The Privacy Risk Gap: What Cyber Insurers Are Seeing in 2026

11 Jan 2022

Privacy litigation surged 78% between 2020 and 2024. Cyber insurers are watching claims climb. Yet every underwriting model in the market was built to measure breach risk — network intrusions, ransomware events, data exfiltration. Not lawsuit risk. Not behavioral privacy violations that never involve a breach at all.

This is the privacy risk gap. And it is widening.

The Gap Underwriters Didn't See Coming

The modern cyber insurance market was built around breach events. The threat model was simple: adversaries attack, data gets stolen, costs accumulate — notification, forensics, credit monitoring, regulatory fines. The underwriting frameworks, security ratings, and questionnaire workflows were all calibrated to that model.

Privacy litigation operates differently. The exposure comes not from what an attacker does to a company, but from what the company does itself — what data it collects, how it shares it, whether its privacy policy accurately describes its practices, and whether its technology stack creates behavioral signals that regulators or plaintiffs' counsel can observe from the outside.

"A company can score 900 on BitSight, maintain ISO 27001 certification, and be facing eight figures in BIPA exposure that their security controls have nothing to do with." — Insurance underwriter, cyber specialty lines

The first-generation security ratings tools were designed to answer a different question entirely. They measure attack surface, patching velocity, encryption standards — the infrastructure of breach defense. None of that tells you whether a company's video player is sending watch history to Meta, whether its location data practices match its policy, or whether it has enrolled users in biometric capture without adequate disclosure.

What the Claims Look Like

The claims driving this gap aren't exotic. They follow recognizable patterns, and they repeat across industries with remarkable consistency:

Video Privacy Protection Act (VPPA)

Plaintiffs' counsel has turned VPPA — a 1988 statute designed to protect video rental records — into a powerful tool against modern streaming and media companies. The theory is straightforward: if a website uses Meta Pixel, Google Analytics, or similar tools while serving video content, and those tools transmit viewing data to third parties without proper consent, it potentially constitutes wrongful disclosure of video records under federal law.

The statute provides statutory damages of $2,500 per violation — which, at scale, creates enormous class action exposure. Class certification is relatively easy to obtain. And the observable behavior that triggers liability — pixel tracking on video pages — is measurable from outside the company with no questionnaire required.

Biometric Information Privacy Act (BIPA)

Illinois BIPA remains the most consequential state biometric privacy law, with a private right of action and per-violation damages structure that has produced some of the largest privacy settlements in history. Facebook paid $650 million. BNSF Railway paid $75 million. Texas Instruments settled for an undisclosed amount. The pattern is consistent: companies deploying facial recognition, fingerprint scanning, or voice-print analysis without the disclosure, consent, and data retention policies BIPA requires.

For insurers, the underwriting challenge is that biometric data collection is not always obvious. It appears in HR technology, timekeeping systems, security access controls, and increasingly in consumer-facing applications — often deployed by vendors, not the insured's own engineering team.

Website Tracking and the Wiretapping Theories

Session replay tools, chatbot technologies, and behavioral analytics platforms have generated a wave of litigation under California's Invasion of Privacy Act (CIPA) and similar state wiretapping statutes. The theory — often called the "wiretapping theory" — holds that capturing real-time user behavior on a website without adequate consent constitutes unlawful interception of electronic communications.

Courts have split on the viability of these claims, but the volume of filings is significant and growing. And critically, the observable indicators of potential liability — the presence of specific JavaScript trackers, session replay scripts, and analytics tools — are detectable from the outside by anyone who visits the site.

What This Means for Underwriting

The implication for underwriters is clear: the questions that matter for privacy litigation risk are not adequately captured by current intake processes. Self-attestation is structurally unreliable — insureds don't always know what third-party scripts their site is loading, let alone whether those scripts create statutory liability. Security ratings don't measure behavioral privacy practices. And questionnaires about privacy programs ask about controls that are largely irrelevant to the legal theories driving claims.

What underwriters need is an outside-in view of privacy behavior — the same view that regulators and plaintiffs' counsel form when they assess a target company. That means observing what data flows exist between the insured's properties and third parties, mapping those flows to applicable statutes, and surfacing the specific technical behaviors that have historically driven claims.
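The outside-in view described above can be approximated with a static scan of a page's HTML: collect every third-party host the page loads scripts, images or frames from, label the known tracker hosts, and flag the combinations the article ties to specific statutes (video content plus an advertising pixel for VPPA; a session replay script for CIPA). The following Python is an added example, not code from the article or any insurer's product. The host-to-category table is an assumption kept deliberately small (the Meta Pixel and Google Analytics hosts are real; the session replay host is a constructed placeholder), the sample page is constructed, and the statute labels are indicators for an underwriter to follow up on, not a legal determination.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, illustrative mapping of third-party hosts to tracker categories.
# A production scanner would load a maintained list; this is enough to show the logic.
TRACKER_HOSTS = {
    "connect.facebook.net": "meta_pixel",        # Meta Pixel script (fbevents.js)
    "www.facebook.com": "meta_pixel",            # <img> noscript fallback for the pixel
    "www.googletagmanager.com": "google_analytics",
    "www.google-analytics.com": "google_analytics",
    "replay.sessiontool.example": "session_replay",  # constructed placeholder host
}

# Categories whose presence on a video page is the pattern behind VPPA claims.
VIDEO_DISCLOSURE_CATEGORIES = {"meta_pixel", "google_analytics"}


class ThirdPartyCollector(HTMLParser):
    """Collects hosts that a page pulls scripts, images and frames from."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.hosts = set()
        self.has_video = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "video":
            self.has_video = True
        src = attrs.get("src")
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).netloc.lower()
            # Relative URLs have no netloc and are first-party by definition.
            if host and host != self.first_party_host:
                self.hosts.add(host)


def assess_page(html, first_party_host):
    """Return third-party hosts, their categories and statute indicators for one page."""
    collector = ThirdPartyCollector(first_party_host)
    collector.feed(html)
    categories = {TRACKER_HOSTS.get(h, "unknown_third_party") for h in collector.hosts}

    findings = []
    if collector.has_video and categories & VIDEO_DISCLOSURE_CATEGORIES:
        findings.append({
            "statute": "VPPA",
            "reason": "video content served alongside an advertising/analytics pixel",
        })
    if "session_replay" in categories:
        findings.append({
            "statute": "CIPA",
            "reason": "session replay script captures real-time user interaction",
        })
    return {
        "has_video": collector.has_video,
        "third_party_hosts": sorted(collector.hosts),
        "categories": sorted(categories),
        "findings": findings,
    }


# Constructed sample: a media site's video page loading the Meta Pixel and a replay tool.
SAMPLE_VIDEO_PAGE = """
<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://replay.sessiontool.example/record.js"></script>
<script src="/static/app.js"></script>
</head><body>
<video src="/media/episode-12.mp4" controls></video>
<noscript><img src="https://www.facebook.com/tr?id=0&ev=PageView" /></noscript>
</body></html>
"""

if __name__ == "__main__":
    result = assess_page(SAMPLE_VIDEO_PAGE, "media.example")
    for finding in result["findings"]:
        print(finding["statute"], "-", finding["reason"])
```

Run against real pages, the same function would be fed the rendered HTML of each of the insured's properties; the hosts it surfaces are exactly the signals a self-attestation questionnaire tends to miss, because the scripts are typically injected by marketing vendors rather than the engineering team.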

Where This Is Going

The regulatory landscape is accelerating the problem. The FTC has signaled renewed interest in privacy enforcement under its unfair and deceptive practices authority. State attorneys general are increasingly coordinating on privacy investigations. The EU's expanded enforcement of GDPR — including record fines against US companies with European operations — adds a cross-border dimension to the exposure.

Meanwhile, the plaintiffs' bar has become more sophisticated. The firms driving VPPA and CIPA litigation have developed proprietary tools for identifying targets. They are systematically scanning websites, reviewing pixel deployments, and mapping tracking behavior to liability theories before filing. The gap between what companies know about their own privacy behavior and what outside observers can determine is closing rapidly — and not in the insured's favor.

For insurers who want to write privacy risk accurately, the response is equally clear: build the capability to see what outside observers see. That's the signal the market needs.