Why are you getting this? You signed up to receive the Tips, asked to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB), or consented to receiving them. Please read our Privacy Note & Communication Info at the bottom of this message for more information.
Freedom From Privacy Invasion
As the US prepares to celebrate its independence next week, it’s a good time to think about what freedom means in the digital era.
Over decades in the privacy industry, I’ve heard this from countless people: “My life’s an open book. I have nothing to hide.” While that may feel true, the unfortunate fact is that we all have something to hide – our personal data, and other data that can be used to reveal intimate details of our lives. That data is increasingly fed to artificial intelligence (AI) to make assumptions (often incorrect) that a large number of organizations are already using to make decisions that impact our lives, often in detrimental ways. Our personal data is also incredibly valuable on the digital criminal market. Protecting it is vital to remaining free from the digital chains of identity theft, other cybercrime and physical crimes, and to preventing decisions made about us that cause financial, physical, and mental harm.
If it helps, don’t think of privacy as having something to hide. Think of it as having something to protect. Your autonomy. Your choices. Your freedom. Which makes it so important to think about on US Independence Day, no matter where in the world you are located. Privacy is a fundamental right. Protecting it does not make you a closed book. It makes you a smart person.
Rebecca
We would love to hear from you!
A few photos of my road trip with my son through national parks (I’ll share additional photos from other locations in upcoming issues):
At Black Canyon of the Gunnison National Park in Colorado. AMAZING!! Loved it!
At Mesa Verde National Park in Colorado. Amazing history and geologies!
Friendly elk visiting me from across the babbling brook in Estes Park, Colorado. Beautiful!
July Tips of the Month
- Monthly Awareness Activity
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons
- Privacy and Security News
- Where to Find the Privacy Professor
Monthly Awareness Activity
On International Joke Day, July 1, raise privacy and security awareness through humor at work. Inject comics and written, audio or video jokes into your regular communication. (Pro Tip: Clear them with your HR area first; you never know what may fall under “unacceptable.”)
Another idea: host a contest for the best privacy- or security-related joke. Here are a few for your funny bone:
- For healthcare pros: What room in a hospital has the least privacy? The ICU.
- For travel pros: What part of a boat has the least privacy? The poop deck. (A possible related topic where this could subsequently be used: in an infographic that shows security and privacy risks within cruise ships)
- For web pros: Why can’t you trust websites that display their privacy policies in purple font? They clearly violet your privacy.
Silly? Yes. Memorable? Yes! Even a groaner of a joke sticks around the memory banks, which makes even goofy humor a great way to advance awareness.
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
Seems the June Tips got many of you thinking. We received several new questions related to our topics in that issue. Below is an assortment. Please keep your questions coming.
Q: A business partner is making threats during our phone meetings. Is it illegal to record our conversations without telling the person threatening me?
A: I’m so sorry to hear you are dealing with such a stressful situation. The legality of recording depends on where you and the other person are each located.
Whereas US federal law only requires one-party consent, some state laws are stricter and explicitly state or imply that all parties must consent. Those states include California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont and Washington.
Another factor to note is that federal law stipulates that you must be participating in the conversation to legally record it. If you are not part of the conversation, federal statutes consider that illegal eavesdropping or wiretapping.
Here are the general legal requirements of a few international call recording laws:
- UK: Two-Party Consent
- South Africa: All-Parties Consent
- Canada: All-Parties Consent (And all parties must be told why the call is being recorded.)
- Australia: Call recording is illegal in most cases. It is permitted only for purposes of obtaining a warrant and monitoring criminal activity.
Q: Do patients have the right to deny their employers access to their protected health information (PHI) in a workers’ compensation situation?
A: The short answer is that patients do not have rights under HIPAA to prevent their employers from accessing the specific PHI associated with workers’ compensation cases. Here’s why:
HIPAA does NOT apply to the following three types of entities:
- workers’ compensation insurers
- workers’ compensation administrative agencies
- employers, except to the extent they may otherwise be covered entities
The above entities need access to the applicable health information of workers to process claims and coordinate care.
Typically, in these circumstances, a worker’s PHI is obtained from the health care provider who treated them. Those providers are considered covered entities (CEs) and are obligated to follow HIPAA requirements, which include directives for workers’ compensation cases.
HIPAA distinguishes the legitimate need of insurers and other entities involved in workers’ compensation systems to have access to individuals’ PHI as sanctioned by state or other laws. Because of the extreme variability among those laws, HIPAA allows disclosures of PHI for workers’ compensation purposes in a number of ways, to entities not defined as CEs under HIPAA.
Richard Ryan, a longtime Tips reader, sent us a follow-up to our June Tips, pointing out that there are differences in rights to access what is defined as protected health information (PHI) in workers’ compensation situations. Thank you, Richard!
Q: I own and operate a cannabis dispensary in the U.S., selling both recreational and medical cannabis. Do cannabis dispensaries like mine have to follow HIPAA requirements?
A: The Department of Health and Human Services (HHS) considers medical marijuana dispensaries to be health care provider covered entities (CEs) under HIPAA, and as such they must comply with HIPAA requirements. This is largely because a physician’s prescription is necessary to obtain medical marijuana.
HHS extended its oversight to medical marijuana transactions after reviewing the practice and context within which medical cannabis is obtained today.
Medical cannabis expert Michelle Dumay has been a frequent guest of the Data Security & Privacy with the Privacy Professor podcast. Over several years, she and I have discussed a range of topics related to the applicability of HIPAA to dispensaries along with some specific privacy and security issues. Take a listen to the still applicable advice:
Image source: Andrew Grossman, Scop.Io
Q: I just discovered a huge amount of my personal data on ZoomInfo. I never gave consent. I’ve never even used ZoomInfo. Why are they allowed to sell my personal data?
A: We share your concern. ZoomInfo and other data brokers scrape personal data from a wide range of sources, including publicly accessible sites and also through apps. Businesses often use this data to build marketing lists. The data-collecting apps typically take all the personal data available from the computing devices of the people who use them. Most people have no idea they are serving as unwitting sources of data, having never given consent to have their data taken or sold.
Consider the number of people you have emailed or received an email from. The personal data of all those people lives in your computer and on your devices. Data broker apps siphon off all that data from email repositories on your devices (and the devices of hundreds of thousands of others) and dump it into their for-profit databases.
I recently spoke with a reporter at The Capitol Forum about the sneaky ways data brokers skirt privacy law requirements to take all this data. We will post the story on the Privacy & Security Brainiacs In the News when it publishes.
Q: My neighbors post images and videos of people walking by their house and in the street on NextDoor. Some of the images have been humiliating to those pictured. Are those posts breaking any laws?
A: There is no single, easy answer to this question. Legality depends on many factors, such as…
- Regulations in effect for the geographic location (e.g., city, state, and country)
- Location of the camera
- Location of the individual captured in the image (e.g., on the camera owner’s property or across the street)
We also cover many of the associated issues in our upcoming IoT security and privacy book (more on that in the August Tips issue).
Q: I’m starting a career in IT as a programmer. I’d like to specialize in cybersecurity. Do you have any recommendations for building skills in cybersecurity while creating code?
A: The global business community is sorely in need of programmers who are proficient in cybersecurity. Specifically, we need programmers who understand secure coding and applications testing. Until we get there, businesses will continue to push into production products that have not been given thorough quality assurance for code.
Get as much experience as you can in these areas. Build expertise by looking for opportunities to do these activities where you work. Take classes. Read books. You will be in high demand.
The lack of cyber-proficient programmers is one of the reasons I built the SaaS business, Privacy & Security Brainiacs. It’s designed precisely to train the next generation of programmers to think differently and with a cybersecurity mindset. One of our first Master Experts is the professor who led the creation of the NSA-certified National Center for Academic Excellence (CAE) Master’s in Information Security and Assurance program at Norwich University, Dr. Mich Kabay. And, we would love to have you as a student! (See more about this at the end of this issue.)
All the best for a fabulous and successful career, which I’m confident you will truly love.
Data Security & Privacy Beacons*
People and places making a difference
- Andrea Weckerle recently started publishing Ready When Stuff Happens, which provides great advice on a wide range of topics, including preparing for what happens after death.
*A Privacy Beacon does not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.
Privacy & Security News
Visit the PSB News Page often!
PSB News pages contain articles grouped by month and by topic. We curate the news we find of most concern and interest, so you can see the kind of info we pass along to our own clients and employees.
Brand New Training Courses
Clearing up common confusion around HIPAA
Too few healthcare employees are confident in their understanding of HIPAA. We want to change that. Beginning this month, HIPAA covered entities (CEs) and their business associates (BAs) will have access to “HIPAA Basics for Business Associates 2022.”
Where to Find the Privacy Professor
real-world topics within the data security and privacy realm.
Latest Episode
First aired on Saturday, June 4, 2022
Dr. Clifford Stoll
Dr. Clifford Stoll wrote the book The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage in 1989, a first-person account of his odyssey catching hackers working for the Russian KGB. In this episode we cover additional facts about the hack, including more discussion of the technical and security perspectives that are still applicable, and some of the specific work Dr. Stoll did while tracking the wily hackers, which actually seems to have inspired some of the tools commonly used by cybersecurity pros today…tools they probably don’t even realize were first established by Clifford Stoll!
Next Episode
First airing on Saturday, July 2, 2022
Dr. Joseph Turow
Dr. Joseph Turow wrote the book “The Voice Catchers: How Marketers Listen In to Exploit Your Feelings, Your Privacy, and Your Wallet.” He describes how your voice and video recordings are collected, analyzed, and used for marketing and for many other decisions that impact your life, based upon the associated AI algorithms…which are often not accurate.
Privacy & Security Brainiacs | Website
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Info
You are receiving this Privacy Professor Tips message as a result of:
2) making a request directly to Rebecca Herold; or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message to each of them when accepting their invitations. That message states that each month, to support the LinkedIn networking purpose and goals, and to stay in touch with her links, she sends her LinkedIn connections one security and privacy tips message via email each month. If they do not want to stay in touch with her in this way, LinkedIn connections are invited to let Rebecca know they do not want to get email messages from her by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.