Insurance carriers and agents have come to learn that increased data can lead to greater risk for insureds, and they are increasingly advising businesses to disclose data collection practices while seeking to gain insurance coverage, according to David Garrett, president of CISO Advisory & Investigations LLC.
“It is not unusual now for insurance applications to include specific questions about applicants’ data collection practices,” Garrett said.
Standard insurance applications are becoming more detailed in the wake of increased wrongful collection of data claims as more companies are unintentionally swept up in litigation or regulatory action as a result of data collection practices, insurance industry experts told Insurance Journal.
“There have been many instances in the last decade where companies didn’t know they were doing anything wrong,” John Coletti, chief underwriting officer for cyber and technology at XL Catlin, said. “They thought they were collecting data for innocent means, but really, they were in violation of some statute. These situations can actually cause some large financial losses for companies.”
NetDiligence’s 2015 Cyber Claims Study found that personally identifiable information was the most frequently exposed data, making up 45 percent of claims, last year. The study also found that 2015’s largest legal and regulatory costs resulted from mid-revenue organizations accused of wrongful data collection. The combined legal and regulatory costs for these organizations ranged from $411,000 to more than $6.7 million over the course of the year, according to the study.
Coletti pointed to one example where some California and Massachusetts retail stores found out the hard way in the past several years that asking for customer ZIP codes along with a credit card transaction in those states can lead to class action lawsuits or regulatory involvement.
“There’s a statute in California that has to do with the collection of information at the point of sales,” Coletti said. “In the past when you would go into a store to purchase something, companies may ask for your ZIP code. It turns out that isn’t allowed under this statute in California, so lots of companies were doing this in violation of the statute and ended up with class action claims. They didn’t even realize it in many cases, because they just wanted that information to know a little more about their customers.”
This example points to the broader issue of information security, which has become more important than ever with trends toward collecting big data – large and complex sets of data used for analytical purposes.
“Some businesses today are storing massive amounts of customer data for no immediate purpose – simply in the hope that they will discover a way to monetize it in the future,” Garrett said.
“But stockpiling petabytes of data creates significant risks to businesses,” Garrett said.
Indeed, the California Supreme Court decided in February 2011 that the collection of a customer’s ZIP code along with a credit card transaction violates consumer privacy under the Song-Beverly Credit Card Act. Similarly, the Supreme Judicial Court of Massachusetts ruled that state law prohibits retailers from collecting ZIP codes as part of credit card transactions in March 2013.
“When you give somebody what you think is a harmless piece of information, they can do a lot more with it than you expect,” said Nick Economidis, an underwriter at Beazley, during a panel discussion at the 2016 Professional Liability Underwriting Society (PLUS) Cyber Liability Symposium held in New York City.
In fact, the swipe of a credit card combined with a ZIP code and email address can lead a large data broker to get a name, address and other information about a customer, he added. As technology has grown more complex, protecting information privacy has become increasingly difficult, leading some states to crack down on data collection practices to better define personally identifiable information and leading regulators to dive deeper into the issue.
“What researchers have shown is that separate databases can be used along with algorithms to basically disclose the anonymity of anybody,” said Arturo Perez-Reyes, vice president at HUB International.
“The regulators have started looking at what constitutes personally identifiable information in a much broader sense,” said panelist Dominique Shelton, partner at Alston & Bird LLP, at the 2016 PLUS Cyber Liability Symposium. “They are looking at the fact that a lot of data can be identified later and linked to a specific person, so they are moving away from the concept of aggregated, purely anonymous data.”
Additionally, some state and local governments have moved to better regulate data privacy and security, Garrett said.
“New York is a great example,” he said. “Agencies as diverse as the New York Department of Financial Services have recently proposed new cybersecurity regulations.”
The New York State Department of Financial Services (DFS) has issued cybersecurity regulations for financial services companies that aim to protect New York state’s financial services industry from cyber attacks. The proposed regulation is the first of its kind in the U.S. It requires banks, insurance companies and other financial services institutions regulated by the DFS to maintain a cybersecurity program designed to protect consumers and ensure safety in New York’s financial services industry, according to a DFS press release. The proposal also addresses the issue of company data collection and retention.
While the FTC and state regulators have taken a closer look at this issue recently, laws around data collection still vary by state with no federal standard for compliance.
“The laws around that are kind of a state in progress right now,” said Perez-Reyes.
Garrett added that the patchwork nature of these laws so far has made it difficult for many businesses and underwriters to comply.
“There is no one security standard for companies to build their network, so for an underwriter, there’s no reference point,” said Coletti.
“On the buyer side, it can get frustrating because you can talk to three different underwriters who will all ask different questions because there’s no standardized process for evaluating someone’s cybersecurity.”
Insurance Industry Challenge
Another source of confusion for the insurance industry regarding data collection can be determining the difference between an unintentional wrongful collection of data claim and a business that has been negligent or malicious, Coletti added.
“This is a tricky coverage area for insurers because you understand from an insurance perspective in some cases, the company feels like it’s doing everything correctly, is being transparent, has read the laws, has done due diligence and has had lawyers review statutes and privacy notices and still gets hit with wrongful collection claims,” he said. “But you have some clients that aren’t doing that and are collecting data without any regard to laws or statutes. The coverage in the market treads that line between wanting to cover innocent insureds, but not wanting to cover those that are collecting data negligently.”
This has led many insurers to exclude wrongful collection of data from their policies, he stated.
“Some carriers say flat out they don’t want to cover wrongful collection because they don’t want to get into a dispute about whether the insured did this intentionally or negligently,” Coletti said.
This is because increased technological connectivity can impact the exposures both policyholders and insurers face, said Laurie Kamaiko, partner at Sedgwick Law.
“Insurance companies have the challenge of being very much on top of their own exposures, but also on top of the exposures presented to them through the lines of insurance they write,” she said.
With this in mind, businesses need to take a close look at their insurance policies to be sure the right coverage is in place.
“I tell clients all the time that it’s not just a question of seeking coverage for cyber events – there are a host of class actions for privacy claims associated with data breaches as well,” Shelton said during the panel discussion.
After companies are hit with class action lawsuits or regulatory investigations, they will sometimes look to their cyber policies for coverage and find a wrongful collection of data exclusion that’s not what they thought it would be, she explained.
Some insurers that initially exclude wrongful collection from their policies will add it back in through an endorsement or negotiation at the time of binding. Because this is a new product and market for many insurers, as coverages are better understood with advances in technology and increased wrongful collection claims, underwriters are learning to ask the right questions, Coletti added.
“I think the discussions between the underwriters and clients are getting more technical in regards to security and privacy law,” he said. “That trend will continue, and it has to continue. Evaluating cyber is a difficult underwriting process, and the only way to analyze it is through a detailed discussion or application. It’s a good thing for the industry in general, because this is something that has to be done to effectively mitigate cyber risk.”
Although regulation around data management has increased recently, businesses need to be aware of the data they’re collecting and what it’s being used for, particularly as technology changes so quickly, Coletti said.
“We live in a dynamic time,” Garrett added. “You have regulators all over the world pushing for increased controls to ensure data privacy and security. On the other hand, you have businesses seeking to monetize new technologies, such as big data analytics. One trend is pushing businesses to store less data, and the other is pushing [them] to store more. Only time will tell where the equilibrium will be.”
This article originally appeared in the Oct. 24, 2016 edition of Insurance Journal print magazine.