The Lights are Up
People seem to be very ready for some joy in my corner of the world. What about yours?

It may have been the unseasonably warm weather that brought holiday lights and decorations out earlier than normal this year. But, I suspect it was something even more central to the human condition.

There has been such a heavy onslaught of negative, even scary, news this year. Perhaps we're all trying to alleviate the tension with some pure, unspoiled happiness.

Either way, let's go with it. Time to celebrate!

As we do, let's also be smart and aware. It's how we keep the holiday hounds at bay. The crooks, scammers and con artists - cyber and otherwise - come out of the woodwork when people are at their most generous. 

Read on (and share!) for the latest threats to your data security and privacy.  


  • A Fairy Tale They Say: Tell the real from fake with these six tips
  • Down to the Village: Share your impressions
  • Catch Me If You Can: Don't click yes in this dialog box
  • Right to the Traffic Cop: European privacy police influencing others
  • Two Eyes Made Out of Coal: 'He said, she said' replaced by video evidence
  • Reader Question: Is this password keeper safe?
  • Health Care Spotlight: Voice Assistants Bring New Compliance Threats
  • Privacy Professor On the Road & In the News

BTW, if you're unfamiliar with the song Frosty the Snowman, these story headers won't make much sense. Appreciate you indulging me in a little holiday fun!

A Fairy Tale They Say

Tell the real from fake with these six tips

How easy is it to spread fake news? Scary easy.

One really simple way to do it is via video, which is one of the most consumed forms of media today. Thanks to free, open-source tools, the technology to make fake-news videos that look incredibly realistic is available to almost anyone with Internet access.

To demonstrate just how little is involved, I created a short demo in preparation for my in-studio visit to a local morning show.

You can watch the fake video demo on the Privacy Professor YouTube channel.

So, how can you tell the real from the fake when it comes to video and images? Try these six tips:
  1. Check the URL on which the content is loaded. Be suspicious of content on sites with a .co extension like "abcnews . com . co" (spaces added to keep this Tips message out of your spam folder).
  2. Copy and paste suspicious photos into Google Images to see if the originals have been copied and republished out of context.
  3. Lean on,, and other fact-checking sites to check the validity of information.
  4. Understand the difference between news and satire (e.g.,
  5. Don't believe a news story unless you have verified it in at least three places from three different, legitimate sources.
  6. Verify the validity of quotes heard in video by searching Google for the exact phrase "spoken" by the spokesperson. If it's legitimate, it should be reported in other areas or show up in transcription somewhere else online.
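Tip 1 can be turned into a quick, repeatable check. The script below is an added example, not part of the original Tips and not the Privacy Professor's code; it assumes a small, constructed list of trusted news domains and uses a coarse heuristic (it does not consult the Public Suffix List), so treat "lookalike" as a prompt to look closer rather than a verdict. It also strips the spaces used in the "abcnews . com . co" example above, so the obfuscated form in this message can be fed straight in.

```python
from urllib.parse import urlparse

# Constructed sample list of news domains the reader already trusts.
# In practice, maintain your own list for the sources you actually read.
TRUSTED_DOMAINS = {"abcnews.com", "nytimes.com", "reuters.com"}


def hostname(url: str) -> str:
    """Extract the lower-cased host from a URL, tolerating pasted text with
    spaces (as in 'abcnews . com . co') and a missing scheme."""
    url = "".join(url.split())          # drop any whitespace inside the URL
    if "://" not in url:
        url = "http://" + url           # urlparse needs a scheme to find the host
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def is_genuine(host: str, trusted: str) -> bool:
    """True when host is the trusted domain itself or a real subdomain of it
    (e.g. www.abcnews.com), i.e. the trusted name is the *suffix*."""
    return host == trusted or host.endswith("." + trusted)


def classify(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', or 'unknown' for a URL.

    'lookalike' means a trusted domain name appears inside the host but is
    not its suffix, so the real registered domain is something else:
    abcnews.com.co, nytimes.com.evil.example, or abcnews.co."""
    host = hostname(url)
    if not host:
        return "unknown"

    for t in trusted:
        if is_genuine(host, t):
            return "trusted"

    labels = host.split(".")
    for t in trusted:
        t_labels = t.split(".")
        n = len(t_labels)
        # Trusted name appears as a run of labels that does NOT end the host.
        for i in range(len(labels) - n + 1):
            if labels[i:i + n] == t_labels and i + n != len(labels):
                return "lookalike"
        # Trusted second-level label reused under a different extension
        # (abcnews.co). Heuristic only: a brand can legitimately own several
        # TLDs, so this will produce some false positives.
        if len(labels) > 1 and labels[0] == t_labels[0]:
            return "lookalike"

    return "unknown"


if __name__ == "__main__":
    for sample in ("https://www.abcnews.com/politics",
                   "abcnews . com . co",
                   "https://nytimes.com.evil.example/story",
                   "https://example.org/news"):
        print(f"{sample:45} -> {classify(sample)}")
```

Run it with any address you are unsure about; anything that comes back "lookalike" deserves the other five tips before you share it.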
ONE MORE THING: Beware of fake websites and bogus merchandise that are being pushed out to victims during the holidays. I discussed a few of them on a second visit to CW Iowa Live on November 28.

Down to the Village
Please share your impressions

The community of Monthly Tips readers continues to mean so much to me. You are always so generous with your feedback, and I love receiving it.

I'll be using your impressions and perspectives to improve this newsletter, as well as some of my business endeavors, in 2018. So, if you would take a moment to complete the Tips Survey, as well as participate in the SIMBUS Personal Privacy Evaluation, I'd be thrilled.

Monthly Tips Survey: Tell us how it can be better for you!

Personal Privacy Evaluation: Find out just how secure your personal data and privacy really are.
Survey Privacy Info
We've made the answers to this survey anonymous.
No names or email addresses will be associated with any of your answers.
IP addresses will be temporarily maintained until you've submitted your answers, to establish continuity of your session in the event the connection is interrupted.
Evaluation Privacy Info
The results of your evaluation will be sent to the email address you provide at the end of the quiz. SIMBUS will incorporate your non-identified answers into generic, bulk summary results.
Catch Me If You Can

Don't click 'yes' in this dialog box

One of the tried-and-true tips we all know (and hopefully, follow!) is never open an attachment from an unknown source. And it's still good advice. However, there is a new threat that doesn't even require an attachment.

It's a Microsoft Office vulnerability that Tech Republic calls "nearly undetectable." Without getting too techy, it avoids many antivirus protections because it relies on remote access to malicious code. (Thanks to Tom Conley for this pointer!)

Microsoft has not released any plans to fix this problem. So, if you use Microsoft Office (and who doesn't?), be sure to talk with your IT team or favorite IT guru about this threat to understand what red flags you may need to watch for.

Here's one tip for now:

An Outlook-specific attack requires the user to click "Yes" in a dialog box. It reads: "This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?" According to Tech Republic, clicking "No" will stop the attack dead in its tracks.

(Other tips are available at Tech Republic.)

On a related note...

Just as people may think avoiding attachments keeps them safe, others may think staying off of social media does the same. Not so. 

Thanks to Clarinette Tara for pointing out this shocking news flash: Facebook knows all about you even if you've never had an account. 

It's all thanks to the social giant's People You May Know algorithm. What it does is, among other things, create what Gizmodo calls "a shadow profile, built from the inboxes and smartphones of other Facebook users." 

Here is just one wild outcome, as reported by Gizmodo:

Years ago, a man secretly donated sperm to a couple so they could have a child. Then one day, Facebook recommended the child as a person he should know. Although he still knows the couple, he is not friends with them on Facebook.

Right to the Traffic Cop

European privacy police influencing others

You may have heard about the massive $2.7 billion fine levied against Google in Europe. It came after regulators found the Internet giant had illegally steered search traffic to its own shopping platform, therefore denying consumers a genuine choice.

In the U.S., legislators are investigating how this and other tactics deployed by Google and similar tech companies are influencing American consumers. That's on the federal level. But, U.S. states are also taking steps to scrutinize some of Google's strategies.

In Missouri, the attorney general's office is looking into the possible ways in which the company has manipulated search results. Importantly, it is also probing for information on how Google has handled (or mishandled) its users' data.

Keep asking questions; it's having impact

Consumer interest is finally ramping up to the point that legislators, regulators and other governing bodies are waking up to the real threats that careless or predatory data strategies pose to citizens today.

Net neutrality has helped to keep such manipulations of access to sites and information from disrupting a level playing field. It is important for everyone who uses, and depends on, Internet access to continue having an affordable, restriction-free path to online information. Certainly, large portions of the population rely on Internet access for communication, work, access to healthcare and many other things. (See more about net neutrality here.)

Soon, businesses, as well as lawmakers, will begin to feel the pressure. Keep on talking, asking questions and sharing your concerns, experiences and perspectives. It's having a very real impact! 

Two Eyes Made Out of Coal

'He said, she said' replaced by video evidence

Accusations of misconduct - in the workplace, on the streets, in the air - are rampant. Consumers are accusing airlines, suspects are accusing cops, colleagues are accusing one another. The need for strong evidence to prove or corroborate those accusations has never been more intense.

Enter body cams.  

Most of us think of wearable video cameras as something exclusive to law enforcement. But very soon, they may find their way into the once-friendly skies, as some airlines have already started using them. Here is how the manufacturer of body cams justified the need for the technology to the New York Times:

"Why should it just be that the passenger is the one who is recording everything on their cellphone and editing it the way they see fit?" he said. "The crew has no way of documenting what they went through to get to the very explosive situation."

If we accept a certain amount of wrong-doing is a given (and even the most optimistic among us probably would), there is likely a legitimate use for wearable recorders. So, I support their use with one MAJOR caveat. If body cams are going to be worn, and the data from them (e.g. video) collected, stored and shared, there MUST be strong data security and privacy controls in place. There MUST be strict, dutifully followed, policies and procedures governing their use, as well as how the resulting video is used.

Here are a few tips for any company or organization that may be considering body cams, wearable recording devices or any other surveillance of its employees or customers:
  • Understand applicable legal requirements and restrictions for your organization's implementation of such monitoring devices. Some industries, and some countries, have privacy laws that could prohibit their use (e.g., the EU General Data Protection Regulation, GDPR, which goes into effect May 25, 2018).
  • If you determine you can legally use such devices, establish a position or person responsible for overseeing and managing their use, as well as the associated data. This person should be able to answer the inevitable questions about the devices and data.
  • This person assigned should also implement documented policies and procedures for the use of such devices and associated data. These policies need to be strongly supported and endorsed by executive management to be effective.
  • Provide training to all employees about the new policies and procedures to ensure they know and understand the requirements for use. Employees at all levels should be able to knowledgeably answer any questions they get from clients, customers or others.
  • Know that, generally, people included in recordings must be notified and made aware of the fact that they are being recorded. Have a plan for addressing this requirement.

Reader Question: Is this password keeper safe?

I was on my laptop last night and found a download called "Keeper" for keeping track of passwords. What do you know about this service?
Your question poses a red flag right off the bat.  I'm curious how you "found a download." No apps should hop down from the Internet onto your hard drive without your consent. If you did not actively and knowingly download it yourself, that's a big strike against this particular provider. 

Assuming, however, you found it through intentional research, here are my pieces of advice:

My No. 1 recommendation for using password keepers is to make sure they store passwords locally, not in the cloud. That's because many password keepers have been breached.

My No. 2 recommendation is to look for keepers that apply encryption to passwords in storage.

Keeper is cloud-based, so it violates the first of my two "rules."

Take a look at KeePass (with which I have no affiliation), which in addition to meeting my above two requirements also has longevity on its side, as it's been around for what I believe is longer than most, if not all, other password keepers. It stores your passwords on a local device (e.g. an external hard drive, USB thumb drive, etc., that you can attach to your computer whenever you need it).

Oh, and, it's free! 

I also like offline password vaults, which are physical devices. Because you must physically have them in hand, they eliminate the possibility of someone getting access to all your passwords from a remote location. These, however, are not free.

What should we watch out for with smart (Internet of Things) devices we get as gifts?

Great question! I covered this last year in a visit to CW Iowa Live, and the advice is still valid today. See Privacy Professor on CW Iowa Live - Dec 20, 2016


Health Care Spotlight: Voice Assistants Bring New Compliance Threats

If you work in health care, consider subscribing to Report on Patient Privacy (RPP), a publication put together each month by Theresa Defino and the Health Care Compliance Association. The following is an important excerpt from the October edition. (PLEASE NOTE: I do not work, and have never worked, for this organization. I just really like the publication.)

A survey by physician research company DRG Digital found that 23% of U.S. physicians use a voice assistant [such as Siri, Alexa and Google Home] professionally. They reported using voice assistant programs to look up drugs and dosing; to look up diagnosis, disease and clinical information; to communicate with colleagues; and to search the medical literature.

Inevitably, though, some likely are breaking [HIPAA] rules.
"Covered entities and business associates using [voice assistants] would need to implement procedures to ensure that persons using the device are not able to access protected health information that they do not have the need or authorization to access," Valerie Breslin Montague, a partner in the Chicago office of law firm Nixon Peabody LLP, told RPP.
In other words, users, not [the voice assistant providers], will need to guard access to PHI, Montague says. "It would be up to the covered entity or business associate using Alexa or Siri to implement procedures to limit access to the protected health information shared with, and stored on, the devices."

The Privacy Professor's Two Cents

If you are using these devices in areas where patient conversations are occurring, let patients know that what they are saying may be recorded. This is something you could communicate not only verbally, but also in your privacy notices. It may also be necessary to put it into your patient authorization forms, depending on the situation.

Also, it's important to understand the data is stored in cloud servers, with comparatively little to none of the data stored within the physical devices. This increases the risk of inappropriate access to that data. 

Discuss with your legal counsel.

Privacy Professor On The Road & In the News

On the road...
I highly recommend SecureWorld events. Thanks to Kerry Nelson and your team for including me in your 2017 Detroit (shown here) and 2018 events!

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the events I have scheduled for the upcoming season.

Privacy Piracy Radio Show
December 11, 11 a.m. eastern. Discussion on privacy breaches, the legal and business impacts and what needs to be done to be prepared. Listen at Privacy Piracy (88.9 FM and ).

December 13 (US) / 14 (Australia) - Panel member for "From Wearables to Implantables that Measure and Enhance Human Behaviour: What can we do already? Where are we headed?" at the IEEE Life Sciences Conference. (I will be attending remotely.)

December 14, Noon to 1 p.m. eastern, Webinar:  Lessons Learned and Recovery from Breaches

Privacy Professor In the news...

Privacy Piracy

I was happy to speak with Mari Frank on the Privacy Piracy radio show (88.9 FM and www.kuci.org) on October 30. We discussed the privacy and security implications of the Internet of Medical Things (IoMT). Listen to the 29-minute program on demand.

CIO Dive

Healthcare Info Security

The morning TV broadcast regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

In November, I visited the studio twice. During the first segment, we discussed how easy it is to create fake news, and of course, some tips on how to spot it. Later in the month, I came back to talk about holiday scams. 

You can catch up on all my visits to CW Iowa Live with my on-demand library on YouTube.

Questions? Topics?

Have a topic I should discuss on the CW Iowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!

Photo by Manop published under Creative Commons License
The lights, decorations, ringing bells, even the harried shoppers, all remind me how lucky we are to be celebrating yet another holiday season. 

They also inspire me to do what I can to educate, build awareness and encourage everyone to watch out for one another. Data security and privacy is getting more attention than ever before, and for that, I'm especially grateful!

Enjoy your holidays and stay safe!

Rebecca Herold
The Privacy Professor
Need Help?

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®,,,,

NOTE: Permission for excerpts does not extend to images.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter