.png)
In the first installment of this exploration into digital illiteracy within the property insurance sector, we delve into a subtle yet pervasive issue: the unseen risks of data privacy breaches in outsourcing practices and marketplace platforms.
Unfortunately, in researching this article, I found a large batch of Xactimate estimates with policyholder claim data open to the internet. I'll cover this later in the article, and what it has to do with something called digital literacy.
As professionals in this field—including public adjusters, contractors, and independent adjusters (IAs)—increasingly turn to 3rd-parties on generalized online platforms like Fiverr, UpWork, or industry-specific vendors for efficiency in tasks such as generating Xactimate estimates, this challenge is quietly surfacing.
This challenge is not born from malice or negligence, but rather from a gap in digital literacy.
Ok, What Is Digital Literacy?
The American Library Association (ALA)'s webpage for digital literacy resources state:
"Like information literacy, digital literacy requires skills in locating and using information and in critical thinking. Beyond that, however, digital literacy involves knowing digital tools and using them in communicative, collaborative ways through social engagement. ALA’s Digital Literacy Task Force defines digital literacy as “the ability to use information and communication technologies to find, evaluate, create, and communicate information, requiring both cognitive and technical skills.”
Digital literacy matters, because some of the most common cybersecurity issues can stem from careless handling of personal data, not knowing how different software and digital solutions work, sharing admin credentials insecurely, and not knowing about how to avoid basic phishing and social engineering attacks.
Because navigating the web of different data privacy laws (13+ US states have them now, including some with additional data breach reporting requirements, which I'll cover in another article), the digital realm now requires more than just a cursory understanding.
It demands a nuanced, informed approach to handling sensitive information.
Data Breaches Only Happen From Brute-Force Hacking... Right?
Nope. Not always.
A lot of data breaches happen due to human error, and exposed credentials, which can be picked up by basic credential scrapers.
And, while Government entities and insurance companies are larger targets for bad actors, small businesses and professionals must take the same care and diligence to protect their clients' information.
With data breaches becoming so common that we see headlines almost every day, and cybercriminals armed with new technology, it's clear that no one in the property insurance sector is immune, including state departments of insurance:
Insurance companies:
and first-party property insurance claim professionals—which we'll focus on in a moment—but first:
Are We Resigned to “C’est La Vie”, or, Can We Do Something?
The remedy to this situation (for the property insurance industry, at least) lies in enhancing digital literacy among insurance professionals.
I know of insurance adjuster colleagues that still use mainly physical files for their operations, which doesn't sound like a such a bad idea at the moment. Maybe they shouldn't change a thing!
However, for those of us that are firmly set-in, or easing into digital operations and claim management, we must look closer and address the digital literacy gap.
This includes a thorough vetting of third-party service providers and a keen understanding of the privacy settings in online platforms.
Digital Illiteracy and Accidental Data Leaks
In researching the topic of this article series, I stumbled upon some Xactimate estimates open to the internet, via reviews left on Fiverr, for Xactimate estimating gigs. I found these through regular Google searches.
Across multiple listings, I found sensitive information within the reviews, like:
claim and policy numbers
first and last names
loss addresses
business names and addresses, EINs
phone numbers
email addresses
and more
The Xactimates were for losses across the United States, including Texas, California, Minnesota, Rhode Island, New Jersey, Georgia, Virginia, Montana, Michigan, Washington D.C., Arkansas, Ohio, Massachusetts, Maryland, Louisiana, New York, Kentucky, Indiana, Florida, Pennsylvania, and even Ontario, Canada.
After investigating to figure out how this may have happened, I believe it's not the fault of the providers of the Xactimate estimating gigs, but rather simply due to a default sharing setting on the platform when leaving reviews.
Looking at the Help Center, it appears that when leaving a review, the default setting is to include a copy of the deliverable for other buyers to view. In order to avoid that, these professionals would have to be aware of Fiverr's unique website settings, and uncheck that option before posting their review.
This is just one example of digital illiteracy and its role in data breaches.
EXAMPLES OF THE EXPOSED XACTIMATES:
I blurred the sensitive data from the images in the gallery below for privacy within this article, but they are completely unredacted on Fiverr:
If a data breach like this occurs by accident in a public space like a Fiverr review, immediate action is probably a good idea. You can probably contact Fiverr support to remove any sensitive data from the review, while maintaining the integrity of the professional's review.
The digital revolution in property insurance is plentiful with opportunities, but also rife with risks that demand our attention and action.
Is Outsourcing Bad, or Good?
As with most business tools, the concept of outsourcing for businesses is neither good, nor bad.
How, when, where, and with whom you outsource to, can determine risks and possible issues with legality (for which, your attorney in your state will certainly be the best person to consult with about topics like this).
When it comes to estimating property losses, specifically, many professionals in the first-party property claims space may outsource some or all of their estimating. That is not necessarily a bad thing... At the same time, data privacy must be considered.
(An aside: those prices for the estimating gigs in Fiverr were the lowest I've ever seen. I would probably never use Fiverr for that service, but who knows? They could be good at what they do. Just be careful out there!)
🔑KEY CONCEPTS:
Vet who you outsource to
Know the technology you use
Be aware of your regulatory and privacy requirements
Resources, for The Concerned First-Party Property Claims Professional:
Digital Literacy Basics and Resources, American Library Association
Data Breach Response: A Guide for Business, United States Federal Trade Commission
The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Third Edition, The American Bar Association (Bonus: Four Tips to Avoid Cyber Insurance Coverage for a Data Breach; sorry ABA members only. Therefore, I'm not allowed access to read it, but the title looks good)
For the nerds: 2022's Joint Cybersecurity Advisory, multiple agencies, including the US Cybersecurity and Infrastructure Security Agency
I hope this is helpful! Be sure to subscribe to the blog. This is only part one of a series you won't want to miss.
✌🏾Be well,
