“It is concerning to know that the device is listening in on what I am saying or what my children are saying,” said Melissa Martin, Broker, Professional Liability, Burns & Wilcox, Milwaukee, Wisconsin. “It makes one question the extent of this: How far are they reaching into customers’ private lives? How much of this has yet to be disclosed?”
The lawsuit could potentially include millions of customers who have used Amazon smart speakers, which are found in more than 50 million U.S. homes, Axios reported. The costs associated with a lawsuit of such magnitude could be severe and could be covered by a company’s Cyber and Privacy Liability Insurance, which can respond to data and privacy breaches.
“Invasion of privacy is the driving factor of the litigation, that customers did not give consent for Amazon to use that information. It may be difficult to put a value on that,” said Erica Rangel, Manager, Professional Liability, Burns & Wilcox, Chicago, Illinois. “If they can prove the devices actually are listening, I think this is going to be a big issue.”
Privacy a ‘hot-button issue’ as companies navigate differing state laws
Amazon has faced litigation over its smart speakers in the past, including a class-action suit filed in 2021 by health care workers who claimed the Alexa devices were recording protected health information, Becker’s Hospital Review reported last year. Another class-action lawsuit filed against Amazon in 2021 alleged that the speakers were recording customers and storing their data whether or not they used the “trigger” word to activate Alexa, violating the Federal Wiretap Act and various state privacy acts, Law Street reported.
If this type of data is used nefariously, “that is where it can get scary,” Rangel said. “You can go down a rabbit hole of what it could be used for,” she said. “These devices are supposed to help us and offer convenience, but we are giving them access to more than just credit card numbers. Our biometrics, our voice, is all starting to become data, which then could be manipulated to cause further harm.”
While it is unclear what specific damages the latest Amazon lawsuit will seek, Cyber and Privacy Liability Insurance could potentially cover regulatory violations, privacy breach due to security failures, and failure to disclose data collection. “The issue here could be more one of trust and possibly regulatory exposure depending on how the class-action is drawn up, because they may have been misleading customers for years,” Martin said. “It will be interesting to see how this pans out.”
Privacy violation lawsuits are becoming more common and more expensive, said Martin, who called the prevalence of privacy breaches a “hot-button issue” in the Cyber and Privacy Liability Insurance industry.
“It does not seem like this is slowing down at all; it seems like it is ramping up as far as the frequency and severity of these claims and how much they are costing companies,” she said. “With a class-action like this that has potentially millions of individuals who are harmed, you could see tens of millions or in excess of $100 million in potential damages, depending on the ruling.”
In February, Facebook agreed to pay $90 million to settle a lawsuit from 2012 that claimed the company was tracking users’ internet activity after they were logged out of the site, Reuters reported. In February of 2021, a class-action lawsuit against Facebook was settled for $650 million after users sued the company for its use of biometric data without permission, the Associated Press reported. This case was one of many to allege violations of the Illinois Biometric Information Privacy Act, but not all states have the same privacy regulations, Martin said.
“The difficulty comes in the lack of a federal data protection agency in the U.S. like they have in the EU. Here, you have a mix of state and federal laws that companies need to be able to properly navigate in order to avoid legal exposure,” she said. “Depending on the state, there could be issues with the way that Amazon is using individuals’ information.”
In Canada, new data privacy legislation is being proposed that would include restrictions on data collection, Biometric Update reported in June. In the U.S., the federal Children’s Online Privacy Protection Act (COPPA) does regulate information collected about children, according to the Federal Trade Commission, and potential violations of this act will be something to watch in the future, Martin said. “Children often interact with these devices without a parent even being in the room,” she said. “Does Amazon have something in place to ensure they are not violating COPPA?”
Privacy breaches can impact customer trust, affect bottom line
The “steady increase” in loss severity and frequency makes having a broad Cyber and Privacy Liability Insurance policy more important than ever. “Even if you are not a company collecting data, having a broad cyber policy is going to be a key piece of your risk management portfolio,” Martin said, pointing out how damaging this type of litigation could be for a company with fewer resources than Amazon. “I am sure that other smaller companies would have a much harder time dealing with a privacy breach like this.”
Beyond the risk of privacy violations in the way companies collect personal data, what happens with that data in the event of a cyberattack can constitute an even greater threat. U.S. data breaches cost an average of $4.24 million in 2021, according to IBM, while the average cost of data breaches in Canada reached a record high of $6.75 million per incident in 2021, the Canadian Press reported.
“It is a huge concern,” Martin emphasized. “It should be first and foremost in the minds of any risk manager at the company to have a process in place to manage the procedures for data collection and make sure that customers’ and employees’ information is kept private and to make sure they have proper security controls in place to keep them private.”
If a company’s data is breached in a phishing scam or hacking incident, releasing personal information about customers or employees, companies can face breach response expenses including data forensics, notification, network rebuilding, business interruption, regulatory penalties, crisis management and more. These can all be covered by Cyber and Privacy Liability Insurance.
“If the breach is large enough, it is likely going to be in the news, and a lot of Cyber and Privacy Liability Insurance policies will cover reputational harm or public relations coverage to help you rebuild your image in the public eye,” Martin explained. “They can help get the message out that you were swift and proactive in your approach to minimizing customers’ exposure due to the breach and have taken steps to ensure it will not happen again.”
When a company faces legal action following a privacy violation or data breach, lawsuits may also name a company’s board of directors or allege mismanagement. In these cases, the firm’s Directors & Officers (D&O) Insurance could respond.
“The responsibility of the directors and officers is to ensure the company is run and managed well and is fair for everybody, and they are looking out for the best interests of their shareholders,” Rangel explained. “If they are not in compliance with state or federal laws or using information without disclosing it to their customers, that could be a D&O Insurance lawsuit for mismanagement of the company. It is important for companies of all sizes to have the D&O Insurance to protect them in these kinds of lawsuits.”
In the most recent Amazon case over voice data, D&O Insurance could be involved “if Amazon’s practices were authorized at the C-suite level, and those executives were aware that this is the way that these devices were being run and they intended for them to run that way,” Martin said.
“If, because of these operations, customers lose faith in Amazon and stock ticks down a few points, all of a sudden you could have investors suffering financial loss and they could allege mismanagement,” she said. “There is a potential D&O Insurance component to it, should there be some type of financial loss. They would want to have D&O Insurance in place because those things can affect your bottom line, and when your bottom line is affected, so are shareholders in return.”
Employment Practices Liability (EPL) Insurance could also respond in cases where employee data is being collected, Rangel noted. “If you are collecting employee fingerprints or retinas to access your building without their consent, for example, it hits the EPL Insurance world too,” she said.
Take steps to reduce risk when collecting data
Although regulations may vary on what companies are required to disclose when it comes to the collection of personal data, disclosure is a smart policy for any company, Martin said. “There are certain industries that are held to different standards, but it is still good practice,” she said. “In business, your reputation is everything and you do not want to be a company that is known for deceiving or misleading your client. Being upfront with your customers about what you are doing with their information is advised.”
Company leaders should consult with their risk management team and Cyber and Privacy Liability Insurance carrier about best practices and any available resources for reducing the risk of a breach. This could include free preventative network scans to identify vulnerabilities, Martin said. Existing policyholders should also review their policies well in advance of renewal — “60 to 90 days out at a minimum,” she said — to be aware of any changes and have time to shop around for the best coverage.
Those without Cyber and Privacy Liability Insurance should know that it is no longer a coverage mainly obtained by large companies, Martin said. “Small companies are being targeted more aggressively now. Hackers have gotten wise to the fact that smaller companies do not see themselves as having an exposure, and that could not be any less true,” she said. “You want to harden yourself as a target.”
Biometric data collection and storage is an “evolving topic,” Rangel said, and companies should also consider how much data they are collecting and how this could impact a potential claim in the future.
“The amount of records a company holds is very important when underwriting their insurance coverage. If you are a smaller company that holds millions of records, you are at a higher exposure,” Rangel said. “I think we are going to see underwriters asking more questions about this as more claims are coming up. I think this is going to be the next wave of privacy and cyber liability.”