Litigation, compliance requirements and best practices to mitigate risks associated with data collection

Author: John Farley


Data collection risk has come into focus in recent months, and for good reason. Organizations that are alleged to have wrongfully tracked, collected or shared an individual's sensitive information have found themselves in the crosshairs of regulators and the target of class action lawsuits. Specifically, the use of pixels has been a source of concern, because of allegations that they were used to share millions of people's protected health data with external parties — including with social media platforms and other technology firms — without consent. In fact, as of this writing, four million people have been notified by three different organizations that their sensitive information may have been shared due to pixel usage.[1]

What are pixels and why are they risky?

Pixels are pieces of code embedded in a website and often used to gain insight into individuals by analyzing how they're using websites, with the goal of enhancing marketing efforts via targeted digital marketing.

Organizations that use pixels can find themselves in violation of a wide variety of compliance obligations, including those specific to state, federal and international privacy laws. Violations may also extend to other obligations, such as those under HIPAA and other mandated compliance requirements. Liability for non-compliance may be imposed even if the sharing of this data with a third party was unintentional.

This exposure was illustrated in June 2022 when The Markup published an article stating that 33 of the top 100 hospitals were using data-scraping pixels on their websites.[2] The report said that some of the hospitals had pixels installed inside their password-protected patient portals, which collected and shared sensitive patient information with a major social media platform without patient permission.
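As an added illustration (example code, not part of the original article), the following Python audit parses a portal page's HTML and lists every script, image or iframe that loads from a host outside the organization's own domains, together with the query-string fields the request would carry. The first-party host list and the sample portal page are constructed assumptions; the "authenticated" flag mirrors the distinction between logged-in and public pages that the OCR guidance draws.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption (constructed for this example): the organization's own hostnames.
# Any other host receiving a request from the page is treated as a third party.
FIRST_PARTY_HOSTS = {"portal.example-hospital.org", "www.example-hospital.org"}


class BeaconFinder(HTMLParser):
    """Collect script/img/iframe sources that load from third-party hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        parsed = urlparse(src)
        host = parsed.hostname  # None for relative (first-party) paths
        if host and host not in FIRST_PARTY_HOSTS:
            # The query string is where a pixel typically carries page or user context.
            self.findings.append({
                "tag": tag,
                "host": host,
                "params": sorted(parse_qs(parsed.query)),
            })


def audit_page(html, authenticated):
    """Return third-party beacons found on a page, rated by whether the page
    sits behind a login (a beacon on an authenticated page is rated "high")."""
    finder = BeaconFinder()
    finder.feed(html)
    for finding in finder.findings:
        finding["risk"] = "high" if authenticated else "review"
    return finder.findings


# Constructed sample: a patient-portal page that loads one first-party script,
# one third-party analytics script and one hidden 1x1 tracking image.
SAMPLE_PORTAL_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<img src="//pixel.tracker.example/px?ev=PageView&amp;path=/appointments/123"
     width="1" height="1" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PORTAL_HTML, authenticated=True):
        print(finding)
```

Running the audit against the sample page reports the analytics script and the tracking image, and shows that the image request would carry the portal path the patient was viewing.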

The current legal landscape

We saw significant pixel-related litigation in 2022 when a Third Circuit Court of Appeals decision held that the use of pixels to share an individual's search history with a third party for targeted marketing purposes violated Pennsylvania's wiretapping statute.[3] Since then, more than 50 class action lawsuits making similar allegations against multiple defendants have been filed, and we expect class action litigation to increase in 2023.

We also predict increased regulatory scrutiny by a variety of regulator-driven privacy regimes, which may include increased costs to respond to regulatory investigations, fines and settlements.

Mitigating data tracking liabilities: What to do now

The Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Rules, recently issued guidance on using tracking pixels.[4] Specifically, the OCR guidance addresses four key areas for regulated entities:

  • Tracking on user-authenticated webpages
  • Tracking on unauthenticated webpages
  • Tracking within mobile apps
  • HIPAA compliance obligations for regulated entities when using tracking technologies

Leveraging Cyber insurance

Cyber insurance and other insurance policies may provide assistance to organizations that believe they may be impacted by claims for wrongfully collecting and/or sharing information, either directly or indirectly through a vendor. Many stand-alone cyber policies provide access to crisis services, including breach coaches, IT forensics investigators and several other breach response experts. Those with Cyber insurance should be mindful of claim reporting obligations, requirements to use insurance panel breach response vendors, evidence preservation and issues that may impact attorney-client privilege.

Organizations should also be aware of the rapidly evolving Cyber insurance products that may impact the scope of insurance coverage. The hardening 2023 Cyber insurance market has spurred cyber insurers to use various methods to reduce their cascading losses for regulatory risk, such as the issues unfolding around the use of data collection technology. Sub-limits and coinsurance are often imposed for certain cyber losses. In addition, some carriers have modified cyber policy language to restrict or even exclude coverage for certain incidents that give rise to costs incurred for regulatory investigations, lawsuits, settlements and fines.

Sources

[1] Davis, Jessica. "Healthcare's pixel problem: Meta-based Marketing Projects Spur Privacy Questions," SC Events, 11 Nov 2022.

[2] Feathers, Todd, Simon Fondrie-Teitler, Angie Waller and Surya Mattu. "Facebook Is Receiving Sensitive Medical Information from Hospital Websites," The Markup, updated 16 Jun 2022.

[3] Yannella, Philip N. "Third Circuit Ruling in Wiretap Case May Bring Greater Scrutiny to Privacy Policy Disclosures," CyberAdvisor, 17 Aug 2022.

[4] "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates," U.S. Department of Health & Human Services, reviewed 1 Dec 2022.


Disclaimer

The information contained herein is offered as insurance industry guidance and provided as an overview of current market risks and available coverages and is intended for discussion purposes only. This publication is not intended to offer legal advice or client-specific risk management advice. Any description of insurance coverages is not meant to interpret specific coverages that your company may already have in place or that may be generally available. General insurance descriptions contained herein do not include complete insurance policy definitions, terms, and/or conditions, and should not be relied on for coverage interpretation. Actual insurance policies must always be consulted for full coverage details and analysis.

Insurance brokerage and related services to be provided by Arthur J. Gallagher Risk Management Services, Inc. (License No. 0D69293) and/or its affiliate Arthur J. Gallagher & Co. Insurance Brokers of California, Inc. (License No. 0726293).