Why Are You Getting This?
You signed up to receive the Tips or initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) and consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.
Keep Your Awareness High!
December is a time of celebrations and goodwill, which often results in letting our guard and awareness down. Cybercrooks and other types of scammers take advantage of this. Some of the most common scams each year include Hanukkah and Christmas delivery scams. These can look like last-minute super-low overnight-delivery gift deals, bank and financial institution impersonation offering too-good-to-be-true loan deals, travel scams, gift card scams, Facebook scams using fake Facebook pages and impersonation friend requests, malware-infected websites, and fake job postings. Stay aware out there!
This month we answer five questions that cover a wide range of topics. Plus, we provide a suggestion for a fun awareness-raising activity that aligns with a special day in December.
And here’s something new we are excited about! This month (December) we will start posting short, two-minute videos to our YouTube channel and also to our LinkedIn page. Please let us know your feedback!
Do you have stories, examples, or concerns about the topics covered in this issue that you would like us to provide feedback on? Send them over! We may discuss them in an upcoming Tips.
We hope you are finding all this information valuable. Let us know! We always welcome your feedback and questions.
Thank you for reading!
December Tips of the Month
- Monthly Awareness Activity
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons*
- Privacy and Security News
- Where to Find the Privacy Professor
Monthly Awareness Activity
Image by Dolores n; Buenos Aires - Argentina
December 8 is Pretend to Be a Time Traveler Day. What a great idea! We love history, and learning from the past to help us prevent making the same mistakes in the present and in the future. This is especially true for privacy and security issues. However, it seems that every 5-10 years we go through a wave of security and privacy practitioners trying to re-invent the wheel, saying they’ve identified “new” threats…that were threats years, and even decades ago.
This month for your awareness activity, consider providing lessons learned from the past, and how those lessons can still be applied today. Let’s make it Privacy and Security Time Traveler Day! Here are a few ideas to get you started.
- Play “Did It Happen More Than 10 Years Ago?” This is a game I created that I’ve found multi-generational participants find especially fun to play. The instructions are fairly straightforward. Divide into teams of 2, 3, 4, etc., or play individually. Take turns drawing a folded paper/notecard from a box of at least 20. The paper/notecard provides a succinct description of a widely publicized security incident or privacy breach. Ask whether the event occurred more than 10 years ago; the answer is either yes or no. The team/individual that answers the most questions correctly is the winner. I’ve seen this game spawn some very interesting discussions, which keeps awareness of the associated topics high for many weeks, months or even years.
- Time travel to 1986: Have your family, friends and co-workers listen to “Catching KGB Hackers with 75¢ and a 2400 Baud Modem” and hear my guest, Clifford Stoll, describe how he uncovered a huge Russian hacking activity that the governing officials at that time did not think was substantial enough to look into. The key lessons from then still apply today.
- Time travel to 1989: Have your family, friends and co-workers listen to “Computer Hacking Crimes and Prosecutions” and hear my guest, Mark Rasch, describe his prosecution of Robert Tappan Morris, who (accidentally) launched the first major attack on the internet. The key lessons from then still apply today.
- Time travel to 1993 - 1996: Have your family, friends and co-workers listen to “Backdoors in Cybersecurity Tools Gives Privacy Only to Outlaws” and hear my guest, Phil Zimmermann, describe how the US government made him the target of a 3-year criminal investigation for his invention and sharing of Pretty Good Privacy (PGP) encryption. The key lessons from then still apply today.
What other historical event in computer and/or information security or privacy would you time travel to? Let us know!
What other activities do you suggest for Privacy and Security Time Traveler Day? Are you planning to do one of these suggested activities or your own? Or are you doing an awareness event for a different recognized day or week in December?
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
December 2023
We continue to receive a wide variety of questions about security and privacy. We also are still receiving many questions about HIPAA and personal health data. Thank you for sending them in! We’ve included five of the many questions we’ve received here and will answer the others elsewhere, or in upcoming Tips. Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!
Q: Is cybersecurity insurance only for business organizations? Or should individuals get it also?
A: Cybersecurity insurance is also often called cyber insurance or cyber liability insurance. These types of insurance policies vary greatly, from being narrowly scoped to cover one specific type of incident, such as being hit with ransomware, to broadly covering a wide range of security and privacy incidents. The insurance can also cover a wide range of expenses and harms, such as the cost of data recovery, communicating with news media, legal bills, fines applied by regulatory agencies, mitigation activities and associated costs, and actions taken to protect the individuals whose data was breached, such as providing them with credit monitoring services.
These types of coverage are available to organizations as well as directly to consumers. The offerings of such coverage are increasing dramatically as the numbers of cyber attacks and privacy breaches of all types also continue to increase. Individuals should consider getting cyber insurance. If you have been a victim of identity fraud or theft, or some other type of computer-based crime, then you are now on the radar of other cybercriminals as a good target for more cybercrimes. If you have several computing devices (desktop computers, laptops, tablets, cell phones, IoT products, smart cars, etc.), then it is worth considering. The more computing devices you have, the more need there is for cyber insurance. Increasingly, consumer home and property insurance companies offer cyber insurance. If you consider getting your own personal cyber insurance, look closely at the exclusions. Many personal cyber insurance plans do not cover many situations, such as (but not limited to) the following:
- Prior knowledge incident situations. For example, a hack into your computer system that runs on an unsupported operating system, such as Windows 7. Or, losses that you knew about before you purchased the cyber insurance.
- Confiscation. Losses resulting from law enforcement, government agencies, or some other similar type of authority confiscating your computing or digital storage device.
- Targeted celebrity. Losses resulting from you being a likely target, such as an elected official, a sports star, etc.
- Travel incidents. Losses that occur while traveling in countries or other geographic areas that your country has designated as a “Do Not Travel” area.
- Harms to the property of others. Losses from property damage or personal injury for which you may be legally liable or responsible.
- Cryptocurrencies. Losses occurring through the use of cryptocurrencies that are not authorized currency by your government.
- Harms from specific types of individuals. For example, from your family members, a guardian, a current domestic partner or spouse, someone living with you, or someone who acts on your behalf.
Bottom line, cyber insurance can be very valuable, to both organizations and individuals. However, be sure to read all the fine print and consider all exclusions to coverage plans prior to signing up for them.
Q: How can healthcare covered entities (CEs), and their business associates (BAs) improve their breach response practices to ensure swift, comprehensive actions that not only align with HIPAA’s notification requirements but also mitigate reputational harm to the associated CE?
A: First, consider the HIPAA breach response requirements. When a CE or BA experiences a protected health information (PHI) breach, HIPAA requires affected individuals, HHS, and, in certain situations, the media to be notified. Simply stated, under HIPAA a breach is one or more unpermitted uses or disclosures of PHI that compromise the security and/or privacy of PHI.
The unpermitted use or disclosure of PHI is a breach unless there’s a low probability the PHI has been compromised, based on a risk assessment of the context of the situation.
For most PHI breaches, HHS and individuals must be notified without reasonable delay and no later than 60 days after discovering the breach. Notifications of smaller breaches (impacting fewer than 500 individuals) must be made to HHS annually. All impacted individuals must still be notified without reasonable delay and no later than 60 days after discovering the breach. The Breach Notification Rule also requires BAs to notify the associated CEs of breaches experienced by the BA.
Two huge problems and challenges for CEs and BAs are:
- Knowing when a PHI breach has occurred. Most CEs don’t know about a breach until weeks, months or even years after it has occurred.
- BAs quickly notifying the associated CEs. Often the BAs don’t contact the associated CEs until 60 days or more after they discovered the breach, and sometimes they never contact them. This doesn’t leave the CEs any time within the required 60 days to then notify the appropriate individuals and agencies.
Organizations, both CEs and BAs, can optimize their breach response protocols, which will also mitigate the previously described problems and challenges, by:
- Documenting/cataloging/inventorying all the sources and locations from where PHI is collected, stored, processed, shared, and destroyed. In other words, creating a data flow map for all PHI. You will not know if a PHI breach occurred if you don’t know these facts. This will support more quickly identifying when a breach has occurred, and also knowing the associated environments within which the breach occurred.
- Implementing risk management practices and tools to identify unauthorized access to any data, applications, systems, and devices throughout the data flow. This will then alert the CEs and BAs to a possible breach. Such actions also support requirements for HIPAA risk management.
- Including within BA Agreements a specific amount of time within which BAs must notify their CEs of PHI breaches. This should be as soon as possible, to give the CEs time to do their breach investigation activities. A common timeframe included in the BA Agreement is within 1 day of breach discovery.
Source: US National Institute of Standards and Technology (NIST)
Q: I own a small business in the U.S. What are the most critical data privacy regulations that small and medium sized businesses (SMBs) should be aware of?
A: There are over 33.2 million small businesses in the U.S., which account for 99.9% of all U.S. businesses. SMBs represent a huge portion of the US economy (44% of GDP), half of all employment, and half of the approximately $370 billion in overall U.S. tech spending. So, your question is important for over 99.9% of U.S. businesses.
I’ve spoken with hundreds of SMBs throughout my career, and my team members collectively have helped thousands more. A large portion of them are business-to-business (B2B) businesses, meaning their clients are other businesses. Often the work they do for those businesses involves handling personal data (employees, customers, patients, etc.), and a wide range of support services for those businesses’ marketing activities, which inherently involve huge amounts of personal data.
With this background in mind, key privacy regulations all SMBs in the U.S. should be aware of include:
- Breach response laws that now exist in at least 54 US states and territories. They are all a little bit different. Most of the SMBs I’ve spoken with have not been aware of those laws. This creates a huge risk to them of not complying with all the applicable laws when data is accessed by unauthorized individuals and entities. This is important not only for SMBs who sell services and products to consumers, but also for B2Bs. SMBs need to make sure their business clients who have entrusted personal data of any kind to them have provided clear instructions for how to report personal data breaches to them, including details about the date, time, and type of breach. Timeliness is an issue with each of the laws, so they can’t put off responding. This includes marketing databases. The laws that apply are the laws of the states and territories where the individuals reside, not only the state/territory in which the business is located.
- “Comprehensive” state privacy laws. These all generally govern how personal data can and cannot be used for purposes beyond the reason the data was originally collected, such as for sales and marketing. However, they are all slightly different from the others. Currently there are at least 14 such laws in 13 states. The laws in California (CCPA and CPRA), Virginia (CDPA), Colorado (CPA), and Connecticut are currently in effect. The Utah law (UCPA) goes into effect soon, on December 31, 2023. The rest go into effect at various times throughout 2024 through 2026. Those include privacy laws in Florida (FDBR), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Texas (TDPSA), Delaware (DPDPA), Tennessee (TIPA) and Indiana (ICDPA).
- Healthcare industry. SMBs who are healthcare covered entities (CEs), or business associates (BAs) supporting CEs, must comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA includes some clear instructions for using protected health information (PHI) for marketing. It also includes restrictions on the type of data that can be used for marketing. HHS recently published guidance for how online web trackers, such as Meta Pixels, can and cannot be used by CEs and BAs in their online website portals for patients and insureds.
- Financial industry. SMBs in the financial industry, or supporting financial businesses, need to be aware of the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA).
- Education industry. SMBs in the education industry, or supporting education institutions that are funded in whole or in part by Federal financial assistance, grants, etc., need to know about the Family Educational Rights and Privacy Act (FERPA).
There are many others. However, if SMBs start with these, most of them will be addressing the majority of the requirements that exist throughout all the existing legal requirements. They should then look at the other privacy regulations and laws to identify where there may be additional compliance requirements that they did not just implement that they still need to put into place.
Q: I just updated my medium-sized organization’s disposal policies and procedures. I am the 4th generation owner/operator of a family printing services business. I have one office location in a strip mall, a dozen remote workers, and customers throughout the U.S. and in some other countries. What are some important topics I need to ensure to include within my disposal requirements updates?
A: There are a wide range of federal, state, county and local laws and regulations, and other legal requirements found in contracts, website privacy notices, and other legal documents throughout the world. The EU General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and many others generally require personal data to be protected through the entire lifecycle, from data creation through to data disposal.
If your business prints information for other businesses that includes personal data, then you also need to determine from those business clients the disposal and retention requirements they must follow for their own legal obligations, and how they want you to follow such requirements for the data they provide to you. Also, in the US at least 35 states, including D.C. and Puerto Rico, have enacted laws that require private entities to securely destroy or dispose of personal information, or otherwise make it unreadable or indecipherable. These laws generally require businesses to destroy data that is no longer needed for legitimate business purposes, and as required by specific laws.
For example, New York’s SHIELD Act requires businesses to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” It also requires them to “dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.” Enforcement actions can be significant. For example, in 2022, a vision care company settled with the New York attorney general for $600,000 after failing to implement appropriate security measures under the SHIELD Act, which led to a breach in 2020 impacting 2.1 million individuals.
Here are some important topics for you to ensure you have included within your disposal policies and procedures:
- A definition of personal data to use within your organization. It should be inclusive to address all your applicable legal requirements. In general, those are any type of data that can be associated with a specific individual, or location where an individual dwells or is otherwise located.
- Descriptions of the roles and associated responsibilities they have for information retention and disposal.
- How to destroy paper-based and other types of hard copy media containing intellectual property, personal and other types of confidential information. Some of the methods explicitly mentioned within some laws include: burning, pulverizing, or finely shredding media in a way that prevents the media from being reconstructed.
- How to destroy or erase electronic files or physical devices containing consumer report information and other types of personal data so that the information cannot be read or reconstructed.
- Requirements to conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information and other types of personal data and sensitive data. Due diligence could include:
  - Reviewing and evaluating the disposal company’s information security policies and procedures associated with the services being considered
  - Reviewing an independent audit of a disposal company’s operations and/or its compliance with applicable legal requirements
  - Requiring the disposal company to be certified by a recognized trade association, such as NAID AAA Certification
  - Obtaining at least three references from clients of the disposal company to validate their security practices
Q: I volunteered to give a talk at our local independent living retirement center’s New Year’s get-together. What are some security and/or privacy topics you suggest I include?
A: Helping folks start 2024 by raising their security and privacy awareness is a great gift to them! Being that January 28 is International Data Privacy Day, and January is increasingly recognized as Privacy Month, it makes a really great topic to cover at a New Year’s get-together. Here are some current topics that would be very beneficial for them (and everyone) to know about:
- Phishing emails, text messages, phone calls, and social media posts. Describe common tactics and real-life incidents.
- Romance scams. Describe signs of scammers, the risks, and how to report them. Consider playing a portion of one or both of my two Data Security & Privacy with the Privacy Professor shows on this topic, which included victims of such scams as my guests.
  - “A Romance Scammer Took All My Dying Mother's Money”
  - “Romance Scammers Have Used My Photos Since 2016”
- Using multi-factor authentication (MFA). Explain what MFA is, and the various types of MFA methods.
- Keeping computing devices updated with the latest patches. Provide a demonstration for how to identify when an update is needed, and how to establish automatic updates.
- Watching out for AI-based phone scams: those that mimic one of their friends or family members, and those that try to get recordings of their voices in order to impersonate them and trick their family and friends.
- How to report scammers. Show them the FTC fraud report site and how to use it.
Have a great meeting. Let us know how it goes!
NOTE! We also wanted to let you know that if you are still looking for some security and privacy gifts, we once more updated our “Privacy and Security Gifts” guide. You can see it here.
Data Security & Privacy Beacons*
People and Places Making a Difference
We get many suggestions for beacons from our readers and Rebecca’s podcast/radio show listeners; thank you! We include many of them when the suggestions are for businesses other than the suggester’s, typically those the suggester feels deserve recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We do try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.
- Per Mar Security Services for sending their clients monthly newsletters that include security tips. There are probably other physical security services also providing such newsletters. Do you know of any? Let us know!
- Mike Leow for posting to LinkedIn the physical privacy notice shown below that was posted in a public location in Seoul, South Korea. We’ve long advocated for posting such privacy notice signs in public locations, such as in public parks, publicly accessible business buildings, stadiums, and all other locations where the general public has access.
- Cybersecurity and privacy pros writing some fabulous new books to inspire and learn from.
  - Title: The Privacy Leader Compass. By Todd Fitzgerald and Dr. Valerie Lyons. Includes a real-life lesson I provided.
  - Title: Hood to Hooded. By Dr. Cheryl Cooper. It is an inspirational book!
- Some classic books that are just as informative, relevant and important for security and privacy pros to know today as they were when they were first published.
  - Title: The Cuckoo's Egg. By Clifford Stoll. A true story about the first state-sponsored hacking activity against the US in 1986. The lessons learned are all applicable today. Listen to my conversation with Dr. Stoll describing the activities during this hack, including details not found in the book, in the episode of my podcast titled “Catching KGB Hackers with 75¢ and a 2400 Baud Modem.”
- Three of the 22 books I’ve authored that are still widely read and used, and are still being purchased by many:
  - Managing an Information Security & Privacy Awareness and Training Program 2nd Edition. This is a long-time favorite, and used by many different organizations. The content is still applicable. I could probably update some of the real-life examples, and some of the referenced laws/regulations. Perhaps after updating one or both of the other two books.
  - Data Privacy for the Smart Grid. Co-authored with Christine Hertzog. The sales for this book have been increasing over the past few years. The content is becoming increasingly more applicable.
  - The Practical Guide to HIPAA Privacy and Security Compliance 2nd Edition. Co-authored with Kevin Beaver. This book has been a favorite for many years. Many different universities also use it within their bachelor’s and master’s programs as a textbook. 2024 may be a good year to create the 3rd Edition.
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight a noteworthy example of privacy-aware practices.
Privacy & Security News
Visit the PSB News Page often!
Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other helpful information on our site. Our goal is to post 3-4 times a week. We’d also love to see your comments and thoughts on our posts.
Check It Out!
We have received excellent feedback on our course, “HIPAA Basics for Business Associates 2023 Edition.” Our course includes more direct experience insights, examples, guidance, supporting supplemental materials, and more meaningful course quizzes and associated certificates of completion than other vendors’ courses. Similar statements have been made about our “HIPAA Basics for Covered Entities 2023 Edition” course. We update the real-life experiences included within the courses, and also the many supplemental materials, as changes occur, so our clients and learners can use their Privacy and Security Brainiacs portals not only as a source of learning, but also to keep up with regulatory changes, and even as a place to store their organizations’ security and privacy policies. Please check them out. As we approach the end of the year, it is time for you to complete your HIPAA training if you haven’t yet!
Students of each Master Experts “Online Education” course receive certificates of completion showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class and much, much more. We have received rave reviews for Dr. Kabay’s Secure Coding course. Have questions about our education offerings? Contact us!
Where to Find the Privacy Professor
Something New Headed Your Way…
To make some time for several new courses, I am pausing my podcasts until May 2024. However, I have been asked to continue with some type of online communication. I’ve decided, starting in December, to create some short (a few minutes), weekly or bi-weekly videos about various security and privacy topics that we will post to our website, and to LinkedIn and Facebook. More about those in our December Tips!
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:
Source: Rebecca Herold. December 2023 Privacy Professor Tips
www.privacysecuritybrainiacs.com.
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Information
You are receiving this Privacy Professor Tips message as a result of:
1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or
2) making a request directly to Rebecca Herold or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.