Thursday, 20 August 2020 20:06

Wrongful Use of Data: The Next Cyber Storm Brewing on the Horizon

Written by Bethan Moorcraft, Insurance Business Magazine


Two of the big ones at the moment include the European General Data Protection Regulation (GDPR), which has extra-territorial reach that applies strict regulation on any company offering goods or services to EU residents or monitoring the behavior of EU residents, as well as the California Consumer Privacy Act (CCPA), the strictest privacy law to be enforced in the U.S. so far.


“As these laws go into effect, we’ll start to see regulators looking to enforce them. They’ll probably start with some soft enforcement, but then I think they’ll start looking for people that they want to make examples out of,” said Economidis. “Regulators often target the larger entities first, but then they’ll go after smaller entities if they feel they aren’t managing the law the way they want it managed. They want to set some examples and put some precedents in the world, and I think we’ll soon start to see that more clearly with both GDPR and CCPA.


“Closely following that, I think we’re going to see some attorneys, particularly plaintiff class action attorneys, looking at these privacy laws and trying to figure out how they can put these laws to use. I think they’re going to go after people in the market that they think are examples of the worst behavior, or at least examples of behavior that they don’t want to see continued in the market.


“As they do that, I think we’re going to see more and more litigation around what is fair use and what is fair collection of information---and that litigation is going to be expensive, and someone’s going to have to pay for it.”


When asked whether he felt insureds really understand the connection between data collection, data security and the cyber insurance policy, Economidis said a lot of insureds overestimate the reach of a typical cyber policy.


“I think people expect their cyber policies to do a lot more than they actually do,” he told Insurance Business. “It’s like automobile insurance, where people expect their automobile policy to cover everything to do with their automobile. It’s the same when it comes to cyber; they expect their cyber policy to cover everything to do with their computer system, and so lots of people try to make claims for things that are far beyond the intention of the policies.


“Historically, when cyber policies first came out, they were limited to a failure of computer security, and very specifically a failure of the insured’s computer security,” he said. “They have broadened out significantly over time, partly because customers kept trying to make claims for things that were not covered. They just saw the word cyber and thought that gave them protection for all cyber-related risks.”