Data privacy claims on the rise as evolving regulation, wave of litigation and AI shape future risk landscape
By Michael Daum and Rishi Baviskar
Cyber claims have continued their upwards trend over the past year, driven in large part by a rise in data and privacy breach incidents.
The frequency of large cyber claims (>€1mn) in the first six months of 2024 was up 14% while severity increased by 17%, according to Allianz Commercial claims analysis. This followed a 41% increase in frequency but just a 1% increase in severity during 2023. Data and privacy breach-related elements are present in two thirds of these large losses.
The growing significance of data breach losses among cyber insurance claims is driven by a number of notable trends. A rise in ransomware attacks including data exfiltration is a consequence of changing attacker tactics and the growing interdependencies between organizations sharing ever more volumes of personal records.
At the same time, the evolving regulatory and legal environment has brought an uptick in so-called ‘non-attack’ data privacy-related class action litigation, resulting from incidents such as wrongful collection and processing of personal data – the share of these claims has tripled in value in two years alone. Looking forward, growing reliance on artificial intelligence (AI) has the potential to turbo charge exposures, although AI will also become an essential tool in fighting cyber-attacks.
‘Non-attack’ claims increase as privacy litigation ramps up
The rise in ‘non-attack’ data privacy claims is the consequence of developments in technology, the growing commercial value of personal data, and a developing regulatory and legal landscape. For example, unlike the EU’s General Data Protection Regulation (GDPR), privacy regulations in the US are less prescriptive and open to interpretation, while plaintiff lawyers are hungry for potential sources of revenue. This is creating a grey area that is ripe for class action litigation.
We are seeing more data privacy breach claims in the US where there is a growing trend for class action litigation against large US and international corporations related to privacy violations, such as around consent and data usage. The cost of some of these claims can be even larger than a ransomware incident, in the hundreds of millions of dollars, not including the cost of reputational damage.
Over the last year in particular, data breaches have emerged as one of the fastest growing areas of US class action litigation. Over 1,300 were filed across a wide range of data privacy regulations in 2023, more than double the number filed in 2022 and four times that filed in 2021, according to law firm Duane Morris.
Multiple class action lawsuits have been launched against organizations for using tracking tools such as Meta Pixel to monitor consumer behavior. Meanwhile, entertainment streaming platforms have been targeted with class action lawsuits alleging that they may have violated privacy protection rights.
Large data breach events can also evolve into hyper litigation, with one event triggering a slew of class actions. More than 240 lawsuits related to the 2023 MOVEit data breach were consolidated into a single Multidistrict Litigation in October 2023. And with large numbers of claimants, there are incentives for parties on both sides to settle. The top 10 data breach class action settlements last year totaled $516mn, a significant increase over the $350mn recorded in 2022.
In many jurisdictions, data breaches must be notified and communicated as soon as possible, which brings an incident to the attention of plaintiff attorneys, which are quick to raise enquiries and launch a class action. It’s a double edge sword. We need companies to be able to talk about what has happened, but transparency can also lead to explosive media attention and litigation.
The risk of data breach litigation is also growing in Europe. Heightened awareness of data protection rights, a rise in the availability of third-party litigation funding, and a more consumer friendly litigation environment could make mass data privacy claims a reality, albeit not on the same scale as the US.
Data exfiltration: a game changer for data breach claims
The past 18 months has seen several high-profile mass-data exfiltration cyber-attacks – including MOVEit, MGM, T-Mobile, Change Healthcare and Snowflake – that have resulted in the theft of records belonging to hundreds of millions of individuals, triggering class action litigation and increasing pressure for companies to pay large extortion demands.
The rise in data exfiltration has been a game-changer. It is now a well-established method of cyber extortion. Even if you have a backup, your data is effectively lost as the attackers have a copy and will threaten to publish on the dark web.
Typically, what starts as a ransomware loss escalates into a data privacy event, once it is revealed that attackers have stolen personal data. This can lead to a large claim involving regulatory fines, notification costs and potentially third-party litigation, in addition to extortion demands, first party costs and any potential business interruption from the ransomware attack.
Even a lesser discussed cost, such as the cost of postage for notifications that there has been a breach can result in significant costs. For example, the cost of mailing a paper letter to 50 million people alone, can be somewhere in the region of US$20mn+.
AI to power future data privacy breaches
The use of AI by businesses and public bodies is growing day by day, with almost every industry using applications. Almost two thirds (65%) of organizations say they regularly use AI, nearly double the number from a year ago, according to a McKinsey survey.
AI relies on the collection and processing of vast amounts of data, including personal, health and biometric information, for training AI models and making accurate predictions or recommendations. AI is also integral to some technologies, such as personal assistants, for surveillance, tracking and monitoring systems, chatbots and driverless vehicles.
Given these developments, AI can create potential privacy and security risks if not properly managed. With so much data being collected and processed, there is a risk that it could fall into the wrong hands, either through hacking or other security breaches. There are also concerns around potential breaches of privacy laws, such as whether organizations have proper consent to process data through AI. It will take years until AI regulation is well developed. Until then, organizations face a phase of elevated uncertainty, and the risk of data privacy related losses will be above normal levels.
Different AI applications carry varying degrees of risk. AI-use cases that focus on consumer products and services – such as chatbots or generated content – are likely to bring a higher degree of data privacy risk than administrative applications, such as automation of internal processes.
Doubling down on cyber security, data protection and privacy
Against this backdrop, businesses large and small must redouble their efforts to protect data. Despite a general trend for increased investment in cyber security in recent years, many data breaches, including some of the largest over the past 18 months, are the result of weak cyber security within organizations and/or their supply chains.
Data breach risks are best mitigated through good cyber hygiene, including strong access controls, database segregation, backups, patching and training. In addition, there are further measures that help protect personal data, such as breach and attack simulation tools, which can help identify cyber security weaknesses, breach response and crisis management. Vendor cyber security oversight, including regular audits, is an increasingly important aspect of good cyber security, and an area where many companies need to improve.
Early detection and response capabilities are also key. Around two thirds of breaches are typically reported by a third party or by the attackers themselves. Cyber breaches that are not detected and contained early can be as much as 1,000 times more expensive than those that are.
AI is becoming an essential tool in the fight against cyber-attacks, as it can quickly identify a security breach and automatically isolate systems and databases, as well as having the potential to significantly reduce the cost and life cycle of a data breach claim by automating and speeding up tasks, such as forensics and notifications. Organizations that deployed cyber security AI and automation reduced the cost of a data breach by around $2mn on average, according to IBM.
The insurance industry must also step-up its focus on data privacy, replicating recent successes in ransomware, where insured losses are still significant but have stabilized, as improved cyber security and backup strategies have helped insured companies better withstand attacks. This means providing loss prevention and mitigation advice to this increasingly important area of cyber exposure.
Michael Daum is Allianz Commercial Global Head of Cyber Claims, and Rishi Baviskar, Allianz Commercial Global Head of Cyber Risk Consulting.
