Privacy & Health Are Not Mutually Exclusive
We all want this pandemic to be controlled and eliminated as soon as possible, for the sake of everyone. However, n
o one should feel compelled to give up their privacy during a pandemic. Any assertions otherwise are unfounded. And, don't forget, any freedoms sacrificed now in the name of health and safety will almost certainly be continuously sacrificed even after the current COVID-19 crisis subsides. It's happened before; namely, with the Patriot Act put into place to address fears sprouted during the 9/11 attacks on our country.
In this issue, we address many ways to hang on tightly to your privacy, whether that be through awareness of scams, taking preventative action or practicing good data hygiene behaviors. As you read, remember that the "new normal" does not require you to give up your right to data security and privacy. In fact, it may actually require you to step up your diligence.
Special Note:
Because much of our content this month is sort of heavy, I thought I'd lighten it up a bit with some delicious imagery. I know many of you have found your inner baker during quarantine. If you'd developed or discovered any unforgettable recipes, or have some photos of your creations to share, please send them my way!
|
|
 Data Security & Privacy Beacons
|
People and places making a difference**
Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!
An Aetna employee
was nominated by a Tips reader for going over and above to advocate for the security of her protected health information (PHI). After being asked repeatedly for her Social Security and Medicaid numbers by a home health provider the Tips reader was no longer employing, she called her health insurer Aetna for help. The insurance carrier got on the phone with the provider and the Tips reader together and warned the provider that their company could and would be reported if they continued to request this information, which they had insisted they needed to be reimbursed for the care they provided the Tips reader. Aetna confirmed they did not. Says the Tips reader: "My concern is how many seniors are giving out their PHI to providers like this...they managed to intimidate me at first...
I was in pain and not at my best. The representative who helped with the home health provider was outstanding. She truly went above and beyond."
The OCC recently issued guidance on media access to protected health information (PHI). The guidance was well-timed given concerns over HIPAA violations surrounding government, media and other requests for data on COVID-19 patients. In addition to other reminders, the guidance included important clarification, such as masking or obscuring patients' faces or identifying information before broadcasting a recording of a patient is not sufficient.
We are again including the FTC in our Privacy Beacons round up for raising awareness of COVID-19 related scams. This week, the commission reminded consumers that the government will never call, text, email or ask people to click on a link they sent to activate their Economic Impact Payment debit card or get their money. In addition, the FTC communicated in great detail the steps people should take to secure their funds should they receive them on a debit card.
**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.
|
|
Privacy Risks of Contact Tracing
|
|
Overreaching contact tracing methods are spreading as fast as the virus.
Technology has proven to be an incredible ally in the battle to slow the spread of COVID-19. Mobile apps have allowed many restaurants to pivot to delivery and pick-up business models. Contactless payments have kept cashiers from having to handle shopper's cards and cash. Advanced machine learning and AI is helping researchers learn more about the virus so they can develop treatments and vaccines on an accelerated time table.
No one wants a cure for COVID-19 more than I. And I know that also applies to my privacy expert colleagues.
But, as we've discussed many times, for every upside of technology, there's at least one downside. And, as technology is deployed to trace human contact from community to community, and person to person, there are very serious privacy concerns that must be addressed.
Take the contact tracing app TestIowa.com, for example. The tool's online survey, although designed to help restore our state's economy through the use of real-time data and improved testing of suspected infections, asks entirely too many questions. A birth date, for example, is a highly vulnerable piece of personally identifiable information that goes for big money on the dark web.
Collecting everyone's specific birthdate is not necessary to aid contact tracing efforts. Asking for general age range or category, which is what is reported from the state, would have been privacy-friendly.
Aside from the over-collection of private data, TestIowa.com raises a few other concerns. First, the provider was selected by the state's governor through what appears to be a very haphazard, no-bid process lacking appropriate due diligence. Second, as reported by the Cedar Rapids Gazette, the
tech start up behind the tool has no health care experience, and therefore, may not have much, if any, appreciation for HIPAA rules and regulations. While the rules may not apply to the tool specifically, they serve as a best practices doctrine for developers, providing them with the long-standing, expected and de facto privacy practices that should be implemented in a consumer-facing tool like TestIowa.com.
Across the globe, several other examples of overreaching contact tracing methods are setting a frightening precedent. Take China, for example, which surveils its citizens directly through GPS-enabled spyware installed on their smartphones. Per an
April 20 Fortune article:
At checkpoints throughout the city, police and security guards demanded that anyone seeking to come and go present a QR code on their mobile phones that rates the user's risk of catching the coronavirus. Green codes granted unrestricted movement. A yellow code required seven days of quarantine. Red meant 14 days of quarantine.
What color would show on your phone if your country demanded such activity? And how accurate would it be? Allowing devices manufactured and managed by unrestricted technology behemoths or hungry startups with questionable experience with or respect for data security and privacy controls is a slippery slope to say the least.
I spoke
recently
with Bruce Sussman for his SecureWorld Sessions podcast about some of the improvements that need to be made to the contact tracing apps and tools that have been quickly created and put to use. Listen to the show
when it first airs Tuesday, June 2, and share your feedback with Bruce and me. We'd love to hear it!
|
|
Spreading misinformation is a dangerous pastime.
Hop on social media today and you're sure to see false information relayed about the coronavirus pandemic. Unless you're viewing information from the World Health Organization (WHO) or Centers for Disease Control and Prevention (CDC), don't believe everything you see. Even more important, don't share everything you see.
The spread of dangerous rumors and conspiracy theories is scary. Especially when people are feeling overwhelmed, uncertain or confused, they may be drawn into believing or doing something they wouldn't otherwise.
I see it now occurring daily on LinkedIn, Facebook, Twitter, YouTube and Instagram. It's discouraging to see so much verifiably false information spread.
Consider the
video claiming a COVID-19 patent has existed for years
. Before being removed from YouTube, the video had more than 2.6 million views. The video's claims may have sounded legitimate. However, the truth is that the patent is for another strain of coronavirus, not COVID-19. And, the existence of a patent for a virus is not unusual. In fact, it's a best practice among researchers, not a signal of a conspiracy.
Several Big Tech companies claim to be working to
curtail the spread
of misinformation
, but such an undertaking will not be easy. T
witter and Facebook, for example, have started taking some actions. Other social media outlets, however, are still spreading massive amounts of misinformation, often through bots. Listen to more about these misinformation campaigns in my show with Theresa Payton from earlier this year.
Facebook, Twitter, LinkedIn, Google, YouTube and Microsoft have announced they will combine efforts to combat false information. Unfortunately, removing information from these sites often feeds conspiracy theories.
Also not helping is the fact social media algorithms are designed specifically to show more people the posts that get the most engagement, regardless of whether the post is true. Sharing, commenting on or liking a post, even to express how ridiculous it is, further compounds the issue.
Each of us has a choice to be part of the solution rather than part of the problem. The next time you see something that seems "off," do your homework. See if you can find a second, trustworthy source that supports the facts or ideas contained in the content. And, while I certainly understand it can be tempting to jump in the fray, keep in mind that commenting only tells the social media algorithms that more users are interested in the content.
|
|
 |
The Delicate Balance of Privacy and Productivity
|
Measuring productivity doesn't require surveillance.
Leading a remote workforce is new territory for many employers, especially when it comes to the data security and privacy risks the shift opens up. One of the biggest areas for concern developing in the new world of remote work is employee surveillance.
A great number of companies have integrated employee monitoring into their remote environments. Various software solutions keep tabs on keystrokes, websites visited, attentiveness in Zoom meetings, time tracking and even periodic webcam photos to ensure employees are at their computers.
Surveilling "
on the clock"
activities is not new. Yet, depending on where a business operates, this type of activity may be considered unethical, intrusive and potentially even illegal. This is especially true if employers fail to get consent, or at minimum notify employees they're being monitored. Proactive communication can help maintain high morale and keep a strong company culture intact.
No doubt, productivity is a concern for employers. However, with remote work likely to increase in a post-pandemic workplace, employers should be thinking through how they will set expectations around performance in the future. There are many ways to measure productivity beyond watching an employee's every move, remotely or otherwise.
Productivity aside, an even more valid concern for surveillance is that of data security. In most cases,
an employer is liable for security and data breaches
even if it's a remote worker who causes the breach. As such, it's important employers have the proper security controls in place.
Employers and employees alike are entering a new era. Our new normal will be full of challenges, such as attacks against trade secrets, employee personal data and other treasure troves of intelligence opened up by remote work. Mitigating these risks
while also being mindful not to cross the line into an employee's personal information, is expected to become a larger area of focus in the coming months and years.
Check out Privacy Security Brainiacs for Resources
To help organizations address
work-from-home
and other mobile computing
security and privacy concerns, my team is providing complimentary templates of relevant policies. The templates can be used to update existing policies or to establish new ones.
We will continue adding more information on the site and here in the Tips message in the coming weeks and months. I am also excited to announce my book on the topic will be coming out at the end of 2020 through Taylor & Francis.
In the meantime, I encourage you to check
Privacy Security Brainiacs
often for updates.
If you're a team leader or business owner, consider carving out some time to think about how to effectively (and respectfully!) manage productivity, worker's (and their family's) privacy, as well as overall data security in a remote environment. If you haven't considered the impact to your business, review this article for few
legal and employee relations risks.
|
|
|
A Nation Divided over Paper Ballots
|
The debate: Which is more secure, mail-in or in-person voting?
Like many of Americans, I just mailed in my absentee ballot for the June primaries. Casting my vote via mail is simple and convenient, not to mention, healthier. Subjecting myself to crowds at a polling location when I don't have to seems sort of silly given the COVID-19 risks.
I've been exercising my right to vote ever since I was old enough. Due to the extensive amount traveling I've done over the years, I've probably voted by mail 60% - 70% of the time. And, I know from understanding the procedures and the controls in place, that my vote is being counted, and that it can only be counted once. Thanks to the types of ballots, the "secrecy envelopes," control numbers, and several other security controls, its entirely possible to verify that my vote through the mail was received, and that it was counted. (See below.)
Even so, there is much debate -- and even litigation -- over whether mail-in voting is secure. In Texas, the Democratic party sued Republican leaders to allow mail-in absentee ballots.
The pandemic has thrust absentee voting into the spotlight. But, the concept is far from new. Since 1980, California has conducted all of its elections by mail. Now, Hawaii, Oregon, Utah and Washington do, as well. Other states rely on a combination of mail-in and in-person voting.
The Case for Mail-In Voting
I've researched the security technologies and procedural controls of both mechanisms for many years. My findings indicate mail-in voting controls are much harder to hack. Altering physical paper is much more difficult than digital records.
The procedures established in the past few decades have corrected the lack of security at voting poll locations in the 1930s. Unfortunately, those century-old tactics are still pointed to as reasons not to allow mail-in voting.
Those who have long been responsible for voting security also provide compelling reasons mail-in voting is one of the most secure ways to vote. FEC Commissioner, three-time Chair and ethics/election lawyer Ellen Weintraub recently posted compelling facts and evidence about the security of mail-in voting. She pointed out that secretaries of state, including in Iowa, are debunking the fraud conspiracy theories. In addition, the U.S. Election Assistance Commission has provided much analysis about the security of mail-in voting.
Tune In for More on Voting Security
Because I continue to find the topic so fascinating, I've
talked extensively on my radio show with voting security experts
. Together, we've covered everything from voting and election security and vulnerabilities to the mobile voting app issues my home state experienced during the Iowa caucuses. I will be doing more shows on voting security and fraud in the near future. See the "Voting Security" section of my radio page for links.
Mail-in voting is an ideal option for those unable or unwilling, especially during the pandemic, to go to a physical voting site. In the coming months, I have no doubt the debate will become even more heated.
|
|
|
Protecting Against SIM Swaps
|
| |
