PRESS RELEASE: New challenge for cyber insurers as privacy litigation risk surging among U.S. SMBs, KYND research finds

New study of 10,000 organisations reveals growing source of cyber insurance claims beyond data breaches

Cyber risk analytics company KYND has published new research revealing a sharp rise in U.S. privacy litigation linked to everyday website tracking practices, with small and medium-sized businesses (SMBs) at the centre of the risk.

The findings, published in KYND’s latest white paper, Privacy Risk in 2026, show that lawsuits related to website tracking and digital wiretapping, the recording of electronic communications without a user’s consent, have surged from just a few hundred cases per year to more than 2,000. Legal action is increasingly targeting routine online behaviour rather than cyberattacks or data breaches.

Claims focus on how websites collect and share user data, activity that is often widespread, easy to identify, and can be challenged under laws that do not require proof of financial harm. This includes activity such as pixel-based tracking tools used to measure website performance and user engagement.

KYND analysed nearly 10,000 North American organisations to understand how this risk appears in practice. The study found 17.7% had tracking technologies operating without any visible user consent, rising to 20.2% among SMBs with revenues under $1 billion.

“Privacy risk is no longer just about data breaches,” said Andy Thomas, CEO of KYND.

“What may seem like a minor compliance issue is becoming a repeatable and scalable source of litigation, particularly across the SMB market. We’re seeing a shift towards claims driven by everyday website behaviour.

“For insurers, this creates a new challenge. These risks are scalable, often hidden, and can accumulate across portfolios in ways that are difficult to detect without the right visibility.”

According to KYND, rather than large, one-off events such as ransomware attacks, privacy claims linked to website tracking are typically high-frequency and lower severity, but can build into significant losses across a portfolio. As similar tracking practices are widely used across many businesses, the exposure can accumulate quickly and affect large numbers of insureds at once.

KYND’s research highlights that this risk is now firmly embedded within SMB portfolios, driven by common website configurations and the widespread use of third-party tools such as analytics and marketing pixels.

The report also found that SMBs are more likely to be affected due to a combination of factors, including reliance on default website tools, limited technical resources, and the growing use of legal frameworks that allow claims to be brought at scale.

“The key for insurers is visibility. These risks aren’t hidden deep inside systems, they’re happening in plain sight on company websites,” Thomas added.

“By bringing that external data into underwriting and ongoing portfolio monitoring, insurers can spot exposure earlier, differentiate risk more effectively, and avoid unwanted accumulation.”

Read KYND’s white paper, Privacy Risk in 2026, here. For more information, please visit: www.kynd.io