Why Are You Getting This?
You signed up to receive The Privacy Professor Tips, or initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) and consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.
April Fool's Month... Year!
Fool me once, shame on you…fool me twice, shame on me. It's one of my favorite expressions because it reminds me who is best suited to protect us - ourselves! Our most powerful weapons are knowledge and information. And in today’s world, every day is an opportunity for a criminal to try and fool anyone and everyone if it gets them data and/or money in return.
Consider celebrating April Fool's Day by sharing, at any time this month or year, just one tidbit from this newsletter with a family member, friend or co-worker to help build up that all-important awareness of the risks to our privacy and security. Encourage friends, family and colleagues to do the same. No fools in this group!
We freely distribute the Privacy Professor Tips monthly publication to help both businesses and individuals, of all ages, identify the risks they face throughout their daily lives, and to help them know how to prevent security incidents and privacy breaches, and to keep from becoming victims of scams. We love getting your questions! Send them our way, and you may see them in an upcoming Monthly Tips issue.
We hope you are finding all this information interesting, thought-provoking and valuable. Let us know! We continue to appreciate, and love, the feedback you are sending us! We always welcome your messages.
Oh, for those of you asking us to let you know what courses we have available, we suggest you check out Dr. Kabay’s “Secure Coding” course, which provides over an hour of valuable information for every software programmer, developer and tester, of all experience levels. Additionally, for HIPAA business associates (BAs), and for HIPAA covered entities (CEs) to suggest to their BAs, please consider “HIPAA Basics for Business Associates.”
Thank you for reading!
Image from Prasad Kale at Pexels.
April Tips of the Month
- News You May Have Missed
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons*
- Where to Find the Privacy Professor
We are finding more unique news stories to share with you than ever before. We also share news items that we believe are important for most folks to know, but that often do not get much mention in traditional news, or even in security and privacy news outlets.
Here are just a few of the 100+ news stories we discovered throughout the past month that provide a wide range of interesting security and privacy related news. These news items demonstrate that such types of risks exist basically anywhere in the world, and that everyone needs awareness.
This month we limited the list to 34 news items, and will then include them, and a long list of other interesting news items, into a post to our Privacy & Security Brainiacs blog by the end of the month. Here they are, in no particular order. Sometimes we will also include a few sentences about the situation to provide some advice or additional insights, or a related news item. Read next month for even more. Do you have interesting, unusual, bizarre or odd stories involving security and privacy? Or questions about any of the notes we included for the stories we listed this month? Let us know!
1. California AG Urges 23andMe Users To 'Delete Their Data' In Grim Warning About The Biotech Company. NOTE: There were many news reports about the privacy risks that have been created by the 23andMe bankruptcy. One common recommendation that we agree with is for everyone to irreversibly delete all their personal data, including physical forms of DNA within their spit or other bodily samples, from that organization. And we go one step further and recommend you delete your data from every DNA analysis organization you have provided it to. If you’ve already received your analysis, they do not need your DNA, or the rest of your data, any more!
2. Lawsuit Filed Against Former Michigan Coach In Alleged Hacking Case. Matthew Weiss has pleaded not guilty to 24 counts. "…the lawsuit claimed that between 2015 and January 2023, the former coach unlawfully gained access to the social media, email and/or cloud storage accounts of more than 3,300 people, including the two plaintiffs, and then downloaded personal, intimate photos and videos. Weiss primarily targeted female college athletes, the indictment alleged." Another report about this with additional and/or slightly different information includes: Feds indict ex-Michigan football coach Matt Weiss: He hacked computers to spy on women.
3. What Really Happened With the DDoS Attacks That Took Down X? Elon Musk said a “massive cyberattack” disrupted X on Monday and pointed to “IP addresses originating in the Ukraine area” as the source of the attack. Security experts say that’s not how it works. "Security researcher Kevin Beaumont and other analysts see evidence that some X origin servers, which respond to web requests, weren't properly secured behind the company's Cloudflare DDoS protection and were publicly visible. As a result, attackers could target them directly."
4. NFL Teams Gathered Detailed Consumer Data Without Standard Notice or Opt-Outs. Digital data, including information about consumers’ precise movements and locations, was shared with ad-tech vendors.
5. 'Uber for nurses' exposes 86K+ medical records, PII in open S3 bucket for months. “Non-password-protected, unencrypted 108GB database … what could possibly go wrong?”
6. FTC's $25.5M Scam Refund Treats Victims To $34 Each. Oh wow, just look at all the scary stuff in your Windows Event Viewer. “The average payments made following the initial scam ranged between $27 and $58, although follow-up calls would attempt to re-victimize those who already showed they could be tricked once. Bad news for the two companies, one of those people was an undercover fed and the scammers tried to fleece them out of additional repair services costing up to $500.”
7. JODI HUISENTRUIT CASE: Judge Hears Arguments To Unseal 2017 Search Warrant. NOTE: Here in Iowa, this has been in the news continuously, now around 1-2 times a year, since the early morning hours of June 27, 1995 when Ms. Huisentruit disappeared. There are many privacy after death issues involved with this case, as well as the need to solve a likely murder, and the need, if any, for providing the information to the public.
8. From Rumors to Ugly Reality: Georgians Stunned by Scam Call Center’s Cruelty. “Georgians were shocked and outraged after investigative reports exposed a Tbilisi-based call center, where young scammers ruthlessly stole millions from foreign victims while mocking them.” NOTE: This is the eastern-Europe country of Georgia.
9. One Tech Tip: Don’t Give Your Email To Strangers, Use A Decoy Address Instead. NOTE: Great advice! We have several different email addresses we use for different purposes, many of which are for free newsletters, or other types of free things that were offered in return for our email address.
10. Medicare and Medicaid Payments to Providers Are at Risk of Diversion Through Electronic Funds Transfer Fraud Schemes.
11. Speed Bump: CPPA Pulls Over Honda for Privacy Practices. "1. Honda required too much information from consumers to opt-out of sale/sharing of consumer data." "2. Honda required too much information to allow third-party agents to opt-out on behalf of consumers." "3. Honda’s cookie management tool was not offering symmetrical choices." "4. Honda couldn’t provide the CPPA with their contracts with advertising vendors."
12. White House Scrambles After JFK Files Expose Social Security Numbers. "The Trump administration rushed to mitigate harm from the errant release of more than 400 Social Security numbers and other private information in files on JFK." "The Washington Post, in its review of 60,000 pages released this week by the Trump administration, found unredacted Social Security numbers in more than 3,500 instances, because many of the individuals’ numbers were published more than once. (Another release late Thursday brought the total to more than 77,000 pages across some 2,340 documents.)"
13. Nation-State 'Paragon' Spyware Infections Target Civil Society. “Law enforcement entities in democratic states/countries have been deploying top-of-the-line messaging app spyware against journalists and aid workers.”
14. What Encrypted Messaging Means for Government Transparency. “An Associated Press review in all 50 states found accounts on encrypted platforms registered to cellphone numbers for over 1,100 government workers and elected officials.”
15. Under Trump, AI Scientists Are Told to Remove ‘Ideological Bias’ From Powerful Models. A directive from the National Institute of Standards and Technology eliminates mention of “AI safety” and “AI fairness.” NOTE: By not striving to remove bias from AI, AI results will likely be incorrect for some-to-many subpopulations, and could possibly even harm individuals when the AI is used to determine medical conditions, perform HR evaluations, determine loan recipients, etc. Bias, of all kinds, has been a long-time significant risk of AI, and removing it is vital to ensuring the most accurate results possible, and to preventing harms to those who are impacted by the associated AI tools and results.
16. Tourists begin boycott campaign against Spain over new accommodation law: "I'm not coming back." The controversial legislation requires the collection of up to 42 personal details, which has sparked outrage among the British, the country's main visitors.
17. Podcast from the Identity Theft Resource Center: Eras Tour Sale – Bad Actors Make Over $600K from Taylor Swift Ticket Scam. "A group of identity criminals hacked into StubHub’s computer system and stole several hundred Taylor Swift tickets only to resell them...how consumers can avoid ticket scams and how businesses can protect themselves. "
18. Amazon Ditches ‘Just Walk Out’ Checkouts At Its Grocery Stores. Amazon Fresh Is Moving Away From A Feature Of Its Grocery Stores Where Customers Could Skip Checkout Altogether. “Though it seemed completely automated, Just Walk Out relied on more than 1,000 people in India watching and labeling videos to ensure accurate checkouts. The cashiers were simply moved off-site, and they watched you as you shopped.” “Instead of Just Walk Out, Amazon is moving towards Dash Carts, a scanner and screen that’s embedded in your shopping cart, allowing you to checkout as you shop.”
19. NFL Teams Gathered Detailed Consumer Data Without Standard Notice Or Opt-Outs. Digital data, including information about consumers’ precise movements and locations, was shared with ad-tech vendors. “Information collected by third-party ad-tech vendors included online behavioral data and geolocation data, which may be used by advertisers or other parties to determine the exact locations and movements of an individual’s phone or other mobile device.”
20. They Were Forced To Scam Others Worldwide. Now Thousands Are Held In Detention On The Myanmar Border. “Thai, Chinese and Myanmar authorities led to the release of more than 7,000 people from locked compounds in Myanmar where they were forced to trick Americans and others out of their life savings. But survivors have found themselves trapped once again, this time in overcrowded facilities with no medical care, limited food and no idea when they’ll be sent home.” NOTE: These are the sources of a large portion of those romance scammers that trick so many people out of their savings and pensions by impersonating others. Meanwhile the criminal groups trafficking the people forced to do these activities mostly go unpunished.
21. A Passenger Says A United Pilot Forcibly Removed Him From An Airplane Bathroom. Now he is suing. “An Orthodox Jewish passenger says a United Airlines pilot forcibly removed him from an airplane bathroom while he was experiencing constipation, exposing his genitalia to other flyers.” NOTE: This demonstrates the need for airlines to have privacy policies and procedures for aircraft personnel to follow for all types of privacy issues they may encounter, to prevent these types of privacy invasions, and subsequent lawsuits.
22. A Car Pulled From A River May Tell What Happened To An Oregon Family Of 5 That Went Missing In 1958. “No human remains were found in the vehicle.” “The bodies of two of the family’s children were found in the river later that year, though the remaining members never turned up.” NOTE: Several privacy after death issues are involved here. E.g., What rights, if any, do any survivors have for release of new information discovered?
23. AI Search Engines Are Confidently Wrong More Than Half The Time When They Cite Sources, Study Finds. NOTE: We have been warning about this for years, since AI started being used for business decisions over a decade ago. In a similar situation, on March 28 I was doing some simple math (percentages for voting stats), and it was disappointing, and alarming when considering that most folks take these results at face value, to see that every single time (20 times!) the answers were incorrect from the Google search, ChatGPT, and Gemini. Yet, widespread reports show that organizations are replacing critical jobs (e.g., programming, medical diagnosis, critical infrastructure, etc.) with AI and no one (according to associated reports) is checking the results. Bad output from AI (a form of unsecure coding) is a significant privacy, security and physical safety risk.
24. Undocumented Commands Found In Bluetooth Chip Used By A Billion Devices. “The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks. The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.”
25. How to Protect and Secure Your Data in 10 Ways. NOTE: This provides a very high-level starting point for businesses, particularly small-to-medium-sized, to start building their information and IT security program if they do not already have one. It is important to point out that this is just the start; many more actions need to be taken.
26. Photos Are Disappearing, One Archive At A Time. “When Hurricane Milton threatened Tampa last October, photojournalist Christopher Morris faced a familiar challenge: protecting his archive from destruction.” “Institutions such as the Library of Congress, which holds 16 million images, play a crucial role in preserving photojournalism, yet the surge of at-risk archives far exceeds anyone’s capacity.” NOTE: Another privacy after death type of situation. E.g., how can survivors of those whose information is removed maintain the history of their ancestors’ achievements and legacies? Do these removals impact history books in schools? Etc.
27. Cybersecurity Executive Tapped To Lead Agency (CISA) That Protects Voting Systems. Earlier in March, CISA “announced plans to cut about $10 million in annual funding from two cybersecurity initiatives, including one dedicated to helping state and local election officials.”
28. IRS Close To Finalizing Data-Sharing Agreement With ICE, Sources Say. “Officials are close to reaching an agreement that would enable ICE officials to submit names and addresses of suspected immigrants lacking legal status for the IRS to check against its confidential databases.”
29. Many readers have contacted us with multiple security and privacy concerns about the DOGE access to large amounts of personal data. Here is a sample of related reports, with the first three showing how DOGE access to Social Security data has been evolving. NOTE: We received over two dozen questions about the security and privacy of the data being accessed through the DOGE team, so we are including a range of news reports about this topic to address most of the concerns and questions we received.
a. Unions Ask Court To Stop DOGE From Accessing Social Security Data Of Millions Of Americans. Tiffany Flick, a former senior official at the agency, says career civil servants are trying to protect the data from DOGE: “A disregard for our careful privacy systems and processes now threatens the security the data SSA houses about millions of Americans.”
b. Federal Judge Considers Blocking DOGE From Accessing Social Security Data Of Millions Of Americans. “A group of labor unions and retirees sued the Trump administration and asked the court to issue an emergency order limiting DOGE’s access to the agency and its data. DOGE’s “nearly unlimited” access violates privacy laws and presents massive information security risks, they said. A recently departed Social Security official who saw the DOGE team sweep into the agency said she is deeply worried about sensitive information being exposed.”
c. DOGE Blocked In Court From Social Security Systems With Americans’ Personal Information, For Now. The order also requires the team to delete any personally identifiable data in their possession. U.S. District Judge Ellen Hollander in Maryland found that the team got broad access to sensitive information at the Social Security Administration to search for fraud with little justification. The order does allow DOGE staffers to access data that’s been redacted or stripped of anything personally identifiable, if they undergo training and background checks.
d. Judge Blocks DOGE From Accessing Sensitive and People’s Personal and Private Information At US Agencies, Including The Education Department, The Treasury Department and The Office of Personnel Management. “Led by the American Federation of Teachers, the plaintiffs allege Trump’s administration violated federal privacy laws when it gave DOGE access to systems with personal information on tens of millions of Americans without their consent.” “The judge found the Trump administration likely violated the law. She said the government failed to adequately explain why DOGE needed access to “millions of records” to perform its job duties.”
e. How To Know The Personal Information DOGE Collected About You. “The information the government stores about you goes well beyond name, address, phone number and Social Security number. It could also include detailed medical information and financial information.” “On March 10, a federal judge ruled that DOGE must respond to FOIA, or Freedom of information Act, requests.”
f. DOGE Plans to Rebuild SSA Code Base in Months, Risking Benefits and System Collapse. Social Security systems contain tens of millions of lines of code written in COBOL. Safely rewriting that code would take years; DOGE wants it done in months. "Under any circumstances, a migration of this size and scale would be a massive undertaking, experts tell WIRED, but the expedited deadline runs the risk of obstructing payments to the more than 65 million people in the US currently receiving Social Security benefits." NOTE: This is another example of what, if true with regard to plans, would be unsecure coding practices. Two of my degrees are in computer science and mathematics. I started my career as a systems engineer building one very complex change control system, in COBOL, and I also wrote the accompanying JCL, as my first project, and then, years later, I taught privacy and security, including secure coding, for a decade as a university adjunct professor. The software of the SSA, and of all other government agencies, is very complex, consisting of a large number of code sets that are connected together, including to many other agencies, as well as to some third parties’ code. And COBOL programs are often structured with many code sets, each with specialized purposes, often used by multiple COBOL programs, as well as being called to execute from other types of code. It will absolutely be a massive undertaking to “rebuild” the SSA software. Planning to do such changes in a few months is not only unrealistic, it could also expose and change the accuracy of even more personal data than has been referenced earlier, and very possibly bring down many different online services that people depend upon, even beyond the SSA through software connections to other agencies’ software, causing havoc to say the least. Hopefully those making these plans for “rebuilding” the code will listen to experts and change such unrealistic goals.
Check out our Privacy & Security Brainiacs blog page for more unique security and privacy news items. Have you run across any surprising, odd, offbeat or bizarre security and/or privacy news? Please let us know! We may include it in an upcoming issue.
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
April 2025
We continue to receive a wide variety of questions about security and privacy. Questions about current hot topics in society are of particular note. Thank you for sending them in! This month in addition to our Question of the Month we’ve included four Quick Hits questions.
Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!
Question of the Month:
Q1: I’m so concerned about my Social Security information and misuse. What are some scams that people should be on the lookout for?
A1:
Crooks come out of the woodwork when there are changes in society. Right now, with the change in U.S. government leadership, there are many concerns with government programs. In particular, Social Security. The crooks are seizing upon this opportunity, and launching multiple types of attacks, many using information posted online from those concerned and asking questions in social media sites about their Social Security benefits.
Here are six scam delivery methods these crooks use to try to take advantage of those concerned with their Social Security information. We provide more details about these in our latest blog post, which you can find here. Included are some images from a real-life situation.
1. The U.S. Postal Service. Yes, those old-fashioned scams by hard-copy postal mail are becoming a popular tool again. In January, a couple of my neighbors who are retired received a bogus letter claiming to be from the Social Security Administration (SSA). It told them that they were being given a “cost of living adjustment (COLA)” increase of over $400.00 in their monthly benefits and directed them to call a phone number to “start receiving this increase immediately.” They asked me if it was too good to be true. So, I walked them through a few red flags I saw in their letter.
Watch out for postal letters with images that don’t exactly match what is on the SSA website, or that claim you must call a number to activate benefits. Call the actual SSA phone number and ask whether the number in your letter is theirs. Any one of these red flags is a sign of a crook’s scam letter.
2. By phone. Crooks still love taking money from their victims through the phone. And worse yet, there are freely available tools that crooks use to show the legitimate SSA phone number on your caller ID.
If a caller that has what looks to be the SSA phone number tells you they are from the SSA and need your personal information to update the records they have for you, or that they are doing an audit and you need to give them personal data, or make any other type of claim, tell them you cannot talk at the moment, and ask them for their name and phone number, and that you will call them back. Then call the actual SSA phone number, report the call, and see if it is legitimate.
3. By email. Crooks have been using emails for crimes ever since people started using emails! Like the postal letter described previously, these emails often come from a legitimate-looking email address, include the SSA seal, and often include official-looking data such as the sender’s government ID, and often even your own actual Social Security number. Then, they will direct you to click a link to fill out a form, or to download some nifty new software that they are asking all Social Security benefit recipients to use. Huge red flags!
Call the SSA number to ask if they did indeed send the email before you do anything beyond looking at the email.
4. By text. Since most organizations are now sending text messages as one of their primary communication methods, people are very susceptible to automatically clicking a link from texts that, upon a quick glance, seem legit. The SSA will only send text messages if you have opted in to receive texts from them, and only in limited situations, such as when you’ve actively chosen to subscribe to receive updates and notifications by text, and when doing security activities, such as multi-factor authentication.
If a text message claiming to be from the SSA seems fishy it may actually be a phishing text. Call the SSA number to ask if they did indeed send the text.
5. On social media. Cybercrooks love using social media to scam people, because people love social media! And the social security scams on social media are widespread. But think about it; why would a government agency be commenting on your posts, or sending you a DM? Or, why would they be putting up a social media page or group…that is less than a year old? Well, they won’t. If you have someone using a real SSA employee’s photo, name, email address, etc. get in touch with you in some way on a social media site, they are most likely a crook impersonating the SSA. Most long-standing organizations have established their websites, and social media pages and groups, many years ago.
If someone claiming to represent the SSA is telling you information on a social media site, be skeptical! Call the SSA number to ask if they actually do have such a page or group on the social media site.
6. In person. Yes, these types of really creepy encounters still occur. Someone may knock at your door claiming to be an SSA agent, and say they have money for you because you overpaid, or that you may be eligible for increased benefits. Or, they may use one of the previous tactics to arrange to meet you in person to give you a check or even a cash payment. They may even flash a badge to look official. Beware! These types of tactics are not only creepy, they can be very dangerous; they can put you in physical danger.
SSA agents will never ask you to meet them in person to hand off cash, or show up at the door. Don’t let a stranger claiming to be from the SSA in your home or meet them somewhere. Call the SSA and report these situations, and call 911 if they persist at your home.
There are increasingly more crooks trying to take advantage of the general public’s concerns about their social security benefits. Stay aware!
Always be skeptical if you are contacted unexpectedly by someone claiming to be from the SSA. It is always better to confirm their identity than to end up being conned, possibly losing a lot of money, and going through a lot of stress. Call the SSA number to check out any such contacts made with you, or with your friends and family.
These scam attempts can also be reported at oig.ssa.gov. More information is also located at www.ssa.gov/scam.
Quick Hits:
Here are five more questions we are answering at a comparatively high level. We provide more in-depth information and associated details about these topics in separate blog posts, videos on our YouTube channel, in infographics and e-books, LinkedIn posts to our business page, and within our online training and awareness courses.
Q2: We are a small business (10 people) that is a HIPAA business associate with several hospital systems. We use a cloud service for the software we use, and we each use our own personally owned computers. One of our largest hospital clients sent a HIPAA compliance business to do an assessment of our business. They told us a couple of things that HIPAA requires, but we want to check with you about this. We cannot afford this!
1) They told us that HIPAA requires all CEs and BAs to own all their own computing devices and software; that we couldn’t use any cloud services. Is this true?
2) They told us that HIPAA requires us to obtain a SOC2 certification. Is this true?
A2:
The short answers to your questions are: No, and no.
1) HIPAA does not require CEs and BAs to own the networks and related components that they use to support business. There has never been a HIPAA requirement that a CE or BA must actually own all their own network and associated components. That would be financially prohibitive and infeasible for most CEs and BAs. This is not a practice that is found in the HIPAA regulatory text, nor in NIST SP 800-66 Rev 2, nor in any of the HHS OCR HIPAA enforcement activities.
2) HIPAA does not require CEs and BAs to use specific commercial products. There has never been an explicit HIPAA requirement that CEs or BAs must spend money to use a specific commercial product or service to meet compliance. Especially when the related actions can be accomplished by a CE or BA using other methods. HIPAA also does not require specific types of security and/or privacy certifications for compliance. By the way, SOC2 certification isn’t even specific to HIPAA; and it does not cover all HIPAA requirements.
Some CEs may require specific tools, software, or certifications to work with them. However, HIPAA does not. If a vendor claims HIPAA requires such services and tools…and by the way, also sells those services and tools…they either do not actually know HIPAA requirements, or they are being willfully deceptive.
We’ve been seeing a disturbing trend. Since January, four of my clients, who are small HIPAA business associates, have asked me basically these same questions based on these claims from the associated four different assessment businesses.
This is another topic that we wanted to provide more information about. You can learn more about these disturbing false claims in another one of our latest blog posts, which you can find here.
Q3: Does HIPAA allow CEs to provide PHI in social media sites if the associated individual makes a false claim about the CE, and provides false information and PHI about a medical care situation? In other words, can CEs defend themselves in social media comments for untruthful statements patients make about the CE?
A3:
Generally, no, CEs cannot provide PHI on social media sites. I can understand how strong the urge must be for healthcare providers and insurers to respond to false claims made about them in a public forum. However, HIPAA does not allow healthcare covered entities (CEs), or their business associates (BAs), to post PHI online without first obtaining the patients' explicit authorization, using properly documented authorization tools. Replying to a public post by a patient with that patient’s PHI, without such documented authorization, would most likely be considered a PHI breach under HIPAA, since the PHI is not being used in a way that supports the patient’s treatment, payment or health care operations (TPO), so it would be an unauthorized disclosure of patient PHI.
Here's a similar real-life situation. On November 29, 2017, the HHS OCR received a complaint alleging that New Vision Dental (NVD), a CE, impermissibly disclosed PHI on its online Yelp business page when Dr. Brandon Au responded to various reviews posted by individuals. The doctor provided full names (which are types of PHI) where only Yelp monikers were used by the patients in their complaints against the dental practice. Dr. Au included detailed information about the patients’ visits and insurance. OCR investigated, and found that in addition to posting PHI online in a publicly accessible area, NVD also failed to have the minimum content required in its Notice of Privacy Practices (NPP), and did not have HIPAA required PHI security and privacy policies and procedures, including not having those governing the release of PHI on social media/public platforms. HHS OCR required the dental practice to pay $23,000, and to also comply with a 2-year corrective action plan (CAP), that generally covered OCR monitoring most aspects of their HIPAA security, privacy and breach response rules throughout that entire period.
Q4: I’m responsible for physical security at my corporation. I am also one of the Information and IT Security team members, so I understand that physical security is necessary to preserve personal privacy and to safeguard IT components and print information. I’ve been asked to provide a real-life example to our Board of Directors, as part of our budget approval process, for how building designs and physical security systems can be complementary, or at odds. Can you provide such an example?
A4:
Interesting question! And an important topic that is often overlooked. So, kudos to you for understanding the role of physical security as it relates to information (in all forms) and IT (cyber, network, endpoint, etc.) security.
A critical component is to ensure that the actions triggered by the physical security systems do not put humans and other living things at risk. Regarding security and privacy, physical safety/security implementations should not destroy mission-critical information, in physical or digital form, when activated. For example, rather than fire alarms that spray water in a room housing computers and servers, use a different type of fire suppression substance that limits damage to the objects in the room. Another key component is to not install surveillance cameras pointing at areas where privacy is expected, such as locker rooms, restrooms, fitting rooms, etc.
You can see more information, and my real-life example, in another blog post we wrote, which you can find here.
Q5: I’ve provided a boatload of my DNA and other personal data to 23andMe over the years. Doesn’t HIPAA protect my data that I’ve provided to them?
A5:
No. 23andMe services are commercial products targeted to consumers, who choose to use them and who provide whatever personal information or physical samples to 23andMe they choose. The exception would be if 23andMe is acting as a business associate (BA) to one of your healthcare providers, who prescribed the use of 23andMe so that you could give the results to your physician to help with your medical care. Ultimately, in most cases 23andMe is not a HIPAA CE or BA.
Q6: As more enterprises are embracing agentic AI, are their cloud infrastructures ready, and have enough security and privacy protections?
A6:
No, I’ve seen scant proof or case studies demonstrating that those using agentic AI are truly, comprehensively ready, with enough security and privacy protections. In particular there seems to be an almost complete lack of preparedness with regard to comprehensively mitigating the security, privacy and physical safety risks.
Agentic AI generally refers to AI systems that can make decisions and take actions autonomously, often interacting with various systems and environments without constant human oversight. Agentic AI in cloud infrastructures creates many unique security and privacy concerns. Here are overviews of some of the many types of privacy and cybersecurity risks as examples:
1. Privacy Risks. Cloud infrastructures typically collect, process and/or store vast amounts of personal, confidential (such as intellectual property) and sensitive data. Consider this: when agentic AI systems have access to these types of data, there is a high risk that such data will be inadvertently leaked or misused through those autonomous actions. For example, if the AI is not adequately restricted or monitored, or the APIs are misconfigured through automatic adjustments, these various types of sensitive data items could be leaked, shared, or inappropriately processed in ways that violate privacy laws like GDPR, HIPAA, GLBA, FERPA, Canada’s PIPA, or California’s CCPA. Compromised agentic AI could also create pathways into the cloud ecosystem, allowing unauthorized access to system, application and network controls, along with the edge devices and endpoints.
2. Cybersecurity Risks. Agentic AI systems are very vulnerable to autonomous actions that are not monitored or validated by humans. Such validation is necessary to determine whether or not an autonomous action is appropriate in the context of each situation. Without it, the result can be misconfigurations that cyberattackers exploit to perform a wide range of malicious actions: for example, to break security measures, to perform unauthorized operations, or to hinder other cloud services within the same ecosystem. It has also been increasingly demonstrated how malicious actors exploit agentic AI vulnerabilities to bypass conventional security controls, such as tricking the AI into disclosing sensitive information or performing actions that weaken security or even cause cybersecurity incidents. Since agentic AI products are usually unattended and unmonitored, the actions they take, such as reconfiguring security settings or accessing restricted data, often result in unintended consequences.
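To make the validation point in item 2 concrete, here is an added illustration (it is not code from this newsletter, nor from any vendor's agent product) of a policy gate that sits between an agent and the tools it is allowed to call. Low-risk tools run automatically; tools that touch restricted data or change a security control are held until a named human approves them; a few hard invariants, such as an ingress rule open to the whole internet, are refused no matter who asks; and every decision is written to an append-only audit log. The tool names, the policy table and the sample actions are constructed assumptions for the example.

```python
"""Policy gate for agent-proposed actions: allow, deny, or hold for a human.

Added example with constructed tool names and policy; not from any real product.
"""
import ipaddress
import json
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_APPROVAL = "needs_approval"


@dataclass
class ProposedAction:
    agent_id: str   # which agent asked
    tool: str       # hypothetical tool name
    params: dict    # arguments the agent wants to pass to the tool


# Constructed policy table. "auto" tools may run without a human; "approval" tools
# are held for a named person; any tool absent from the table is denied by default.
POLICY = {
    "read_public_bucket": "auto",
    "read_restricted_bucket": "approval",   # holds personal or confidential data
    "update_security_group": "approval",    # changes a security control
}


def violates_invariants(action: ProposedAction):
    """Hard limits that no approver can override. Returns a reason string or None."""
    if action.tool == "update_security_group":
        for rule in action.params.get("ingress", []):
            try:
                net = ipaddress.ip_network(rule.get("cidr", ""), strict=False)
            except ValueError:
                return f"malformed cidr {rule.get('cidr')!r}"
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: reachable from the whole internet
                return f"ingress from {net} is never permitted"
    return None


class ActionGate:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.pending = {}      # action_id -> ProposedAction awaiting a human
        self.audit_log = []    # append-only JSON lines for later review
        self._next_id = 1

    def evaluate(self, action: ProposedAction):
        """Decide on an agent's request; returns (action_id, Decision)."""
        reason = violates_invariants(action)
        if reason:
            decision = Decision.DENY
        else:
            mode = self.policy.get(action.tool)
            if mode == "auto":
                decision, reason = Decision.ALLOW, "policy: auto"
            elif mode == "approval":
                decision, reason = Decision.NEEDS_APPROVAL, "policy: human approval required"
            else:
                decision, reason = Decision.DENY, "tool not in policy (default deny)"
        action_id = self._next_id
        self._next_id += 1
        if decision is Decision.NEEDS_APPROVAL:
            self.pending[action_id] = action
        self._record(action_id, action, decision, reason, approver=None)
        return action_id, decision

    def approve(self, action_id: int, approver: str) -> Decision:
        """A human releases a held action; the approver's identity is logged."""
        action = self.pending.pop(action_id)
        self._record(action_id, action, Decision.ALLOW, "human approved", approver)
        return Decision.ALLOW

    def reject(self, action_id: int, approver: str, reason: str) -> Decision:
        action = self.pending.pop(action_id)
        self._record(action_id, action, Decision.DENY, f"human rejected: {reason}", approver)
        return Decision.DENY

    def _record(self, action_id, action, decision, reason, approver):
        self.audit_log.append(json.dumps({
            "action_id": action_id, "agent": action.agent_id, "tool": action.tool,
            "params": action.params, "decision": decision.value,
            "reason": reason, "approver": approver,
        }, sort_keys=True))


if __name__ == "__main__":
    gate = ActionGate()
    # Constructed sample requests an agent might make during a "cleanup" task.
    for act in [
        ProposedAction("agent-1", "read_public_bucket", {"bucket": "public-docs"}),
        ProposedAction("agent-1", "read_restricted_bucket", {"bucket": "phi-records"}),
        ProposedAction("agent-1", "update_security_group",
                       {"ingress": [{"cidr": "0.0.0.0/0", "port": 22}]}),
        ProposedAction("agent-1", "delete_backup", {"id": "nightly-01"}),
    ]:
        print(act.tool, "->", gate.evaluate(act)[1].value)
    print("\n".join(gate.audit_log))
```

The gate is deliberately simple: the point is that the agent never holds the credentials to call a sensitive tool directly, the decision is made from the agent's declared parameters before anything runs, and the audit log records who (human or policy) let each action through, which is what an incident responder will need when an autonomous action turns out to have been the wrong one.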
Data Security & Privacy Beacons*
People and Places Making a Difference
We get many suggestions for beacons from our readers; thank you! We include many of them when the suggestions are for businesses other than the suggester’s own. Typically these are businesses the suggester feels deserve recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We do try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.
- Court Settlement. For the MGM Resorts Breach. Key dates: May 19, 2025, deadline to exclude yourself from the settlement; May 19, 2025, deadline to object to the settlement; June 3, 2025, deadline to submit a claim form; June 18, 2025, at 9:00 a.m., final approval hearing. See more information, and start your claim, at the linked site.
- Victoria Warmerdam. For her 2025 Academy Award-winning Best Live-Action Short film, "I'm Not a Robot." NOTE: This is a good video for personal viewing. It might be an excellent video to add to your security and privacy awareness campaign, or for awareness in some departments or teams, depending upon the type of business or organization you are within. However, be aware the language does include profanity and there is a disturbing scene, so it may not be acceptable under some, or even most, businesses’ rules. It could also inspire some thoughtful discussion about the evolution of robots, rights, etc. in other organizations. A law firm client of mine had the team that supports their AI and robot rights work watch it, and they told me it inspired some productive discussions among their team.
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.
Check It Out!
We are going to be posting more videos to our YouTube channel this year! We know; we are behind. We will be better at getting more online content created in 2025! To date we have not formally promoted it. We have found that our recently created video shorts are receiving a lot of views and engagement! These are some wise and useful quick tips and facts from Dr. Mich Kabay, our premier Privacy & Security Brainiacs Master Expert. Check them out, along with the most recent one, “Violating Federal Law with Bad Coding Practices,” here.
We have a few more shorts and medium- to long-length videos in production. In the meantime, please check them out, let us know of any topics you suggest we cover, “like” the videos, and subscribe. And of course, add comments for topics that motivate you to do so. Dr. Kabay’s course, “Secure Coding,” provides over an hour of valuable information for every software programmer, developer and tester, of all experience levels.
What topics would you like to see us create videos, and more formal online courses, for? Let us know!
Have questions about our education offerings? Contact us!
Where to Find The Privacy Professor
Rebecca will also be delivering the same keynote, “Privacy Governance for Third Parties: Tales from the Trenches of Real-Life Experiences,” in-person at the Iowa Chapter April luncheon on Tuesday, April 22, in West Des Moines, Iowa.
We’re excited to announce a special issue of the IEEE Computers & Security Journal on Security and Regulation for Computer & Security. Rebecca was invited to be a guest editor of this issue, in collaboration with the additional guest editors, Dr. Katina Michael and Dr. George Roussos. If you're researching and/or otherwise actively working on topics related to cybersecurity, privacy, and trust as they relate to regulation, please consider submitting your work. Full details on what we are looking for can be found here. The manuscript submission deadline is May 1, 2025, so don’t wait!
Rebecca contributed to the Security Informed Expert Panel Roundtable question, “How did the security marketplace “change for the better” in 2024?”
Rebecca contributed to Solutions Review’s Tim King’s Data Privacy Day Insights summary.
Sign up!
Rebecca will be providing the Central Iowa ISACA chapter presentation at the April 15 meeting. Sign up here.
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:
Source: Rebecca Herold. April 2025 Privacy Professor Tips
www.privacysecuritybrainiacs.com.
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Information
You are receiving this Privacy Professor Tips message as a result of:
1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or
2) making a request directly to Rebecca Herold or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.