By Mia MacGregor

April 14 - (The Insurer) - Organizations need to sharpen their focus on the privacy side of cyber risk as claims related to wrongful data collection continue to climb, according to Anju Owad, senior vice president at Brown & Brown.

"Many claims in 2024 had risen from wrongful collections, making it a huge liability for organizations,” Owad said.

Wrongful collections typically refers to unauthorized tracking methods, such as pixel tracking, Google Analytics or Google Tags, used to gather user data without proper consent.

While many companies use these tools to monitor user behavior and sell the data, Owad noted that some may not even be aware they’re engaging in such tracking.

“Many companies collect information and sell it, and many don’t even realize they’re tracking in the first place. Then they face regulatory fines and penalties because there are rules for tracking that you have to adhere to.”

Cyber insurance policies have long been divided between coverage for security and privacy risks. However, the industry's attention has skewed toward security in recent years amid a surge in ransomware attacks, Owad said.

“It’s always been that way,” she noted. “But since we’ve been hit by so many ransom attacks, there’s been such a focus on security. From my perspective, companies also need to pay attention to privacy.”

Owad emphasized that privacy-related liabilities are growing more complex due to the patchwork of state-level regulations.

“If a company wants to use tracking tools, they have to follow state-specific laws, which can be very complicated depending on where they or their customers are located,” Owad said. “There are both intentional and unintentional cases of wrongful collection.”

Owad warned that organizations often underestimate the legal risks in their rush to gather data.

“With all these companies wanting to collect as much information as possible; user data is like a gold mine, they’ll try to figure out ways to gather it.”

That drive to collect comes with heightened risks, especially when it involves user behavior data, she explained.

“User behavior is also considered biometrics. You can’t burn off your fingerprints, but you can easily change your email address. So there’s a lot more scrutiny on how companies handle biometrics and user behavioral data than anything else.”

More states are tightening regulations around biometrics, increasing penalties for mishandling user data, she said.

“A lot of states are taking a closer look at biometrics and putting in harder fines and penalties for companies that are not looking at how they're collecting their data, and it's starting to become a huge problem,” Owad said.

“Organizations often don’t realize they’re the culprit. They either don’t understand the rules, or they don’t know how to manage and protect the data they’re collecting.”