Pixel Capture – Reducing Cyber Disclosure Risks

Cyber Risk Series - Article 2

The gut-wrenching sensation of learning that your or your client’s personal information has been violated by a third-party bad actor can ruin the day. In a world now driven by data, it is crucial for businesses to strike a balance between getting information to clients, getting data from clients, and protecting that data and the rights of all parties when that information is being transferred.

Registered Investment Advisors ranked Cyber/Privacy Data Breach as the highest concern in the Golsan Scruggs 2025 RIA Risk Survey, showing that cyber security continues to be the top source of anxiety (https://gsria.com/riasure-risk-survey/). Charles Schwab’s 2024 RIA Benchmarking Study found a 25% increase in the average amount of money spent on cyber security by RIA firms with $250M or more in assets under management, with costs increasing on average from $12,000 to $15,000.

While the majority of RIAs are most worried about protecting their clients’ personal information, one of the overlooked risks for advisors is proper disclosures. No, we don’t mean the 20+ pages of your ADV Part 2A (not this time). Rather, a current concern is the risk of litigation from exposures like improper data capture or lack of consent for electronic communications.

Protecting against these risks requires correct, up-front disclosures. Stuart Panensky at Pierson Ferdinand LLP calls this Peace Time work. “In cyber security, there is a clear divide between War Time, or reactive actions, and Peace Time,” Panensky said. “Peace Time is when you prepare to respond to an incident. When something happens, your reactions are dictated by how you prepared.”

Both insurance carriers and cyber and privacy attorneys like Panensky are seeing a growing risk of third-party litigation and potential class action against RIA firms regarding what is called “pixel capture.” Whenever someone visits a website, the website begins to collect data on that individual, such as what they searched for, which pages were viewed and any phone numbers or email addresses that might be entered on the site. The problem arises when privacy disclosures are not provided to a website visitor prior to that data being collected.

U.S. federal laws such as the Video Privacy Protection Act (VPPA) and numerous state laws like the California Consumer Privacy Act (CCPA) are meant to protect people from improper invasion of privacy, but the laws have begun to be wielded against businesses that do not properly disclose or receive acknowledgement about data collection and communication. These laws often carry both statutory damages and the right to sue.

Most RIAs and business owners have no idea that these laws exist, or even that pixel capture is happening on their websites. “AI is sticking all of these things together,” Panensky said, describing the growing relationships between data ethics, privacy policies and data management.

Some recommended Peace Time steps for preparing an affirmative defense include:

  • Check with your web developer regarding your website’s disclosures for VPPA and pixel capture.
  • Ask your web developer about your state’s laws regarding impermissible data capture.
  • Ensure that website disclosures occur prior to the collection of data.
  • Keep written policies and procedures regarding data privacy and communications.
  • Consider getting client releases regarding the sharing of data with third-party vendors and any other electronic communication you might have with clients.
  • Maintain appropriate Cyber Liability insurance limits for your business.

Legislation can and hopefully will change to close these litigation loopholes. In the meantime, RIAs can win the battle by preparing proactive steps during Peace Time and knowing ahead of time how to react during War Time. For more information or a review of existing cyber liability risks and insurance contracts, please contact Golsan Scruggs.

By Philip Bailey – Assistant Vice President

Golsan Scruggs is an insurance brokerage firm operating throughout the United States specializing in investment advisor errors & omissions (E&O) insurance (aka professional liability insurance) for registered investment advisors (RIAs). As one of the largest insurers of RIA firms in the U.S., we have a dedicated staff that understands the risks of the financial services industry and delivers superior results. We make the underwriting process painless.

At Golsan Scruggs, we believe it is incumbent upon us to earn the right to be appointed as your insurance and risk-management agent. Our RIASURE process exists to serve that purpose.

Our RIASURE Review will analyze your fiduciary exposures, provide rate details and comparisons, and provide a contract comparison. No application required.
