A new study from cyber risk intelligence firm KYND points to a growing source of cyber insurance claims beyond data breaches, US privacy litigation tied to everyday website tracking.
The findings, published in KYND’s Privacy Risk in 2026 white paper, show a sharp rise in lawsuits linked to website tracking and digital wiretapping, the recording of electronic communications without a user’s consent.
According to the report, annual case volumes have climbed from only a few hundred to more than 2,000 as legal action shifts toward routine online behaviour rather than classic cyber events such as ransomware or data theft.
The claims centre on how websites collect and share data generated when users visit a page. That information can be used to identify users even when no personal details are actively entered.
In some cases, plaintiffs do not need to prove financial harm. That changes the exposure profile quite a bit. Cyber insurance claims fall in 2025 as firms boost resilience.
Tracking often relies on common tools such as pixel-based technologies used to measure website performance, advertising response, and user engagement. Widespread tools, ordinary setup, quiet risk.
KYND analysed nearly 10,000 North American organisations to see how the issue shows up in practice. The company found 17.7% had tracking technologies running without any visible user consent. Among SMBs with revenue under $1bn, that figure rose to 20.2%.
Andy Thomas, chief executive of KYND, said privacy risk is no longer only about data breaches. He said what looks like a small compliance issue is turning into a repeatable and scalable source of litigation, especially across the SMB segment.
What may seem like a minor compliance issue is becoming a repeatable and scalable source of litigation, particularly across the SMB market. We’re seeing a shift toward claims driven by everyday website behavior.
Andy Thomas, chief executive of KYND
In his view, insurers are now dealing with claims driven by everyday website behaviour rather than one-off cyber incidents.
He also said this creates a new challenge for insurers because these risks are scalable, often hidden, and able to build across portfolios in ways that are hard to spot without the right visibility.
For insurers, this creates a new challenge. These risks are scalable, often hidden, and can accumulate across portfolios in ways that are difficult to detect without the right visibility.
According to KYND, privacy claims tied to website tracking tend to be lower severity than large ransomware or breach events, though they can occur far more often. That matters at portfolio level.
When many insureds use the same tracking practices, losses can stack quickly and hit broad groups of policyholders at once.
The company said this exposure is now firmly embedded in SMB portfolios, driven by standard website configurations and the heavy use of third-party tools such as analytics packages and marketing pixels.
KYND also found SMBs are more likely to be affected because they often rely on default website tools, have fewer technical resources, and face growing use of legal frameworks that allow claims to be brought at scale.
Thomas said the main issue for insurers is visibility. These risks are not buried deep inside systems, he said. They are happening in plain sight on company websites.
He added that bringing external website data into underwriting and ongoing portfolio monitoring gives insurers a better chance to spot exposure earlier, differentiate risk more accurately, and avoid unwanted accumulation.
KYND describes itself as a cyber risk analytics platform built for the insurance market. The company says it supports underwriting and portfolio management, especially in the SMB segment, with visibility into any organisation that has a URL.
