Midway through the NetDiligence panel “Wrongful Use and Inadequate Disclosure,” speaker Chris Keegan (Beecher Carlson) offered a remarkable statistic – the amount of data collected in the past two years is greater than all the data collected to that point in history. Fellow panelist John Yanchunis (Morgan and Morgan) called this trove “the oil of the 21st century” – a commodity of unprecedented value. With those ideas in mind, the panel set out to tackle the emerging issues around data collection and to explore how insurance companies must address potential misuse against a backdrop of increased litigation and regulation.
Moderator Mark Mao (Boies Schiller Flexner) led with an invitation to Yanchunis to sum up how litigation has begun to shape this “Wild West” of data collection. Yanchunis stressed that lawsuits have relied on legal definitions of privacy established in 19th century case law, now being retrofitted for the 21st century. It has been difficult to even establish standing to prevent data collection, because standing typically relies on proof that harm has already occurred. However, increased legislation seems likely to follow the passage of CCPA, and Yanchunis predicted that more class actions will be certified as a result.
With the prospect of legal damages and regulatory fines on the horizon, companies will look to cyber insurance to cover these losses. Panelists Laurie Kamaiko (Saul Ewing LLP), Richard Sheridan (Berkley Cyber Risk Solutions), and Chris Keegan turned the discussion to how insurers must approach the question of misuse. Kamaiko recommended investigating the initial data collection – what is the purpose of the data, and is the collector the one misusing? Or is the misuse a result of some third-party relationship? Knowing the answer to that question can help match the policy to the potential conduct. Sheridan added that policies may have a number of ways to deal with wrongful collection – through exclusions, explicit inclusion, or sublimits. Keegan predicted that new statutes will lead to explicit coverage, but that intentional violation of statutes by senior executives may be excluded as these actions may be considered business practices.
Discussion of recent lawsuits laid open a number of issues that would affect coverage. What makes data “personal”? Is the collection authorized and is it shared with outside parties? What if data is shared with a third party for one purpose, but the third party uses it for another? Can data use practices be defined as business policy? If there is harm, was the harm intentional, and – equally important – foreseeable? What are the limits of consent when data is collected from a minor?
The panel agreed that companies expect cyber coverage to extend to wrongful use. Additionally, as Sheridan pointed out – as regulations expand and judges become more sympathetic to privacy class actions, insurers may need to reassess how to write and price coverage to account for new uses, potential misuses, and increased loss.