Why Are You Getting This?

You signed up to receive the Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB), or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

“Live like you were dying.”

This is the title of a Tim McGraw song I’ve loved since I first heard it when it was released in 2004.

It reminds us that we need to live life to the fullest while we can. But when doing so, we also need to consider our legacies, our personal information, and how information about us can impact our survivors when we are gone. 

Now is an excellent time to think about getting all these issues addressed before we go on business or personal trips to ensure we are not leaving our survivors guessing, or completely unaware, of our digital and other types of personal information items and how they should be handled if we're not around. 

I’m not trying to be a Debbie Downer. But in the past four years, I’ve lost seven friends and business clients directly from COVID-19 and then experienced the death of three more family members and friends. 

In addition to facing deep grief, I’ve learned to celebrate life and prepare for the future.

One of the kindest and most generous things you can do for loved ones is to give them the gifts of clarity and convenience, so they don’t have to spend hours guessing, sifting through your possessions and electronics, or arguing about your wishes.

Do you have stories, examples, or concerns about the topics covered in this issue that you would like us to provide feedback on? Send them over! We may discuss them in an upcoming Tips. 

We hope you are finding all this information valuable. Let us know! We always welcome your feedback. 

Celebrate life daily and leave a clean and convenient legacy, keeping your private information private long after you’re gone!

Thank you for reading!

Rebecca

We would love to hear from you!

July Tips of the Month

• Monthly Awareness Activity
• Privacy & Security Questions and Tips 
• Data Security & Privacy Beacons*
• Privacy and Security News
• Where to Find the Privacy Professor

July is Family Reunion Month. What a great opportunity to create memories -- from elders to the youngest! 

So many activities and games can engage your guests. You’ll learn so much about what’s important to the people in your family, what they want to share openly with future generations, and what they like to keep private.

• Take photos and make videos of those in attendance to remember the day and to share afterward with each other and those who could not attend. Set up a secured-access location online to make the information available. Here is a good, recent list of possible photo and video sharing cloud services to consider, along with two to avoid. 
• Have a “Keep Your Family Close and Protect the Family Legacy” activity. Ask attendees to bring their paper and digital devices with personal data they no longer need and help them clean up their personal information risks. You can even create a guessing game called “Keep or Dump?” and involve everyone in making the decisions. Provide a cross-shredder, degausser, and a digital device dumpster for attendees to use during the day. The privacy- and cybersecurity-savvy in attendance can help to shred, degauss, and dispose of the items. Most cities now have electronic waste services and sometimes even associated dumpsters, which you can bring to the event. For example, here is one in my area. Ask family reunion attendees for a free will donation to cover the costs at or before the event if cost is an issue.

What other activities do you suggest for making your own Family Reunion Month a big hit with your relatives or friends you consider part of your family? Are you planning to do one of these suggested activities or your own? Or are you doing an awareness event for a different recognized day or week in July?  

We’ve received several questions about protecting privacy after death throughout the past couple of years. The best ways to plan and ensure such protections are in place are very common. Although we don’t want to depress you, think about how much more stressful your loved ones’ lives will be in the future! 



We also continue to receive many healthcare and IoT security and privacy questions and growing numbers of other topical questions. 



Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!

Q: A few years ago, I worked for a hospital in the medical records department. A couple of years after I left the hospital, I asked a family member about the ownership of a local restaurant. I subsequently learned from a publicly available document that the individual in question was listed as the restaurant's owner. I told my family member that someone listed as the owner of the said restaurant had been in the hospital back when I worked there, but I did not give the person's name. I did not give any other information. Did I violate HIPAA? Thanks, Z

A: Z, this is an interesting question. First, let’s consider some background.

Under the U.S. Health Insurance Portability and Accountability Act (HIPAA) healthcare covered entities (CEs) and business associates (BAs) must follow termination procedures appropriate for their respective organizations to terminate access to PHI when employees leave the employer. CEs and BAs must maintain documentation demonstrating changes in access levels for workforce members with PHI access and the removal of such access when employment ends. Upon exit, CEs and BAs must ensure the exiting employees understand their obligations remain to not disclose any PHI to which they had access. 

The context must always be considered for situations such as what you describe. For example, if you had worked for a hospital in Kansas City, and then a couple of years later mentioned to someone that the starting Kansas City Chiefs quarterback was in the hospital when you worked there, it would be effortless for most people to know that only one person fits this description -- Patrick Mahomes II. Note: this is purely a hypothetical example! The case could be made that a HIPAA violation occurred.

However, if you mentioned that an owner of Publix Supermarkets was in the hospital, it could be tough (depending on the full context of the situation) to know which of the 200,000 employee-owners was the one in the hospital, making it hard to make the case that a HIPAA violation had occurred. And then, we see other cases where there may be a handful of owners, and based on the circumstances and context of the situation, they may be able to be identified or may not. 

You indicated that a publicly-available document listed the individual in question as the restaurant's owner, implying there was only one owner. If so, that would leave only one possibility as to who was a patient in the hospital when you were an employee there.

This brings us to the next consideration: Since you were no longer an employee of the hospital when you told another person not involved with the individual’s healthcare treatment that the owner was a patient when you worked at the hospital, would that mean you were violating HIPAA? It depends.

• Did you agree not to disclose any PHI after you left the hospital? 
• Was not revealing PHI at any time during or after your employment a condition of your employment?
• And/or was keeping PHI confidential part of your offboarding activities from the hospital? 
• Was this part of the HIPAA privacy and/or security policies? 
• Was this issue covered within your HIPAA training?  

Whether or not you violated HIPAA would depend upon the answers to at least these questions. Whether or not anything will happen will likely depend upon whether or not the former patient discovers this disclosure and files a complaint with the HHS OCR and/or takes other legal action. It also depends on if this situation is discovered in some other way or if some type of harm occurred to the individual as a result. 

Q: What are some good privacy and security actions to take before going on a vacation, business trip, or any other type of overnight travel?

A: I’m so happy you are thinking about this! Here are a few things to do:

• Before your trip, provide an itinerary to one or two trusted family members and/or friends. Include phone numbers of the places where you are staying and/or the owners of those places. 
• I hope you’re keeping up-to-date with all the details about your life, health and travel insurance policies, bank accounts, credit card accounts, other accounts, etc., and keeping them in a secure location. Let your trusted family members and/or friends know where they can find this information if needed, such as in an accident or illness while traveling.
• If you have a home security system, do a test before you leave to ensure you can access information the system is collecting from your home, that the data is not publicly available, etc.
• Either put a hold on your deliveries and mail while you are gone or ask a trusted neighbor, friend, and/or family member to pick up such items daily while you are gone.
• Think twice before making publicly available posts to social media sites that you are traveling and exactly where you are at any point in time. This is especially important when traveling alone. This communicates to others who are malicious that you may be a vulnerable target in locations where you do not live, and it also lets them know your home may be empty and an easy target for theft. Wait until after you are back to talk about your trip. 
• Practice security and privacy in your hotel room, such as keeping doors double-locked, leaving valuables in safes, checking for surveillance devices in your room or vicinity wherever you are at, not using public USB chargers, unless you are using a juice-jack blocker, using a privacy screen on your laptop, tablet, and smartphone, etc.
• See more in our free downloadable PDF, “Protecting Privacy and Security While Traveling.”

Q: Do any laws protect privacy after death?

A:  Yes. Some do, but not many exist. Folks are often surprised to know that most (possibly all) of the laws/regulations that are considered to be “comprehensive” throughout the world only apply to “natural” people, meaning those who are living! For example, the EU General Data Protection Regulation (GDPR) only protects the privacy, and personal data, of natural (alive) persons. 

In the U.S. HIPAA applies to protected health information (PHI) after death. When the HIPAA Privacy Rule first went into effect in 2003, it protected PHI forever after death. However, after several years, the decision was made (largely for reasons related to medical research and to allow support to descendants of the dead) to limit the time that HIPAA would cover PHI after death.  As a result of the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, PHI must now be protected for 50 years after the individual's death. 

Also, under the Due Process Clause (found in both the Fifth and Fourteenth Amendments to the United States Constitution), family members generally maintain the right to control the dissemination of photos of deceased relatives. Privacy rights in this context only extend to the privacy of the living relatives of the decedent, not the actual deceased. 

Do you have other laws or regulations to add to our list? Please send them!

Q: Why is there a need for privacy after death? I don’t even care about privacy while I’m living. I have nothing to hide!

A:  We are happy you are confident about your legacy! However, once you are dead, of course, you will no longer be impacted by possible misuse of your life activities and representations through your photos, audio, video, and creations. But, the inappropriate use of your information could impact your survivors, your family, friends, co-workers, neighbors, etc. 

Many court cases have been filed to preserve privacy after the death of individuals. For example, in the 2011 judgment, Experience Hendrix v. HendrixLicensing.com Ltd., Al Hendrix, the sole heir, was denied the acquisition of Jimi Hendrix's publicity rights because New York at the time did not acknowledge post-mortem publicity rights. 

We anticipate the issue of privacy after death will become a topic of significant discussion in the coming months and years, as AI is being used to represent the deceased’s thoughts, views, and even new work. And as social media is being perpetuated for individuals after their deaths, and even new patents are being created to download what is claimed to be the consciousness of deceased individuals to use as chatbots after their deaths to allow their survivors to have “conversations” with them.

Q: Do you have a security and privacy checklist for things to do before do my death?

A: Yes, I initially created this when my children were young, and I was traveling often for business. I’ve kept it updated over the years. You can download it free from here.

Q: How can I delete all the data about me on social media, IoT, and now this mind-boggling AI?

A: Well, I’ve got good and bad news for you. You can download and then remove the active content you have on many social media sites, but not all of it. Ways also exist to remove data from many IoT product components, including the cloud storage areas, but not all IoT products allow this. And when it comes to artificial intelligence (AI) tools, most of them use whatever you feed into them to provide ongoing training for their AI algorithms. 

Here are some excellent places to find instructions on what we are aware of about removing your personal data from as many of these sites and tools as possible. This is worth repeating: If you want to save what you have posted online, download all your content before you delete it and deactivate your account!

• How to permanently delete your Facebook account.
• How to permanently delete your LinkedIn account.
• How to permanently delete your Instagram account.
• How to permanently delete your Twitter account.
• How to permanently delete your Pinterest account.
• How to permanently delete your WhatsApp account.
• How to permanently delete your Telegram account.
• How to permanently delete your YouTube account.
• How to permanently delete your Alexa account.
• How to permanently delete and/or remove your Google Home, Assistant, and Nest accounts.
• How to permanently delete your Ring account.

See how to delete the accounts in all the above and in many more social here IoT products, and AI tools in our free downloadable PDF here. Do you have more to add to our list? Let us know!

Q. Is not having a funeral a good way to protect privacy after death?

A: Consider a primary purpose of a funeral. Memories, photos, video, and audio are being provided to and shared among attendees and guests. Many more types of privacy risks exist in all the other areas where the personal data of the deceased have been shared throughout their lifetime. Your survivors will likely not know how you’ve shared all of your personal information and with whom. That is why you should take care of this yourself before your death by following the recommendations in the answers to the other questions in this issue.

That said, if there are things you would not want others at a funeral to know, see or hear after your death, document these things and discuss them with your family members and/or friends who you would like to carry out your wishes. Another consideration is to ensure any publicly communicated plans to attend a funeral are limited as much as possible to only those you know and trust or are shared only after the event. Criminals use such information to plan thefts when they know the occupants will be gone. Case in point: The US Federal Trade Commission (FTC) published a notice on June 15, 2023, describing a new crime where criminals diligently read death notices and funeral announcements. The crooks then contact the grieving families, pretend to be from the funeral home, and tell the family that if they do not pay more money immediately, the funeral will be canceled.

Most people will want to publish funeral information ahead of time, which is understandable. In this case, ask a trusted friend or neighbor to watch your house while you are at the services or celebration of life. Or, if you have security cameras around your property, monitor them throughout the day.

Something interesting to note: Celebrations of life are usually less expensive. They are often held in social locations or online, and are becoming much more popular. In these situations, even more privacy concerns exist, as a result of public access to these places and digital interlopers who may attend online if the celebration isn’t secured.

Q. This may sound weird, but I feel my privacy is violated by all the unwanted catalogs, business ads, etc., that I get in the mail via the U.S. Postal Service. Is there any way to stop this?

A. It does not sound weird! The first widely accepted and published definition of privacy in the U.S. spoke directly to your feeling. It was from Former Associate Justice of the United States Supreme Court, Louis Dembitz Brandeis, whose essay, “The Right to Privacy,” was published in 1890 in the Harvard Law Review. Within it, Brandeis repeatedly mentioned “the right to be let alone.” It sounds like you are feeling the need for this right…in your mailbox!

Many others are also feeling this need for privacy in their mailboxes. Last year DeleteMe published, “How to Stop Junk Mail in 6 Simple Steps,” a nice list of ways to stop as much junk mail as possible. PC Magazine also recently published a helpful set of instructions for how to unsubscribe from catalogs and stop junk mail.

• Privacy4Cars for providing a tool, the Vehicle Privacy Report, that vehicle owners can use to learn about the privacy facts for their specific vehicle.
• Facebook for providing information about the differences between hacked and fake accounts and providing steps to take for each situation if it happens to you. Most folks I’ve spoken with don’t realize this type of information is made available on Facebook; check it out.
• Tara Taubman-Bassirian for hosting the webinar, “Large Language Models (LLM) and the future of education and law,” with Richard Self, and Rebecca, discussing the privacy and security risks of artificial intelligence (AI); LLMs in general, and ChatGPT in particular. See the recording here. 
• George V. Hulme for his insightful article, Technical Debt in OT Environments: How It's Different and Why it Matters. An excerpt: “Today, technical debt broadly refers to having old technology in place that causes problems later on, such as increased maintenance, lower productivity, and software or system reliability.” I would add to this increased security incidents and privacy breaches.
• Max Eddy and PC Magazine for their articles, "So, You're Locked Out of Multi-Factor Authentication. Now What?" and “How to Lock Down Your Google Account With a Security Key.”
• Kevin’s Security Scrapbook Spy News from New York for interesting corporate espionage news and stories.
• DeleteMe for publishing, “How to Stop Junk Mail in 6 Simple Steps.”
• PwC Luxembourg for sending the following email message to those who subscribe to their emails. Others throughout Europe are also sending such messages. This is the first of such privacy messages that I’ve received. Thank you for explaining some of your privacy practices and pointing to where more information can be found!

• Zoominfo, and Verasafe, for sending the “Notice of personal information processing” in the second image below. I know some of you are probably rolling your eyes, saying, “They were legally compelled to send this!” Yes, we know. However, the message itself is well-written and provides a nice example of the types of information to include in such types of communications, as well as within website privacy notices. One big problem, though, their link to their “Privacy Center” returned a 404 error, which they turned into a marketing tactic. Yikes! Will this be fixed by the time this issue is published? We’ll find out soon.

We still have significant concerns about their business of collecting and selling personal data (including ours). However, as our disclaimer below indicates, this is a noteworthy example of this type of privacy communication that will be helpful for many organizations to see, who are creating their own similar types of communication.

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other useful information on our site. Our goal is to post 3-4 times a week. We’d love to also see your comments and thoughts on our posts. 

We have great feedback on our course, “HIPAA Basics for Business Associates 2023 Edition.” Our course includes more direct experience insights, examples, guidance, supporting supplemental materials, and more meaningful course quizzes and associated certificates of completion than other vendors. Similar statements have been made about our “HIPAA Basics for Covered Entities 2023 Edition” course. The real-life experiences we’ve included within the courses, and also the many supplemental materials, which we update as changes occur so our clients and learners can use their Privacy and Security Brainiacs portals as a source of not only learning, but also to keep up with regulatory changes, and even where they can store their organizations’ security and privacy policies. Please check them out! 

Students of each Master Experts “Online Education” course receive certificates of completion, showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class, and much, much more. Have questions about our education offerings? Contact us!

The Privacy Professor | Website

Privacy & Security Brainiacs| Website

Permission to Share



If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:

Source: Rebecca Herold. July 2023 Privacy Professor Tips

www.privacysecuritybrainiacs.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Information

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or

2) making a request directly to Rebecca Herold or 

3) connecting with Rebecca Herold on LinkedIn. 

When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.