Bringing Data Privacy and Cyber Insurance Together with Bitsight
Background
The cyber insurance industry continues to face challenges related to traditional cyber security risks and, more recently, data privacy risks. In many cases, traditional cyber insurance policies may cover legal fees or costs related to a data privacy infringement. Organizations not only get hit with class action lawsuits following incidents like a breach of PII/PHI, but are also seeing demand letters from law firms that are looking to protect their clients from any possible disclosure of their sensitive data.
This is why Bitsight and Lokker have partnered to bring the Cyber Insurance industry’s first unified data privacy risk and cybersecurity underwriting solution to market. We both firmly believe that this partnership will provide underwriters with a unified workflow within Bitsight whereby they can address all critical, externally observable elements necessary to manage their loss ratios, whether from data privacy or more traditional cyber events.
What’s new?
Bitsight and Lokker are proud to introduce visibility of this data, combined with actionable insights, into the Bitsight platform, available to all of its Cyber Insurance customers through a standard subscription.
The insights are delivered as a downloadable PDF report analyzing current regulatory trends and emerging risk areas. The Privacy Risk Assessment Report is designed to identify privacy threats and guide mitigation efforts, offering valuable support to underwriters, brokers, and organizations. The evaluation focuses on eight key categories:
1. Social media risks
The audit flags social media pixels, such as those from Meta, LinkedIn, and TikTok, embedded on websites. This is particularly concerning for healthcare sites that collect sensitive data, as these pixels pose legal risks like HIPAA violations and unauthorized data sharing. Many class-action lawsuits have targeted websites using these pixels.
2. Restricted geographies
Identify data requests originating from countries of concern, such as China and Russia, to prevent unauthorized access or misuse of sensitive consumer data. These efforts align with U.S. regulatory policies, including the 2024 Executive Order restricting data access from these regions.
3. Wiretapping risk
Session replay tools that may violate laws like the California Invasion of Privacy Act (CIPA) are flagged for tracking user behavior without explicit consent. These tools have been linked to a surge in lawsuits, with potential penalties reaching $5,000 per violation due to the private right of action.
4. High number of third-party domains
The audit flags websites with a high number of third-party tools and identifies any that are known to pose risks. A large volume of third-party domains reduces control over data sharing and can increase the likelihood of breaches.
5. Video Privacy Protection Act (VPPA)
Identify instances where video-watching behavior is shared without user consent, helping websites avoid violations of the VPPA. The statute’s private right of action has driven a rise in lawsuits, with potential penalties reaching $5,000.
6. Global Privacy Control (GPC)
Check for compliance with privacy signals like Global Privacy Control (GPC), which allows users to opt out of data collection through browser settings. While GPC is not yet legally mandated, it is expected to gain regulatory backing as privacy legislation evolves.
7. Consent management
Detect missing or malfunctioning consent managers, helping websites adhere to opt-out or stricter opt-in requirements under emerging privacy laws. Proper consent management is also critical to avoiding violations deemed unfair or deceptive under consumer protection statutes.
8. Sensitive data scan
The audit checks for the unauthorized sharing of sensitive data, such as Protected Health Information (PHI) or Personally Identifiable Information (PII), with third parties. This ensures adherence to data-sharing best practices and reduces the risk of breaches.
The bottom line: Privacy risks are complex, and mitigating them often requires specialized expertise. This report not only identifies key privacy risks but also provides the detailed insights necessary to address and mitigate them effectively.
Who benefits?
- Insurers are better able to manage their data privacy risk alongside traditional cybersecurity risk. By leveraging the privacy risk data, insurers gain precise insights into privacy vulnerabilities, helping reduce claims and losses while enhancing privacy protections for insureds during renewals.
- Brokers are more capable of preparing their clients to procure a cyber insurance policy at the best price.
- Organizations, the insured, can use the report to identify and address privacy risks and vulnerabilities. Proactively mitigating these risks can lead to lower premiums, reduced exposure to fines, breaches, and lawsuits, and stronger overall compliance.
If you’re interested in learning more, please reach out at bitsight.com/cyber-insurance-demo
