Companies are increasingly aware of the risks of compromised technology systems and data theft, but they also face potential cyber exposures that don’t entail a security breach.
Such exposures and lawsuits can result from organizations collecting, handling or sharing data in violation of various federal and state laws.
Non-breach privacy situations and lawsuits, as the insurance industry has dubbed them, remain a persistent problem for cyber insurers and policyholders, insurance industry sources say.
Such exposures can lead to substantial expenses. Zoom, for example, paid $85 million in 2021 to settle a class-action lawsuit alleging it shared information with third parties and should have done more to prevent unwanted meeting disruptions, or “Zoombombing,” among other things.
Privacy risk extends well beyond a traditional data breach, said Maria Long, New York-based chief underwriting officer for cyber insurer Resilience.
“Increasingly, non-breach privacy exposures — incidents that do not involve an external intrusion or data exfiltration — are becoming a primary concern for both insureds and underwriters,” Ms. Long said.
A trend toward more privacy regulations, many at the state level, creates an increasingly challenging compliance environment for organizations that collect data, typically through websites, including companies involved in online retail activity (see related story below).
“We see non-breach privacy claims often for exposures involving data collection, wrongful collection, wrongful use,” said Meredith Schnur, New York-based U.S. and Canada cyber practice leader at Marsh.
Axa XL continues to see a steady volume of lawsuits, said Brooke Gartner, New York-based large loss specialist, cyber tech media group for the insurer.
Lauren Winchester, Philadelphia-based head of cyber risk services at Travelers, said, “Over the past three years, we have seen significant growth in privacy litigation related to website tracking technologies.” Plaintiffs have cited various state and federal laws in their allegations, including longstanding statutes such as the California Invasion of Privacy Act of 1967, the federal Video Privacy Protection Act of 1988 and other state wiretapping statutes, she said.
Coverage for the exposures may not be uniform across insurers.
Non-breach privacy coverage is a standard provision available in the cyber insurance market, but not every insurer offers it as part of its standard cyber liability policy, said John Grise, Bedford, New Hampshire-based executive vice president for Amwins Group. Some insurers include it in their base coverage, while others offer it as an optional endorsement or sublimit.
“It’s important for brokers and their clients to review policy language carefully to understand which NBP events, such as violations of privacy laws or mishandling of personal information without a data breach, are covered,” Mr. Grise said.
Ms. Long of Resilience said: “Many markets offer affirmative coverage under their cyber liability policy base form. Others take a more careful approach to the market and offer affirmative coverage via endorsement, conditioned upon additional underwriting information.”
Some insurers introduced exclusions after an influx of claims involving the VPPA and Illinois’ Biometric Information Privacy Act of 2008, said Daniel Woods, Edinburgh, Scotland-based principal researcher at cyber insurer Coalition.
Non-data breach privacy claims may be covered under cyber policies, but that depends on the allegations and the policy or endorsement language, as the language is not standardized across all cyber markets, said Ms. Winchester of Travelers.
“Some insurers have broad wrongful-collection coverage, some limit it to defense expenses only and some have exclusions that can limit coverage altogether,” she said.
Addressing such data privacy exposures is a primary function of cyber insurance, said Mike Colford, Berkeley Heights, New Jersey-based senior vice president, cyber product leader with Westfield Specialty.
“We’re actively underwriting to identify the potential non-malicious, non-breach-related privacy exposures,” he said. Such situations are “one of the big focuses of underwriters.”
Understanding how companies and organizations are managing their websites is critical, Mr. Colford said.
“What data is being collected, and if it is collected, is it being shared? How is it being shared? That’s a big focus of the underwriting community at this point,” he said.
Underwriters and other service providers can use AI tools to scrape policyholder privacy policies online and help ensure they contain the required disclosures, Mr. Colford said.
“We have firms that will go in and proactively go on your website and work with you to understand exactly what kind of technologies and software you have running on the website,” said Axa’s Ms. Gartner.
Policyholders are devoting more attention and resources to cyber privacy exposures, asking how best to evaluate privacy exposures so they know what the underwriters are seeing, said Ms. Schnur of Marsh. “The insurance community is starting to assist clients and customers with those types of helpful loss mitigation efforts.”
Such measures can bolster a company’s legal defense in a privacy claim.
“It’s not going to guarantee that you’ll completely stave off a third-party lawsuit, but it definitely puts you in a much more defensible position,” Ms. Gartner said.
Coalition’s Mr. Woods recommends that organizations remove unnecessary tracking tools; improve privacy policy disclosures and update them annually; and add an opt-in consent banner on the homepage.
“Companies should review their website code and remove pixels and other tracking technologies, particularly if unable to articulate a tangible benefit for their use,” said Travelers’ Ms. Winchester. “We scan for the use of pixels on our policyholders’ websites and alert them of the risk.”
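The website review and pixel scan described above, as an added example that is not code from the article or from any insurer named in it: a small scanner over a constructed HTML page that flags third-party script, image and iframe sources and 1x1 "pixel" images. The first-party hostname and the sample page are assumptions for illustration; real tracking inventories would also cover tags injected at runtime by scripts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class TrackerScanner(HTMLParser):
    """Collects <img>, <script> and <iframe> elements whose src is served
    from a host outside the first-party domain, plus any 1x1 image."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        # Relative URLs have no hostname; treat them as first party.
        host = (urlparse(src).hostname or self.first_party).lower()
        third_party = host != self.first_party and not host.endswith("." + self.first_party)
        is_pixel = tag == "img" and a.get("width") == "1" and a.get("height") == "1"
        if third_party or is_pixel:
            self.findings.append({"tag": tag, "src": src, "host": host,
                                  "third_party": third_party, "pixel": is_pixel})


def scan_html(html, first_party_host):
    """Return a list of findings for the page; an empty list means nothing flagged."""
    parser = TrackerScanner(first_party_host)
    parser.feed(html)
    return parser.findings


# Constructed sample page (hypothetical hostnames, not real trackers).
SAMPLE_HTML = """<html><body>
<img src="/img/logo.png" width="200" height="50">
<script src="https://cdn.shop-example.com/app.js"></script>
<script src="https://analytics.tracker-example.net/collect.js"></script>
<noscript><img src="https://pixel.tracker-example.net/tr?id=123" width="1" height="1"></noscript>
<iframe src="https://video.example.org/embed/42"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "shop-example.com"):
        print(f"{f['tag']:<7} third_party={f['third_party']} pixel={f['pixel']} {f['src']}")
```

Each flagged entry is a candidate for the "articulate a tangible benefit or remove it" review the article recommends; first-party subdomains such as the CDN are deliberately not flagged.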
As data privacy regulations proliferate, plaintiffs bar finds new opportunities
As governments worldwide continue to issue increasingly restrictive data privacy laws and regulations, they are creating new pathways through which resourceful plaintiffs attorneys can file claims for alleged privacy violations, sources say.
In the United States, the state law patchwork is aligning increasingly with the EU’s General Data Protection Regulation, which imposes statutory damages and obligations related to consent, transparency and data minimization, said Maria Long, New York-based chief underwriting officer for cyber insurer Resilience.
On Oct. 8, California Gov. Gavin Newsom signed AB 656, which requires social media companies to make it clear and easy for a user to delete their account, including complete deletion of the user’s personal data.
More regulation is creating more grounds for plaintiffs to bring actions, said Brooke Gartner, New York-based large loss specialist, cyber tech media group, for Axa XL.
The plaintiffs bar leverages the increase in laws and regulations surrounding consumer protection and non-breach privacy, according to Meredith Schnur, New York-based U.S. and Canada cyber practice leader at Marsh.
“The environment for claim activity continues to get worse,” she said.
Daniel Woods, Edinburgh, Scotland-based principal researcher at cyber insurer Coalition, said many claims allege violations of laws that were passed decades ago, such as the 1988 Video Privacy Protection Act, which was originally intended to cover video rental history.
