Panelists at the 2016 Professional Liability Underwriting Society (PLUS) Cyber Liability Symposium held Tuesday at the Hilton Midtown in New York City urged companies to take a closer look at data aggregation practices as regulators have begun to take a stricter approach to information privacy in recent years.
“The regulators have started looking at what constitutes personally identifiable information in a much broader sense,” said panelist Dominique Shelton, partner at Alston & Bird LLP. “They are looking at the fact that a lot of data can be identified later and linked to a specific person, so they are moving away from the concept of aggregated, purely anonymous data.”
As technology has advanced, data that was once considered anonymous is being found identifiable in some cases and could violate privacy rights, presenting concerns for companies that could become unintentionally wrapped up in litigation or regulatory investigations for wrongful collection of data following a technology breach, panelists explained.
“One thing companies have to worry about is inadvertent data collection,” said Thomas Reagan, cyber practice leader at Marsh Inc. “It can be very easy for organizations to get caught up in data tracking unintentionally, and one thing that I think will come before thinking about why organizations could be subject to a cyber attack is thinking about the data they collect – that has a lot of value organizations may not have thought about.”
As many businesses begin to look to internet connectivity as a way to measure employee behavior and facilitate business operations, they need to be challenging themselves about why they’re collecting data and how it could be used improperly, he said.
Panelist Nick Economidis, an underwriter at Beazley, pointed to an example from his own experience: a dentist who was inadvertently collecting unnecessary data from patients, such as driver’s license information, that could present concerns in a case of identity theft.
“They were working with a third party and just got a standard form and didn’t give it a lot of thought,” he said. “So they just started asking patients for this information.”
With this in mind, companies are encouraged to not only analyze data aggregation procedures, but to take a close look at their insurance policies, panelists added.
“I don’t view it as a technology issue so much as a business issue,” Economidis said. “The law in Canada around information privacy is very adamant that you’re not supposed to collect information unless there is a business need in order to complete a transaction, not for analysis later on. In the U.S., we haven’t gotten to that point of thinking about things that way yet. We’re just getting our arms around protecting the data that we hold, but we haven’t thought much about what information we have a right to collect as part of our business processes and what information is a step too far.”
Under most cyber insurance policies, the appetite for coverage regarding wrongful data collection varies considerably between carriers and typically needs to be sought out through a unique policy where the coverage is included, he stated, adding that coverage agreements about loss or theft of information don’t always provide affirmative coverage for wrongful data collection.
“I tell clients all the time that it’s not just a question of seeking coverage for cyber events – there are a host of class actions for privacy claims associated with data breaches as well,” Shelton said.
After companies are hit with class action lawsuits or regulatory investigations, they will sometimes look to their cyber policies for coverage and find a wrongful collection of data exclusion that’s not what they thought it would be, she explained.
“So many companies have this approach that cyber risk is a really important issue for someone else,” Reagan said. “But increasingly, across all industries, companies are coming into contact with data either as a primary business activity or a sideline of their business. It’s definitely something that’s evolving quite a bit and definitely an area where people need to pay attention, dot the I’s and cross the T’s. Organizations that haven’t done that will have the potential for a rude awakening over the next few years.”