Common tracking technologies used on websites may be transmitting private information about site users to third parties to facilitate advertising. This led to numerous class actions being filed in 2022 and has sparked interest from regulators. It has also attracted the attention of cyber insurance underwriters.
Here’s what you need to know about these technologies, why regulators and insurers are concerned and what your organization can do to mitigate potential risks.
How tracking technology works
Perhaps the best-known example of tracking technology is the Meta Pixel, a small bit of computer code that resides on a website and tracks the activity of visitors to that site for the purpose of targeting them with advertisements based on their activity.
As Meta — the parent company of Facebook — explains, the goal is to lead website visitors to reengage with a site owner in order to boost sales. Similar technologies, such as cookies, tags and web beacons, are used by many site owners. These technologies are also frequently included in mobile apps.
Legal, regulatory ramifications
A number of class-action suits filed against healthcare organizations allege that protected health information or individually identifiable health information of their site visitors has been sent to Facebook by the Meta Pixel without their knowledge or permission. Some of these suits allege violations of federal wiretapping laws and state privacy statutes.
The Office of Civil Rights (OCR) in the U.S. Department of Health and Human Services has taken note and issued guidance about the potential for online tracking technologies to result in violations of the Privacy Rule within the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The guidance explains steps covered entities using tracking technologies should take to ensure compliance with HIPAA.
Although healthcare companies’ use of tracking pixels has garnered most of the attention recently, the potential problems tracking technologies create are by no means limited to the healthcare industry.
Cyber insurers’ reactions
Cyber insurance underwriters are concerned about the exposures that online tracking technologies may create. Insurers are asking underwriting questions about the use of the technologies, compliance with regulatory requirements, and the ongoing level of consultation about them with the organization’s legal and compliance advisors. Their concerns go beyond how these issues are managed today, and extend to what has happened over the past year or so.
While underwriters are particularly focused on healthcare organizations’ compliance with the HIPAA Privacy Rule, some insurers have introduced online tracking exclusions in cyber insurance policies that apply to companies across several industries. And insurers’ attention to this issue is likely to increase in the year ahead.
What organizations need to do now
It is essential that organizations using online tracking technologies determine what information is being collected from site visitors and mobile app users and where that information is being sent. Organizations then need to evaluate whether the collection and transmission of the information complies with their privacy policies and applicable laws.
If your organization has a cyber insurance renewal coming up, you should expect underwriters to ask questions about any online tracking technologies being used, the information being obtained and where the information is sent. If an organization is not well-prepared to answer such questions, it may prove difficult to find insurance coverage for online tracking exposures.
For more on this topic, contact your Lockton advisor or email firstname.lastname@example.org.