Balancing the Good with the Bad
Each month, I try to point out security and privacy "wins" alongside the "fails." After all, if you look hard enough, you can find great examples of people, organizations and businesses going above and beyond to secure and protect sensitive data.
That said, there are just so many mistakes and missteps that the Tips message is rarely as balanced between good and bad as I'd like.
This month, with Valentine's Day just around the corner, I wanted to renew my commitment to rounding up a few more practices to LOVE. In fact, it's how I'm kicking off the first issue of the year... see "Look Here! Great Examples of Strong Protection" below.
As you read, I hope you find inspiration for how to incorporate similar strategies in your corner of the world.
Look Here! Great Examples of Strong Protections
4 proof points that data security and privacy protection can be done
The Parent Coalition for Student Privacy provided a great set of instructions for checking students' settings in school-issued G Suite accounts. This is a terrific service for parents and guardians who want to make sure their children's privacy settings are as protective as possible.
Ride-share app Lyft is doing a great job from a privacy perspective. Besides having adopted recommended privacy standards, the company also explicitly forbids third parties from allowing Lyft user data to be used for surveillance purposes. (I'd like to see them provide an update to their privacy policy, though.)
Slack, the cloud-based workflow software, has adopted information security and privacy recommended practices, including publishing a transparency report, requiring a warrant for content and publishing its guidelines for law enforcement requests. Considering how much intellectual property, business secrets and personal data could be flowing through these communications, it is good to see what appears to be "above and beyond" security and privacy practices.
Kudos to the Canadian ranger in Fort Simpson, Northwest Territories, for contacting news agency CBC to report that he found health records (including an application to an addictions treatment facility and detailed notes from counselling sessions) in a bankers box at a salvage area. As with suspicious items and suspected crime, if you see something, say something!
International rules plague stateside brands
The really interesting part of this is not so much what Google did, but how it (mis)communicated its plans to collect, analyze and share user data. Regulators wanted to see more transparency and clarity from Google as it relates to the handling of personal information.
We all saw it coming, of course. The global implications of the EU General Data Protection Regulation (GDPR) are something data security and privacy experts began discussing long before the regs became law.
This is the largest GDPR penalty levied to date, but I'm willing to bet there will be many more. The deep pockets and expansive reach of tech giants make them pretty big targets for GDPR enforcers. What's more, regulators have now established a baseline fine of significant size to use in the future.
I expect we'll see plenty more enforcement headlines like this over the coming months. As pointed out by my LinkedIn connection John Tomaszewski, "American lawyers using American drafting conventions can get sideways of the GDPR pretty quickly."
What You Need to Know about the 'Breach of Breaches'
Hack of hacked databases exposes billions of records... yours likely included!
In what could be described as the mother of all breaches, Collection #1 has been released on the dark web. The database is said to contain over a billion unique combinations of email addresses and passwords, and it's now available to the world's cybercriminals on the digital black market.
Collection #1 was first reported by security researcher Troy Hunt, who said the database, which was built from 2,000 other databases chock-full of hacked data, appeared briefly on a cloud service and then on a popular hacking forum.
What really stood out...
While Collection #1 contains nearly 2.7 billion email addresses and passwords, just 21 million of those passwords are unique. What does this mean? Millions of passwords are reused across multiple accounts. And that makes the job of cybercriminals and their bots so much easier. Figure out how to break into someone's email, and chances are really good you can break into their online banking account with the same credentials.
Everyone needs to stop reusing passwords today! Everyone. Today.
Given the size of this database, it's logical to assume your email address and password combination is contained within. Five actions to take right now:
- Use different passwords for different types of sites. Ideally, a unique password for each site.
- Enable 2-factor authentication where possible.
- Change passwords after breaches, and when you think they may have been compromised.
- Don't rotate and reuse authentication credentials across your different sites and accounts.
- Use different email addresses for different purposes.
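The reuse statistic above (2.7 billion records, 21 million unique passwords) is easy to compute for your own accounts. The script below is an added example, not code from the newsletter or from Troy Hunt: it reads a list of (account, email, password) records such as a password-manager export, reports the unique-password ratio, lists which accounts share a password, and flags any password whose SHA-1 hash appears in a local list of known-breached hashes. The account records and the breached-hash list are constructed for the example; the report identifies passwords only by hash so the output never contains plaintext.

```python
"""Password-reuse audit over a credential export (added example, constructed data)."""
import hashlib
from collections import defaultdict

# Constructed sample of one user's accounts: (account label, login email, password).
SAMPLE_ACCOUNTS = [
    ("webmail", "alex@example.com", "Winter2019!"),
    ("bank", "alex@example.com", "Winter2019!"),
    ("game-store", "alex.gamer@example.com", "Winter2019!"),
    ("forum", "alex@example.com", "correct horse battery staple"),
    ("shopping", "alex@example.com", "ladybug-rivet-cactus-73"),
]


def sha1_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased, the form breached-password lists are usually published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus: only hashes are kept,
# so the audit never has to store breached plaintexts next to live credentials.
KNOWN_BREACHED_SHA1 = {sha1_upper("Winter2019!"), sha1_upper("password123")}


def unique_password_ratio(accounts):
    """Fraction of records whose password is distinct across the export.

    Collection #1's figures (2.7 billion rows, 21 million unique passwords)
    are this same ratio computed at corpus scale.
    """
    if not accounts:
        return 0.0
    unique = {pw for _, _, pw in accounts}
    return len(unique) / len(accounts)


def reused_passwords(accounts):
    """Group accounts by password hash; return only groups shared by two or more accounts."""
    groups = defaultdict(list)
    for label, _, pw in accounts:
        groups[sha1_upper(pw)].append(label)
    return {h: sorted(labels) for h, labels in groups.items() if len(labels) > 1}


def breached_accounts(accounts, breached_hashes):
    """Account labels whose password hash is in the known-breached set."""
    return sorted(label for label, _, pw in accounts if sha1_upper(pw) in breached_hashes)


def audit(accounts, breached_hashes):
    """Full report: reuse ratio, reuse groups, and accounts on a breached password."""
    return {
        "unique_ratio": unique_password_ratio(accounts),
        "reused": reused_passwords(accounts),
        "breached": breached_accounts(accounts, breached_hashes),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS, KNOWN_BREACHED_SHA1)
    print(f"unique passwords / records: {report['unique_ratio']:.2f}")
    for h, labels in report["reused"].items():
        print(f"password {h[:10]}... is shared by: {', '.join(labels)}")
    print("accounts using a known-breached password:", ", ".join(report["breached"]))
```

On the constructed sample the ratio is 0.60 (3 distinct passwords over 5 accounts) and the webmail, bank and game-store accounts all share one password that is also on the breached list, which is exactly the email-to-banking chain the article warns about. Any account that shows up in the reuse or breached output is the one to change first.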
Want more?
See my recent discussion about this incident with the folks at morning show Iowa Live.
Fortnite Gamers' Accounts, Money & Conversations Exposed in Hack
Video game bug lets hackers take over accounts, listen in on gamers
- Take over gaming accounts (because Fortnite doesn't allow multiple sign-ins, legitimate account owners could not log in if a hacker had taken over)
- Purchase in-game currency V-Bucks and "gift" it to another player (i.e., the hacker)
- Eavesdrop on in-game conversations (which often take place between kids and teens)
The incident underscores the importance of talking with kids about good data hygiene. Fortnite gamers were exposed to the risks when they clicked on a link sent in an email, so a Phishing 101 lesson is in order for every young gamer in your circle.
A few other tips for gamers:
- If you have trouble logging in with your known credentials, report the incident immediately.
- Use 2-factor authentication.
- Make sure your password is complex (i.e., as long as possible, upper and lowercase characters, numerals and special characters).
- Do not use the same passwords on online gaming sites that you use for other sites.
- If you receive odd or unexpected communication from the game, its developer or a fellow player, don't follow the prompts. Use your phone to call the sender to see if any action is really necessary.
- Never have private or sensitive conversations while logged in to online games.
- Check the associated bank account or payment card often to look for in-game purchases you didn't make.
Keep the spirit of HIPAA in mind
The marketing department of Walgreens recently asked customers to participate in a survey that shocked me (see excerpt screenshot from my own inbox below).
In exchange for the potential to appear in a commercial, customers were asked to provide:
- Name
- Phone number
- Email
- Photo
- Information about ailments or health issues
In the communication, there was not a single word about privacy; not a single word about security. There was, however, a statement that this personal and private information may be shared with an unnamed advertising talent agency. (All my health care compliance friends can just imagine the Business Associate, and other, risks of such an arrangement!)
I would advise you never to participate in a survey like this, no matter what the reward. While Walgreens may be known for doing an effective job protecting pharmacy patient data, they aren't doing a great job of sharing how they do so... at least not in this circumstance. And, businesses, pay attention: As the Google penalty above points out, regulators seem to care as much about how you communicate your data security and privacy intentions as they do about the protections themselves.
Who's Looking Out for Student Privacy?
School records just as vulnerable to attack... maybe more.
Throughout school history, students have been threatened with, "That will go on your permanent record!"
Back in the day, those records were on paper. Today, they're digital and often stored on vulnerable networks increasingly targeted by cybercriminals.
So, who's looking out for the privacy of students and their records?
It's a big, complex question we tackled recently on my radio show, "Data Security & Privacy with the Privacy Professor." I was joined by Randi Weingarten, president of the American Federation of Teachers. We discussed several important risks for all parents and guardians to consider and to ask their school administrators about, including:
- Today's comprehensive student records contain much more than grades.
- Several actions by the U.S. Department of Education are creating new student privacy risks.
- Misguided protections by school districts often end up invading privacy.
- Third parties, such as testing organizations, take huge amounts of student personal data and monetize it.
Early user data indicates patients are happy... but is their data secure?
As with any new device or app, I advise caution... and common sense. Any time you are considering downloading an app or sharing your data with anyone, ask yourself, what's in it for the developer? Data is typically the answer. After all, in today's digital marketplace, data is currency.
So, if you are okay with Apple having access to your most personal, private health records, the next question becomes, who is Apple sharing this data with? And are you okay with that entity having access?
It's important to point out that the users recently surveyed on their satisfaction with the app seem to have a proclivity for sharing. Ninety percent said the app improved the process of sharing their personal health information with friends and family.
So, perhaps this app is designed with certain segments of the health care population in mind, such as patients cared for by family members or caregivers with power of attorney.
Are you a member of those segments? If so, this app may be well-suited for you. Just do your research, ask the tough questions and proceed with caution. If you have a particularly sensitive ailment or history that you want protected to the highest degree, you might think twice about participating in a program that integrates with Apple Health Records.
Where to Find the Privacy Professor
In the classroom...
Privacy Impact Assessments: Effective Tools to Identify and Mitigate Security and Privacy Risks. A 1-day SecureWorld PLUS class at the following SecureWorld events:
On the road...
One of my favorite things to do is visit with leaders in different industries, from health care and managed systems providers to insurance and energy (and beyond). So far, I have tentative appearances set for February, May and June 2019, including...
If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get in touch.
On the air...
HAVE YOU LISTENED YET?
I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm and similar apps and sites.
Hear the perspectives of incredible guests as they talk through a wide range of hot topics.
Some of the many topics we've addressed...
- identity theft
- medical cannabis patient privacy
- cybercrime prosecutions and evidence
- government surveillance
- swatting
- GDPR
- career advice for cybersecurity, privacy and IT professions
- voting / elections security (a series)
SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.
In the news...
CIO Dive
CPO Magazine
Credit Union Times
Forbes
Health Care Info Security
IANS
Iowa Live Morning TV Show
Mashable
Nehemiah Security
Origami Risk
Privacy Analytics
Quartz
Secureworld Industry News
3 Ways to Show Some Love
The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (time really flies!). If you love receiving your copy each month, consider taking a few moments to...
1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.
3) Share the content. All of the info in this email is sharable (I'd just ask that you follow
This Valentine's Day, show your love to the organizations doing a great job with their data security and privacy strategies. They deserve it. Give them your business, spread your admiration online and live out their example by becoming a change agent in your own community or organization!
Happy February!
Rebecca
Rebecca Herold, The Privacy Professor