Another Successful Data Privacy Day in the Books!
For the 8th consecutive year, we successfully secured the proclamation of Jan. 28 as Iowa Data Privacy Day. Planned to coincide with International Data Privacy Day (also on Jan. 28), the proclamation was our way of bringing greater awareness to the importance of privacy and protecting personal information.
We also successfully launched a new cloud-based risk management and compliance solution, SIMBUS360, to coincide with this important day. You can learn more about it here, and I'd be more than thrilled to provide you a demo of our compliance solution. We built SIMBUS360 for use by all industries. Healthcare, insurance, financial services and other industry security professionals have already shared their early impressions with us, and we've been overwhelmed by the incredibly positive response.

To coincide with Data Privacy Day, we offered a special deal to businesses, which we are extending through February 15.

Celebrating Iowa Data Privacy Day proclamation with Governor Terry Branstad

INFOGRAPHIC: Your Health Data, Available for the Taking

Please share widely to educate more patients, caregivers and medical device engineers!

Health and medical data are under siege, and many patients are completely unaware. To change that, we developed this infographic detailing what can happen to our most private data when not properly protected.
Please share this far and wide - more people should be asking tough questions of their doctors and caregivers!
How to Spot a Fake
Con artists continue to woo unsuspecting victims into traps

Fraudsters are getting better, folks. Their attempts at persuading victims are so successful because they look so real. Read below before you open emails, attachments, or heaven forbid, your front door, to these criminals.
Savvy phishing attack targets Gmail accounts with high success rates: This scam relies on email that appears to come from someone you know... with an attachment that will look familiar! (Thank you, Christopher Burgess, for this pointer.)
Beware utility scams -- Your power will not be shut off immediately: Vulnerable populations are targeted in this one to increase its chances of success. (Thanks, Marla, for your pointer on this, as well!)
Someone just knocked on my door saying they're from my electric company: Stories like this, in which the perpetrator, dressed professionally, comes to the home of victims, are particularly disturbing.
I overpaid you with my money order, please send some back: In this era of Airbnb, HomeAway and VRBO, in which often inexperienced people rent out their actual homes, this scam is especially effective.

Hacking is Not a 'Left' or 'Right' Issue
It's time to evolve the conversation beyond political bickering

In the U.S., there has been a lot of debate about the vulnerability of our systems - our election systems in particular. While the increased conversation is much-needed and welcomed, it's disappointing to see the real issue buried under a veil of political mud-slinging.
I believe, as do many of my data privacy and security colleagues, that national cyber security is not a left or right issue.
Countries hack each other. It's been proven. It's time to stop debating that fact and to move the conversation toward how we are going to protect ourselves from the bad actors. (I recently talked about the long history of countries hacking on CWIowa Live.)

With such a wide range of motivations to break into and steal from sensitive data repositories and connected systems, the dialogue should be less about whether there is hacking and more about how it's occurring. Only then can we get to the real meat of the conversation - which is how to strengthen the digital infrastructures of our countries. 

Good Technology in Bad Hands

Innovation in auto industry threatens security for vehicle owners, renters

A device designed for car manufacturers has found its way into the tech arsenal of crooks. If your vehicle has keyless entry or ignition, you could be at risk. (Thanks, Shelby Kobes, for this pointer!)
It works by intercepting the signal from a key fob nearby, which some drivers have gotten into the habit of leaving in their cars (Do not do this!). When researchers tested the devices - after catching criminals on security footage doing the same - they were able to break into 19 out of the 35 cars they tried. Scarier yet, they were able to start and drive off in 18 of them!
Two simple precautions you can take...
  1. Keep keys in a metal box or a wallet protected from radio-frequency ID chips
  2. Park your car in a locked garage or well-lit place with surveillance cameras
Simple Protection for Smart Homes

Internet of Things (IoT) castles warrant digital moat
The popularity of connected devices for the home is creating a need for easy and affordable defense systems. And this year's Consumer Electronics Show brought exactly that. (Thank you, Christina A, for the pointer!)
Three organizations announced devices that promise to inspect data as it moves throughout a connected home's network. As a value add, the devices also come with parental controls to monitor the screen, device and gadget time of children.
Each of the devices works in concert with a connected home's router, the entry point for home networks, and will be managed through a smartphone app.
Love to see this kind of innovation and attention to home security!

Viewer Question

A CWIowa viewer sent me this question after my recent appearance on the morning show...

I saw you talking about computing security and wondered what you know about SimpliSafe, which I hear is pulled into your router. Can you share your thoughts?

SimpliSafe is a home security system with an app that allows users remote views of their home through sensors, smoke detectors, etc. This video provides information about its use, but really doesn't talk about data security issues. 

While I have not looked closely at the solution, I reviewed the privacy policy on the website. 

A few things that concern me:
  1. They point to their Terms of Sale and Terms of Service in a way that seems like those supersede the Privacy Policy. The Terms of Service includes statements regarding SimpliSafe recording conversations, communications, etc.
  2. They share the information of those looking at their site, such as browsing histories, with marketers through cookies, web bugs, etc. They provide a link to opt-out of such sharing, but the page it takes you to doesn't make it clear what you need to do to opt-out.
  3. They only provide a general statement about their data security services, but provide four times as much information telling consumers that security is their ultimate responsibility (yet they cannot guarantee security). If I were advising SimpliSafe, I would recommend they display a third-party security approval seal, an active site security scanning seal and something to demonstrate they have a comprehensive cyber security program in place.
A few things I like:
  1. They list the specific types of data they collect from you.
  2. They provide contact information if you have any concerns.
  3. In general I like home security systems; I use one myself. Mine is more costly than SimpliSafe, but it connects directly to the police station should I sound the alarm. 


How and why cybercrooks are targeting clinics and hospitals
This comes directly from our new infographic above. 

Attackers infect medical devices and systems that enable backdoors into networks. They move laterally through connected systems, looking for passwords and decryption codes.

With stolen medical data, criminals create fake IDs to buy drugs with high street value or medical equipment resold for a hefty profit. They also use stolen account numbers to file fake insurance claims.

But here's the really scary part...
Attackers aren't always looking to steal data. Sometimes, they are looking to manipulate it, causing patients to receive incorrect test results, wrong doses or unnecessary procedures.  

Privacy Professor On The Road, In the News & On the Shelves

On the road...

One of my favorite things to do is visit with leaders in different industries - healthcare to associations to energy and beyond. Below are a few of the events I have scheduled for the upcoming season.

April 4, 2017: Giving speech, "Don't Fall for Social Engineering Scams," to attendees of the BBB Fraud Program meeting in Omaha, NE.

April 18, 2017: Giving speech, "Don't Let Third Parties Bring Down Your Business: Effective Vendor Management," to attendees of the ISSA Minnesota Chapter Meeting, St. Paul, MN.

July 27, 2017: Providing sessions at the Internet of Medical Things III: Engineering and Cybersecurity for Connected Devices Conference, hosted by the BioPharmaceutical Research Council, NJ Hospital Association, Princeton.

In the news...


CWIowa Live

The morning TV broadcast regularly covers privacy and security tips with their guest, the Privacy Professor! Each segment is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

Here is my most recent visit to the studio on January 26, during which we talk about Data Privacy Day! 

On the shelves...

I'm thrilled to share the news that the ISACA Privacy Book, for which I was Lead Author and Developer, was released this month. It's an effort that took two years, so it's extremely exciting to see it officially on the shelves (so to speak!). ISACA members can purchase the book for $35, non-members for $70.

Questions? Topics?

Have a topic I should discuss on the CWIowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!

How about this throwback from the year I graduated with a double major in Math & Computer Science?

 All dressed up for a Valentine's Party (if I remember correctly!)
'Tis the season for love and passion (Valentine's Day is just around the corner!). What a perfect time to dote on the organizations and individuals helping to advance data security and privacy awareness. This past month has reminded me there are so many passionate advocates who join me in this quest. 

Keep up the great (and important) work, everyone!

Rebecca Herold
The Privacy Professor

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®

NOTE: Permission for excerpts does not extend to images, some of which are my own personal photos. If you want to use them, contact me.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
