As Allianz Commercial warned in its annual cyber risk outlook, the frequency of large cyber claims (more than $1 million per claim) in the first six months of 2024 increased by 14% while the severity increased by 17%. This is what emerges from the insurer’s analysis of claims, after an increase in severity of only 1% in 2023. Elements linked to data and privacy breaches are present in two thirds of these major disasters. Overall, the total number of cyber claims in 2024 is expected to stabilize, following a 30% increase in frequency in 2023, which resulted in more than 700 claims.

“The growing prominence of data breach losses among cyber insurance claims is driven by a number of notable trends,” explained Michael Daum, global head of cyber claims at Allianz Commercial. “The increase in ransomware attacks, including data exfiltration, is a consequence of evolving attacker tactics and growing interdependencies between organizations sharing ever-increasing volumes of personal records. At the same time, the evolving regulatory and legal environment has led to an increase in data privacy class actions, so-called “non-attacks”, arising from incidents such as unlawful data collection and processing personal – the share of these claims has tripled in value in just two years.

‘No Attack’ Claims Rise as Privacy Litigation Intensifies
The rise in data privacy non-attack claims is a consequence of evolving technology, the growing commercial value of personal data, and the changing regulatory and legal landscape. For example, unlike the EU’s General Data Protection Regulation (GDPR), US privacy regulations are less prescriptive and open to interpretation, while plaintiffs’ lawyers are hungry for potential sources of income. This creates a gray area ripe for class actions, the report notes.

“We are seeing more and more data privacy breach claims in the United States, where there is a growing trend of class action lawsuits against large US and international companies related to privacy violations, e.g. of consent and use of data,” Daum said. “The cost of some of these claims can be even higher than a ransomware incident, running into hundreds of millions of dollars. »

Over the last year, in particular, data breaches have become one of the fastest growing areas of class action litigation in the United States. More than 1,300 requests were filed under a wide range of data privacy regulations in 2023, more than double the number filed in 2022 and four times the number filed in 2021, according to law firm Duane Morris.

Multiple class action lawsuits have been launched against organizations across a wide range of industries, including healthcare, social media and gaming, for using Meta Pixel tracking tools to monitor consumer behavior, while streaming platforms entertainment companies have also been targeted, alleging that they may have violated privacy rights.

Significant data breaches can also escalate into excessive litigation, an event triggering a host of class action lawsuits. More than 240 lawsuits related to the 2023 MOVEit data breach have been consolidated into a single multidistrict litigation in October 2023. And with the large number of plaintiffs, parties on both sides have incentive to settle. Last year, the top 10 data breach class action lawsuits totaled $516 million, a significant increase from the $350 million in 2022.