Why Are You Getting This?



You signed up to receive the Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB), or consented to receive the Tips. Please read our Privacy Notice & Communication Information at the bottom of this message for more information. You may unsubscribe from there as well.

Start the New Year Smarter and Safer!

The “Holiday” We All Need to Know



Data Privacy Day began in the U.S. and Canada in January 2008. It is an extension of Data Protection Day in Europe, which commemorates the January 28, 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. 


That day expanded into International Data Privacy Day, and in 2021 the National Cybersecurity Alliance (NCA) expanded Data Privacy Day into Data Privacy Week. Many people and organizations now recognize all 31 days of January as International Data Privacy Month.


Of course, we believe every day should be Data Privacy Day year round!


Starting in 2011, I’ve submitted annual proclamation requests to the Iowa Governor. This has lasted through three different governors in two different political parties. 


My proclamation requests have always been granted.


I update the proclamation language every year, to reflect changing privacy issues and concerns. As of this publication, I have not yet heard back from the Governor’s office with confirmation that the 2023 proclamation has been approved. If it is, it will be the 13th year in a row. (We will let you know in the February issue, and will share the proclamation itself.) 


Consider submitting a proclamation for your state! And, find in this issue other ideas for Data Privacy Day/Week/Month, as well as answers to several questions focused on, or impacting, privacy.

Do you have stories, examples, or concerns about the topics covered in this issue that you would like for us to provide feedback on? Send them over! We may discuss it in an upcoming Tips.


Rebecca


We would love to hear from you!

We hope you are finding all this information valuable. Let us know! We always welcome your feedback. 


Happy New Year! We all wish you a very happy, healthy, privacy-friendly and strong-security 2023!

January Tips of the Month

  • Monthly Awareness Activity
  • Privacy & Security Questions and Tips
  • Data Security & Privacy Beacons*
  • Privacy and Security News
  • Where to Find the Privacy Professor

Monthly Awareness Activity

January 4 is Trivia Day! Raise data and cyber security and privacy awareness through trivia competitions! Engage company teams, friends, family members, and your community. 


Here are a few trivia questions to get you started. And if you read this issue of the Monthly Tips closely, you’ll know the answers! We have also provided the answers at the end.


1. Which of the following statements should be included within a good website privacy policy?

A. How cookies are used

B. How your information is shared with others

C. The types of information collected from you

D. All of the above

E. None of the above


2. What was the largest total financial penalty given to one organization for a violation of HIPAA requirements?

A. $39.5 million

B. $16 million

C. $8.7 million

D. $64.2 million

E. $48.2 million


3. Which of the following is a true statement about Facebook posts?

A. Posting a statement that you do not allow Facebook/Meta to use your posted information will now protect your photos from being distributed by Facebook/Meta.

B. Having your lawyer draft and post on your behalf a statement of your ownership of all content you post will prevent Facebook from using all of the content you post.

C. The Facebook/Meta Terms of Use apply, and allow Facebook/Meta to use and publicly display your photos and other content you've posted on Facebook.

D. Any Facebook user can negate the Facebook/Meta Terms of Use if they post to their timeline that they reject the terms, and use certain legal terminology.

E. If you obtain at least 10 likes to a statement proclaiming your exclusive use of your posted content, then Facebook/Meta cannot use that content for their own purposes.


What other activities do you suggest for Trivia Day? Let’s call it Cybersecurity and Privacy Trivia Day! Are you planning to do my suggested activity, or your own? Or are you doing an awareness event for a different recognized day or week in January? Let us know!

I include a list of 250 security and privacy awareness activities and resources within my book, "Managing an Information Security and Privacy Awareness and Training Program." If you’d like more ideas, check it out.

Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

January 2023

Here are a few questions we’ve received over the past several months about privacy, security, and current trends and products. We've received many! Plus, we received a great question about a "smart" gift. Narrowing them down was tough, but your question may be included in an upcoming issue.


Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!

Q: Jo asks, “Lensa is an app that takes real photos and uses AI to make art images from them. Is it safe? I see a lot of my friends and family members using it. I am leery of giving Lensa my photos. What else are they doing with those photos?”


A: Jo, we like your thinking…and questioning! For the benefit of our readers not familiar with Lensa, it is an app that uses generative artificial intelligence (AI) to analyze existing data to then generate new images. Other AI tools also use generative AI to not only create new images (e.g., Astria AI, Avatar AI, and ProfilePicture.AI), but also text (e.g., ChatGPT), audio, videos, and even computer code. 


Much has been made and lauded about how Lensa does not keep or claim any rights to the original photos provided to them by those using the app. Most people then understandably believe that, if they maintain complete control over their photos when they use the app, they will also control the images created from their photos. This is an incorrect interpretation, and one that could lead to security incidents and privacy harms.


Here are a few considerations:

  • Who owns the generated images? The parent company, Prisma Labs, Inc. owns and controls all images created. Their Terms of Use states, “You grant us consent to use the User Content, regardless of whether it includes an individual’s name, likeness or persona, sufficient to indicate the individual’s identity. You further acknowledge and agree that our use of your User Content will not result in any injury to you or to any person you authorized to act on your behalf.” You are “agreeing” to this, whether you realize it or not, when you use this app.
  • What if someone uploads your photos into the app without your permission? This is critical. No technical controls prevent submitting photos of other people. This creates intellectual property (IP) rights, copyright, and other legal issues. For example, is using generative AI photos of others for marketing purposes acceptable? Other ethical and safety questions and issues arise too. Prisma Labs states, “You may only share the User Content that is non-confidential and you have all necessary rights to disclose.” Plus they include a long list of other statements within Section 6 of their terms of use. Will this prevent others from uploading your photos? How many people actually read the terms of use for apps? Except for us here at PSB, and other privacy pros and lawyers, probably virtually no one. These statements are basically providing a way to try and keep Prisma Labs from being liable for the unauthorized use of individuals’ photos.
  • Many reports indicate that the resulting art images are actually derivatives of existing art. Are the associated artists being compensated in any way? Do they, or their descendants, or the current owners of the images, even know that their original art was being used in this way? We could not find a report substantiating this. So, does this create a liability? Copyright, trademark, or other property rights violations? And how does it impact the associated artists and art owners?
  • These created images may potentially be used for public and law enforcement facial recognition systems. Could these images be used by criminals to put people at the scenes of crimes, to be able to blame others?
  • Images may potentially be used for authentication and access control facial recognition systems, which are becoming more widely used. This was actually our first thought. If we were malicious, this would be the first thing we would be giddy about using to find yet more ways to infiltrate physical facilities, as well as digital networks.


Jo, you are right to be leery…or in this case, wisely risk-averse. So are we. We are not going to use this, or similar apps, until our questions have been resolved to our satisfaction.

Q: I received a pretty “smart” necklace for Hanukkah, made by invisaWear®. If I push a button on the charm twice, the device sends a text to five friends and/or family members to let them know that I need help. The texts include my GPS location. I also get the option to contact 911. Sounds good! But, based on what you’ve been reporting all these years, this sounds privacy-invasive. What tips do you have for me?


A: What a nice-looking necklace, and thoughtful gift! We love products that help improve our safety. However, they also need to do so without requiring the use of our personal information for other purposes, and the devices need to be secure, to prevent unauthorized and unapproved access to, and sharing of, the data of those using the devices, and also information from others nearby.


Many types of “smart” internet-of-things (IoT) wirelessly-connected jewelry have popped up recently. We even answered a question about the Oura Ring, in our August issue. But, is this jewelry, meant to provide safety alerts, privacy-friendly and cyber-secure? 


No blanket answer exists. And indeed, when discussing this question with my communications team, one marketing professional said, “Most people don’t care about privacy! They figure that all their data has already been breached so why worry?”


I get that. I’ve heard this statement thousands of times. However, my passion throughout my career is to help consumers and organizations understand that the impacts on their lives, positive and negative, depend upon the context within which their personal data is used, with whom it is shared, how accurate the data is, how long it is retained, and more. They can then make the best informed choices. 


I performed a high-level security and privacy assessment of the invisaWear necklace by reviewing that business’s website Privacy Policy and Terms of Use. Quite frankly, the information provided on those pages reveals very few security protections within the device itself, or for the data. And the privacy practices as described are also very weak and not aligned with longstanding privacy standards. My original answer to this question was multi-paged, so instead of including it here, please read it in our Privacy & Security Brainiacs blog.


When considering privacy risks, you must consider the context of accessing and using the data that this smart necklace is collecting and sharing with others. The site indicates that the wearer’s real-time GPS location is transmitted, and the security protections indicate that only the stored backup data is encrypted. This reveals the risk that the cleartext GPS transmissions could be accessible, allowing the wearer to be physically located. If someone is traveling alone, and a criminal can locate their victim using GPS, this intended safety-protection jewelry could quickly become a victim-location tool. Many other types of risks are detailed in the blog.


I’ve been an expert witness for cases involving assaults that occurred by criminals monitoring IoT devices on the victims. These situations are increasing. Manufacturers need to strengthen the security and privacy protections within their IoT products to help prevent related crimes, as well as to protect privacy and secure data.


If you want to use the necklace’s capabilities, we encourage you to contact the manufacturer and ask them to strengthen their privacy practices and digital security protections. We’ve spoken to many IoT product manufacturers, and the majority of them tell us that consumers do not tell them that they want privacy protections and security capabilities. Therefore, the manufacturer won’t spend time or resources developing them.


As mentioned earlier, possibly many don’t care simply because they don’t realize the risks. If you want more security and privacy control over your data, speak up! Consumers can help make change!


Do you have more suggestions? Have feedback on the blog post? Drop us a line.

Q: In last month’s Tips you talked about Reddit’s privacy policy as imperfect. What should we, as consumers, look for in website privacy policies?


A: Great question! We could write a whole newsletter just about this. But here’s a short summary. Before you give information to a website (beyond what your browser is giving behind the scenes), check for the following:


  1. Description of the types of information that are being automatically collected from you and that you type in with your consent. The more types of information collected, the more insights about your life are determined. For example, consider names, addresses, mobile numbers, email addresses, and IP addresses. But also think about GPS location, date, time, etc. You should see an opt-out option to retract consent, or refuse consent to begin with.
  2. Description for how cookies, web beacons, and other types of tracking technologies are used. Cookies are sometimes needed to make the site functional. For example, to maintain a site visit session so you don’t need to re-enter the same data over and over again when going from one site sub-page to a different sub-page. However, other types are much more privacy-invasive, such as those that follow you everywhere you go online. Web beacons (Meta Pixel is an example of web beacons on digital steroids) can do even more types of tracking based on your identity and are not dependent on your browser, which cookies generally depend upon.
  3. Description of how the organization is using your data. For example, it may be used for analytics, to improve site functionality, to create site visitor profiles for marketing, etc.
  4. Description of how your data is being shared. It should be more specific than simply saying things like, “to trusted business partners” or “as required by law.” The more vague the explanation is, the more likely the sharing is being done in ways that are more privacy-invasive.
  5. Description for how individuals can get access to their own associated information.
  6. An overview description of the security practices being used. At a minimum, these should include data encryption, strong authentication (such as multi-factor authentication), identity verification for data access requests, anti-malware tools, intrusion prevention and detection tools, a comprehensive risk management program, and effective security and privacy education for the workers who support the privacy and security promises. 
  7. Contact information for submitting questions about the organization’s privacy and security practices. Each site should provide, at a minimum, not only a physical mailing address, but also a phone number and an email address. They should also indicate that a response will occur within a timely manner, such as within 2 business days.
  8. A high-level description of the privacy laws and regulations with which the business meets compliance, and an offer to provide recent (within the past year) proof of such compliance.
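As an added example that is not part of the newsletter (and not code from any site it names), here is a small Python audit, standard library only, that applies the distinctions from items 1 and 2 above to data you could capture from a site you are evaluating: session versus persistent cookies, first- versus third-party cookies, and beacon-style tracking pixels or third-party scripts in the page. The host example-shop.test, the Set-Cookie headers and the HTML are all constructed for illustration.

```python
"""Audit constructed Set-Cookie headers and HTML for the tracking
mechanisms a privacy policy should disclose: session vs. persistent
cookies, third-party cookies, tracking pixels and third-party scripts."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed first-party host for the site being audited (assumption).
SITE_HOST = "example-shop.test"

# Constructed Set-Cookie headers of the kind a site might send.
SAMPLE_SET_COOKIES = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_tracker=xyz; Domain=.adnetwork.test; Max-Age=63072000; Path=/; Secure; SameSite=None",
    "prefs=dark; Max-Age=2592000; Path=/",
]

# Constructed page body: a normal logo, a hidden 1x1 beacon, one third-party
# script and one first-party script.
SAMPLE_HTML = """<html><body>
<img src="https://www.example-shop.test/logo.png" width="200" height="60">
<img src="https://pixel.adnetwork.test/collect?id=42" width="1" height="1" style="display:none">
<script src="https://connect.social-example.test/pixel.js"></script>
<script src="/static/app.js"></script>
</body></html>"""


def _same_site(host, site_host):
    """A missing host means a relative URL, i.e. the site itself."""
    return host is None or host == site_host or host.endswith("." + site_host)


def audit_cookies(set_cookie_headers, site_host=SITE_HOST):
    """Classify each cookie by lifetime (session/persistent) and party."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Without Expires or Max-Age the cookie dies with the browser session.
            persistent = bool(morsel["expires"] or morsel["max-age"])
            domain = morsel["domain"].lstrip(".")
            # No Domain attribute scopes the cookie to the site itself; otherwise
            # the cookie is first-party only if the site lies within that domain.
            first_party = not domain or _same_site(site_host, domain)
            findings.append({
                "name": name,
                "lifetime": "persistent" if persistent else "session",
                "party": "first" if first_party else "third",
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            })
    return findings


class _TagCollector(HTMLParser):
    """Collect the img, script and iframe tags that can carry a beacon."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "script", "iframe"):
            self.tags.append((tag, dict(attrs)))


def find_beacons(html, site_host=SITE_HOST):
    """Flag hidden or 1x1 images (classic tracking pixels) and third-party scripts."""
    collector = _TagCollector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.tags:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        party = "first" if _same_site(host, site_host) else "third"
        style = (attrs.get("style") or "").replace(" ", "").lower()
        tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
        hidden = "display:none" in style or "visibility:hidden" in style
        if tag == "img" and (tiny or hidden):
            findings.append({"kind": "tracking pixel", "src": src, "party": party})
        elif tag in ("script", "iframe") and party == "third":
            findings.append({"kind": "third-party " + tag, "src": src, "party": party})
    return findings


if __name__ == "__main__":
    for cookie in audit_cookies(SAMPLE_SET_COOKIES):
        print("cookie", cookie)
    for beacon in find_beacons(SAMPLE_HTML):
        print("beacon", beacon)
```

Run against a real site by pasting its Set-Cookie headers and page source into the two sample inputs; a long-lived cookie scoped to a domain you did not visit, or a hidden pixel pointing off-site, is exactly the kind of tracking a privacy policy should spell out under items 1 and 2.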


We also believe that, instead of carving out separate protections for individuals based upon their locations, such as extra protections for individuals in the EU to comply with GDPR, different protections for California residents to comply with CCPA and CPRA, and many others, the privacy practices utilized should be followed for all individuals, regardless of where they are located.

Q: I’m curious. What is the largest HIPAA penalty to date?


A: It was applied against Anthem in 2020. 43 state attorneys general, working together, penalized Anthem with a $39.5 million fine, plus an additional separate penalty of $8.7 million from the California Attorney General. Anthem was also given a comprehensive six-year corrective action plan (CAP). That wasn’t all! Anthem had also received a penalty of $16 million from the HHS OCR in 2018, in addition to another minimum two-year CAP. So, the total financial penalty against Anthem for this breach was $64.2 million. 


Q: Have information disposal breaches stopped occurring? I haven’t seen news stories about them lately. If so, why do you think they’ve stopped?


A: In truth, security incidents and privacy breaches via technology have been steadily increasing. Disposal breaches are also on the upswing, but don’t seem to make headlines recently. Perhaps that’s because other, more titillating technology-related incidents are happening. But here’s a good example of a recently announced disposal breach. On August 23, 2022, the HHS OCR announced a settlement with New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NEDLC”), over the improper disposal of protected health information (PHI), which is a violation of HIPAA. As a result, NEDLC paid $300,640 to OCR and agreed to implement a corrective action plan (CAP) that will be subject to review at any time for six years, to resolve this investigation. 


What, specifically, did NEDLC do? To summarize: they disposed of empty specimen containers with PHI on the labels in a publicly accessible garbage bin in their parking lot. The container labels included patient names and dates of birth, dates of sample collection, and the name of the provider who took the specimen. The OCR’s investigation revealed numerous HIPAA violations at NEDLC, including the impermissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the privacy of PHI.

Image source: coolthings.com

Q: A concerned mother wrote to us and said, “My IT-industry brother gave my 10-year-old tech-curious daughter a gadget called a ‘Flipper Zero.’ What is the purpose? What does it do? I saw a TikTok and I don’t think I should let her keep it. What is your opinion?”


A: I love this question! It is both techie and intergenerational. A Flipper Zero is a small gadget that is widely used to perform vulnerability assessments and penetration testing, often for IoT products. However, it is also reported as being used by hackers to do such things as hack into smart garage doors; and to unlock, start and steal smart cars. It can also turn smart appliances on/off and change their settings and more.


If your daughter is interested in learning how technology works, and also how to identify security and privacy vulnerabilities and weaknesses, this would be a nice tool for her to use to get some hands-on experience. We advise you to read the articles below, review with her what types of uses you will allow her to perform with the Flipper Zero (e.g., only on your own IoT products, systems and devices), and describe activities not allowed (e.g., hacking into any devices, systems or networks of others without their permission). She should understand that she must not break laws with her actions, that it should be used for learning purposes, and to identify security vulnerabilities and privacy problems within your own home…which is an awesome benefit.


Give these a read:


  • This article shows that Flipper Zero is not new; it has been talked about since at least mid-2020.
  • This article describes beneficial and harmful actions that can be done with Flipper Zero. Good knowledge to have before discussing with your daughter.
  • This article provides some good real-life stories about the impacts, good and bad, of using Flipper Zero. 

Q: Recently I’ve been seeing the same message being posted and reposted to Facebook, claiming to be written by a lawyer, saying something to the effect, “I do not allow Facebook/Meta to use my photos, information, etc….Violation of my personal life will be punished by law.” I know years ago this was just a bogus message spreading online that had no legal merit. Is it now valid, under Meta? Or, is it just the same sham being circulated again?


A: We’ve been seeing them too! Every couple of years it crops up. And since it typically includes a sentence that claims it was the advice provided by a lawyer, it seems to add enough legitimacy to cause a new flurry of reposts. However, it is *NOT* true that “A new Facebook/Meta rule allows the company to use your photos without permission, and posting a legal notice on your page will prevent it from doing so.” Posting this type of boilerplate legal notice on your Facebook page has no legal impact. It is useless. 


Look at the Facebook/Meta Terms of Use. You agree to those terms by default when you use Facebook. By doing so, you are granting Facebook a “non-exclusive, transferable, sub-licensable, royalty-free, and worldwide license to host, use, distribute, modify, run, copy, publicly perform or display, translate, and create derivative works of your content (consistent with your privacy and application settings).” The privacy declaration that is once more going around is worthless and has no impact on what Facebook can or cannot do with your posts.

Data Security & Privacy Beacons*

People and Places Making a Difference

  • GroovyTek for their in-person help and classes they provide to consumers “over 40.” Kudos to you for your valuable consumer help and education services!
  • HSBC UAE for their short (56 seconds) video, “Faces of Fraud: How to spot an investment fraudster.” They used a generative-AI-produced image of a person, based solely on the recording of an actual fraud criminal. What are your thoughts about this?
  • Help Net Security for their “7 free cybersecurity resources you need to bookmark” list. This is particularly helpful for techies who are familiar with a wide variety of tech tools.   
  • The National College National Online Safety for their infographic, "What Parents Need to Know about WeChat." There are significant privacy issues with that app! This points out several of them. 
  • The Department of Justice (DoJ) for upholding the Children’s Online Privacy Protection Act (COPPA) and the Children’s Online Privacy Protection Rule (COPPA Rule), and the Federal Trade Commission (FTC) for pursuing COPPA violations and for upholding Section 5 of the FTC Act. They jointly announced on December 19, 2022, a settlement requiring Epic Games Inc. (Epic Games) to pay $275 million in civil penalties (the largest civil penalty ever imposed for a COPPA violation) as part of a settlement for violations of COPPA and the COPPA Rule. And Epic Games will pay an additional $245 million (the largest penalty ever obtained for violating an FTC rule) in refunds for tricking users into making unwanted charges, a violation of the FTC Act, Section 5. Throughout the past several years the collection of children’s data has increased, and the practices have become increasingly deceptive and privacy-invasive. Will other organizations take notice and improve their privacy practices? We hope so.
  • VentureBeat for providing, “Top employee cybersecurity tips for remote work and travel.” They provide three good tips, along with instructions for each. See more tips in a couple of blogs that Rebecca wrote, “The Spies Who Eavesdrop on Your Work from Home: Part 1 – IOT” and “The Spies Who Eavesdrop on Your Work from Home: Part 2 – Apps.” 
  • IRS tool for checking if charities are valid. The Tax Exempt Organization Search “tool”…actually spreadsheets with detailed listings of tax-exempt charitable organizations in each state, region, etc.…allows you to search for the name of a charity to confirm they are legitimate. For example, the Excel spreadsheet for Iowa contains 29,500 tax-exempt charities collecting money from residents in the state. That said, we do have concerns about the large amount of personal information (primary contacts) included. 
  • Midamerican Energy for their "Scams: Dos and don'ts." According to Utilities United Against Scams (which we’ll name as another beacon), the typical cost for each utility’s victim who lost money was about $500. All types of businesses should provide information to their customers about scams that involve the business’s services and/or products. 
  • The Organized Crime and Corruption Reporting Project (OCCRP) for catching phone call scam crooks and providing Eurojust and Europol evidence and support to put these criminals away. They ruined so many lives; read more details about how their crimes harmed many people here.
  • A Facebook friend, F.H. for making a post about how to avoid being the victim of a targeted phishing scam. If you receive something you want to warn others about, please, go ahead and do it! Raising awareness is good! Oh, but don’t go to that link shown in the message!

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Privacy & Security News

Visit the PSB News Page often!

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other useful information on our site. Our goal is to post 3-4 times a week. We’d love to also see your comments and thoughts on our posts. 



We now have a new page dedicated to HIPAA and healthcare news, here. This is in addition to our other three news pages for specific news topics! We also have a separate news page for IoT security and privacy news. You can see it here. And, we have a huge amount of news for Log4j security and privacy vulnerabilities, patches, exploits, and everything else related, here. You can also get to them all from our Privacy & Security Brainiacs News Page.

Check It Out!

We have updated and reorganized our Privacy & Security Brainiacs home page. We have also updated our “Online Learning” landing page. The courses provide real-world examples and advice, and quiz questions that support critical thinking, which results in longer-term retention of the concepts. Real-world examples help professionals identify where they need to beef up their own compliance practices. They also learn about HIPAA rights in the U.S. that they’ve never heard of before. We have also created a landing page for our new Master Experts “Online Education” services.


Students of each class receive certificates of completion, showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class, and much, much more. Ask us about our deeply discounted beta testing user pricing.

Where to Find the Privacy Professor

Rebecca's Radio Show

If you haven't checked out Rebecca's radio show, Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of real-world topics within the data security and privacy realm.


Latest Episode

First aired December 3, 2022

Cheryl Jackson and Todd Fitzgerald


Privacy & Cybersecurity for Your Life During the Holidays


Are you armed with the privacy and security knowledge and awareness necessary to identify all the holiday scams and cybercrooks that emerge and try not only new scams and crimes, but also all the same scams and crimes that have proven to be effective year after year for decades? Hear my conversation with two cybersecurity and privacy experts about holiday scams, crimes, and risky tech gifts. Cheryl and Todd also share experiences about awareness events and education they’ve provided over the years.


Next Episode

First airs January 7, 2023

Christine Abruzzi


What it is Like to Be an Identity Theft Victim


Even world-renowned information security experts can be hit by identity theft, and learn even more about how these frauds occurred, are handled by law enforcement, and can be resolved. Hear Christine describe details and lessons learned from her own current identity theft situation.

Answer Key to Trivia Questions in the Monthly Awareness Activity Section



1. D.

2. D.

3. C.

The Privacy Professor | Website

Privacy & Security Brainiacs | Website

Permission to Share



If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:


Source: Rebecca Herold. January 2023 Privacy Professor Tips

www.privacysecuritybrainiacs.com.


NOTE: Permission for excerpts does not extend to images.


Privacy Notice & Communication Information


You are receiving this Privacy Professor Tips message as a result of:

 

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or

2) making a request directly to Rebecca Herold or 

3) connecting with Rebecca Herold on LinkedIn


When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at [email protected]

 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.