Balancing the Good with the Bad 

Each month, I try to point out security and privacy "wins" alongside the "fails." After all, if you look hard enough, you can find great examples of people, organizations and businesses going above and beyond to secure and protect sensitive data.

That said, there are just so many mistakes and missteps that the Tips message is rarely as balanced between good and bad as I'd like.

This month, with Valentine's Day just around the corner, I wanted to renew my commitment to rounding up a few more practices to LOVE. In fact, it's how I'm kicking off the first issue of the year... see "Look Here! Great Examples of Strong Protection" below. 

As you read, I hope you find inspiration for how to incorporate similar strategies in your corner of the world.


Look Here! Great Examples of Strong Protections
4 proof points that data security and privacy protection can be done

The Parent Coalition for Student Privacy provided a great set of instructions for checking students' settings in school-issued G Suite accounts. This is a terrific service for parents and guardians who want to make sure their children's privacy settings are as protective as possible.  
Ride-share app Lyft is doing a great job from a privacy perspective. Besides having adopted recommended privacy standards, the company also explicitly forbids third parties from allowing Lyft user data to be used for surveillance purposes. (I'd like to see them provide an update to their privacy policy, though.) 
Slack, the cloud-based workflow software, has adopted information security and privacy recommended practices, including publishing a transparency report, requiring a warrant for content and publishing its guidelines for law enforcement requests. Considering how much intellectual property, business secrets and personal data could be flowing through these communications, it is good to see what appears to be "above and beyond" security and privacy practices.
Kudos to the Canadian ranger in Fort Simpson, Northwest Territories, for contacting news agency CBC to report that he found health records (including an application to an addictions treatment facility and detailed notes from counselling sessions) in a bankers box at a salvage area. As with suspicious items and suspected crime, if you see something, say something!

Google Fined $57 Million in France
International rules plague stateside brands

No surprise, but still big news: France's data protection watchdog, the CNIL, fined Google €50 million (about $57 million) for breaching EU online privacy rules.

The really interesting part of this is not so much what Google did, but how it (mis)communicated its plans to collect, analyze and share user data. Regulators wanted to see more transparency and clarity from Google as it relates to the handling of personal information. 

We all saw it coming, of course. The global implications of the EU General Data Protection Regulation (GDPR) are something data security and privacy experts began discussing long before the regs became law. 

This is the largest GDPR penalty levied to date, but I'm willing to bet there will be many more. The deep pockets and expansive reach of tech giants make them pretty big targets for GDPR enforcers. What's more, regulators have now established a baseline fine of significant size to use in the future. 

I expect we'll see plenty more enforcement headlines like this over the coming months. As pointed out by my LinkedIn connection John Tomaszewski, "American lawyers using American drafting conventions can get sideways of the GDPR pretty quickly." 

What You Need to Know about the 'Breach of Breaches'
Hack of hacked databases exposes billions of records... yours likely included! 

In what could be described as the mother of all breaches, Collection #1 has been released on the dark web. The database is said to contain over a billion unique combinations of email addresses and passwords, and it's now available to the world's cybercriminals on the digital black market.

Collection #1 was first reported by security researcher Troy Hunt who said the database, which was built from 2,000 other databases chock-full of hacked data, appeared briefly on a cloud service and then on a popular hacking forum. 

What really stood out...

While Collection #1 contains nearly 2.7 billion rows of email addresses and passwords, just 21 million of those passwords are unique. What does this mean? Millions of passwords are reused across multiple accounts. And that makes the job of cybercriminals and their bots so much easier: this is exactly what "credential stuffing" attacks rely on. Figure out how to break into someone's email, and chances are really good you can break into their online banking account with the same credentials. 

Everyone needs to stop reusing passwords today! Everyone. Today.

Given the size of this database, it's logical to assume your email address and password combination is contained within. Five actions to take right now:
  • Use different passwords for different types of sites. Ideally, a unique password for each site.
  • Enable 2-factor authentication where possible.
  • Change passwords after breaches, and when you think they may have been compromised.
  • Don't rotate and reuse authentication credentials across your different sites and accounts.
  • Use different email addresses for different purposes.
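One practical way to act on the third item (changing passwords that may have been compromised) is to check a password against the Pwned Passwords corpus, which is where Troy Hunt loaded the Collection #1 passwords. The check below is an added example written for this issue, not code from the newsletter or from Have I Been Pwned. It uses the real k-anonymity scheme of the Pwned Passwords range API (https://api.pwnedpasswords.com/range/{first five hex characters of the SHA-1}): only a 5-character hash prefix is ever sent, the server returns every hash suffix in that bucket, and the match is made on your own machine. The sample bucket and its counts are constructed for the example; only the hash of "password" in it is real.

```python
"""Check a password against a breach corpus without revealing it.

Added example (not from the newsletter or Have I Been Pwned). The
endpoint is the real Pwned Passwords range API; the sample bucket
below is constructed so the example runs offline.
"""
import hashlib
from typing import Dict, Tuple

# Real endpoint: GET <PWNED_RANGE_URL><first 5 hex chars of the SHA-1>
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the server and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the API's 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Return how many times the password was seen in breaches (0 if never),
    given the range response for the password's own 5-char prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Optional live lookup over the network; the password itself is never
    transmitted, only its 5-character hash prefix."""
    import urllib.request
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "password-reuse-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample bucket for prefix 5BAA6 (the bucket for "password").
# The middle suffix is the real SHA-1 suffix of "password"; the neighbours
# and all counts are made up for the example.
SAMPLE_RANGE_5BAA6 = """\
0045BB9A3E9A5E1F6A4F9C6B3C5E2E1F6A4:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2F2ABD5C6C8E3A2A4F0F6A1B2C3D4E5F6A7:1
"""


def check_offline(password: str) -> int:
    """Check against the constructed sample bucket (no network)."""
    prefix, _ = sha1_prefix_suffix(password)
    if prefix != "5BAA6":
        # The sample bucket only covers one prefix; anything else is unknown
        # here and would need fetch_range(prefix) for a real answer.
        return 0
    return breach_count(password, SAMPLE_RANGE_5BAA6)


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-correct-horse"):
        seen = check_offline(pw)
        verdict = "seen in breaches, change it" if seen else "not in sample bucket"
        print(f"{pw!r}: {verdict} (count={seen})")
```

To run it against the live corpus, replace `SAMPLE_RANGE_5BAA6` with `fetch_range(prefix)` for the prefix returned by `sha1_prefix_suffix`; the response format is the same. Any non-zero count means the password has appeared in a known breach and should not be reused anywhere, regardless of how "strong" it looks.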
Want more?

See my recent discussion about this incident with the folks at morning show Iowa Live.



Fortnite Gamers' Accounts, Money & Conversations Exposed in Hack
Video game bug lets hackers take over accounts, listen in on gamers
Thanks to a tip from Check Point, Epic Games has patched a vulnerability that gave hackers a way to:
  • Take over gaming accounts (Because Fortnite doesn't allow multiple sign ins, legitimate account owners could not log in if a hacker had taken over.)
  • Purchase in-game currency V-Bucks and "gift" it to another player (i.e., the hacker)
  • Eavesdrop on in-game conversations (which are often had between kids and teens)
The incident underscores the importance of talking with kids about good data hygiene. Fortnite gamers were exposed to the risks when they clicked on a link sent in an email, so a Phishing 101 lesson is in order for every young gamer in your circle. 

A few other tips for gamers:
  • If you have trouble logging in with your known credentials, report the incident immediately. 
  • Use 2-factor authentication.
  • Make sure your password is complex (i.e., as long as possible, upper and lowercase characters, numerals and special characters).
  • Do not use the same passwords on online gaming sites that you use for other sites.
  • If you receive odd or unexpected communication from the game, its developer or a fellow player, don't follow the prompts. Use your phone to call the sender to see if any action is really necessary.
  • Never have private or sensitive conversations while logged in to online games. 
  • Check the associated bank account or payment card often to look for in-game purchases you didn't make. 

Keep the spirit of HIPAA in mind 
The marketing department of Walgreens recently asked customers to participate in a survey that shocked me (see excerpt screenshot from my own inbox below). 

In exchange for the potential to appear in a commercial, customers were asked to provide:
  • Name
  • Phone number
  • Email
  • Photo
  • Information about ailments or health issues
In the communication, there was not a single word about privacy; not a single word about security. There was, however, a statement that this personal and private information may be shared with an unnamed advertising talent agency. (All my health care compliance friends can just imagine the Business Associate, and other, risks of such an arrangement!)

I would advise you never to participate in a survey like this, no matter what the reward. While Walgreens may be known for doing an effective job protecting pharmacy patient data, they aren't doing a great job of sharing how they do so... at least not in this circumstance. And, businesses, pay attention: As the Google penalty above points out, regulators seem to care as much about how you communicate your data security and privacy intentions as they do about the protections themselves. 

Who's Looking Out for Student Privacy?
School records just as vulnerable to attack... maybe more.

Throughout school history, students have been threatened with, "That will go on your permanent record!" 

Back in the day, those records were on paper. Today, they're digital and often stored on vulnerable networks increasingly targeted by cybercriminals. 

So, who's looking out for the privacy of students and their records?

It's a big, complex question we tackled recently on my radio show, "Data Security & Privacy with the Privacy Professor." I was joined by Randi Weingarten, president of the American Federation of Teachers. We discussed several important risks for all parents and guardians to consider and to ask their school administrators about, including: 
  • Today's comprehensive student records contain much more than grades.
  • Several actions by the U.S. Department of Education are creating new student privacy risks.
  • Misguided protections by school districts often end up invading privacy. 
  • Third parties, such as testing organizations, take huge amounts of student personal data and monetize it. 
Listen to this important conversation about privacy in schools for students, as well as teachers. And then check out the "Educator Toolkit for Teacher and Student Privacy." You may want to share it with the schools in your community.

Reader Question: Is the Apple Health Records App Safe?
Early user data indicates patients are happy... but is their data secure?

As with any new device or app, I advise caution... and common sense. Any time you are considering downloading an app or sharing your data with anyone, ask yourself, what's in it for the developer? Data is typically the answer. After all, in today's digital marketplace, data is currency. 

So, if you are okay with Apple having access to your most personal, private health records, the next question becomes, who is Apple sharing this data with? And are you okay with that entity having access?

It's important to point out that the users recently surveyed on their satisfaction with the app seem to have a proclivity for sharing. Ninety percent said the app improved the process of sharing their personal health information with friends and family. 

So, perhaps this app is designed with certain segments of the health care population in mind, such as patients cared for by family members or caregivers with power of attorney. 

Are you a member of those segments? If so, this app may be well-suited for you. Just do your research, ask the tough questions and proceed with caution. If you have a particularly sensitive ailment or history that you want protected to the highest degree, you might think twice about participating in a program that integrates with Apple Health Records. 

Where to Find the Privacy Professor  

In the classroom... 

Privacy Impact Assessments: Effective Tools to Identify and Mitigate Security and Privacy Risks. A 1-day SecureWorld PLUS class at the following SecureWorld events:

On the road...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond). So far, I have tentative appearances set for February, May and June 2019, including... 
If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get in touch.

On the air... 


I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, and similar apps and sites. 

Hear the perspectives of incredible guests as they talk through a wide range of hot topics.

Some of the many topics we've addressed... 
  • identity theft
  • medical cannabis patient privacy
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

In the news... 

  • CIO Dive
  • CPO Magazine
  • Credit Union Times
  • Health Care Info Security
  • Iowa Live Morning TV Show
  • Nehemiah Security
  • Origami Risk
  • Privacy Analytics
  • SecureWorld Industry News

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard-dollar costs to producing the Tips each month, and every little bit helps. 

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

This Valentine's Day, show your love to the organizations doing a great job with their data security and privacy strategies. They deserve it. Give them your business, spread your admiration online and live out their example by becoming a change agent in your own community or organization!

Happy February!

Rebecca Herold, The Privacy Professor
Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. February 2019 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter