How well do your clients know their data privacy risks?

Firms under tougher scrutiny amid wave of class-action suits

By Gia Snape

How well are organizations protecting their customers’ private data?

It’s a tricky question, but one that brokers need to ask their clients as class-action lawsuits and state regulatory actions on consumer data privacy continue to escalate.

One CEO warned that firms of every size and industry are under greater scrutiny for the use of third-party trackers that collect user information, increasing their cyber and liability exposures.

“Since cloud software has become more common, propagation of our data to third, fourth and fifth parties has grown completely out of control,” said Ian Cohen, CEO of LOKKER, a software technology company specializing in online data privacy and compliance products.

To help organizations better understand their data privacy risks, the Silicon Valley-based firm launched an assessment tool called the LOKKER web privacy risk score.

The tool assigns businesses a numeric rating based on their potential risk of privacy violations relating to the collection and sharing of customers’ online data.

Why is data privacy so complex for organizations?

Cyber insurance providers are increasingly coming up against higher claims from litigation and settlements.

Data privacy breach class-action suits against some of the biggest US companies in recent years have reached well into the millions of dollars.

Complicating matters is the fact that, while most Americans want to keep their data private, they also don’t truly understand what companies do with their data.

A recent survey by the Annenberg School for Communication found that a majority of users (more than 75%) aren’t aware that the federal government doesn’t regulate user data collected by businesses.

The study suggests users might implicitly be surrendering their information without informed consent.

“The issue is that many trackers are difficult for organizations to see or manage, and asking users to opt-in or out of hundreds of trackers is unreasonable,” Cohen said.

For the CEO, the best way to prevent claims is for companies to shore up their data privacy defences, which can start with a holistic understanding of their risks.

“When we looked at the top 20 cyber insurers, we saw that their loss ratios are all over the map. If they can't price the risk, insurance companies are going to start excluding things,” he told Insurance Business.

“We need to get a handle of data privacy risks and figure out a way to explain, quantify and protect against it.”

Tracking web trackers a ‘blind spot’ for companies

Though most companies have good intentions with their customers’ data, some are simply unaware of how many trackers, cookies, and other applications operate within their websites, and the potential privacy liabilities they create.

“The company can't see or control what's going on beyond their third-party software,” said Cohen.

“That means on a page like a hospital website, data is inadvertently shared with a third party that uses other third parties. Those third parties use other third parties, and it just grows exponentially.”

How does LOKKER determine privacy risk?

LOKKER used over 170,000 websites to generate its privacy risk score, analyzing seven well-known privacy risks:

  1. Presence of known malware such as data skimmers
  2. JavaScript that collects and transmits data to third parties
  3. Presence of session replay tools
  4. Third-party tracking scripts such as ad tracking and cross-site tracking
  5. First- and third-party cookies
  6. Consent management/cookie banner
  7. Third-party requests from foreign domains

Each web page is scored individually, and the average is used to determine the overall site score, the company said. The higher the score (as low as 0 and as high as 1,000), the higher the website’s privacy risk.

The score also has adjusted weighting for the various risk types based on the third-party scripts’ function, frequency, and location. 

Cohen is confident that the scoring tool will also aid insurance companies in assessing data privacy risks and make the underwriting process more transparent.

“The score makes [assessment] very fast, so it bypasses a lot of manual questions,” he said. “It breaks the risk down into specific factors.”
