Data security experts are sounding the alarm to warn those engaging in the latest social media trend of sharing celebratory COVID-19 “vaccine selfies” depicting themselves holding their Centers for Disease Control and Prevention vaccination record card. Including these records in such photos, experts caution, could expose the kind of information—such as full name and date of birth—criminals use to commit identity theft and even home robbery.
In public and private posts shared on Facebook, Instagram, TikTok and other platforms, those celebrating their immunization sometimes also tag specific locations or include details about their employment or health conditions that made them eligible to receive the vaccine. All of this information can serve as prime fodder for cybercrime. Both the Federal Trade Commission and the Better Business Bureau have issued warnings to this effect.
“Making your medical information public can be risky for many reasons,” said Heather Posner, Managing Director, Burns & Wilcox, Cleveland, Ohio. “These posts could contain a great deal of information that should not necessarily be made public. If those who share them are not effectively obscuring details like their date of birth, these posts could be used to steal identities or plan robberies.”
As identity theft and other cybercrimes become more prevalent in the U.S. and Canada, being prepared to prevent, detect or respond to such threats — and having insurance to support these efforts — should be front of mind for individuals and businesses alike.
“Our personal data should be secured just as we secure our homes by locking our doors,” said Danion Beckford, Underwriter, Professional Liability, Burns & Wilcox, Toronto, Ontario. “The relief and enthusiasm that inspire vaccine selfies are certainly understandable; however, exercising restraint is imperative. Sharing even the most basic personal details publicly could lead to devastating consequences if that information falls into the wrong hands.”
Cybercrime is changing, losses on the rise
Cybercrime is in the news almost daily; headlining reports this month alone included a hack of Microsoft’s email service significant enough to prompt a White House response,1 a third-party breach that temporarily disabled the Canadian Revenue Agency’s online platform,2 and a database hack that exposed 150,000 security camera feeds from schools, hospitals and other organizations.3 The cost of these intrusions can be massive: according to one report, global cybercrime losses in 2020 were expected to reach a record $945 billion, nearly doubling the $500 billion total losses in 2018.4
Social media platforms essentially encourage you to expand your digital footprint with posts about your family, your life and your hobbies; sadly, there are cyber risks associated with sharing even seemingly innocuous details. These facts form a trail of digital breadcrumbs cybercriminals can follow to locate and target you.
Unfortunately, a shared photo of a vaccination record is unlikely to be the only source of inadvertent exposure of an individual’s personal data. From home wireless network vulnerabilities to the growing number of phone apps that store payment details,5 the possible exposures are ever-expanding, said Matthew Lefchik, Director, Cyber Risk Management, Node International, Detroit/Farmington Hills, Michigan.
“Social media platforms essentially encourage you to expand your digital footprint with posts about your family, your life and your hobbies; sadly, there are cyber risks associated with sharing even seemingly innocuous details,” Lefchik said. “These facts form a trail of digital breadcrumbs cybercriminals can follow to locate and target you.”
Fortunately, cybersecurity awareness is growing and more businesses are protecting their interests with Cyber and Privacy Liability Insurance policies. This insurance can help organizations strengthen their data security protocols and mitigate the expenses associated with responding to a breach, including the cost of making ransom payments, notifying customers and handling public relations.
Despite estimates that 1 in 3 Americans6 and over half of Canadians7 have had one or more of their accounts hacked, individuals are often less aware of personal Cyber Insurance options like Cyberman365, a personal cyber protection program offered by Burns & Wilcox in partnership with Node International. Cyberman365 includes 24-hour monitoring of credit reports, social media, the dark web, bank accounts and more.
“Cyber risk is a common consideration for businesses,” Beckford said. “However, though individuals may be aware of the threats facing their company and workplace, they often are not considering their own risks and ways to protect themselves.” While efforts are being made to raise awareness around personal Cyber Insurance options, he said, there remains room for improvement. “The general public remains largely unaware of the financial damage a personal cyberattack could inflict.”
Damaged credit, legal fees among identity theft risks
Between 2019 and 2020, U.S. identity theft cases more than doubled, including a 2,920 percent increase in cases related to fraudulent claims for government benefits.8 Concerns have also been raised in Canada about heightened risks of identity theft amid the pandemic.9
“Identity theft can come in a variety of forms,” Posner said, such as opening a credit card in another individual’s name or assuming another’s identity entirely. “Losses from identity theft can range from negative credit reports and time involved in filing police reports and correcting records to financial hardship.”
“Spear phishing” scams related to the coronavirus reportedly increased 26 percent between October 2020 and January 2021.10 Since these scams use emails from a seemingly known or trusted sender to solicit data, vaccination record cards displaying an individual’s vaccine date, location and the brand of vaccine they received could provide an opening for this particular scam, Lefchik said. “A hacker could exploit that knowledge, claiming to be emailing on behalf of the manufacturer of the vaccine an individual received or the local health department where the vaccination took place in order to collect even more information,” he explained.
How damaging an identity theft will be often depends on how soon it is identified.
In addition to identity theft prevention and mitigation services available through Cyberman365, which costs $9.99 per month for individuals and $14.99 per month for families, the Cyberman365 HomeSafe program secures and provides insurance protection for home networks and devices for $9.99 per month.
If a device is affected by malware and it cannot be remediated, for example, Cyberman365 includes a digital voucher for up to $25,000 to replace it. “This is a significant benefit,” said Lefchik.
Although some may assume their Homeowners Insurance policy includes coverage to help with cybercrime-related expenses, this is not usually the case, Posner said. Even Homeowners Insurance policies with limited identity theft coverage would typically include a deductible and would be unlikely to provide the education and monitoring services of a program like Cyberman365.
Without early detection of identity theft, the damages can accumulate for months or years unnoticed. “How damaging an identity theft will be often depends on how soon it is identified,” Posner said.
“Cyberman365 includes coverage for up to $1 million to help with any eligible expenses associated with identity theft,” Posner explained. “The program also provides expert guidance throughout the process of investigation, restoration and recovery from a personal data breach, making it far less stressful and more expeditious.”
Investing in insurance should be part of a larger personal digital safety strategy, Posner stressed. Individuals should be aware of the risks posed by everyday actions like making online credit card payments while connected a coffee shop’s unsecured Wi-Fi network. “Taking simple precautions can help reduce data theft risks considerably and lessen the impact when data is compromised,” Posner said.
Businesses risk assets, reputation in event of breach
In its 2020 report, Cybersecurity Ventures predicted that a ransomware attack would hit a business somewhere in the world every 11 seconds in 2021.11 As the pandemic shuttered workplaces throughout much of the past year, commercial cyber risk and data breaches have surged, adding what some have called a “cyber pandemic”12 to the current economic and health crises.
A company’s reputation can be badly tarnished by a data breach. Even if no customers’ personal data was exposed, the publicity surrounding a breach can be enough for some customers to have second thoughts about continuing to do business with the affected company.
“Cyberattacks can be financially devastating to a business,” Beckford said, adding that this can be especially true for smaller, so-called “mom and pop” enterprises.
“A company’s reputation can be badly tarnished by a data breach,” he said. “Even if no customers’ personal data was exposed, the publicity surrounding a breach can be enough for some customers to have second thoughts about continuing to do business with the affected company.”
After this type of loss occurs, Cyber and Privacy Liability Insurance coverage can help with reputational damage expenses, lost income due to business interruption, data restoration, defense costs and fines and regulatory fees. Cyber and Privacy Liability Insurance policies can include coverage for losses stemming from cyberterrorism, cyber-extortion, social engineering and wire transfers.
Data backups may also be included in a Cyber and Privacy Liability Insurance policy’s coverage. Such backups can help defend companies against losses from ransomware attacks by ensuring their data is saved and accessible in a separate location, Lefchik explained.
Cyber and Privacy Liability Insurance policies also tend to emphasize preventive measures and may include options such as employee training in cybersecurity best practices. Through exclusive insurance programs Burns & Wilcox offers access to online knowledge centers, expert attorneys, and cybersecurity challenges to assess how savvy employees are when faced with common cybersecurity scenarios.
“Whether we are trying to protect ourselves or our companies, the goal is to limit the inadvertent release of information as much as possible,” Beckford said. “Encrypting passwords, limiting the sharing of personal data, and discussing suspicious emails and hyperlinks to the IT department at our workplaces—these and other precautions can go a long way toward increasing cybersecurity for everyone.”
Lefchik agreed: “We have plenty of tools at our disposal to help us take responsibility for our own digital well-being.”
1 Sganga, Nicole. “‘Hack everybody you can’: What to know about the massive Microsoft Exchange breach.” CBS News, March 14, 2021. 2 Jones, Ryan Patrick. “CRA locks out over 800,000 online accounts — here's what to know.” CBC, March 12, 2021. 3 Henriquez, Maria. “Verkada breach exposed live feeds of 150,000 surveillance cameras inside schools, hospitals and more.” Security Magazine, March 10, 2021. 4 Riley, Tonya. “The Cybersecurity 202: Global losses from cybercrime skyrocketed to nearly $1 trillion in 2020, new report finds.” Washington Post, December 7, 2020. 5 Cybersecurity & Infrastructure Security Agency. “Securing Wireless Networks.” U.S. Department of Homeland Security, March 11, 2010. 6 Gervis, Zoya. “More than 1 in 3 Americans have been hacked or had their identity stolen: survey.” New York Post, August 15, 2019. 7 Morgan, Steve. “A Whopping 52 Percent Of Canadians Have Been Hacked Over The Past Year.” Cybercrime Magazine, September 7, 2019. 8 Skiba, Katherine. “Pandemic Proves to Be Fertile Ground for Identity Thieves.” AARP, February 5, 2021. 9 Silver, Janet E. “Pandemic has increased risk to Canadians of identity theft and financial fraud.” iPolitics, November 18, 2020. 10 Sjouwerman, Stu. “Beware: Lots of COVID-19 Vaccine-Related Attacks Are Active and Looking for Their Next Victim.” KnowBe4, March 16, 2021. 11 Freedman, Linn F. “Ransomware Attacks Predicted to Occur Every 11 Seconds in 2021 with a Cost of $20 Billion.” The National Law Review, February 13, 2020. 12 Lohrmann, Dan. “2020: The Year the COVID-19 Crisis Brought a Cyber Pandemic.” Government Technology, December 12, 2020.