After learning through recent news reports that more than 50 million Facebook users unknowingly had personal data from online profiles shared with a data mining firm, consumers are scrambling to review personal information shared on their own social media accounts.

This developing scandal will likely prompt organizations of all sizes to reinvestigate their privacy policies and processes. “Any organization that collects “personally identifiable” information is subject to a variety of state and federal privacy laws,” said David Derigiotis, Certified Information Privacy Professional (CIPP), Corporate Vice President and National Professional Liability Practice Leader, Burns & Wilcox, Detroit/Farmington Hills, Mich.

What constitutes personally identifiable information can vary considerably depending on the industry sector of the business and home state or country from which the data of the individual originated. Any organization that uses cookies online to track visitors also may be liable since that is considered a form of data collection.

A Cyber Risk and Information Privacy Insurance policy – also known as a Cyber and Privacy policy – can help protect these organizations. This type of policy can cover costs associated with a potential data breach, including legal fees and even regulatory fines. It also can help limit exposures from hacking, viruses and other perils that come with operating a business or entity in an online environment.

“The bottom line is that organizations need to be mindful of their data collection practices,” Derigiotis said. “They need to be transparent with clients, identify who they are sharing their data with and know the security policies of those third parties. If a vendor you chose to share client data with experiences a data breach, it just became yours.”

“When it comes to online privacy, you need to do what you say and say what you do.” –  David Derigiotis, Burns & Wilcox

Facebook, which could be fined millions of dollars by the Federal Trade Commission (FTC), reportedly shared data it collected with data mining firm Cambridge Analytica, raising questions about the company’s compliance with existing consumer protection laws. Facebook and Cambridge Analytica have publicly debated who is at fault, but Derigiotis said that regardless, companies need to thoroughly vet any organization that they share data with, including whether those organizations have purchased the right insurance or have the financial means and resources to properly manage a data compromise. Facebook CEO, Mark Zuckerberg, pledged Wednesday afternoon to conduct a full investigation into third-party companies’ use of its member data.

Venmo, Vtech cases highlight need for coverage

Facebook is not the only company facing concerns over security and privacy. In late February, the Federal Trade Commission settled with PayPal about that company’s process of handling privacy disclosures with its own payments app Venmo, as part of a case that goes back two years. In January, electronics company Vtech agreed to pay a $650,000 fine as part of an FTC settlement for a 2015 data breach.

The assessment of penalties in such situations will largely depend on whether an organization is deemed intentional and/or deceptive in its privacy practices, Derigiotis said. If deception or intent is found, then Cyber Risk and Information Privacy Insurance can be denied, but generally it requires willful intent rather than ignorance or a lack of proper policies, such as with Vtech’s recent situation.

“When it comes to online privacy, you need to do what you say and say what you do,” Derigiotis said. “Increasingly we see organizations that do a better job of protecting data as getting a competitive edge within the marketplace.”

“Companies need to thoroughly vet any organization that they share data with, including whether those organizations have purchased the right insurance.”

The cost of Cyber and Privacy Insurance is almost negligible when considering the risks, Derigiotis said. He estimated that $1 million in policy coverage can cost about $1,000 for an annual premium for a lower-risk, smaller organization, with costs rising for higher-risk, larger ones. Such policies have the potential to fund costs such as a forensic investigation, access to and costs of experienced lawyers who specialize in privacy law, a call center established to deal with shorter-term customer service response, public relations costs needed to manage brand reputation, business infrastructure losses if IT systems are knocked offline, and any regulatory fines and penalties handed down.

Privacy guidelines must be actively managed

Organizations need to make their privacy policies easy to comprehend, Derigiotis said. Such policies can be reviewed by an organization’s legal counsel or an information privacy professional. An insurance specialist can help to assess the type and amount of Cyber and Privacy Liability Insurance needed.

The specialist would help to evaluate the regulatory environment within an industry sector and advise where fines and penalties associated with noncompliance are more typical or common. Healthcare organizations, for example, may be particularly vulnerable because of industry rules and regulations surrounding protected health information such as HIPAA, Derigiotis said.

As with any coverage need, an insurance broker or agent must be consulted. Click here to forward this article to your insurance broker or agent to ask if you need this coverage, or share with clients to start the conversation and ensure proper protection.

This information was provided by Burns & Wilcox, North America’s leading wholesale insurance broker and underwriting manager. Burns & Wilcox works exclusively with retail insurance brokers and agents to assist clients like you with their specialty insurance needs. Ask your insurance broker or agent if a Cyber and Privacy Liability policy is right for you.