Why Are You Getting This?
You signed up to receive The Privacy Professor Tips, or initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) and consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.
Image from Rebecca Herold
Aye, aye, aye... AI! Surveillance! ID Fraud! Oh, my!
Guess what? That request to the Iowa Governor to proclaim January 28 as 2025 Iowa Data Privacy Day, for the 16th year in a row was approved! I received notification on January 27. The image is the first image in this newsletter, above. Did you do something special for Data Privacy Day? Or, as so many organizations are now doing, for Data Privacy Week? We’d love to know what you did! Send us a message.
We hope you’ll find this month’s newsletter helpful. Feel free to share it with your friends and colleagues. They will probably be thankful!
We freely distribute the Privacy Professor Tips monthly publication to help both businesses and individuals, of all ages, identify risks throughout their daily lives, and to help them know how to prevent security incidents and privacy breaches, and to keep from becoming victims of scams. We love getting your questions! Send them our way, and you may see them in an upcoming Monthly Tips issue.
We hope you are finding all this information valuable. Let us know! We continue to appreciate, and love, the feedback you are sending us! We always welcome your messages.
Thank you for reading!
February Tips of the Month
- News You May Have Missed
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons*
- Where to Find the Privacy Professor
We continue to find more unique news stories to share with you. We also share news items that we believe are important for most folks to know, but that often do not get much mention in traditional news, or even in security and privacy news outlets.
We’ve provided just a few of the news stories we discovered throughout the past month that provide a wide range of interesting security and privacy related news. These news items demonstrate that such types of risks exist basically anywhere in the world, and that everyone needs awareness.
This month we limited the list to 16 news items, and will then include them, and a long list of other interesting news items, into a post to our Privacy & Security Brainiacs blog by the end of the month. Here are the 16 news items, most with associated quotes included, that our Privacy & Security Brainiacs team found interesting throughout the past month, in no particular order. Sometimes we will also include a few sentences about the situation to provide some advice or additional insights, or a related news item. Read next month for even more. Do you have interesting, unusual, bizarre or odd stories involving security and privacy? Or questions about any of the notes we included for the stories we listed this month? Let us know!
1. Lawsuit alleges Vermont tracks pregnant women deemed unsuitable for parenthood. “The moment she gave birth and her baby girl was immediately taken away.” “She had no idea that while she was in labor, hospital officials were relaying updates to the state — including details of her cervix dilation — and had won temporary custody of the fetus.” NOTE: We will keep an eye on this situation to see if HIPAA privacy violations are applied and/or lawsuits filed for violating legal privacy protections.
2. Dealing the Dead. NBC News exposed how the bodies of the unclaimed poor are dissected and leased out for medical research without people’s consent or their families’ knowledge. The reporting helped families learn the fate of their loved ones and sparked sweeping changes. NOTE: We have been concerned with, researching, and writing about privacy after death for over 25 years. In our opinion it is not addressed enough. This investigative report uncovers many more reasons why privacy protections, and survivor consent, are critical for the actions taken with the deceased.
3. Man accused of stalking Caitlin Clark proclaims himself 'guilty as charged' in 1st court appearance. In one post on X, Lewis (the stalker) said he had repeatedly been driving by Gainbridge Fieldhouse, the Indiana Pacers' home arena where the Fever also play. In another, he said he had "one foot on a banana peel and the other on a stalking charge." Other messages directed at Clark were sexually explicit. The social media posts "actually caused Caitlin Clark to feel terrorized, frightened, intimidated, or threatened" and an implicit or explicit threat also was made "with the intent to place Caitlin Clark in reasonable fear of sexual battery," prosecutors wrote in the Marion County Superior Court filing. The FBI learned the X account belonged to Lewis and that the messages were sent from IP addresses associated with an Indianapolis hotel and a downtown public library. NOTE: This and the following news story about Pornhub provide good examples of how IP addresses are used to associate specific individuals with specific actions for a wide variety of reasons. Businesses need to be aware of how they are using IP addresses within their own websites and apps, since there are many privacy and legal risks related to such activities.
4. The man who drove a truck into a crowd of people in New Orleans on New Year’s Day, killing 14, had previously scouted the French Quarter and recorded video with his Meta smart glasses, the FBI said. The attacker recorded video with the glasses as he cycled through the French Quarter and plotted the attack, said Lyonel Myrthil, FBI special agent in charge of the New Orleans field office. He also wore the glasses, which are capable of livestreaming, during the attack, but did not activate them.
5. Iowa bill would add training for police to prevent motorcyclist profiling. The bill tasks the Iowa Law Enforcement Academy to include the motorcyclist profiling prevention training in the existing anti-bias course officers take. The bill defines motorcyclist profiling as a law enforcement officer, without a legal basis, stopping, questioning and arresting or searching someone based on them riding a motorcycle or wearing paraphernalia related to motorcycling. NOTE: You can see the proposed bill here.
6. Pornhub pulls out of Florida, VPN demand ‘surges 1150%.’ Between the clock striking midnight and 4am on January 1, the day of the Pornhub pullout, the folks at VPN-pushing vpnMentor documented a rather incredible 1150 percent spike in Floridians wanting to use a VPN to mask their public IP addresses.
7. Polk County, Iowa, Sheriff warns residents of scam calls. Scammers are claiming they are Polk County Sheriff's Office employees and asking people to send them money. Deputies say they will never ask for money over the phone, especially to avoid arrest or to cancel a warrant. They will also never ask for those payments to be gift cards, prepaid cards or cryptocurrency. NOTE: Businesses need to be aware of this also; particularly those that are small and medium sized. Many such businesses are vulnerable to being victims of such scams.
8. Bad romance: how to take control of your dating data and avoid a clinch from a cyberstalker. 23% of dating app users have experienced some form of online stalking during their online dating experiences.
9. New vehicles, advanced technology could be putting your data at risk. Video footage and other data collected by Tesla helped law enforcement piece together a Cybertruck explosion, but privacy experts say the investigation highlights a major security problem.
10. Paying a ransom offers no assurance of full data recovery. In fact, only 7% of businesses who paid a ransom successfully retrieved all their data, and 10% experienced data leaks despite payment. NOTE: This demonstrates that paying a ransom should be a last action to consider doing; too many are simply handing over the money first. With a thoughtful, effective and tested backup and recovery plan most ransoms would not need to be paid.
11. Hackers use GenAI to attack more frequently and effectively. AI is a gamechanger for cyber attackers and defenders alike. Attackers are using AI technology for a range of purposes, including making existing attacks more effective (32%), increasing the volume of existing attacks (28%), and creating new types of cyber threats (23%).
12. 'Cyber event' causes over two weeks of inoperable services for Winston-Salem, North Carolina. “…getting a major city system up and running after an attack like this, could take months.”
13. U.S. Citizen Denied Entry Into Poland After Security Staff Object to Handwritten Notes in Passport. A US citizen was barred from entering Poland because her passport contained handwritten notes of locations and airport names under visa stamps from the countries she had visited. As a general rule, it is not permissible for the holder to write in a passport other than to provide a required signature and emergency contacts. Airlines and immigration officials often deny boarding or entry if they feel a passport has been damaged or defaced. It was not clear why border officials elsewhere had not questioned the woman about her passport.
14. A Florissant, Missouri man has been sentenced to over two years in federal prison for his role in a check-washing scheme that impacted a bank in the Metro East. The scheme involved the theft of authentic checks from the U.S. mail, which were then altered through a process known as check washing. Conspirators created counterfeit checks using the stolen account information and forged signatures, then attempted to deposit $48,200 in counterfeit checks into his bank account in O’Fallon, Illinois.
15. As ‘smart cities’ tools grow nationwide, so do privacy and ethical concerns. Tech tools aimed at making the roads safer and more efficient amass a large amount of data, and some data privacy experts worry about how that data could be handled.
16. The amount of waste from electrical and electronic products is increasing worldwide. According to Eurostat, the amount of electrical and electronic equipment put on the market in the European Union grew from 7.6 million tonnes in 2012 to a peak of 14.4 million tonnes in 2022. As more electronic devices can store information, secure and proper erasure of data has become an immense security challenge. NOTE: Every individual and business needs to make sure the digital products they throw away have had all the data within them irreversibly removed.
Check out our Privacy & Security Brainiacs blog page for more unique security and privacy news items. Have you run across any surprising, odd, offbeat or bizarre security and/or privacy news? Please let us know! We may include it in an upcoming issue.
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
February 2025
We continue to receive a wide variety of questions about security and privacy. Questions about current hot topics in society are of particular note. Thank you for sending them in! This month in addition to our Question of the Month we’ve included four Quick Hits questions.
Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!
Question of the Month:
Q1: How has generative AI changed the way data privacy has to be managed?
A1:
A spike in AI use in 2024 has created the necessity for all privacy professionals and business leaders to address the many ways that generative AI may be impacting their organizations, employees, and customers. The key to knowing how to address the use of generative AI is understanding that generative AI is almost always trained using real data. This can include large amounts of existing content, such as text, images, video and audio from the internet, including publicly accessible web pages, books, articles, social media posts, and, often, sites that post breached data online. The AI tools learn patterns from that data and use them to generate new content that is derivative of the data they were trained on. This creates many privacy issues when personal data is involved, which it often is.
It is also important to understand that no AI tool is 100% accurate in what it generates, so there are also problems with making decisions based on biased and/or incorrect generated information. Additional problems include using personal data to train the AI, which can violate many different types of laws, regulations and other legal requirements throughout the world.
Organizations must additionally realize that using information that is intellectual property to train AI tools could violate copyrights, trademarks and patents. Such intellectual property could also include information that is personal information or that directly impacts the privacy of an individual or group of individuals.
Generative AI has created many areas in which privacy, and the associated security, management must be reviewed and updated appropriately. A few of the issues that need to be reviewed and updated include:
- The organization using real personal data (from customers, patients, employees, and anyone else) for testing and/or training AI tools, using it in AI marketing tools, etc.
- Depending upon information from flawed AI algorithms that return incorrect information to make decisions. Always cross-check the output of AI against reliable sources, especially on critical, sensitive, or legal topics.
- Establishing and/or updating security and privacy AI policies and supporting procedures.
- Providing training for the updated and new AI security, privacy and compliance policies, procedures, and key points that are related to organization-specific situations, along with real-life examples, such as the growing number of problems being reported about AI trained with real personal data revealing that personal data in its generated output.
- Implementing protections to prevent cyber criminals and other external threats, and/or malicious insiders, from successfully using AI for activities such as:
  - phishing, and other types of social engineering, attacks using emails, texts, social media, websites, phone calls, videos, planning in-person interactions, etc.;
  - finding vulnerabilities into networks and within networks;
  - identity fraud and identity theft;
  - creating AI-powered malware;
  - using adversarial machine learning techniques to trick AI-powered security systems, such as injecting imperceptible noise into data to fool image recognition or intrusion detection systems;
  - password cracking;
  - managing and optimizing the damage, data exfiltration, and other harmful activities of botnets, such as Distributed Denial-of-Service (DDoS) attacks; and
  - locating and exploiting vulnerabilities in IoT product components.
Quick Hits:
Here are four more questions we are answering at a comparatively high level. We provide more in-depth information and associated details about these topics in separate blog posts, videos on our YouTube channel, in infographics and e-books, LinkedIn posts to our business page, and within our online training and awareness courses.
Q2: You’ve written before about being an expert witness for a case where a victim of domestic assault was tracked using the digital capabilities in her car. Can you help me recover from being a victim of identity fraud from a domestic assaulter?
A2:
For my readers: I received this question in 2024, and communicated with the questioner directly. She is now sorting out and repairing the damage. However, what I learned from this situation is that domestic violence involving economic abuse and coerced identity fraud is more widespread than I had realized, and a growing problem. I recently heard an in-depth news report about this, “‘He wanted to destroy me financially’: The economic abuse of domestic violence survivors,” and decided that it would be good to share.
Q3: Can I pass on a warning to your readers? I have ATT phone service. Today someone with a 1-855 number called claiming someone was trying to charge two phones to my ATT account. Next thing you know my phone went dead. I had to run to a store before it closed to get my phone turned back on. The store said they had 20 people with the same problem today. They told me, never answer the phone from 1-855 numbers!
A3:
We are sorry to hear about your scary ordeal! But we are relieved to know that you got access back to your phone.
To expand upon the advice the store gave you, since you indicated you are using AT&T service, here is some good information they provide about texting scams.
Q4: Have you seen any new phishing tactics lately?
A4:
Actually, I’ve personally been experiencing a very old phishing tactic that the crooks started using again more frequently in 2020. Most of those, including all of the letters I’ve received, included reference to COVID-19 victims in particular. Here’s an example, below, of a physical letter and the envelope it was in that I received via USPS in 2024. However, I also received similar letters earlier in 2024, and just yesterday I received an envelope with a similar letter in it from London, England.
Notice that the example below came from Canada. These letters are being sent to the general public in increasing numbers. Most of them are sent from other countries, with Canada being the most common. There are other countries of origin as well, as my most recent letter from England demonstrates. A high percentage of them are sent to Korean, Vietnamese, and Latino communities.
I marked out some of the information that would not be helpful or relevant. I highlighted some of the content that has writing errors, which is a huge red flag in these scam letters.
Some additional tips:
- The phrase, "striking similarity," is almost always in these scam attempts.
- The scammer posing as a lawyer almost always wants you to be in “partnership” in the scam and to agree to work with them, typically to split the money with you.
- If you receive such a message:
- Do not respond to the sender.
- Never provide personal information or agree to partner with someone contacting you about an unclaimed inheritance or life insurance policy based solely on a shared last name.
- Report it as a scam to your local authorities and/or the Federal Trade Commission (FTC).
See more about this particular type of phishing scam from the FTC here.
Q5: Are there any cybersecurity or privacy risks with doing away with Daylight Saving Time (DST) in the U.S.?
A5:
We are glad to get this question again, after answering it around a year ago, since it is once more in the news as a current U.S. government initiative.
Yes, there are risks! This topic is similar to the need that existed in the late 1990s to plan ahead and change the code of millions of software programs that stored years as two digits and assumed the century was “19”; in other words, addressing the widespread Y2K software code problems well in advance to prevent harmful impacts. I was part of that work. At the Fortune 200 financial and health insurance corporation where I worked, thousands of programs had to have portions of code rewritten to prevent program crashes, errors, incorrect calculations and other problems specific to the purpose of each software program. All of these events could have resulted in security incidents (e.g., loss of confidentiality, data integrity, and availability) and privacy breaches (e.g., failed authentications, incorrect changes to personal data, etc.).
With that background in mind, fast-forward to today. It is hard to say how many software programs contain code that runs based upon the two DST time changes each year, but it is a sure bet that there are many of them. I was a systems engineer at the very beginning of my career, and I can testify that the habit programmers had back then of hard-coding dates and times is still just as common today, possibly more so. Eliminating DST would most likely require changes in computer code that performs, and depends upon, time-based and/or date-based calculations, scheduling, and time zone conversions.
The specific programs needing changes would depend upon at least the following considerations:
- Legacy systems: Older software systems require reviewing, and might subsequently require substantial modifications to accommodate the removal of code based upon DST.
- Scope of use: Software code used in regions and industries that incorporated DST into their business activities, such as finance, transportation, scheduling, and healthcare (such as for medical devices).
- Time zone conversions: Programs that perform time zone conversions or time-sensitive transactions across different regions require review and subsequent modification based upon findings.
- Embedded systems and devices: Devices and embedded systems with accurate time-dependent functions, like routers, servers, and IoT devices, may need firmware updates.
- Complex time-related calculations: Software that includes complex time-related operations, such as calendaring, scheduling, events support, time-sensitive data management, and systems management needs to be reviewed and may require significant adjustments.
- AI tools: Algorithms that may have been engineered with DST changes embedded, and/or been trained with data that have such DST considerations.
Because millions of software programs exist, including hundreds of thousands coded many decades ago that are still in use, up through recent ones that perform activities based upon times, it will be necessary to review all such software code, make the necessary code changes, test thoroughly, and then put the changes into production before any DST elimination actually occurs. If code is not reviewed, as it was for Y2K, there could be some very interesting, and in many ways possibly harmful, problems and security incidents.
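To make the review concrete, here is an added example (it is not code from the newsletter or from any program the author worked on) showing the two code patterns a reviewer is looking for. It assumes Python 3.9 or later with the system IANA tz database available, and it uses America/Chicago and America/Phoenix purely as illustrative zones, one that observes DST and one that does not. The practitioner's caveat it demonstrates: code that resolves offsets from the tz database picks up a rule change through an ordinary tzdata update, so the review effort concentrates on code that hard-codes a fixed UTC offset (or the DST rule itself), and on scheduling logic whose "same wall-clock time tomorrow" and "24 elapsed hours later" semantics silently disagree on a transition day.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo  # stdlib since Python 3.9; reads the IANA tz database

UTC = timezone.utc
# Illustrative zones chosen for this example: one observes DST, one does not.
CENTRAL = ZoneInfo("America/Chicago")
ARIZONA = ZoneInfo("America/Phoenix")


def utc_with_fixed_offset(local_wall: datetime, offset_hours: int) -> datetime:
    """Legacy pattern: treat every local wall-clock time as UTC+offset.

    The DST rule is effectively hard-coded as "none": the result is an hour
    off for part of the year today, and it stays wrong after any rule change
    because no tzdata update can reach it.
    """
    fixed = timezone(timedelta(hours=offset_hours))
    return local_wall.replace(tzinfo=fixed).astimezone(UTC)


def utc_with_tzdb(local_wall: datetime, zone: ZoneInfo) -> datetime:
    """Maintainable pattern: let the tz database supply the offset in force
    on that date. If DST is abolished, the new rule arrives as a tzdata
    update and this function does not change."""
    return local_wall.replace(tzinfo=zone).astimezone(UTC)


def offset_error_hours(local_wall: datetime, zone: ZoneInfo,
                       assumed_offset_hours: int) -> float:
    """How far (in hours) the hard-coded assumption is from the real instant."""
    delta = (utc_with_fixed_offset(local_wall, assumed_offset_hours)
             - utc_with_tzdb(local_wall, zone))
    return delta.total_seconds() / 3600


def next_daily_run_wall(start: datetime) -> datetime:
    """'Same wall-clock time tomorrow'. Aware datetime + timedelta is
    wall-clock arithmetic in Python, so across a DST transition the UTC
    instant moves by 23 or 25 hours, not 24."""
    return start + timedelta(days=1)


def next_daily_run_elapsed(start: datetime) -> datetime:
    """'Exactly 24 elapsed hours later'. Do the arithmetic in UTC and convert
    back, so across a transition the local wall-clock time moves by an hour."""
    return (start.astimezone(UTC) + timedelta(days=1)).astimezone(start.tzinfo)


def distinct_offset_hours(zone: ZoneInfo, year: int) -> set:
    """Audit helper: the set of UTC offsets a zone uses during a year.
    One value means no DST today; two values mean code handling that zone
    must deal with a transition, and must be re-checked when the rule changes."""
    first = datetime(year, 1, 1, 12, 0, tzinfo=zone)
    offsets = set()
    for day in range(366):
        d = first + timedelta(days=day)
        if d.year != year:
            break
        offsets.add(d.utcoffset().total_seconds() / 3600)
    return offsets


if __name__ == "__main__":
    # Constructed sample inputs: a naive 09:00 local time in summer and in winter.
    summer = datetime(2025, 7, 1, 9, 0)
    winter = datetime(2025, 1, 15, 9, 0)
    print("July 09:00, hard-coded UTC-6:", utc_with_fixed_offset(summer, -6))
    print("July 09:00, tz database:     ", utc_with_tzdb(summer, CENTRAL))
    print("error in hours, July / January:",
          offset_error_hours(summer, CENTRAL, -6),
          offset_error_hours(winter, CENTRAL, -6))

    # 2025-03-08 09:00 Central is the day before the U.S. spring-forward transition.
    start = datetime(2025, 3, 8, 9, 0, tzinfo=CENTRAL)
    wall, elapsed = next_daily_run_wall(start), next_daily_run_elapsed(start)
    print("wall-clock next run:   ", wall, "=", wall.astimezone(UTC))
    print("elapsed-time next run: ", elapsed, "=", elapsed.astimezone(UTC))

    print("offsets used in 2025:", distinct_offset_hours(CENTRAL, 2025),
          distinct_offset_hours(ARIZONA, 2025))
```

Run as a script it prints the one-hour disagreement between the hard-coded and tz-database conversions in July (and none in January), then shows the two scheduling semantics landing an hour apart on the day after the transition. Neither scheduling answer is "the" correct one; the point for a code review is that the choice is a DST-dependent business rule, and that the audit helper identifies which zones the rule currently applies to. On Windows, `zoneinfo` needs the `tzdata` package from PyPI because there is no system tz database.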
Data Security & Privacy Beacons*
People and Places Making a Difference
We get many suggestions for beacons from our readers; thank you! We include many of them when the suggestions are for businesses other than the suggester’s. Typically for those, the suggester feels the organization deserves recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list, though. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.
- Hiscox for their “Cyber Readiness Report 2024,” published on January 13, 2025. Only 7% of companies retrieved all of their data after paying a ransom to hackers, according to research from insurer Hiscox, which surveyed 400 U.S. cybersecurity professionals.
- Experian for their “2025 Future of Fraud Forecast,” where they explain five key threats businesses and consumers need to watch out for this year, including viral crimes, crypto scams, pig butchering (aka romance scammers), crooks password “spraying” against healthcare organizations, and their business associates and customers, and new types of GenAI bots.
- Splunk for their new research report, “State of Security 2024: The Race to Harness AI.” NOTE: They require name and email to obtain their report.
- The National Institute of Standards and Technology (NIST) for their Privacy Engineering Program News and Updates infographic.
- The Federal Trade Commission (FTC) for:
  - Their article, “Stalkerware: What To Know.”
  - Their action, “FTC Takes Action Against General Motors for Sharing Drivers’ Precise Location and Driving Behavior Data Without Consent. Under proposed order, GM and OnStar will be banned for five years from disclosing geolocation and driver behavior data to consumer reporting agencies.”
- The Copyright Office for their guidance, “Copyright Office Releases Part 2 of Artificial Intelligence Report.”
- Identity Theft Resource Center (ITRC) for their report, “ITRC 2024 ANNUAL DATA BREACH REPORT.”
- The Department of Health and Human Services (HHS) for their reminder:
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight a noteworthy example of privacy-aware practices.
Check It Out!
We are going to be posting more videos to our YouTube channel this year! We know; we are behind. We will be better at getting more online content created in 2025! To date we have not formally promoted it. As we start getting a good number of some video shorts, as well as medium- to long-length videos, posted, we will be doing some traditional promotions. In the meantime, please check it out, let us know of any topics you suggest we cover, “like” the videos, and subscribe. And of course, add comments for topics that motivate you to do so.
What topics would you like to see us create videos, and more formal online courses, for? Let us know!
Have questions about our education offerings? Contact us!
Where to Find The Privacy Professor
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:
Source: Rebecca Herold. February 2025 Privacy Professor Tips
www.privacysecuritybrainiacs.com.
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Information
You are receiving this Privacy Professor Tips message as a result of:
1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or
2) making a request directly to Rebecca Herold or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.