Why Are You Getting This?
You signed up to receive the Tips or initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) and consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.
Happy Data Privacy Day...Week...Month!
January 28th is Data Privacy Day throughout the world. In the US, the National Cybersecurity Alliance (NCA) decided that, starting in 2023, it would expand the observance from the established day, January 28, to a recognized week. However, many states, countries, and cities still commemorate a day instead of a full week. Here is our Iowa proclamation from 2023:
This month we answer 7 questions that cover a wide range of topics. Plus, we provide suggestions for fun awareness-raising activities that align with Data Privacy Day on January 28, and just as nicely with a Data Privacy Week for the end of January.
In honor of Data Privacy Day, we have started posting short, two-minute videos to our Privacy & Security Brainiacs website, YouTube channel, and LinkedIn page. Please let us know your feedback!
Do you have stories, examples, or concerns about the topics covered in this issue that you would like us to provide feedback on? Send them over! We may discuss them in an upcoming Tips.
We hope you are finding all this information valuable. Let us know! We always welcome your feedback and questions.
January Tips of the Month
- Monthly Awareness Activity
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons*
- Privacy and Security News
- Where to Find the Privacy Professor
Monthly Awareness Activity
Data Privacy Day began in the United States and Canada in January of 2008 as an extension of Data Protection Day in Europe. We celebrated with some blog posts in 2008 and 2009. Starting in 2009, each December we have submitted the proclamation request for the upcoming year, starting with the 2010 Iowa Data Privacy Day. This image shows what we included within that proclamation that the Governor agreed to sign!
What do you have planned to do on January 28 for Data Privacy Day? Or are you planning for Data Privacy Week or Data Privacy Month? Don’t know yet? Here are a few ideas to get your brainstorming started, including some of the activities we’ve done throughout the years.
- Wheel of Security and Privacy Fortune: I was responsible for information security and privacy for a large financial company throughout the 1990s. One year we set up a “Wheel of Security and Privacy Fortune” outside the cafeteria for International Computer Security Day. As people entered or left, they would spin this huge wheel and answer a question on the topic the clicker-pointer landed on. The questions incorporated the requirements of our information security and privacy policies and presented them in a way that related to work responsibilities and daily business activities. They were of varying degrees of difficulty, and we gave prizes of different sizes for correct answers, from candy-wrapped mints with a picture of our information security mascot on them all the way up to a gift certificate to the cafeteria for a full meal. This was a great success and was well received. We were able to establish some metrics, based on participation and the percentage of correct answers, for how aware our personnel were of the various information security and privacy topics.
- Holding an Information Security and Privacy Contest: For a different awareness event in the 1990s, I worked with the lead corporate artist, describing a large number of security and privacy risks common within a business environment. I then asked him to take those risks and visually incorporate them into a poster showing a three-story building, the side of which was cut away so that you could see all the workers and their work areas inside, plus the streets, grounds and parking area around the building. I sent the poster to each business department throughout our worldwide locations (around 130 to 140 of them). Each department team had a week to document a list of each of the privacy and security risks they found in the poster and send it back to me. I gave a prize to the team that correctly identified the most infractions: a pizza party during lunch for all their team members, recognition in the company magazine, and a photo of the winning team, along with their names and department. There was a fantastic response; approximately 93% of the business departments participated. If you want to see more about this event, and my measurable positive results, you can read about it here. Send us a message if you want information about how to get a kit to do this type of event at your own organization.
- Helping Employees Protect Their Own Information: One of my large healthcare insurance clients brings me into their facilities once a quarter, and I give a 30-minute talk on a topic four or five times throughout the day, so employees can attend at a time that works best for them. I talk about how employees can protect their own personal information in specific situations. For example, one quarter I explained the risks of wireless home networks and how to secure them. Another quarter I talked about common causes of identity theft and how to protect against them. At the end of each talk, the information security officer and/or privacy officer speaks for around 5 minutes, pointing out how the actions I described relate to the organization’s own information security and privacy policies, and directing employees to the specific related policies. We then leave around 10 minutes for questions. There are always great questions, related directly to the employees’ own experiences and personal lives. You can do something similar to effectively raise privacy awareness within your organization. Get in touch and we can provide you with more information about this type of event.
- Regularly Providing Publications that Show Real-life Examples: Personnel love to learn about the information security incidents and privacy breaches that have happened in real life, and there is no shortage of examples, with incidents and breaches reported almost daily. Describing the controls and protections that would have prevented each incident or breach is extremely useful to readers and raises their level of awareness. We provide many awareness-raising e-books, infographics, documents and videos (free and paid) at our Privacy & Security Brainiacs site.
- Ask Your Governor to Officially Declare DPD for Your State: In 2023, for the 14th consecutive year, we were successful in working with the Governor of Iowa to obtain an official proclamation of Iowa Data Privacy Day! We included an image of that proclamation at the top of these Tips. Each year we have submitted the request in December; the Governor's office requires the request to be submitted 4 to 8 weeks before the official proclaimed day. Last year we found out the week before Data Privacy Day that the proclamation was accepted again. We have not yet learned whether our request for 2024 will be accepted for the 15th consecutive year. This year we included mention of a few timely topics, including AI, tracking pixels, and health data. We will be celebrating here in Iowa, alongside those of you in other states and across the globe for International Data Privacy Day, during the week leading up to, and including, Sunday, January 28. Consider asking your governor to make a similar proclamation for your state or country.
- We once more updated our “Privacy and Security Gifts” guide; you can see it here. Give some of these to co-workers, family or friends who are demonstrating a high level of awareness, or to those you would like to help become more aware of privacy risks and the tools that can mitigate those risks.
- I included a list of 250 awareness activities in my book, Managing an Information Security and Privacy Awareness and Training Program. Check it out for many, many more ideas.
Please let us know what you did for this day, week or month.
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
January 2024
We continue to receive a wide variety of questions about security and privacy. We also are still receiving many questions about HIPAA and personal health data. Thank you for sending them in! We’ve included seven of the many questions we’ve received here and will answer the others elsewhere, or in upcoming Tips. Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!
Q: If I'm going to sleep or nap in an airport, what's the best way to prevent my stuff (laptop, backpack, luggage, etc.) from being stolen?
A: I’ve traveled often throughout my career, with many overnight flights and layovers in airports where all the merchants are closed in the wee hours of the night and morning. Here are a few good tactics that protect not only your valuables while napping, but also your safety.
- Some airports offer locking sleeping pods where you can securely get some quality sleep without worrying about safety. These vary greatly in how they look and where they are located. Some are within the primary foot-traffic areas of the terminals; others are in more isolated locations. Most provide privacy screens or enclosures to keep others from seeing inside the pod, as well as a locking compartment for your luggage. Some allow a few minutes for free, while others cost quite a bit. Many find peace of mind, and more peaceful sleep, within these types of secured spaces. See some examples in this November 2023 article, “U.S. Airports with Sleep Pods — Catch Some Z’s on the Go!”
- If you don’t want to, or cannot, pay for a sleep pod, then take multiple actions to protect your privacy, safety and valuables. A few of these include:
- Find a location with surveillance cameras in an area where airport workers will be present, and ideally close to the airport security offices or police stations.
- Tether your carry-on luggage, backpack, etc. to the bolted-down chair or bench where you plan to get a few moments of sleep.
- Put a digital tracker in each of your bags, and carry one on yourself, such as in a pocket. In addition to having access to the tracker app yourself, make sure someone you wholly trust also has access to the data from these trackers.
You can see a wide range of security and privacy travel tools in our updated (now with 42 types of items), “Privacy and Security Gifts” list.
Source: Stitch.net home page, December 26, 2023
Q: I live in a retirement community, and our management sends us your monthly Tips. They are always so interesting. I learn so much! Several in the community are thinking about joining Stitch (stitch.net). After 50 you can never have too many friends! You taught us to always check the privacy notices on websites. It took us a while to find one for this new social media site; that was a red flag for us. Can you take a look and let us know of any other red flags you see? Thank you! Sincerely, Ike and community friends.
A: Stitch is described on their site as a “companionship” social media site where people can find friends, events to attend with others, social connections, and a wide range of other benefits to generally fight loneliness. It acknowledges that may also occasionally include dating and romance.
We believe a social media site such as this is a great idea! It is good to see Stitch provide some information about the safety of their members. However, the privacy notice they provide is hard to find and does not offer many privacy or data protection assurances. Indeed, it seems to dismiss the importance of their legal data protection requirements, and of how much their customers value their own privacy, by stating, “Legal Stuff (Does Anyone Ever Read This Section?): We certainly hope you find the rest of Stitch far too interesting to ever contemplate coming here, but just in case you may someday need to do so, our lawyers want you to have access to the following documents.” We will give them the benefit of the doubt that they are trying to be funny. However, given that most of the population has had their personal data stolen from multiple entities that collected or derived their information, it does not lend itself to laughter. They do encourage their website visitors to carefully read their Privacy Policy. However, they indicate that they do NOT consider the following to be “identifying information” (personal data): “your IP address, referring URL, browser, operating system, cookie information, and Internet Service Provider.” These actually are personal data in a wide variety of situations; an IP address, for example, is expressly treated as personal data under the GDPR and the CCPA, and a combination of browser, operating system and cookie values is often enough to single out one visitor. They also state, “we make no representations as to the security or privacy of your information.” These statements are troubling.
Another concern is how they verify new members. Having an existing member vouch for you is usually fine. However, their other, more common, method of verifying members is to collect a photo from applicants. You must take a photo of yourself holding a handwritten copy of a verification code assigned by Stitch, then send the photo to Stitch. They review the photo and say they will verify you, but they do not describe how. All they state on their support page is that, “Stitch will match your image to the photos shown in your photo, and do some extra analysis to check you are a real person in order to verify your account.” This shows that a live person is holding the code; it does not show that the person is who they claim to be. So, what is preventing someone else from stating that they are me? Stitch does not address this issue. They are also using at least one Meta Pixel (the indicator is circled in red in the screenshot of their home page above) to track online activities, which means Facebook, and potentially many other third parties, will know that you are using and/or visiting their website.
Ultimately, we like the concept of their services, and some of their described actions, but they need to do more. We have sent them some free advice for how to improve their security and privacy activities. We encourage you to also do so before signing up to participate in their community. When many organizations hear from enough potential customers, they will often take actions to fulfill at least some of the more common requests they receive.
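For readers who want to check a site for the Meta Pixel themselves, here is an added example (not code from Stitch, and not part of the original Tips) that scans a page's HTML source for the three places the pixel normally shows up: the fbevents.js loader from connect.facebook.net, the inline fbq('init', '<pixel id>') call, and the noscript image beacon fetched from facebook.com/tr. The two HTML snippets are constructed for the example and the 15-digit pixel ID in them is made up; to check a real site, save its page source (View Source in the browser) and pass the text to find_meta_pixel().

```python
import re
from html.parser import HTMLParser

# Fingerprints of the Meta (Facebook) Pixel as it appears in page source:
#  - the loader script connect.facebook.net/<locale>/fbevents.js, either as a
#    <script src> or as the URL handed to the inline bootstrap function
#  - the inline call fbq('init', '<pixel id>') that names the advertiser account
#  - the <noscript> fallback: a 1x1 <img> fetched from facebook.com/tr?id=<id>
FBEVENTS_RE = re.compile(r"connect\.facebook\.net/[A-Za-z_]+/fbevents\.js")
FBQ_INIT_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")
TR_IMG_RE = re.compile(r"""facebook\.com/tr\?(?:[^\s"']*&)?id=(\d+)""")


class _PixelScanner(HTMLParser):
    """Collect <script src> values, inline script bodies and <img src> values."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.inline_scripts = []
        self.img_srcs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script bodies through as raw text
        if self._in_script:
            self.inline_scripts.append(data)


def find_meta_pixel(html: str) -> dict:
    """Report whether the Meta Pixel is present in `html` and which pixel IDs appear."""
    scanner = _PixelScanner()
    scanner.feed(html)
    evidence, ids = [], set()
    for src in scanner.script_srcs:
        if FBEVENTS_RE.search(src):
            evidence.append(f"<script src> loads {src}")
    for body in scanner.inline_scripts:
        if FBEVENTS_RE.search(body):
            evidence.append("inline bootstrap loads fbevents.js")
        for pixel_id in FBQ_INIT_RE.findall(body):
            ids.add(pixel_id)
            evidence.append(f"fbq('init', '{pixel_id}')")
    for src in scanner.img_srcs:
        m = TR_IMG_RE.search(src)
        if m:
            ids.add(m.group(1))
            evidence.append(f"<noscript> image beacon {src}")
    return {"present": bool(evidence), "pixel_ids": sorted(ids), "evidence": evidence}


# Constructed sample pages (not real site source); the pixel ID is made up.
PAGE_WITH_PIXEL = """<html><head><title>Example</title>
<script>
!function(f,b,e,v,n,t,s){/* loader body elided for the example */}
(window, document, 'script', 'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '123456789012345');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=123456789012345&ev=PageView"/></noscript>
</head><body><p>Welcome</p></body></html>"""

PAGE_CLEAN = """<html><head><title>Example</title>
<script src="/static/app.js"></script>
<script>window.appConfig = {theme: "light"};</script>
</head><body><img src="/static/logo.png" alt="logo"></body></html>"""

if __name__ == "__main__":
    for name, page in (("with pixel", PAGE_WITH_PIXEL), ("clean", PAGE_CLEAN)):
        print(name, find_meta_pixel(page))
```

The scan reads static source only, so a pixel injected later by a tag manager will not show up here; for that, watch the browser's network panel for requests to facebook.com/tr while you use the site.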
Artist: Ada Ruiz, Baltimore - Maryland – USA
Q: What are some ways to prevent being a victim of a caller spoofing someone legitimate?
A: These are becoming harder to spot as technology advances, and as artificial intelligence (AI) tools are able to audibly sound just like the legitimate person they are claiming to be. It makes it very important for you (and your family, friends and customers) to keep awareness high.
We have posted a significantly expanded answer for this question on our Privacy & Security Brainiacs blog. You can read it here.
Do you have more suggestions to add to our list in the blog post? Let us know!
In December 2019, the US Government Accountability Office (GAO) put together an informative report, “Fake Caller ID Scheme: Information on Federal Agencies’ Efforts to Enforce Laws, Educate the Public, and Support Technical Initiatives.” See it for additional tips, stats and information.
Q: How is AI being used within social engineering tactics?
A: Social engineering involves manipulating individuals, often by exploiting their trust or naivety, into divulging sensitive information, such as login credentials or financial data.
AI is going to be used much more frequently, and in new and unexpected ways, to not only launch social engineering attacks, but also to facilitate many new types of cyberattacks. In addition to research I’ve done in this area, one of our Privacy & Security Brainiacs team members, Noah Herold, has also done research for how AI is being used for social engineering and other cybercrime tactics.
Criminals do not need much clean audio to train AI to create a realistic voice model. Less than an hour is enough for most current models, and the amount needed keeps shrinking as the models used to impersonate voices become more powerful. Criminals can use published audio, such as podcasts, videos, and audible news reports, to train AI to impersonate specific individuals and then initiate scams in their voice.
It is now also possible to use AI to transform a caller’s voice in near real time, rather than just playing back pre-generated sound bites from a script.
Specific to social engineering tactics, Noah and I put together some information for you describing a few ways that criminals have already been using AI. We have posted a significantly expanded answer for this question on our Privacy & Security Brainiacs blog. You can read it here.
Q: We have a medium-sized hospital, with seven clinics, telehealth and mobile (including home visits) healthcare services. Different vendors are giving us conflicting information about the requirements for HIPAA physical safeguards. Some vendors have told us that physical safeguards only apply to using locks and cameras on our hospital building. Others said other things. Can you help us understand what HIPAA actually requires to meet their physical safeguard requirements?
A: Under the HIPAA Security Rule (45 CFR 164.310), physical safeguards apply to four areas, throughout the full lifecycle of electronic protected health information (ePHI): from collection or creation, through every location where the ePHI is accessed and stored, to the point where it is destroyed, including within all the environments of your business associates (BAs):
1) Facility access controls.
a. Contingency operations.
b. Facility security plan.
c. Access control and validation procedures.
d. Maintenance records.
2) Workstation use.
3) Workstation security.
4) Device and media controls.
a. Disposal.
b. Media re-use.
c. Accountability.
d. Data backup and storage.
Each HIPAA covered entity (CE) and business associate (BA) must implement the physical safeguards that are appropriate for its own environments. None of these areas is limited to the hospital building itself: a laptop used on a home visit, a telehealth workstation in a clinic, and a retired tablet awaiting disposal are all subject to the workstation security and device and media control requirements.
We have posted a significantly expanded answer for this question on our Privacy & Security Brainiacs blog. You can read it here.
Q: As a hospital or clinic patient, do I have a right under HIPAA to obtain from the hospitals and clinics where I’ve received care a list of every person who has viewed my medical records?
A: Patients have a right under the HIPAA Privacy Rule (45 CFR 164.528) to an “accounting of disclosures” from HIPAA covered entities (CEs), which include healthcare providers such as hospitals and clinics.
An accounting of disclosures is a list of the disclosures of the requesting individual’s PHI that the covered entity (or its business associates) made to parties outside the covered entity in the six years prior to the date of the request. For each disclosure it gives the date, the recipient, a brief description of what was disclosed, and the purpose.
Several types of disclosures are exempt from the accounting, such as those made to carry out treatment, payment, or health care operations (TPO); those made to the individual patient; those incidental to a use or disclosure that is otherwise permitted; those made pursuant to the patient’s authorization; those made for the facility's directory, or to persons involved in the individual's care, or for other notification purposes; those made for national security or intelligence purposes; those made to correctional institutions or law enforcement officials having lawful custody of the individual; and those made as part of a limited data set. So, the short answer is no: you won’t receive a list of every person who has viewed your medical records, because the accounting will not show those involved in providing your TPO, nor those who fall within the other exemptions. However, you would see everyone else who was given access to, or a copy of, your medical records containing your PHI.
On November 28, 2022, the US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to revise the Confidentiality of Substance Use Disorder Patient Records (SUDPR) regulations at 42 CFR Part 2. Among other revisions, it would create two additional individual rights for SUDPR, aligning them with the HIPAA Privacy Rule, that are not currently provided:
- Right to an accounting of disclosures of SUDPR
- Right to request restrictions on disclosures of SUDPR for TPO
We are keeping an eye on this, and other NPRMs, and will report in an upcoming Tips issue if and when any of the current HIPAA NPRM changes are implemented.
Q: I saw a short segment on QR code scams on the morning news. I want to know more! Can you provide more information about preventing being the victim of a QR code scam?
A: A quick response code, QR code for short, is a square image that can be scanned with a mobile phone or other computing device, usually by just pointing the device’s camera at it. The image encodes data, most often a web address, that the scanning app then acts on, such as sending the user to a specific website or payment portal, joining a Wi-Fi network, or composing a message.
The FBI started receiving reports in 2022 of people falling victim to QR code scams, including many who had lost money. Frauds involving cryptocurrency were increasing particularly quickly. Crypto transactions are often made through QR codes associated with crypto accounts, which makes these accounts favorite targets of cybercrooks.
Cybercrooks are also using QR codes and gift cards together. For example, a cybercrook calls and says they are going to send a QR code to your phone so you can receive a free $100 gift card. However, the QR code the cybercrook actually sends may take the targeted victim to a malicious website.
Here are some ways to prevent being a victim of a QR code scam:
- Do not scan a randomly found QR code.
- Be suspicious if the site asks for a password or login info after scanning a QR code.
- Do not scan QR codes received in emails or text messages unless you know they are legitimate. Call the purported sender to confirm.
- Some scammers are physically pasting bogus codes over legitimate ones, such as on gift cards. If it looks as though a code has been tampered with, do not use it. This also applies to legitimate ads you pick up in a store within a magazine or newspaper, or get in the postal mail.
- Use a QR scanner or mobile security app that shows you the decoded link, and ideally checks its reputation, before opening it.
If you are the victim of a QR code scam or any other online fraud, you should report the incident to the US FBI’s Internet Crime Complaint Center at www.ic3.gov and/or make a report to Interpol, and/or report the crime to your state’s and/or country’s internet crime bureau.
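Most scanner apps show the decoded payload before acting on it, and that pause is where the checks above are applied. The following added example (not code from the original Tips or from any scanner vendor) triages a decoded payload the way a careful reader would: it flags payloads that trigger an action rather than open a page (Wi-Fi join, call, text, crypto payment), plain http links, the user@host lookalike trick, bare IP hosts, punycode labels, URL shorteners, odd ports, and a host that does not match the domain printed on the sign. The sample payloads, the short shortener list and the parkpay.example domain are all constructed for the example.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Hosts that hide the real destination behind a redirect. Partial list, assumed
# for this example; extend it for your own environment.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly",
                  "is.gd", "buff.ly", "rb.gy", "cutt.ly", "qrco.de"}

# Payload schemes that make the phone do something other than open a web page.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "wifi", "bitcoin",
                  "ethereum", "geo", "market", "intent"}


def _result(findings, host):
    return {"verdict": "suspicious" if findings else "ok",
            "host": host, "findings": findings}


def triage_qr_payload(payload: str, expected_domain: Optional[str] = None) -> dict:
    """Return a verdict and the reasons behind it for a decoded QR payload.

    `payload` is the text a scanner app shows before it acts on the code.
    `expected_domain` is the domain you were told the code points to (for
    example the one printed on the parking sign); None skips that check.
    """
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme in ACTION_SCHEMES:
        findings.append(f"'{scheme}:' payload triggers an action (call, message, "
                        "Wi-Fi join, payment), not a web page")
        return _result(findings, None)
    if scheme not in ("http", "https"):
        findings.append("no http/https scheme; do not let the scanner guess what to do")
        return _result(findings, None)

    host = (parts.hostname or "").lower()
    if not host:
        findings.append("URL has no host")
        return _result(findings, None)

    if scheme == "http":
        findings.append("plain http: the page and anything you type on it travel unencrypted")
    if parts.username is not None:
        # https://bank.example@evil.example/ -- the text before '@' is ignored
        findings.append(f"'{parts.username}@' before the real host {host}: lookalike trick")
    try:
        ipaddress.ip_address(host)
        findings.append(f"host is a bare IP address ({host}) rather than a domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host: may be a homoglyph of a familiar domain")
    try:
        port = parts.port
    except ValueError:
        port = None
        findings.append("malformed port in URL")
    if port not in (None, 80, 443):
        findings.append(f"non-standard port {port}")
    if host in URL_SHORTENERS:
        findings.append(f"{host} is a URL shortener: the destination is hidden until followed")
    if expected_domain:
        exp = expected_domain.lower().lstrip(".")
        if host != exp and not host.endswith("." + exp):
            findings.append(f"host {host} is not {exp} or a subdomain of it")
    return _result(findings, host)


# Constructed payloads; parkpay.example stands in for the operator named on a sign.
SAMPLE_PAYLOADS = {
    "sign, genuine": "https://pay.parkpay.example/lot/1234",
    "sticker over the sign": "https://parkpay.example@198.51.100.7/login",
    "free gift card text": "http://bit.ly/3xAmpLe",
    "poster at the gate": "WIFI:T:WPA;S:Free Airport WiFi;P:hunter2;;",
}

if __name__ == "__main__":
    for label, payload in SAMPLE_PAYLOADS.items():
        print(label, triage_qr_payload(payload, "parkpay.example"))
```

A verdict of "ok" only means none of these red flags is present in the payload itself; it says nothing about what the page does once loaded, so the earlier advice still applies: be suspicious if the site asks for a password or payment details after a scan.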
Artist: Emmanuelle Elizabeth, Jakarta - Jakarta - Indonesia
Data Security & Privacy Beacons*
People and Places Making a Difference
We get many suggestions for beacons from our readers and Rebecca’s podcast/radio show listeners; thank you! We include many of them when the suggestion is for a business other than the suggester’s own, typically one the suggester feels deserves recognition for noteworthy data security and privacy actions. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We do try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.
- Dr. M.E. Kabay, for posting the awareness-raising message below, along with this comment: “Victims will give their payment information to criminals. NEVER USE A PHONE NUMBER FROM AN EMAIL to contact a company that you use. Use the number you already have on file (e.g., on the back of your credit card if it's supposedly a message from the credit-card company). Check your account YOURSELF using the usual link, not the one in the email message.” Do you know of anyone who has also publicly posted useful information to their social media account? Let us know!
Source: Dr. M.E. Kabay Facebook page, https://www.facebook.com/photo/?fbid=6788240301257074&set=a.293104694104033
- The Federal Trade Commission (FTC), for finally taking action to update COPPA. The COPPA Rule has not been updated since 2012. The FTC received over 176,000 comments in response to its call for comments on updating the COPPA Rule.
- Kathir Kalyanaraman, a teen in Johnston, Iowa, for his great work in creating TechGift.Org. As this Des Moines Register article describes, Kathir “refurbishes electronic devices back to working order, devices that are destined to be used by organizations that work with people in need, especially among immigrant and refugee communities in Iowa.” We contacted Kathir, and he confirmed that he ensures all data is removed from the refurbished devices before they are passed on. Kudos to you, Kathir, for having the awareness to do this!
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight a noteworthy example of privacy-aware practices.
Privacy & Security News
Visit the PSB News Page often!
Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other helpful information on our site. Our goal is to post 3-4 times a week. We’d also love to see your comments and thoughts on our posts.
Check It Out!
We have received excellent feedback on our course, “HIPAA Basics for Business Associates 2023 Edition.” Our course includes more direct-experience insights, examples, guidance, supporting supplemental materials, and more meaningful course quizzes and associated certificates of completion than other vendors’ courses. Similar statements have been made about our “HIPAA Basics for Covered Entities 2023 Edition” course. Both courses include real-life experiences and many supplemental materials, which we update as changes occur, so our clients and learners can use their Privacy and Security Brainiacs portals not only for learning but also to keep up with regulatory changes, and even to store their organizations’ security and privacy policies. Please check them out. If you haven’t yet completed your annual HIPAA training, now is a good time!
Students of each Master Experts “Online Education” course receive certificates of completion showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class and much, much more. We have received rave reviews for Dr. Kabay’s Secure Coding course. Have questions about our education offerings? Contact us!
Where to Find the Privacy Professor
Something New!
To make some time for several new courses, I am pausing my podcasts until May 2024. However, I have been asked to continue with some type of online communication. We have now started creating short "2-minute warning" videos about various security and privacy topics that we will post to our website, LinkedIn, Facebook, and our YouTube channel; see the first one here.
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:
Source: Rebecca Herold. January 2024 Privacy Professor Tips
www.privacysecuritybrainiacs.com.
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Information
You are receiving this Privacy Professor Tips message as a result of:
1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or
2) making a request directly to Rebecca Herold or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.