Data privacy claims on the rise

Evolving regulation, wave of litigation, AI shape future risk landscape
Michael Daum & Rishi Baviskar
Cyber claims have continued to rise, largely due to an increase in data and privacy breach incidents.
In the first half of 2024, large cyber claims increased by 14%, with the severity of these claims up 17%, according to an analysis by Allianz Commercial.
Data and privacy breaches were a key factor, involved in two-thirds of these large losses. The surge is driven by a combination of evolving ransomware attacks, which now frequently involve data exfiltration, and an uptick in class-action privacy litigation. Both trends have significantly impacted the cyber insurance landscape, making data breach claims more prevalent and costly.
The rise of "non-attack" data privacy claims has become particularly notable, driven by wrongful data collection practices and increasing regulatory scrutiny.
In the US, privacy-related class actions have soared, with over 1 300 cases filed in 2023, more than double those in 2022. US corporations face growing litigation risks over consent and data usage violations, often with claims reaching hundreds of millions of dollars. Unlike ransomware attacks, which can have a defined timeline, privacy-related class actions can evolve into lengthy and costly legal battles, further increasing financial exposure.
Data exfiltration, where cybercriminals steal personal or corporate data and threaten to publish it unless ransom demands are met, has become a game changer. Many ransomware attacks now include a data privacy component, as attackers combine traditional encryption tactics with data theft.
This results in not only extortion demands but also potential regulatory fines, notification costs, third-party litigation, and the threat of business interruption. High-profile data exfiltration events, such as the MOVEit breach, have resulted in large-scale class actions and significant settlements, highlighting the growing severity of this attack vector.
Further complexity
Artificial intelligence (AI) adds a new layer of complexity to the evolving cyber risk landscape. AI relies on the collection and processing of massive amounts of data, including sensitive personal and biometric information, for training algorithms and making predictions. While AI is becoming a critical tool for organizations in fighting cyber-attacks—able to detect breaches, isolate systems, and automate response efforts—it also heightens privacy concerns. The misuse of AI in areas like chatbots, surveillance systems, and data-driven consumer products increases the risk of privacy violations and data breaches. Moreover, the regulatory framework around AI is still evolving, leaving organizations with increased uncertainty and exposure to litigation.
To address these challenges, businesses must strengthen their cyber hygiene by implementing robust access controls, database segregation, regular security audits, and breach simulation tools. Early detection and response capabilities are crucial, as breaches that are not contained early can be exponentially more expensive. AI can aid in these efforts, automating tasks like forensics and breach notifications, significantly reducing the life cycle of a data breach claim.
Insurers must also adjust, focusing more on data privacy risks. By providing clients with loss prevention and mitigation strategies, insurers can help companies minimize the impact of privacy breaches, mirroring their success in addressing ransomware threats. Strong cybersecurity, combined with ongoing vigilance, is essential to reducing the growing risk of data privacy and cyber-attack-related losses.
*Michael Daum is the Allianz Commercial Global Head of Cyber Claims, and Rishi Baviskar is the Allianz Commercial Global Head of Cyber Risk Consulting.