As corporate directors and security teams grapple with the new cybersecurity regulations imposed by the Securities and Exchange Commission (SEC), a stark warning emerges regarding the potential impact of mishandling protected personally identifiable information (PII). David Anderson, Vice President of Cyber Liability at Woodruff Sawyer, underscores the looming threat that claims arising from privacy mishandling could rival the costs associated with ransomware attacks.
Anderson notes that, while privacy claims may take years to navigate the legal process, the resulting losses can be just as catastrophic over the course of three to five years as a ransomware claim is over three to five days. This revelation comes amidst a shifting landscape where privacy issues, especially those related to protected PII, are gaining prominence in the cybersecurity arena.
In a presentation outlining litigation trends for 2024, Dan Burke, Senior Vice President and National Cyber Practice Leader at Woodruff-Sawyer sheds light on the emergence of pixel-tracking claims as a focal point for plaintiffs. These claims target companies engaging in website activity tracking through pixels without obtaining proper consent, adding a new layer of complexity to the privacy landscape.
A survey conducted by Woodruff-Sawyer reveals that 31% of cyber insurance underwriters consider privacy as their top concern for 2024, following closely behind ransomware, which remains a dominant worry for 63% of respondents. This underscores the industry's recognition of the escalating importance of safeguarding privacy in the face of evolving cyber threats.
James Tuplin, Senior Vice President and Head of International Cyber at Mosaic Insurance predicts that underwriters will closely scrutinize privacy trends in 2024.
The prolonged nature of privacy litigation, often spanning five to seven years, means that this year will witness the culmination of cases filed before the implementation of significant privacy laws.
Privacy management poses challenges for boards and security teams, exacerbated by a lack of comprehensive understanding regarding the types of data collected and its whereabouts within organizations.
Sherri Davidoff, Founder and CEO at LMG Security, likens data hoarding to hazardous material, emphasizing the need for companies to prioritize data elimination, particularly PII, to mitigate regulatory and legal risks. Companies may face significant challenges despite compliance with various regulations and state laws. Michelle Schaap, who leads the privacy and data security practice at Chiesa Shahinian & Giantomasi (CSG Law), cautions that minor infractions, such as inaccuracies in privacy policies or incomplete opt-out procedures, can lead to regulatory violations and fines.
Schaap recommends that companies leverage assistance from their cyber insurers, engaging in exercises such as security tabletops to address compliance gaps. A real-world example from 2022, where a company's misstatement about multifactor authentication led to a denied insurance claim, underscores the critical importance of accurate and transparent adherence to privacy laws.
As privacy claims rise to the forefront of cybersecurity concerns, companies must adopt a proactive approach to privacy management, acknowledging its transformation from an IT matter to a critical business issue. Navigating the intricate web of privacy laws, compliance challenges, and potential litigation requires a comprehensive strategy to protect sensitive data and corporate reputations in this evolving cybersecurity landscape.
