Our Cyber Coverage Explained series is back. In our latest edition, we're exploring a current hot topic in the cyber market: Wrongful Collection of Data. Below, you’ll learn more about the current regulatory landscape, how the cyber market is responding, and what brokers should look for to guarantee that their clients are protected.
Data is valuable. It helps organizations better understand how consumers interact with their website and allows them to tailor products and services to certain audiences. Third-party vendors, like Meta, are also looking to understand consumers’ wants and needs. Everyone wants a piece of the pie; even threat actors know personal data is where the money is.
That’s the problem regulators, privacy advocates, and in turn, the cyber insurance market faces right now. Everyone is increasingly concerned about how data is stored, shared, and used in conjunction with our overall right to privacy. The European Union’s General Data Protection Regulation (GDPR) drew the first line in the sand, inspiring states across the U.S. to follow suit (like the California Consumer Privacy Act) to establish data and privacy protections for their citizens.
As regulators crack down and statutes evolve, wrongful collection of data claims are increasing rapidly. How can brokers and cyber insurance carriers work together to provide the best solutions for clients in the throes of varying state and federal laws?
Many organizations, from small businesses to large enterprises, that use and collect consumer information don’t recognize their missteps until they’re face-to-face with a wrongful collection of data lawsuit. As a relatively undeveloped area of the law with no national regulations, the true definition of “wrongful collection” is decided by a patchwork of state laws and various regulatory entities.
Basically, it’s complicated.
When users enter their information or simply browse on a business’s website, they trust that it’s safe, secure, and being used for its intended purpose. Data privacy laws suggest that organizations collecting data have the responsibility to protect it, but according to various state statutes there’s further action required. Organizations may need to inform consumers that data is being obtained in the first place, as well as provide the option to opt out of sharing data through an informed consent process.
If an organization doesn’t inform you that your data is being collected, doesn’t provide you the opportunity to opt out, or shares your data with a third party without obtaining informed consent, it could be considered “wrongful” — but it still depends on the state.
Fines and penalties for wrongful collection of data claims can be financially devastating and tend to disrupt the ordinary course of business. Knowing what fuels these losses will help you advise your clients on best practices and advocate for them to get the cyber insurance coverages they need.
The Illinois legislature passed the Biometric Information Privacy Act (“BIPA”) in 2008. It prohibits companies from collecting biometric data unless the individual has been informed of what is being collected and how long it will be held, and has provided written consent. The ACLU argues biometric data is even more sensitive than other personal data: unlike a phone number or driver’s license, it cannot be changed in the event of a security breach.
Common lawsuits related to BIPA allege that employers collect employees’ fingerprints (or other biometric information) for timekeeping purposes but fail to provide advance notice, or share the data with third parties without consent. Other cases relate to face-recognition technology or are directed at the manufacturers of the timekeeping devices.
These lawsuits are growing increasingly common — and the penalties aren’t cheap. For each negligent violation, damages amount to $1,000, and for intentional or reckless violations, the price tag balloons up to $5,000. That doesn’t account for the cost of legal fees, either.
BIPA-related lawsuits don’t show any sign of slowing down. The Illinois Supreme Court ruled in favor of the plaintiffs in Rosenbach v. Six Flags, confirming that employees don’t need to prove actual harm to qualify as an “aggrieved person” under the statute. Recent rulings — Tims v. Black Horse Carriers and Cothron v. White Castle System — determined that there is a five-year statute of limitations on BIPA claims and that a BIPA claim accrues every time biometric information is collected. This means that the statute of limitations starts after the last use of biometric technology by the plaintiff.
Tracking pixel technology is found on 30% of the web’s 100,000 most popular destinations. The Markup, an investigative newsroom dedicated to covering the use of technology, found that one-third of the top 100 hospitals in the United States featured pixel technology on their websites.
The purpose behind pixel tech is straightforward (for the first-party organizations, anyway): Track how users interact with a business’s website to make marketing to specific audiences easier. The fundamental concern is over what data is being collected by third-party organizations, like Meta and Google, and how it is being used.
Allegedly, patient data was sent to Meta from private form-fill pages, including full names, descriptions of allergic reactions, and medication details. Search terms, like “pregnancy termination” and “Alzheimer’s,” were also sent by the pixel.
Over the past year, a growing number of privacy class actions have hit Meta (as well as companies and healthcare entities using tracking technology), claiming that the pixel improperly collects sensitive patient information without proper disclosure to patients.
Early wrongful collection of data lawsuits typically centered around the Video Privacy Protection Act (VPPA), a law passed in 1988 after a Supreme Court nominee’s video rental history was leaked during the nomination process. The VPPA states that personally identifiable information regarding video purchases cannot be shared with anyone without the consent of the consumer.
A 2014 case claimed that Hulu violated the VPPA by sharing viewing history and personal information with Facebook. But without substantial proof that Hulu knew Facebook was combining the identity of Hulu users with the videos they were watching, the case was dismissed.
This briefly ended the trend of applying the VPPA to modern use cases, but with pixel tracking in the news, we’ve seen a revival. Nearly 50 class action lawsuits have been filed since last February, alleging that the pixel is sending video consumption data to third parties.
The cyber market faces costly claims, pending lawsuits with unclear resolutions, and emerging regulatory guidelines. As we all know, the cyber market is far from standardized, which means that carriers are responding to these new cyber risks in dozens of different ways — primarily with exclusions. But all hope for adequate coverage is not lost, as long as you’re working with cyber underwriters who are approaching the risks smartly, asking the right questions, and using technology to their advantage to help address cyber incidents.
Class action lawsuits — like what the market is seeing with BIPA, VPPA, and pixel-related claims — are typically covered by third-party insuring agreements in a cyber insurance policy. Make sure that the policy defines what is considered “private” information to help protect your business and ensure that clients will maintain broad coverage in the event of a lawsuit or breach.
Anyone seeking cyber insurance should expect to answer some questions about how they handle data, but as new risks and regulations unfold, expect the questionnaire to get longer and more granular. Come prepared to answer questions like the following:
Do you share or sell website user data with any third party prior to notifying users or obtaining their consent? For example, Meta’s Pixel or Google Tag Manager?
Is a process in place to evaluate and approve the use of tracking pixels and other website tracking technology?
Are consumers or users able to opt out?
Does the applicant obtain written consent or release for the collection, storage, use, disclosure, or transmission of biometric data prior to collection?
Was such consent/release reviewed by a qualified attorney?
Please provide a copy of the consent form.
a. Is it publicly available?
b. Is there a retention schedule, with guidelines for permanently destroying biometric data?
Depending on your client’s answers and their industry (do they handle particularly sensitive information, like healthcare?), they may face a wrongful collection exclusion.
While clients need to understand the scale of their data collection practices to accurately fill out applications, they should also understand how these practices may put them at risk. We use the Corvus Scan to pinpoint tracking technologies on an applicant’s website and have found that some applicants are unaware of the presence of trackers until we point them out. By explaining the regulatory and legal risks associated with these technologies during the cyber underwriting process, we can help applicants and policyholders make informed decisions about their usage.
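The kind of check described above, as an added illustration that is not the Corvus Scan and not code from the post: a small Python script that parses a page’s HTML and reports which known third-party tracking tags are present, so a site owner can see what they would be asked about on an application. The signatures are the publicly documented loader URLs and JavaScript calls of Meta Pixel, Google Tag Manager, and Google Analytics; they are an illustrative subset, and the sample page and its tag IDs are constructed placeholders.

```python
"""Report known third-party tracking tags present in a page's HTML (added example)."""
import re
from html.parser import HTMLParser

# Illustrative signatures: the public loader URLs / JS calls of each tool.
# Assumption: this subset is enough to show the technique, not an exhaustive list.
TRACKER_SIGNATURES = {
    "Meta Pixel": [
        r"connect\.facebook\.net/[A-Za-z_]+/fbevents\.js",
        r"\bfbq\(\s*['\"]init['\"]",
        r"facebook\.com/tr\?",
    ],
    "Google Tag Manager": [
        r"googletagmanager\.com/gtm\.js",
        r"googletagmanager\.com/ns\.html",
    ],
    "Google Analytics (gtag/analytics.js)": [
        r"googletagmanager\.com/gtag/js",
        r"google-analytics\.com/analytics\.js",
        r"\bgtag\(\s*['\"]config['\"]",
    ],
}


class _TagCollector(HTMLParser):
    """Collect the places trackers live: script/img/iframe URLs and inline JS."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.inline_js = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.urls.append(attrs["src"])
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_js.append(data)


def scan_html(html):
    """Return {tracker name: [evidence strings]} for every signature that matches."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    candidates = [("url", u) for u in parser.urls]
    candidates += [("inline script", js) for js in parser.inline_js]
    findings = {}
    for name, patterns in TRACKER_SIGNATURES.items():
        for kind, text in candidates:
            for pattern in patterns:
                match = re.search(pattern, text)
                if match:
                    evidence = f"{kind}: {match.group(0)}"
                    findings.setdefault(name, [])
                    if evidence not in findings[name]:
                        findings[name].append(evidence)
    return findings


# Constructed sample page with a Meta Pixel loader and a GTM container; IDs are placeholders.
SAMPLE_HTML = """
<html><head>
<script>
var s = document.createElement('script');
s.src = 'https://connect.facebook.net/en_US/fbevents.js';
document.head.appendChild(s);
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
</head><body>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<form action="/appointment"><input name="symptoms"></form>
</body></html>
"""

# Constructed page with no third-party tags, for comparison.
CLEAN_HTML = "<html><head><script src='/static/app.js'></script></head><body>Hi</body></html>"

if __name__ == "__main__":
    for tracker, evidence in scan_html(SAMPLE_HTML).items():
        print(tracker)
        for item in evidence:
            print("  -", item)
```

The script only inspects the HTML a page serves; tags injected later by other scripts, or by a tag manager container, are not visible this way, which is one reason a question about a tag-approval process (as in the questionnaire above) matters as much as the scan result itself.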
If clients are using certain ad-tracking technologies but have an adequate rationale for their implementation and are using them responsibly (with legal input, opt-out capabilities, and informed consent), carriers may avoid adding an exclusion. Of course, that’s only possible if clients are adequately informed of the risks associated with ad-tracking technologies to begin with.
As a knee-jerk reaction to high-cost fines and penalties, many cyber insurers are adding strict exclusions to wrongful collection of data claims across the board. But it doesn’t need to be that way. For example, Corvus is working with applicants on a case-by-case basis to determine if they are informed about their data collection, and if they are, we’ll work with them to avoid adding an exclusion that could result in devastating losses. Brokers should work with clients to assess their exposure and explain the importance of responsible data collection practices, especially as the regulatory landscape develops.
This blog post is intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security or privacy advice. This blog post is not to be considered an objective or independent explanation of the matters contained herein.