Celebrating Data Privacy Day All Month Long

Although International Data Privacy Day is recognized on Jan. 28, that's no reason to wait. We like to celebrate all month long! It's a fantastic way to raise consumer awareness, and it gives companies a perfect excuse to move data security and privacy projects forward. 

For the past 11 years, I've been honored to work with the Iowa governor's office to have Jan. 28 proclaimed Iowa Data Privacy Day. We've been successful at securing the proclamation through three different top legislators and two political parties. It's been a privilege, and I'm very grateful to the individuals who have taken an interest in continuing this important tradition. 

A lot has changed since Data Privacy Day was first founded in 2007. Notably, the number of industries impacted by data security and privacy issues has grown dramatically. Whereas Healthcare and Big Tech were once the chief industries impacted, it's now hard to think of an industry NOT affected. From travel and entertainment to agriculture, there isn't a single sector that doesn't need to pay attention to the data security and privacy of its customers, employees, partners and others. 

Read on for a sampling of impacted industries. Hopefully, it gives you an idea of the breadth and depth of the data security and privacy issues facing our society today.

I've included more of my photos from the Luxembourg trip.
Pictured here is one of the large collection of vineyards that fill much of the Luxembourg countryside.
Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

Firefox Monitor is offering free data breach monitoring to Firefox account holders. A Firefox browser is not required to sign up for an account, and answers to FAQs are available without an account. Firefox checks for public data breaches and alerts users of any incidents including their email addresses dating back to 2007. The service also provides helpful tips to mitigate risk and shares best-practice precautions, such as changing passwords for affected accounts and being diligent about not reusing passwords.

The Iowa Clinic recently distributed an email clearly stating its patients' privacy rights, as well as instructions on how to opt-out of third-party communication. It's a very clean, simple example of how to properly inform stakeholders of updated terms and conditions. Shoot me an email if you'd like me to forward the Iowa Clinic's recent communication to you.  

Princeton IoT Inspector automatically discovers Internet of Things (IoT) devices and analyzes their network traffic. This helps users identify any security and privacy issues that may exist within the devices. It presents the results in a user-friendly way with graphs and tables. Tools like this, which require minimal technical skills and no special hardware, are fantastic for increasing consumer awareness. They also place a healthy pressure on tech developers and providers to build security and privacy controls into their devices before making them available to the public.

The Tor Browser is a product I've been a fan of for many years. Users all over the world rely on the browser to protect large amounts of personal data while they are online. The diverse group of people behind Tor are united by a common belief: internet users should have private access to an uncensored web. They are working hard to protect all people from the rampant tracking, surveillance and censorship that happens when various entities siphon our personal and behavior data as we engage with websites through traditional browsers. NOTE: I interview the former top executive of the Tor Project in my January 2020 VoiceAmerica show!

With the product PRIVACY4CARS, users can delete data gathered by connected vehicles. While I've not yet tried the service, I'm including it here as something readers may be interested in. If any of you have tried it, I'd love to hear about your experience. Does it work as advertised? 

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). They simply highlight a noteworthy example that is, in most cases, worth emulating.
My rough translation:
"The City of Remich Welcomes You
She had this place arranged for you
to look at the installations and plantations
Thank you"
Talking Tech
Rampant risks rage within the technology industry

An industry commonly associated with security risk, Big Tech will continue to be impacted by data security and privacy issues. In fact, two new tech-related vulnerabilities have just cropped up:

Password Hardware Presents Problems

Many people rely on hardware-based password managers because the solutions feel safer. While that may be true in some cases, the hardware is not entirely without risk. A well-engineered and fully-tested hardware-based password manager is certainly a better alternative to writing passwords on sticky notes and stuffing them in an unlocked desk drawer or sticking them on your computer screen. However, you should consider that if the device is lost, stolen or destroyed, your password data is, too.

Unfortunately, users view these devices as "hacker proof" because they're not connected to the internet. Yet, researchers report some hardware-based password managers have poor security. Passwords saved on these devices could be read directly from their flash memory chips, even after the device has been reset.

Innovations in password management have led many people to use online password managers. Your best bet for protecting your data with this type of program is to close it down completely when not in use and set up two-factor authentication, as this Forbes article advises.

New Flaws in Smartphone Apps Revealed

Another especially disturbing report affects a nearly ubiquitous tech gadget, the smartphone. New vulnerabilities discovered in Android apps stem from app developers who pull malicious or flawed code into their apps from third-party code libraries.

It's important we not assume iPhone apps are in the clear. Flaws in the app code can be replicated over and over again. This is why we see issues from years ago continuing to victimize users across different devices and systems. Although patches and fixes are continually implemented, there are no guarantees an app isn't compromised. It helps to regularly update your apps, but that's not foolproof either.

As more issues with Big Tech products and solutions crop up, the responsibility for protecting users falls on many, including users themselves. Before you plug in those new holiday gifts, do your homework. Read reviews and privacy policies. If you have questions, ask the providers. Consider it a red flag if they do not respond.

Vianden Castle, located in the northern part of Luxembourg, is one of the largest fortified castles west of the Rhine, with origins dating from the 10th century.
Retail Secrets
Consumer scores lead to different experiences for different people

Not many consumers knew of their "secret consumer score" before news of the rankings was revealed in a recent New York Times article.

The story built on the fact that companies like Airbnb and OkCupid share customer data with third-party companies to protect against fraud. The third parties are asked to sift through the personal information and assign a score to each customer.

The score is typically used to detect things like false or stolen identities. This information, in itself, was not surprising. What was, however, is the fact these scores are used for even more than fraud detection, such as the level of attention a customer might receive from a call center representative. 

What's the big deal, you might ask. Why shouldn't suspected fraudsters be treated differently?

Well, that's just the thing -- the score is based on suspicion alone. The algorithms that underpin scores like this can be biased, and even broken. 

It's unclear how fraud scores are determined. Even more disturbing, there is no telling how many other ways the score could be used against consumers.

With the increased attention consumer privacy rights are getting from lawmakers (e.g., GDPR, CCPA), the secret consumer score may not stay secret for very much longer. In fact, according to the NY Times journalist who reported the story, there are already steps you can take to request your own score.

It should be noted that the reporter who attempted to follow those steps did not have much luck getting the complete information she requested. You might want to give it a try yourself. If you do, please share your experience with me, as this is a story I'll be following closely in 2020. 

Are secret consumer scores being used against us? Who knows. But, the more questions we ask, the more answers companies may be compelled to provide.

A closer view of one of the Vianden Castle towers. I loved exploring this fascinating part of history!

Fake websites create very real problems 

The financial sector has long been subjected to data security and privacy issues. The highly sensitive information contained within the servers and cloud platforms of even small financial institutions is the golden goose for cyber criminals. Add increasingly sophisticated attack models to the wealth of data, and you can see why the industry is such a high-priority target for crooks. 

The real trouble for banks and other financial services entities is they are often liable for the mistakes of their customers. 

Take the recent trend of fake websites, for example. Data thieves trick unsuspecting online shoppers into thinking they're being routed to an authorized payment processor. Instead, it's a site that secretly steals payment card information.

How do the cyber crooks do it? They simply add a few lines of code and graphics that mimic legitimate payment processing sites. Subtle hints as to the sites' illegitimacy are practically indecipherable even to the most discerning online shopper. Below is a comparison** of the real and fake sites. As you can tell, the URL is about the only give-away, and even that doesn't look all that unusual...

Scams like this put us on high alert. They can even make us skeptical of every site. That isn't necessarily a bad thing, though. Heightened due diligence, especially when entering payment information or any other personal data, is absolutely called for in this day and age.

That's why I'm so passionate about sharing this kind of information with my readers. It's my hope that by offering up information and tips, you'll develop hyper awareness... essentially the only weapon strong enough to slow the spread of consumer cyber attacks. 

**The comparison image above comes from Malwarebytes via Ars Technica.

A medieval bridge in an ancient forest where a hiking trail passes through in the Mullerthal Region - Luxembourg's Little Switzerland

Healthcare Problems
Thanks in no small part to the unfortunate fact that medical practice owners regularly pay the ransom demanded by cyber crooks for stolen data, ransomware attacks continue to proliferate in the healthcare community.

As of this fall, these attacks had already climbed 60 percent year over year. According to Tech Genix, about 65 percent of companies facing ransomware pay the requested amount.

Cybersecurity directly impacts patient health

Around the Thanksgiving holiday, Great Plains Health medical center in the Midwest U.S. was locked down by a ransomware attack that forced the cancellation of a large number of patient appointments and procedures. This demonstrates that ransomware is not just a data-access problem; it goes beyond the digital with potentially serious repercussions on human health and lives.

Awareness of stolen-data ransomware attacks growing

Some ransomware attackers are stealing data first, then encrypting it and demanding payment to remove the encryption. 

Historically, ransomware attacks simply blocked a victim's access to their own data. Early ransomware attacks were not known to have involved data theft. I've warned of ransomware-related data theft for many years. Thankfully, awareness is growing.

In these circumstances, victims pay the ransom and believe their troubles are over. In fact, they are just beginning. In at least one case, the crooks took the stolen data and published it -- 700 MB worth of patient files.

How to deal with a ransomware attack

There are good bits of advice out there about how to react if hacked. This includes things like:
But... the most effective action you can take to prevent fallout from ransomware comes before the attack: practice good data hygiene. This includes things like:
  • Creating and following a consistent procedure for frequently backing up your files.
  • Developing a process for deleting data after a certain amount of time. (Many data protection laws and regulations require this.)
  • Having a written policy and procedure for how to deal with ransomware and other hacks.  
Exhibit showing the old way wine was bottled in the underground wine caves in Caves St Martin, in the Remich region.
Fueling the Fire
Skimming artists set sights on gas stations, hotels
Travelers are a frequent target of cyber criminals. Out of their element, visitors to new locations are less likely to spot something unusual -- like a gas station skimming device. 

In a similar fashion, crooks count on travelers to spend more freely than they would in their everyday lives. And so, they have pointed their point-of-sale (POS) malware in the direction of hotel restaurants, bars, gift shops and convenience pantries.

A steady uptick in skimming incidents within both fuel and hospitality environments recently prompted Visa to send out a warning:

The activity [involves] continued targeting of POS systems, as well as targeted interest in compromising fuel dispenser merchants to obtain [payment card] data.

'Well beyond amateur card skimming'

In its reporting of recent fuel and hospitality POS attacks, SecureWorld called the attacks "well beyond the amateur card skimming attacks we've heard about in years past." 

What's the difference?

This time around, skimming scammers are finding their way to the POS through the breached company's network. Rather than place a physical skimming device on a gas pump or a gift shop payment terminal, the hackers enter through the back door and "move laterally within the network to the POS environment."

Visa believes a sophisticated hacking group known as FIN8 is behind the attacks, which may signal that we are at the beginning of a very large wave of POS network assaults. Be very mindful of this as you travel. Although there isn't much you can do to spot a "behind the scenes" attack, you can keep a close watch on your financial accounts as you travel.

RELATED: Watch out for the growing use of USB charger skimmers. (Remember that inexpensive tech gift I suggested in the December Tips? It will guard against these data-stealing tactics.)

Analysis of Internet Crime Complaint Center data found Arizona had the highest average monetary losses per cyber crime victim. Any theories about Arizona that may have contributed to this outcome?

Per the infographic produced around the analysis, the losses are specific to individuals impacted after a company holding their data experienced an email compromise.

I have a few ideas about why Arizona may have scored so high:

Ambulatory health care services, an industry with a vast amount of health data, is Arizona's largest GDP industry. Health data can be used for a wide range of both traditional and identity crimes. Some of the most profitable cyber crimes involve the selling of hacked health data on the dark web. That's because health data is generally the most valuable, giving the cyber crooks higher returns than the run-of-the-mill data. Worse, attempting to clean up the fallout from a health data breach is complex and often costly for victims.  

Arizona also has a large senior and retired population. While some seniors are technically astute, others more easily fall victim to phishing and other types of social media scams that involve large amounts of money.

Interestingly, Massachusetts scored the next highest on the list. A large portion of folks in the U.S. have health insurance from companies based in Massachusetts. An email compromise of a major insurer would lead to a wide range of exposed health data.

Another large business sector in Arizona (and Idaho, which also scored high on the list) is agriculture. Data in this space often includes farmers' activities, inputs/outputs to their livestock and crops and data related to commodities investments and related activities. Cyber crooks can accomplish a lot with such data.

Funding of cybersecurity programs also plays a big role here.  Healthcare, agriculture, transportation, utilities and education (with the general exception of universities with strong cybersecurity programs, such as in Iowa, where the costs per victim were much lower) are generally underfunded when it comes to information security practices. So it's possible breaches in Arizona, Massachusetts and Idaho were not identified for many days, weeks, months or even years after the initial intrusion occurred. The longer a breach goes undetected, the more damage victims may experience. 
Great question... I hope this information helps!  

Some of the old wine barrels in the underground wine caves in Caves St Martin, in the Remich region.
Where to Find the Privacy Professor

On the road...

I just love speaking, hosting and teaching courses all over the world... in places just like Luxembourg! 

If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get in touch. And, if you're going to be in any of the locations below, stop by and say hello.

May 21, 2020: Speaking at the Contact Center Association of the Philippines (CCAP) Privacy Summit. More details to come!

On the air...

I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network.

Here are my newest shows:
Do you have an information security, privacy or other IT expert or luminary you'd like to hear interviewed on the show? Or, a specific topic you'd like to learn more about? Please let me know!

I'd also love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm, iHeart Radio and similar apps and sites. 

Some of the many topics we've addressed... 
  • student privacy
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings in three of the four weeks' shows each month. If your organization wants to sponsor one show each month, I will cover topics related to your organization's business services and/or products.

In the news... 

Advertising Now Available!

Tips of the Month is now open to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps.

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

A medieval knight's suit of armor in Vianden Castle
Just like this steady sentinel keeping watch over the castle, lawmakers around the world are stepping up their efforts to better protect their people during the digital revolution. We celebrate this movement and others throughout the entire month of January and especially on...

International Data Privacy Day, Jan. 28, 2020.

Please join us in the celebration... and send me a note if you do. I always like to hear how people are marking the momentous day. 

Have a wonderful month of data security and privacy awareness!

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. January 2020 Privacy Professor Tips. www.privacyprofessor.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564