The frequency and severity of major cyber claims continue to rise

November 17, 2024 3:22 a.m. PT

As Allianz Commercial warns in its annual cyber risk outlook, the frequency of large cyber claims (over $1 million per claim) increased by 14% in the first six months of 2024, while severity increased by 17%. The figures come from the insurer’s claims analysis and follow an increase of just 1% in severity in 2023. Elements related to data and privacy breaches are present in two-thirds of these major losses. Overall, the total number of cyber claims is expected to stabilize in 2024, following a 30% increase in frequency in 2023, resulting in more than 700 claims.

“The growing importance of data breach losses among cyber insurance claims is driven by a number of notable trends,” explains Michael Daum, Global Head of Cyber Claims at Allianz Commercial. “An increase in ransomware attacks, including data exfiltration, is a result of the changing tactics of attackers and the growing interdependence between organizations sharing increasing amounts of personal data. At the same time, the evolving regulatory and legal environment has led to an increase in so-called ‘non-attack’-related data privacy class action lawsuits, resulting from incidents such as unlawful collection and processing of personal data – the share of these claims has tripled in value in just two years.”

“Non-attack” claims are increasing as privacy disputes increase
The increase in ‘non-attack’ data privacy claims is due to developments in technology, the growing commercial value of personal data and an evolving regulatory and legal landscape. For example, unlike the EU’s General Data Protection Regulation (GDPR), US privacy rules are less prescriptive and open to interpretation, while plaintiffs’ lawyers are hungry for potential sources of revenue. This creates a gray area ripe for class action lawsuits, the report said.

“We are seeing more data privacy breach claims in the US, where there is a growing trend of class action lawsuits against major US and international companies regarding privacy violations, such as around consent and data use,” Daum said. “The cost of some of these claims could be even greater than that of a ransomware incident, in the hundreds of millions of dollars.”

Over the past year in particular, data breaches have emerged as one of the fastest growing areas of U.S. class action lawsuits. More than 1,300 were filed under a wide range of data privacy regulations in 2023, more than double the number filed in 2022 and four times as many as in 2021, according to law firm Duane Morris.

Multiple class action lawsuits have been filed against organizations across a wide range of industries, including healthcare, social media and gaming, over their use of Meta Pixel tracking tools to monitor consumer behavior. Entertainment streaming platforms have also been targeted, amid allegations that they may have violated privacy protection rights.

Major data breaches can also evolve into hyper-litigation, where one event gives rise to a whole series of class action lawsuits. More than 240 lawsuits related to the 2023 MOVEit data breach were consolidated into one multidistrict lawsuit in October 2023. And with the large number of plaintiffs, there are incentives for parties on both sides to reach a settlement. The top 10 data breach class action settlements totaled $516 million last year, a significant increase from the $350 million recorded in 2022.