Article

The price of privacy risk: Managing the wide range of data exposures

The pace of adoption of new technologies coupled with evolving regulations worldwide is reshaping the privacy risk landscape. Companies that once felt prepared for and compliant with existing privacy standards may find themselves lagging in a dynamic and increasingly stringent regulatory environment. Managing privacy risk is a crucial component of an effective cyber risk strategy, and many companies are addressing the challenges proactively. However, many organisations face significant hurdles as they strive to understand, quantify, and mitigate the impacts of privacy risk.

The old adage “knowledge is power” holds true in a world increasingly driven by, and in competition for, data. With real-time insights and analytics come valuable opportunities for strategic decision-making and innovation — but also risks related to the proper collection, use, and dissemination of the underlying data.

Many organisations are now appointing chief privacy or data protection officers who report outside of typical risk management functions, often partnering with cybersecurity teams and initiatives. These leaders are typically charged with designing a privacy strategy to ensure proper handling of data — including compliance with existing, changing, or emerging regulations — to protect their companies’ and clients’ information and avoid potential penalties and/or lawsuits.

However, even businesses that are taking action to counter privacy risk may have significant work to do to quantify and mitigate potential impacts at the enterprise-wide level.

Privacy risk extends beyond data breaches

Privacy risks and data breaches are related concepts, but their scope and definitions differ. Historically, privacy risk has been tied exclusively to data breaches: specific security incidents in which unauthorised access to sensitive data occurs, leading to the exposure, theft, or loss of that data.

However, in today’s highly litigious and regulated environment, privacy risk casts a wider net, including the unauthorised or wrongful collection, use, disclosure, or destruction of confidential information that may threaten the privacy of individuals or an organisation at large.

These risks can materialise in the absence of a data breach — for example, if an organisation mishandles the data collection process — and yield significant losses from regulatory and legal fallout. Many organisations unintentionally mishandle data or are unaware of regulatory stipulations that could threaten their operations.

Some common examples of privacy risks include:

  • Outdated or unstructured data collection and storage methods
  • Lack of informed consent or transparency around data use or retention
  • Wrongful use of employee, client, or confidential data by third parties
  • Unauthorised access to data

These risks can be exacerbated by the use of generative AI systems. For example, as generative AI systems increasingly produce believable, realistic outputs, it can become more difficult for individuals and companies to discern real requests from phishing or other cyberattacks.

What is sensitive information?

Typically, the three main categories of sensitive information include:

  • Personally identifiable information (PII): Any information that can be used to identify an individual, including their name, address, Social Security number, or email. This can also include biometric identifiers or geolocation data. Note that the precise definition of PII varies between privacy regulations.
  • Protected health information (PHI): Any information related to an individual’s health condition, provision of healthcare, or payment for healthcare services.
  • Payment card information (PCI): Any information related to the security of credit, debit, and cash card transactions, as covered by the standard established to protect sensitive financial information during transactions, the Payment Card Industry Data Security Standard (PCI DSS).

A good example of the complexity of privacy risk relates to biometric technology, which measures and analyses an individual’s unique physical characteristics or behaviours for identification and authentication. The Biometric Information Privacy Act (BIPA), enacted by the state of Illinois, is among the most stringent biometric laws in the US, regulating private entities’ collection, use, and handling of biometric data. Many other states have also introduced or enacted similar legislation governing the collection, use, and storage of biometric information.

As this technology evolves and is increasingly integrated into service delivery and business functions, regulations will continue to change, as will organisations’ exposures. Many insurers are beginning to notice an uptick in claims surrounding the use of biometric identifiers.

Underappreciated privacy breach costs

In recent years, privacy liability claims have increased, as have settlement values. Although many privacy-related lawsuits have yet to go to trial, the associated legal expenses, fees, and settlements have become more frequent and are imposing real financial costs on organisations.

While ransomware events tend to gain significant media attention, it is also important to note that whenever a breach of data occurs, regulatory action and litigation costs nearly always follow. And in ransomware cases — regardless of whether an organisation pays a ransom — the average cost of recovery is now 10 times the size of the ransom payment.

One common way to quantify a breach is the cost per record, or the average amount that each breached item costs. So, if there are 100 records breached and the total cost is US$1,000, that’s US$10 per record.

But cost per record can at times be misleading. Marsh McLennan’s Cyber Risk Intelligence Center (CRIC) has found that the cost of an incident is not a linear function of the number of records: it has high initial (fixed) costs, and the marginal cost per additional record decreases as the number of records increases.

For example, consider a breach of 10,000 records. The CRIC has found this will almost always result in a cost of US$10,000 or more, or US$1+ per record. If that rate were extrapolated linearly, it would suggest that a breach of 10 million records would cost US$10 million or more. However, analysis shows the costs would only reach that level 1% of the time, and would more often be in the US$100,000 range.

Such analysis becomes critical in deciding where to invest limited resources in building a company’s cyber resilience strategy.

Dark web presence increases cybersecurity risks

Recent research from Marsh McLennan’s Cyber Risk Intelligence Center and Searchlight Cyber focused on the correlation between a company’s cybersecurity risk and its exposure on the “dark web,” a part of the internet used extensively as a communication channel by cybercriminals.

The research found a statistically significant correlation between how often a company’s name was bandied about on the dark web in forums and other areas and an increased likelihood of cyberattack. “Put simply: the presence of any dark web findings related to an organisation — without exception — was associated with a higher likelihood of a breach.”

The analysis demonstrated that external threat factors are significantly correlated with cybersecurity incident frequency — including privacy breaches.

Three privacy risk mitigation strategies

It’s important to keep privacy risk from getting buried beneath other priorities within an organisation’s broader cybersecurity approach. Below are three strategies to help risk leaders and executive committees elevate privacy risk on the agenda and address it within an understand, measure, and manage framework.

1. Understand: Know your regulatory environment

The collection, use, disclosure, and destruction of information is handled and regulated differently depending on your state, nation, or region.

The Global Privacy Law and Data Protection Authority (DPA) Directory is an online resource that compiles information about privacy laws and data protection regulations worldwide, including legal frameworks, key provisions, and authorities responsible for enforcing these laws. For example, the General Data Protection Regulation (GDPR) is a comprehensive law that seeks to unify regulations around data privacy across the EU.

In the US, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law designed to safeguard individuals’ PHI, although data protection in general tends to be regulated by industry, sector, and state. California, for example, created the California Consumer Privacy Act (CCPA), which has many similarities to the GDPR but only applies to state residents.

In Latin American and Caribbean countries, stringent data privacy laws have been relatively uncommon, but that is changing. For example, Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados (LGPD), introduces new regulations around how internet users and businesses in Brazil collect, process, and use personal information.

In the Middle East, the United Arab Emirates, Saudi Arabia, Oman, Jordan, and Egypt have issued their own personal data protection laws at varying stages of implementation and practical application. Many Middle Eastern jurisdictions plan to follow suit, issuing new standalone data protection laws for the first time or updating existing laws to align with international best practice amid increased governmental support for personal data protection and privacy rights.

Data protection regulations go global

More than 130 countries have data protection laws with new laws regularly being introduced. These include, but are not limited to:
  • Personal Information Protection Law (China)
  • Personal Data Privacy Ordinance (Hong Kong)
  • Privacy Act
  • General Data Protection Regulation (European Union)
  • Swiss Revised Federal Act on Data Protection (Switzerland)
  • Digital Personal Data Protection Act (India)
  • Personal Data Protection Law (Kingdom of Saudi Arabia)
  • Protection of Personal Information Act (South Africa)
  • General Data Protection Law (Brazil)
  • Personal Data Protection Law (Mexico)
  • Personal Data Protection Law (Chile)
  • Personal Data Protection Law (Colombia)
  • Privacy Act 1988 (Australia)
  • Privacy Act 2020 (New Zealand)
  • Data Protection Act 2018
  • California Consumer Privacy Act
  • Health Insurance Portability and Accountability Act

2. Measure: Model the risk, quantify its financial impact

Another piece of mitigating privacy risks is to conduct a risk and impact assessment to evaluate how your organisation is collecting, using, and disseminating data. Organisations then need to go a step further than simply identifying their exposures, and demonstrate the financial implications of privacy incidents. Privacy risk modelling and quantification typically involve:

  • Taking inventory of all data handling processes, including how sensitive information is collected, used, and shared.
  • Mapping data flows to understand how information moves within and outside of an organisation.
  • Developing tabletop exercises that test multiple scenarios, including standalone privacy events as well as data breaches or other cyberattacks, and a wide range of factors — for example, the type of sensitive information involved, or the number of records breached. For each scenario, estimate the associated costs, including legal, operational, and reputational.
  • Comparing hypotheticals with industry standards and historical data to gain a clearer picture of potential fines associated with regulatory non-compliance, the costs of implementing necessary compliance measures, or past coverage limits and deductibles that may inform out-of-pocket expenses.

The assessment should also evaluate the risks associated with third parties, especially considering that 60% of organisations work with more than 1,000 of them.

The following questions provide a valuable starting point for examining third-party risk, especially for organisations that rely on vendors for technology, goods and services, or information-sharing related to clients or employees:

  • What is your process for vetting third parties?
  • How are your third parties using the data you provide, whether it’s related to your employees, clients, services, or other areas?
  • How much visibility do you have into their data handling practices?

3. Manage: Emphasise cross-functional risk management and transfer

Privacy risk exists in the context of a wide spectrum of cybersecurity concerns. As always, progress in managing the risk is a cumulative effort — risk managers and cybersecurity leaders need to collaborate and align under one strategy.

From conducting regular privacy risk checkups to developing and educating teams about privacy incident response plans, the key to alignment is developing shared understandings across the business. The right stakeholders need to know what to do — and when and why — if a privacy risk escalates.

Tabletop exercises are one effective way to ensure cross-functional coordination in the event of a privacy incident. Properly designed tabletop exercises should test multiple scenarios, including standalone privacy events, data breaches, and other cyberattacks.

Many privacy incidents involve employee or client information, reinforcing the need to involve HR leaders and stakeholders from across the organisation. Engaging a third-party risk advisor can help you measure privacy risks with greater accuracy and efficiency, while also ensuring privacy risk remains an ongoing priority. By demonstrating a commitment to data protection and privacy, you may also show employees and clients that you are doing your due diligence to maintain a safe and responsible work environment.

These risk management strategies should work in tandem with a thoughtful risk transfer strategy to ensure you are adequately protected against potential losses. The risk quantification exercise can help inform your risk transfer approach by thoroughly evaluating your privacy exposures and helping secure specific, comprehensive insurance coverage.

Similarly, reducing the likelihood and impact of a loss from a privacy risk should include verifying that the third parties you work with have adequate coverage and privacy practices to meet the needs of your organisation.

Good cyber hygiene begins with consistency

By prioritising cross-functional collaboration and a comprehensive approach to cyber risk management, organisations can protect and properly handle sensitive information, while building organisational resilience.

Leaders can help establish a culture of strong cyber hygiene, including through regular audits of data handling practices, employee training on privacy policies, and enterprise-wide education around compliance with relevant regulations. This approach should be revisited regularly, with tabletop exercises performed at least annually given the dynamic privacy environment.

The ability to adapt, remain accountable, and explore new opportunities for improvement will be a competitive edge, now and into the future.

To learn more about the implications of privacy risks and how best to manage them, speak to your Marsh representative.