
Carriers take an inconsistent approach to non-breach privacy as claims skyrocket

Reuters, Feb 21, 2025 2:50 PM

By Michael Loney

(The Insurer) – Speaking at the NetDiligence Cyber Risk Summit in Miami Beach in February, Garrett Koehn, chief innovation officer and president of ExecPro for CRC Group, highlighted a growing area of concern for the market.

He said that non-breach violations of privacy data are one of the biggest evolving areas in the cyber market.

“If there's a class action around that area, there's really no consistency in how carriers handle it,” Koehn said. “So it could be appropriately covered. It could be silent, it could be a defence-only. It could be a sub-limit. It could be only if the C-suite didn't know about it.

“And so that seems like an area that's a newer one that's not yet settled.”

Others have also highlighted the market’s exposure to non-breach privacy claims.

In a blog post on AI and insurance published on February 13, retail broker Woodruff Sawyer warned that non-breach privacy claims may involve personally identifiable information used or gathered by AI models.

“Cyber policies vary widely in their treatment of non-breach privacy exposure, and an increase in claims may cause market pullback. It’s worth reviewing the scope of coverage in your existing policy to ensure you don't have coverage gaps,” the blog post said.

Those comments followed a cyber report earlier in February in which Woodruff noted that recent litigation trends under US privacy laws, particularly the Video Privacy Protection Act (VPPA), have highlighted a surge in consumer privacy class actions.

“The VPPA, originally enacted in 1988, has seen renewed interest as plaintiffs' attorneys target companies using web cookies and tracking technologies. Companies across various industries, from media to healthcare to technology providers, are facing these claims, which often involve using third-party analytics tools like tracking pixels.”

It is not only carriers that are taking an inconsistent approach; courts too have shown mixed responses to these cases.

“Some have dismissed claims at the pleading stage, while others have allowed them to proceed to discovery. This inconsistency creates uncertainty for businesses regarding compliance and potential liability,” Woodruff warned.

In the report, Woodruff lead product counsel for cyber Bridget Quinn Choi explained that “non-breach privacy” refers to situations where legally protected information – business or personal – is collected, transferred, stored, used, or made accessible without the express notice or consent of the data subject.

This risk stems from gaps in a company’s data collection and privacy posture. It results in entities unwittingly collecting, transferring, disclosing, or misusing personal or business information in violation of state and federal laws.

“Privacy-related disputes arising out of the use and collection of digital information skyrocketed in 2024,” Quinn Choi said. “The plaintiffs’ bar has used ‘wiretapping laws’, like the California Invasion of Privacy Act, and other ‘multiparty consent’ state and federal laws against companies.

“In a typical scenario, plaintiffs’ lawyers conduct scans of websites to see if ad tracking technology is deployed and sharing information without notice or consent on a company’s website. They then leverage one or more individuals to serve as a putative plaintiff or claimant and assert that the individual(s) went to the website and had their information collected without notice.”

This means the use of ad tracking tools, including pixels, cookies, session replay, and chat bots, increases a company’s exposure to both lawsuits and regulatory scrutiny.

NON-BREACH PRIVACY CLAIMS NOW A 'TOP CONCERN'

Gallagher warned in a January cyber report that non-breach privacy claims “have become a top concern as these losses started to mature in 2024”, with allegations based on a variety of state laws often allowing for private rights of action.

“As state, federal and international privacy law has expanded in scope and complexity, so too has the exclusionary wording in cyber policies. We are paying particular attention to exclusions to website tracking claims and those that exclude claims stemming from specific privacy laws,” Gallagher said.

The broker cautioned that terms like “unauthorised” versus “wrongful” or “unlawful” or “in violation of law” may be the difference between a loss being covered or not.

Allianz Commercial’s ‘Cyber Risk Trends 2024’ report also highlighted the increasing frequency and severity of non-breach privacy claims.

The report said that the evolving regulatory and legal environment has brought an uptick in what it termed ‘non-attack’ data privacy-related class action litigation. The share of these claims tripled in value in two years, from just 7 percent in 2022 to 14 percent in 2023 and finally to 21 percent.

Michael Daum, global head of cyber claims at Allianz Commercial, noted in the report: “The latest development in cyber insurance has been a marked rise in ‘non-attack’ cyber claims, mostly related to data privacy breaches in the US. In the past these claims were rare but now they make up a significant proportion of claims.”

The rise in ‘non-attack’ data privacy claims is the consequence of several trends, including developments in technology, the growing commercial value of personal data, and a developing regulatory and legal landscape, the carrier suggested.

Allianz Commercial said that, unlike the EU’s General Data Protection Regulation, “privacy regulations in the US are less prescriptive and open to interpretation, while plaintiff lawyers are hungry for potential sources of revenue”.

“This is creating a grey area that is ripe for class action litigation,” it added.

It is to be hoped that the market will begin to address the grey areas around non-breach privacy in 2025.
