Is it worth taking out personal cyber insurance in case you are caught up in a data hack?
The recent Optus and Medibank data breaches in which thousands of Australians had their personal information stolen have heightened public consciousness of the threat of identity fraud.
Information including names, dates of birth, addresses, phone numbers, passport and Medicare numbers, and even healthcare claims have been posted online in the past few months as a result of the high profile breaches.
If you’re worried about your personal information being stolen in a hack or data breach, should you consider investing in personal identity theft protection or is it a waste of money?
What is personal cyber insurance?
Cyber insurance for individuals is offered in products such as Norton Identity Advisor Plus, Aura’s Identity Guard, Experion Identity Protection and PrivacyGuard. Prices range from $99.99 for a year of Identity Advisor Plus to $75 (US$50) a month for Aura’s family coverage.
The products generally offer similar services with varying degrees of coverage.
Norton’s Identity Advisor Plus, for example, promises to monitor social media and the dark web for any data that identifies you, alert you if you are caught up in a breach and provide an “identity restoration support specialist” to guide you through the next steps, such as replacing identity documents and locking accounts. It also offers identity theft insurance up to $58,000 to cover legal expenses and lost income for time spent standing in queues to correct records.
Most products also offer credit monitoring to alert you of anyone trying to take out loans or open bank accounts in your name and will lock down your credit file to prevent such activity.
Sign up for Guardian Australia’s free morning and afternoon email newsletters for your daily news roundup
Will these products prevent me from being hacked?
Short answer: no. These products are designed to limit the damage in the event your personal information is leaked by finding it quickly, limiting ID fraud in your name and potentially to cover any financial losses you might suffer.
Aren’t I covered by the company’s cyber insurance?
If you’re a business, cyber insurance will cover everything from financial losses and cybersecurity support to legal advice and privacy breach management.
Large companies often have cyber insurance designed to cover the costs should they come under an attack, but this is not always applicable to the customers of the business.
Is personal cyber insurance necessary?
While it might be possible to undertake some of the monitoring and remediation offered by these services yourself – such a searching your own name on social media and engaging a credit monitoring service – you might prefer the peace of mind that comes with knowing someone else is doing it in a systematic way.
And, unless you work in tech, monitoring the dark web is probably beyond your expertise.
Josh Lemon, a digital forensics and cyber incident expert at SANS Institute, thinks the “appetite for individuals to actually take insurance out is probably pretty low”.
“If you have your driver’s licence exposed or your credit card exposed, the time it takes you to get those changed and renewed often isn’t compensated as part of those claims.”
In some cases, companies will pay out costs incurred by customers for credit monitoring and document replacement, as was the case for customers caught up in the recent Optus breach.
Lemon also said customers who have lost money from their bank accounts are often compensated by the banks.
“A lot of Australian banks have consumer protection rights that allows that money to be returned back to you,” he said.
However Prof Yang Xiang, Swinburne’s dean of digital research, pointed out companies are not obliged to pay for replacements for documents except out of brand reputation management efforts, so the insurance may offer some peace of mind.
“That could give the individual some protection in terms of money. It doesn’t protect the information at all, but it just gives you some protection in terms of if you lose any money, the insurance can cover some loss,” he said.
Consumer group Choice has not examined personal insurance for ID theft since 2014, but at the time labelled it as unnecessary insurance.
Lemon said cyber insurance for small businesses was still a good investment, and noted that insurance was getting much more expensive for larger companies, with increased carveouts including around ransomware attacks. Medibank told investors it had not taken out cyber insurance due to the cost involved.
Can software prevent cyber-attacks?
Xiang said consumers should be aware that software is unlikely to protect you from cyber-attacks, given most cyber-attacks have some level of human involvement through phishing campaigns or other methods to obtain people’s login details.
“We do have some automated ways to protect users’ information, for example by using AI to give some indication that your personal information might be compromised. But still, it needs human involvement.”
Guardian Australia sought comment from Norton.