape.
