Cyber and Privacy Risks: How cyber insurers must lead the charge to protect customers' online data
By: Desmond Devoy
Lawsuits and expanding regulatory actions against companies that track user activity are having an impact on the cyber insurance industry.
“Cookie consent is not enough,” said Jeremy Barnett.
“The wave of class action lawsuits regarding the Meta Pixel and session recording scripts on company websites are impacting cyber claims,” said Barnett, who is the chief commercial officer at LOKKER, a customer privacy and online security firm. “Regardless of a user’s consent, organizations that violate data privacy laws are subject to expensive legal actions that are hitting cyber policies.”
Recent lawsuits are a red flag for cyber insurance
A class action lawsuit filed against Chick-fil-A alleges that the restaurant chain violated the 1988 Video Privacy Protection Act (VPPA). The suit claims that the company allowed the Facebook tracking pixel to identify users’ video-watching behaviour when it posted a series of holiday videos on its website.
“It’s not so much the fact that Chick-fil-A tracked video-watching on its website. It was the fact that the restaurant shared personally identifiable data with Facebook about who was watching these videos,” said Barnett. “The plaintiff’s attorneys claim the data sharing is a violation of the VPPA.” Over 40 VPPA cases have been filed against a broad range of companies, including HBO, the NBA, CNN, Buzzfeed, and PBS.
When it comes to your personal medical information, that’s another matter – and another set of laws, like HIPAA (the Health Insurance Portability and Accountability Act) from 1996. Under a Federal Trade Commission (FTC) order announced this past February, GoodRx may have to pay a civil penalty of $1.5 million for failing to report its unauthorized disclosure of consumer health data to Facebook, Google, and other companies.
Then in March, BetterHelp was also ordered by the FTC to pay $7.8 million for deceiving customers after promising to keep sensitive personal data private. The FTC had charged that the company shared consumers’ sensitive data with third parties like Facebook and Snapchat.
“GoodRx and BetterHelp had a business model that said, ‘We’ll provide you discounted services, or telehealth services, in exchange for us being able to share your information with our partners to help you get the health care that you need.’ I think that their intentions were good, to increase access and reduce the costs of care by creating marketing partnerships for healthcare consumers. Unfortunately, the means to promote these services may have violated privacy laws.”
Without a US national data privacy law, federal authorities such as the Department of Health and Human Services and its Office of Civil Rights, which enforces HIPAA, and the Federal Trade Commission are stepping in with enforcement actions. Barnett adds, “And plaintiffs’ attorneys, recognizing that consumers are demanding online privacy protections, are challenging organizations in every industry with litigation to become better stewards of their customers’ private information.”
“While individual states are drafting and implementing sweeping privacy legislation, companies are on alert to make sure that they’re not sharing sensitive customer data with third parties,” said Barnett. “Cyber insurers, often footing the bill for privacy litigation and settlement costs, are now assisting these organizations in proactively identifying risks and using advanced tools to underwrite with greater intelligence.”
Companies may not be putting tracking software on their websites for any malicious reasons.
“Hospitals, retailers, banks are all using adtech to get better information about their site visitors to improve their own services,” he said. “Unfortunately, these trackers are also sending potentially identifiable information back to data brokers as well as directly to Facebook, Google, LinkedIn, Snapchat, Oracle and TikTok, which often exploit personal information without the user’s knowledge or permission.”
What can companies do to protect their users and themselves?
“Organizations need better tools to run their web operations in compliance with privacy laws,” remarked Barnett.
“The way online tracking technology has evolved has increased in both sophistication and obfuscation,” he said. “Cookies, pixels, and trackers are shrouded in mystery and hidden from the visible website. When we do our shopping, our tax filing, our telehealth, there’s amazing convenience. But what sacrifices to our privacy are we making for that convenience?”
He hopes that these enforcement actions will encourage companies to reconsider how, why, and whether they collect this type of information.
“It is forcing companies to get their legal, IT and marketing people together to better understand what their website is actually doing behind the scenes,” he said. “They need better tools, better practices, and a shared vocabulary about data privacy not just so that they can comply with the law, but so that they can actually be better stewards of customers’ data.”
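As an added example (not LOKKER’s tooling or anything from the article), the following Python audit scans a page’s HTML for the kind of hidden loaders Barnett describes: it inventories third-party script, image and iframe loads and flags an inline Meta Pixel bootstrap that never appears as a visible script tag. It assumes a constructed sample page and a hand-picked list of tracker hosts; a real audit would also have to observe the browser’s runtime network requests, since trackers injected by tag managers do not appear in static HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative tracker hosts only (assumption: not an exhaustive or vendor-maintained list).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.googletagmanager.com": "Google Tag Manager",
}

class TrackerAudit(HTMLParser):
    def __init__(self, first_party_domain):
        super().__init__()
        self.domain = first_party_domain.lower()
        self.findings = []  # (where, host or marker, label)
        self._in_script = False
    def _check_url(self, where, url):
        host = urlparse(url).netloc.lower()  # relative URLs have no host: first-party
        if host and host != self.domain and not host.endswith("." + self.domain):
            self.findings.append((where, host, KNOWN_TRACKER_HOSTS.get(host, "unknown third party")))
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self._check_url(tag, attrs["src"])
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        # Pixels are bootstrapped by inline snippets, so scan script bodies for loader hosts and fbq() calls.
        if not self._in_script:
            return
        for host, label in KNOWN_TRACKER_HOSTS.items():
            if host in data:
                self.findings.append(("inline-script", host, label))
        if "fbq(" in data:
            self.findings.append(("inline-script", "fbq()", "Meta Pixel init/track call"))

def audit_html(html, first_party_domain):
    parser = TrackerAudit(first_party_domain)
    parser.feed(html)
    return parser.findings

# Constructed sample: first-party assets, an inline Meta Pixel snippet, a 1x1 beacon, and a
# session-recording script on a made-up host (.invalid is a reserved TLD, so it is clearly fictional).
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<script>!function(f,b,e,v,n,t,s){/* loader omitted */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');fbq('init','000000000000000');fbq('track','PageView');</script>
<img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView" width="1" height="1"/>
<script src="https://cdn.example.com/lib.js"></script><script src="https://session-recorder.invalid/rec.js"></script>
</head><body><video src="/videos/holiday.mp4"></video></body></html>"""
```

Running `audit_html(SAMPLE_HTML, "example.com")` reports the inline pixel loader and its fbq() calls, the Facebook image beacon, and the unknown session-recording script, while the first-party assets on example.com and its subdomain are left out.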
Cyber insurers have been instrumental in driving cyber security practices like the adoption of firewalls, dual-factor authentication, and endpoint threat detection solutions. With the growing online privacy threats, insurers are now helping nurture an ecosystem of data privacy solutions and privacy-by-design practices as well. While new privacy regulations are a major driver of behavioral change in business, cyber insurers are also in a strong position to drive privacy compliance through their underwriting practices.