Privacy & Health Are Not Mutually Exclusive

We all want this pandemic to be controlled and eliminated as soon as possible, for the sake of everyone. However, no one should feel compelled to give up their privacy during a pandemic. Any assertions otherwise are unfounded. And, don't forget, any freedoms sacrificed now in the name of health and safety will almost certainly be continuously sacrificed even after the current COVID-19 crisis subsides. It's happened before; namely, with the Patriot Act put into place to address fears sprouted during the 9/11 attacks on our country.

In this issue, we address many ways to hang on tightly to your privacy, whether that be through awareness of scams, taking preventative action or practicing good data hygiene behaviors. As you read, remember that the "new normal" does not require you to give up your right to data security and privacy. In fact, it may actually require you to step up your diligence. 

Special Note:  Because much of our content this month is sort of heavy, I thought I'd lighten it up a bit with some delicious imagery. I know many of you have found your inner baker during quarantine. If you'd developed or discovered any unforgettable recipes, or have some photos of your creations to share, please send them my way!

Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

An Aetna employee was nominated by a Tips reader for going over and above to advocate for the security of her protected health information (PHI). After being asked repeatedly for her Social Security and Medicaid numbers by a home health provider the Tips reader was no longer employing, she called her health insurer Aetna for help. The insurance carrier got on the phone with the provider and the Tips reader together and warned the provider that their company could and would be reported if they continued to request this information, which they had insisted they needed to be reimbursed for the care they provided the Tips reader. Aetna confirmed they did not. Says the Tips reader: "My concern is how many seniors are giving out their PHI to providers like this...they managed to intimidate me at first... I was in pain and not at my best. The representative who helped with the home health provider was outstanding. She truly went above and beyond."

The OCC recently issued guidance on media access to protected health information (PHI). The guidance was well-timed given concerns over HIPAA violations surrounding government, media and other requests for data on COVID-19 patients. In addition to other reminders, the guidance included important clarification, such as masking or obscuring patients' faces or identifying information before broadcasting a recording of a patient is not sufficient. 

We are again including the FTC in our Privacy Beacons round up for raising awareness of COVID-19 related scams. This week, the commission reminded consumers that the government will never call, text, email or ask people to click on a link they sent to activate their Economic Impact Payment debit card or get their money. In addition, the FTC communicated in great detail the steps people should take to secure their funds should they receive them on a debit card. 

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.

Privacy Risks of Contact Tracing
Overreaching contact tracing methods are spreading as fast as the virus.   

Technology has proven to be an incredible ally in the battle to slow the spread of COVID-19. Mobile apps have allowed many restaurants to pivot to delivery and pick-up business models. Contactless payments have kept cashiers from having to handle shoppers' cards and cash. Advanced machine learning and AI are helping researchers learn more about the virus so they can develop treatments and vaccines on an accelerated timetable. No one wants a cure for COVID-19 more than I. And I know that also applies to my privacy expert colleagues.

But, as we've discussed many times, for every upside of technology, there's at least one downside. And, as technology is deployed to trace human contact from community to community, and person to person, there are very serious privacy concerns that must be addressed. 

Take the contact tracing app, for example. The tool's online survey, although designed to help restore our state's economy through the use of real-time data and improved testing of suspected infections, asks entirely too many questions. A birth date, for example, is a highly vulnerable piece of personally identifiable information that goes for big money on the dark web. Collecting everyone's specific birthdate is not necessary to aid contact tracing efforts. Asking for general age range or category, which is what is reported from the state, would have been privacy-friendly.

Aside from the over-collection of private data, the tool raises a few other concerns. First, the provider was selected by the state's governor through what appears to be a very haphazard, no-bid process lacking appropriate due diligence. Second, as reported by the Cedar Rapids Gazette, the tech start-up behind the tool has no health care experience, and therefore, may not have much, if any, appreciation for HIPAA rules and regulations. While the rules may not apply to the tool specifically, they serve as a best practices doctrine for developers, providing them with the long-standing, expected and de facto privacy practices that should be implemented in a consumer-facing tool like

Across the globe, several other examples of overreaching contact tracing methods are setting a frightening precedent. Take China, for example, which surveils its citizens directly through GPS-enabled spyware installed on their smartphones. Per an April 20 Fortune article:

At checkpoints throughout the city, police and security guards demanded that anyone seeking to come and go present a QR code on their mobile phones that rates the user's risk of catching the coronavirus. Green codes granted unrestricted movement. A yellow code required seven days of quarantine. Red meant 14 days of quarantine.

What color would show on your phone if your country demanded such activity? And how accurate would it be? Allowing devices manufactured and managed by unrestricted technology behemoths or hungry startups with questionable experience with or respect for data security and privacy controls is a slippery slope to say the least.

I spoke recently with Bruce Sussman for his SecureWorld Sessions podcast about some of the improvements that need to be made to the contact tracing apps and tools that have been quickly created and put to use. Listen to the show when it first airs Tuesday, June 2, and share your feedback with Bruce and me. We'd love to hear it!

Spreading misinformation is a dangerous pastime.   

Hop on social media today and you're sure to see false information relayed about the coronavirus pandemic. Unless you're viewing information from the World Health Organization (WHO) or Centers for Disease Control and Prevention (CDC), don't believe everything you see. Even more important, don't share everything you see.

With few rules around fact-checking, social media has become a hotbed of misinformation. The situation is even more troubling during this global health crisis because so many people turn to online sources for answers.

The spread of dangerous rumors and conspiracy theories is scary. Especially when people are feeling overwhelmed, uncertain or confused, they may be drawn into believing or doing something they wouldn't otherwise. I see it now occurring daily on LinkedIn, Facebook, Twitter, YouTube and Instagram. It's discouraging to see so much verifiably false information spread.

Consider the video claiming a COVID-19 patent has existed for years. Before being removed from YouTube, the video had more than 2.6 million views. The video's claims may have sounded legitimate. However, the truth is that the patent is for another strain of coronavirus, not COVID-19. And, the existence of a patent for a virus is not unusual. In fact, it's a best practice among researchers, not a signal of a conspiracy.

Several Big Tech companies claim to be working to curtail the spread of misinformation, but such an undertaking will not be easy. Twitter and Facebook, for example, have started taking some actions. Other social media outlets, however, are still spreading massive amounts of misinformation, often through bots. Listen to more about these misinformation campaigns in my show with Theresa Payton from earlier this year.

Facebook, Twitter, LinkedIn, Google, YouTube and Microsoft have announced they will combine efforts to combat false information. Unfortunately, removing information from these sites often feeds conspiracy theories.

Also not helping is the fact social media algorithms are designed specifically to show more people the posts that get the most engagement, regardless of whether the post is true. Sharing, commenting on or liking a post, even to express how ridiculous it is, further compounds the issue.

Each of us has a choice to be part of the solution rather than part of the problem. The next time you see something that seems "off," do your homework. See if you can find a second, trustworthy source that supports the facts or ideas contained in the content. And, while I certainly understand it can be tempting to jump into the fray, keep in mind that commenting only tells the social media algorithms that more users are interested in the content.

The Delicate Balance of Privacy and Productivity
Measuring productivity doesn't require surveillance.

Leading a remote workforce is new territory for many employers, especially when it comes to the data security and privacy risks the shift opens up. One of the biggest areas for concern developing in the new world of remote work is employee surveillance. 

A great number of companies have integrated employee monitoring into their remote environments. Various software solutions keep tabs on keystrokes, websites visited, attentiveness in Zoom meetings, time tracking and even periodic webcam photos to ensure employees are at their computers.

Surveilling "on the clock" activities is not new. Yet, depending on where a business operates, this type of activity may be considered unethical, intrusive and potentially even illegal. This is especially true if employers fail to get consent, or at minimum notify employees they're being monitored. Proactive communication can help maintain high morale and keep a strong company culture intact.

No doubt, productivity is a concern for employers. However, with remote work likely to increase in a post-pandemic workplace, employers should be thinking through how they will set expectations around performance in the future. There are many ways to measure productivity beyond watching an employee's every move, remotely or otherwise.

Productivity aside, an even more valid concern for surveillance is that of data security. In most cases, an employer is liable for security and data breaches even if it's a remote worker who causes the breach. As such, it's important employers have the proper security controls in place.

Employers and employees alike are entering a new era. Our new normal will be full of challenges, such as attacks against trade secrets, employee personal data and other treasure troves of intelligence opened up by remote work. Mitigating these risks, while also being mindful not to cross the line into an employee's personal information, is expected to become a larger area of focus in the coming months and years.

Check out Privacy Security Brainiacs for Resources

To help organizations address work-from-home and other mobile computing security and privacy concerns, my team is providing complimentary templates of relevant policies. The templates can be used to update existing policies or to establish new ones.

We will continue adding more information on the site and here in the Tips message in the coming weeks and months. I am also excited to announce my book on the topic will be coming out at the end of 2020 through Taylor & Francis. In the meantime, I encourage you to check Privacy Security Brainiacs often for updates.

Do you have a topic or question you'd like us to address? Please let me know.

If you're a team leader or business owner, consider carving out some time to think about how to effectively (and respectfully!) manage productivity, workers' (and their families') privacy, as well as overall data security in a remote environment. If you haven't considered the impact to your business, review this article for a few legal and employee relations risks.

A Nation Divided over Paper Ballots
The debate: Which is more secure, mail-in or in-person voting?

Like many Americans, I just mailed in my absentee ballot for the June primaries. Casting my vote via mail is simple and convenient, not to mention, healthier. Subjecting myself to crowds at a polling location when I don't have to seems sort of silly given the COVID-19 risks.

I've been exercising my right to vote ever since I was old enough. Due to the extensive amount of traveling I've done over the years, I've probably voted by mail 60% - 70% of the time. And, I know from understanding the procedures and the controls in place, that my vote is being counted, and that it can only be counted once. Thanks to the types of ballots, the "secrecy envelopes," control numbers, and several other security controls, it's entirely possible to verify that my vote through the mail was received, and that it was counted. (See below.)

Even so, there is much debate -- and even litigation -- over whether mail-in voting is secure. In Texas, the Democratic party sued Republican leaders to allow mail-in absentee ballots.

The pandemic has thrust absentee voting into the spotlight. But, the concept is far from new. Since 1980, California has conducted all of its elections by mail. Now, Hawaii, Oregon, Utah and Washington do, as well. Other states rely on a combination of mail-in and in-person voting.

The Case for Mail-In Voting

I've researched the security technologies and procedural controls of both mechanisms for many years. My findings indicate mail-in voting controls are much harder to hack. Altering physical paper is much more difficult than digital records. 

The procedures established in the past few decades have corrected the lack of security at voting poll locations in the 1930s. Unfortunately, those century-old tactics are still pointed to as reasons not to allow mail-in voting.

Those who have long been responsible for voting security also provide compelling reasons mail-in voting is one of the most secure ways to vote. FEC Commissioner, three-time Chair and ethics/election lawyer Ellen Weintraub recently posted compelling facts and evidence about the security of mail-in voting. She pointed out that secretaries of state, including in Iowa, are debunking the fraud conspiracy theories. In addition, the U.S. Election Assistance Commission has provided much analysis about the security of mail-in voting. 

Tune In for More on Voting Security 

Because I continue to find the topic so fascinating, I've talked extensively on my radio show with voting security experts. Together, we've covered everything from voting and election security and vulnerabilities to the mobile voting app issues my home state experienced during the Iowa caucuses. I will be doing more shows on voting security and fraud in the near future. See the "Voting Security" section of my radio page for links.
Mail-in voting is an ideal option for those unable or unwilling, especially during the pandemic, to go to a physical voting site. In the coming months, I have no doubt the debate will become even more heated.

Protecting Against SIM Swaps

While I wouldn't say having your mobile identity stolen is commonplace, it is something to be aware of, especially as so-called SIM swap incidents pose such incredible risks. (In October 2018, a SIM swap cost one man his life savings.)

The hacks work like this: A cybercrook contacts your wireless carrier pretending to be you, which is increasingly simple given the amount of personal data exposed in thousands of data breaches. The crook then convinces the carrier to switch the SIM card linked to your phone number, replacing it with a SIM card they own. Now that your phone number is associated with that SIM card, the crook will receive all of your incoming texts and calls on whatever device they insert the card into, typically a smartphone.

With our phones on us practically all the time, it makes sense for the phone number to become a unique identifier. Today, the 10-digit "code" is used for a wide range of things we do online, from setting up social media accounts and signing up for services to resetting our passwords with two-factor authentication. 

This has made the phone number a digital key to a person's private data castle. 

Unfortunately, SIM swaps aren't entirely preventable, but you can take steps to limit the chances that a SIM swap attack will happen to you. Wired magazine put together a good roundup of four fairly easy-to-deploy preventative actions:
  • Enable a passcode or PIN on your wireless carrier account. 
  • Consider using an authentication app instead of relying on text messaging for 2-factor authentication code delivery.
  • Remove your phone number as an identifier on sensitive accounts. 

Fresh Phish: Scammers Claim to Have Spied on Me
Yet another attempt to get me to click. 

Take a look at the below phishing attempt I received just days ago. Because it attempts to play on fear and employs the element of surprise, I anticipate many people will fall for this and similar messages.

The number of phishing attempts my business team and I have received in recent months has increased greatly. I received more phishing emails in the first week of April than I had received for the months of January and February combined!

Some have been very clever and convincing. Others look like the early types of phishing attempts first used in the late 1990s and early 2000s. 

Longtime cybercriminals, and people who seem to want to be cybercriminals, are getting into the phishing scams more than I've ever seen before.

Where to Find the Privacy Professor

On the air...

Do you have an information security, privacy or other IT expert or luminary you'd like to hear interviewed on the show? Or, a specific topic you'd like to learn more about? Please let me know!

I'd also love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, iHeart Radio and similar apps and sites.

Some of the many topics we've addressed... 
  • student privacy
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings in three of the four weeks' shows each month. If your organization wants to sponsor one show each month, I will cover topics related to your organization's business services and/or products.

In the news... 

Privacy Security Brainiacs

The Spies Who Eavesdrop on Your Work from Home: 

Advertising Now Available!

Tips of the Month is now open to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps.

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

Hungry yet? Let's eat cake!

In all seriousness, I hope you've been able to discover some new things about yourself, your family and our world that give you hope. Please continue to be safe and well. And, please be kind; appreciate how so many people are risking their health to provide services for others.

COVID-19 has put us all through a range of experiences we will never forget. In the words of Bill Gates, the pandemic will define this era.  (And no, the ridiculous conspiracy theories about him are not true.)
The data security and privacy community is doing its level best to ensure one of the outcomes is not the loss of our collective appreciation for privacy and protection. The more we know, and the more we speak out against sacrifices to both, the better off our generation and those to come will be.

Wishing you the best and lots of cheesecake,

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. June 2020 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
View our profile on LinkedIn     Follow us on Twitter