Why are you getting this? Please read our Privacy Notice & Communication Info at the bottom of this message.
Gone Phishin'
US Midwesterners are venturing outside to enjoy warmer temperatures. Fishing is one of the great-outdoors activities we love most. In fact, you’d be hard pressed to pass by a pond, lake, creek or stream without spotting a fisher or two.
As good-natured sportsmen and women bait their hooks, an entirely different set of ‘phishermen’ is doing the same. Worldwide, scammers are using the Russia-Ukraine war, continued concerns over COVID-19, and even tax time to trawl for their own ‘catches of the day.’
One particularly insidious scam is bobbing up all over. Many friends and clients have asked about it. Read on to learn how to steer clear of this and some other malicious lines the world’s phishers are casting this spring.
Have you had anything phishy come into your email or social streams? Send it on over! We may discuss it in an upcoming Tips.
Rebecca
We would love to hear from you!
April Tips of the Month
- International Haiku Poetry Day
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons
- Privacy and Security News
- Where to Find the Privacy Professor
International (Privacy & Security) Haiku Poetry Day
April 17
Host a poetry contest at work, at home or with friends for the most creative haiku about privacy or security.
Don’t recall what a haiku is? Here’s a refresher…
A haiku is a type of Japanese poetry. It consists of three lines, each with a “five-seven-five” structure. In the western hemisphere, this is often considered to mean numbers of syllables. However, in Asia it (very generally stated) refers to the number of sounds, not just syllables.
Here are a couple of privacy- and security-inspired examples to get your brain cells stimulated.
“Alexa, shut off!”
“Sorry, I need your data.”
“Bye!” Yanks plug from wall.
How do I encrypt?
Try AES 256…
There’s no 512.
Rebecca’s photo from her farm; a hummingbird moth!
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
We have gotten so many fantastic questions since the last Tips message; thank you. Keep ‘em coming!
Q: People come into my apartment while I am away. I feel like I have absolutely no privacy. Can property owners do this legally?
A: We get this question often, and it’s a frequent topic on NextDoor (see an example below).
In the US, landlord and tenant laws vary from state to state. In many states, including our home state of Iowa, the law is squishy. (See our state’s access requirements clause below). It requires landlords to give at least twenty-four hours' notice of their intent to enter. However, it also says landlords can enter immediately in the case of an emergency. Of course, there is no standard definition for what constitutes an emergency.
Q: Is the Weight Watchers online children’s social media site, Kurbo, safe for them to use with regard to privacy and data security?
A: In short, I have no trust in WW (the name Weight Watchers now uses). I would not recommend it for privacy and security reasons, but also because the FTC recently penalized WW for violating children’s privacy laws and using deceptive means.
Since at least 2014, WW has offered weight management services to children online, marketing directly to children as young as eight years old.
WW collected and kept children’s personal information without providing notice to, or obtaining consent from, their parents as required by the U.S. Children’s Online Privacy Protection Act (COPPA) Rule. The Rule is intended to protect the safety and privacy of children online. WW also encouraged younger users to falsely claim they were over the age of 13.
As part of the settlement agreement with the FTC, WW must pay a $1.5 million penalty, and the WW companies are also prohibited from retaining data collected in the future from children under 13 for more than a year after the last time a child uses Kurbo by WW.
The settlement order also requires the companies to destroy all personal information previously collected that did not comply with the COPPA Rule’s parental notice and consent requirements unless the companies obtained subsequent parental consent to retain such data. The settlement also requires the companies to destroy any affected work product that used data illegally collected from children in violation of COPPA.
From a privacy perspective, I would not consider the site safe. And, given the violations and the seemingly flagrant instructions to children to change their ages, I would also question WW’s security practices.
To how many third parties did WW International and Kurbo give all that data? How are those companies using it? How long will that data linger and be used for decisions around things like scholarships, sports teams, colleges, jobs, mortgages, health insurance, etc.?
From my view, there is no benefit to children for this social media site, only risks that could impact their lives in many unforeseen ways for years to come.
Q: I applied for life insurance from four different companies to compare deals. I had to give all of them access to all my health records, along with health information of my family members. Now I’m worried. Can I require the life insurance companies I don’t use to delete the 900+ pages of medical records they now have about me and my family? Does HIPAA require the companies I did not join to delete that information, and to provide verifiable proof it was deleted? Are they obligated to prove they’ve not shared all that health data with others?
A: I recently purchased an additional life insurance policy from a very well-known life insurance company and was quite frankly alarmed at the huge amount of health data they required me to provide to them, including data on my parents and grandparents. When I asked about their data security and privacy practices, they pointed me to their website’s privacy notice. The notice did not answer my questions. Worse, the website indicated the notice hadn’t been updated since 2005 (a huge red flag).
Your questions only scratch the surface of some very complex issues within healthcare regulation. Let’s break them down by a few important issues.
- HIPAA protections. HIPAA does *NOT* apply to life insurance companies. A lot of folks are understandably confused by this. So, while your healthcare providers likely had to follow HIPAA procedures to release your health records to the life insurance company, the life insurance company itself is not a covered entity under HIPAA. Your healthcare providers would have followed the same procedures if you’d asked them to release your records to any other type of business or a person.
- Website privacy notices. Read the life insurance companies’ posted privacy notices. You may have better luck than I did finding the answers to your questions. However, it’s not unusual for posted website privacy (and security) notices to neglect including the type of information you asked about. That said, some privacy-progressive organizations are beginning to do so. None of the 10 large life insurance companies’ privacy notices we reviewed included this information, though.
- Permission forms. You likely completed several forms from the insurance companies during the application process. These forms are probably the best place to find answers to your questions. That’s because they typically describe unique requirements and practices based on the specific type, term and coverage of the product in question. They should contain information about health data retention and the third parties that will have access to the data.
If you do not find your answers in the paperwork, or on the life insurance companies’ websites, call the insurance company. I did. However, I was very disappointed (to say the least) when they told me they retain within their own systems *ALL* the health data they collect, including from applicants that subsequently do not decide to purchase their coverage. I asked what the legal basis for that retention was, and the call center staff member I was speaking to put me on hold for 15 minutes. When she returned, she said the company retains data for “auditing purposes,” and her legal team did not give her any information about which laws require retention.
The PSB team will continue to look into this. The amount of health data that life insurance companies are retaining, for people who aren’t even their insureds, could be staggering. Are they protecting that highly sensitive health data sufficiently? We certainly want to know the answers and will report any information we discover in an upcoming issue.
In the meantime, if you want a legal opinion, speak with a lawyer who specializes in life insurance. And, if any readers have information about this, please let us know!
Q: Our small business received an email message with a PDF attachment offering to list us in the EU Business Register. We scanned it, and it’s malware-free. Because we have a small business and want to sell in Europe it seems like a good deal (almost too good). What do you think?
A: This is a widely distributed scam; I received a similar message. See the "Scam Email" below for a screenshot. The Union of International Associations (UIA) includes this as one of the scams it is monitoring.
The message contains two classic malware red flags:
- It does not include the recipient’s name in the salutation.
- A PDF is attached. PDFs are often the carriers of malware.
However, the scammers have taken quite a few steps to convince even the privacy-risk aware that their message is legitimate.
- A quick scan on Trend Micro’s URL checker gives only a warning (no statement the site is malicious).
- Scanning the PDF with both automatic email malware scanning and computer-based malware scanning software detects no malware.
- The scammers use a logo that looks very similar to the logo of the European Commission. Both the fake logo and the real logo use the same colors and include stars in a circular pattern.
- The address listed as belonging to the EU Business Register seems to be legit; it comes up on Google Maps and other business information sites.
- By using language like, “make sure your profile is up to date,” the scammers give recipients a sense of comfort, as if the recipient has previously trusted the “EU Business Register” with their information.
- Lastly, they use the finest of fine-print fonts, in all caps, to inform the recipient that following these instructions commits them to a 3-year subscription costing Euro 995 (approximately USD $1,100) per year. It’s really hard to read, even without Rebecca’s red-penned scribbles included.
The word “ORDER” is the same size font as the regular form font
The proliferation of this scam indicates tricksters are harkening back to the classics – scams that ensnare victims into financial contracts. While it’s unclear how the scammers plan to enforce these contracts, particularly in the US, there are certainly ways to make the lives of people fooled into giving away their information miserable.
Be super careful before providing any entity your legal signature, and always, always, always read that really tiny print, before signing or submitting anything!
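The red flags listed in the answer above can be turned into an automated triage check on incoming mail. The following Python is an added example, not code from the newsletter or from the UIA; it parses a constructed sample message laid out like the scam described, and the flag names and phrase lists are assumptions chosen here.

```python
import email
import re
from email import policy
# Constructed sample mimicking the red flags listed above; not the real scam message.
SAMPLE_EML = """\
From: "EU Business Register" <info@register.example>
To: Sample Business <office@business.example>
Subject: Make sure your profile is up to date
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Sir/Madam,
THE ORDER IS VALID FOR 3 YEARS AT EURO 995 PER YEAR AND IS BINDING.
--b1
Content-Type: application/pdf; name="form.pdf"
Content-Disposition: attachment; filename="form.pdf"

%PDF-1.4 placeholder, not a real document
--b1--
"""
GENERIC_SALUTATIONS = ("dear sir", "dear madam", "dear customer", "dear business owner")
FAMILIARITY_PHRASES = ("profile is up to date", "update your profile", "verify your profile")
# an all-caps line naming a multi-year term, a price or an order commitment
FINE_PRINT = re.compile(r"\b(\d+\s*YEARS?|EURO\s*\d+|USD\s*\$?\d+|ORDER|BINDING)\b")

def triage(raw: str) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message (empty list = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    salutation = lines[0].lower() if lines else ""
    to_name = msg["To"].addresses[0].display_name if msg["To"] else ""
    flags = []
    # flag 1: the salutation is generic or does not use the recipient's name
    if salutation.startswith(GENERIC_SALUTATIONS) or to_name.lower() not in salutation:
        flags.append("generic_salutation")
    # flag 2: a PDF is attached
    if any(a.get_content_type() == "application/pdf" for a in msg.iter_attachments()):
        flags.append("pdf_attachment")
    # flag 3: wording that implies a prior relationship with the sender
    haystack = (str(msg["Subject"] or "") + " " + text).lower()
    if any(p in haystack for p in FAMILIARITY_PHRASES):
        flags.append("implied_prior_relationship")
    # flag 4: all-caps fine print committing the signer to a paid term
    if any(ln.isupper() and FINE_PRINT.search(ln) for ln in lines):
        flags.append("all_caps_commitment_terms")
    return flags
```

A message that trips several of these flags at once is worth a second look before anyone signs or returns the form; a single flag on its own is common in legitimate mail.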
PDF Form Attached To Email
Data Security & Privacy Beacons*
People and places making a difference
- The Union of International Associations (UIA) created a Fraud Monitor and an Encyclopedia of World Problems and Potential for privacy and cyber.
- EU Disinfo Lab provided a site to track and report on disinformation and misinformation campaigns in the EU.
- Koen Maris, a Cybersecurity Leader and Advisory Partner at PwC Luxembourg, shared his expertise in a recent episode of The Cyber Interview. It’s an informative and short listen at 4:38 minutes. At 2:08 minutes, Koen says, "Security through obscurity is definitely not the way forward." Koen, we strongly agree with you. Security through obscurity has been pursued by too many business leaders for decades. It has never worked.
- Rachel Tobac for demonstrating how easy it is to hack someone, even those who aren't online much. See her in action on Jeffrey Katzenberg Hacked!!!
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight a noteworthy example of privacy-aware practices.
Privacy & Security News
Visit the PSB News Page often!
We have added a large amount of news on our three news pages since the last Tips! All topics are on the Privacy & Security Brainiacs News Page. It contains news grouped by month, and within each month by specific topic.
We also have a separate news page for IoT security and privacy news. You can see it here. And we have a huge amount of news on Log4j security and privacy vulnerabilities, patches, exploits, and everything else related, here.
We Have An Announcement!!
Where to Find the Privacy Professor
real-world topics within the data security and privacy realm.
Latest Episode
This episode first aired on Saturday, March 5th, 2022
David Elfering
Listen to the world’s most experienced expert on the topic during this thoughtful discussion and examination of cybersecurity within the surface transportation industry. If people are worried now because of shipping and trucking delays and worker shortages, then they should be even more worried about the unseen threats lurking deep under the ground transportation surface. Cybersecurity vulnerabilities could cause many more disruptions!
Next Episode
First airing Saturday, April 2, 2022
Rik Farrow
Listen to the original Unix expert discuss this operating system and compare it to Linux, iOS, Android and others. What are the biggest security risks for these OSes? Also hear his advice about current vulnerabilities, such as Dirty Pipe, related cybersecurity careers, and more!
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Info
You are receiving this Privacy Professor Tips message as a result of:
2) making a request directly to Rebecca Herold; or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that, to support the LinkedIn networking purpose and goals and to stay in touch with her connections, she sends her LinkedIn connections one security and privacy tips message via email each month. If they do not want to stay in touch with her in this way, LinkedIn connections are invited to let Rebecca know they do not want to get email messages from her by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.