The following is an editorial by Alicja Grzadkowska, senior news editor at Insurance Business. To reach out to Alicja, email her at firstname.lastname@example.org.
Forget the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) – the latest battle over privacy risks that the insurance industry should be paying attention to is the one that has pitted a world leader against an immensely popular social media app.
For weeks now, the hundreds of millions of people using TikTok outside of its home base of China have been watching as the fate of the app in the US and other countries is being determined. The US government’s main beef with the app, and why it’s moving to ban it, has centred on TikTok’s ownership by a Chinese firm, which government lawyers have argued represents an immediate danger to national security. The app’s parent company ByteDance is based in Beijing, and the Trump administration has claimed that the app’s American user data risks ending up in the hands of the Chinese government – a claim that TikTok has denied.
At the same time, ByteDance has been involved in a settlement around consumer privacy litigation that has exposed it to hundreds of millions of dollars in damages in the US and involved claims that the app unlawfully recorded facial-scan images of children and sent confidential information about adult users to China, according to a filing in Chicago federal court cited by Bloomberg.
Then, over the past weekend, a federal judge in the US partially granted TikTok’s request for a temporary injunction against the Trump administration’s attempt to ban the app in the country, reported Bloomberg. The move effectively blocked the US government’s ban on downloads of the app only hours before the policy was set to take effect. This is happening all while the application scrambles to find a commercial partner that would allow it to continue operating in the US.
While it has become the centre of attention in this saga, the US isn’t the only country that’s been scrutinising TikTok. At the end of June, India banned TikTok, and, just last week, the general manager of TikTok Australia and New Zealand had to reassure a parliamentary hearing about the security of the app’s data. Concerns about the security of the app have likewise cropped up in Europe, though there’s been little action to investigate or ban the app on the continent so far.
The debates around how serious a privacy risk TikTok actually presents have many layers to them, and, in many cases, encircle other social media applications that gather and use people’s data with what is sometimes reckless abandon. Nevertheless, TikTok’s expansion, and the political controversies it has sowed, have underscored the rise of a new risk in the cyber and privacy landscape, as well as the importance of regulations to protect users’ rights and privacy, such as the GDPR in Europe, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, state-specific legislation in the US, and the mix of federal, state and territory laws used in Australia to regulate data privacy and protection.
There’s a lot to be gleaned from this developing regulatory environment where an increasingly harsh light has been shone on companies that either don’t adequately safeguard their users’ information or misuse it. In fact, some experts have predicted that the next cyber storm on the horizon involves the wrongful use or wrongful collection of data. However, insurers are somewhat tentative about providing coverage for wrongful use or wrongful collection of information because it’s an evolving risk, which in turns presents challenges on the cyber insurance front, in terms of adequately protecting companies from the financial losses that could arise.
As a result, brokers and agents have their work cut out for them, to not only understand how cyber policies are evolving to adjust to a changing risk landscape, but also to explain to clients how their policies work and, importantly, what they don’t cover.
“I think people expect their cyber policies to do a lot more than they actually do,” Nick Economidis, vice president, eRisk at Crum & Forster, recently told Insurance Business. “They expect their cyber policy to cover everything to do with their computer system, and so lots of people try to make claims for things that are far beyond the intention of the policies.”
While it may seem like the privacy issues floating around TikTok have little to do with your insureds, the controversy is a good reminder of the growing consumer and political disillusion towards misuse of data, the reputational as well as financial risks that this environment can introduce, and the potential gaps that exist in cyber policies to address this threat.
It’s also a learning opportunity for the insurance industry about the need to be fast-moving in identifying new privacy and cyber-related challenges, and providing relevant risk transfer solutions to clients, while also passing along useful risk mitigation tools so that insureds understand what the wrongful use and/or collection of data looks like within their own operations, and the consequences of not respecting regulations.
By staying ahead of the privacy curve, insurers can demonstrate their value and help clients avoid – in the worst-case scenario – becoming the next target of governments around the world.