In Like a Lion, Out Like a Lamb 

Before the week is out, it'll be March. Yay! In my neck of the woods (central Iowa), we can't wait for spring. We've had more than 25 inches of snow... just this month! 

The old saying that March comes in like a lion and out like a lamb reminds me a lot of the technology we've let into our lives, just in reverse. We download apps, add smart devices to our homes, join new social networks... all with the notion we are in charge. And yet, so often there are data predators lying in wait, licking their chops at the prospect of dining on our delicious data. 

Technology: In like a lamb, out like a lion.

Of course, the news isn't all bad, and we've rounded up a set of admirable companies, organizations and individuals to reassure you there are people out there going above and beyond to protect us and our most private information. 

Read on to learn some of the latest risks to your data security and privacy, as well as hear about the beacons of data security and privacy setting a new standard for excellence. 


us  Data Security & Privacy Beacons
4 data privacy stewards deserving of our admiration

NATO organized a dramatic internal awareness activity that really got its service members thinking. The agency catfished its own people! The test was to see  how much they could influence soldiers' real-world actions through social media manipulation. The entire exercise cost $60!

Accenture has not only studied the issue of employee data vulnerability, but has prepared a 3-point framework for how employers can protect employees. It's great to see an organization addressing privacy beyond customer data.

A Stanford student found and reported a huge security and privacy flaw in the university's student records system. Concerned that the Social Security numbers of other students were accessible to anyone with the right knowledge on web development, the student spoke up. This is an excellent example of "See Something Say Something" done right. 

Julie Rinehart at CVS Health (you may recognize her as one of our 2018 Privacy Heroes!) is doing amazing and creative work to get CVS employees engaged in the security effort.  Custom Valentine candies for staff is just one recent example (see photo below)

hero2Social Media Scandals           
Internet giant vulnerabilities exposed, penalized

Technology firms continue to find themselves in hot water over careless mistakes, and sometimes what appears to be wanton disregard, over data privacy protections. Here's a quick roundup of just a few news items from Facebook, Twitter and Apple's Facetime. 

Germany and Great Britain Lower Boom on Facebook

A 3-year investigation by German officials concluded  Facebook "abuses a dominant market position" by making users consent to having their data shared across other apps, namely  Instagram  and WhatsApp. The finding likely added to the government's decision to prohibit Facebook from combining user data from different sources.

At the same time, a British parliamentary committee, which also conducted an investigation into Facebook, found the Internet giant has broken data privacy and competition laws. As a result, the committee is calling for new regulations that could potentially impact the entire technology industry. 

FaceTime Bugs Lets Callers Hear You Before You Answer

Have you ever chosen not to take someone's call and then hoped they weren't across the room watching you ignore it? Well, a vulnerability in Apple's FaceTime, the video calling app, enabled something pretty similar. The bug let callers listen to the conversations of the people they called, even if you they didn't answer the call! 

And Then There's User Error...

It isn't always a known vulnerability or bug in social media that gets people into trouble. Sometimes, it's their own irresponsible use of the technology. Take the president of Brazil, for instance. He and his son recently published images that could expose the country to cyber attacks. Read more about the incident on A Agencia,including my comments on some of the risks (You may need to use your browser's translator if you require English language.).

votesHow Much Do You Know about Your Student's Data?
Recently weakened laws have made it easier to access the data of children 

When originally passed, the U.S. Family Educational Rights and Privacy Act (FERPA) prohibited schools from sharing student data with government agencies. That protection has since changed. 

Today, student data can be shared with anyone authorized by a school district, including for-profit companies.  Most concerning of all, this data can be shared without parental permission or even notification. 

The other thing to keep in mind is that the school may not even be aware of all the ways student data is being collected on children within their systems. Google, for instance, has admitted to mining the data of students who use their educational apps. 

In many cases, there may be legitimate use of student data to make the educational lives of children better. But for every ethical use of data, there are 100 unethical, (perhaps even criminal) ones. See the  story below for one such circumstance. 

What can parents, caregivers and guardians do? 

First, ask questions of your school administration, including what data is collected, how it is stored and with whom it is shared. You may be surprised at the answers. 

Second, check out the latest report from The  Parent Coalition for Student Privacy  and the  Network for Public Education  (of which I am a proud member). It takes a state-by-state look at the strength of data protections in schools. 

Want more?

Randi Weingarten, president of ABT and a passionate privacy in education advocate, was a  recent guest of my radio show, Data Security & Privacy with The Privacy Professor. 

Two additional guests, Leonie Haimson and Marla Kilfoyle, talked on a separate show about creating the "Educator Toolkit" to mitigate teacher and student privacy risks. 

Listen to the archived episodes anytime; the shows are available at the Voice America website and on nearly every podcast app imaginable.

ftcScam Targets International Students in the U.S. 
Crooks pose as embassy agents, extort students for money
In the U.S. state of Ohio, a university student from China began receiving ominous phone calls from people who pretended to be with the Chinese embassy in New York. The callers threatened to turn the student into the FBI for fraud if they didn't receive money. 

The student rightly called the police to report the calls. Unfortunately, he had already transferred $54,000 to the scammers

International students are increasingly under attack from fraudsters taking advantage of the U.S. political climate, in which ongoing immigration debate has created a fear of unjust deportation in many communities. 

If you know an international student in the U.S., share this warning with them, along with the following red-flags and tips:

Government agencies in the U.S. will not call students regarding suspected fraud, tax bills or fines. Nor will they  require you to pay fines or bills immediately. Government offices will never require you to purchase gift cards, go to Western Union or ask you how much money you have available. 

If you get a call from someone saying they are from one of these agencies, follow these steps:
  1. Ask what the call is about. Take specific notes about what the caller is saying and requesting, and if you can record the conversation, even better. 
  2. If the caller threatens you, say you will call back with your attorney. The scammer may say you are prohibited from disclosing the conversation with anyone, even your lawyer. That is not correct. 
  3. Get the self-proclaimed agent's full name, agency, government ID and direct phone number. If the caller refuses to give you this information, it is probably a scam. Hang up. 
  4. Report the incident in one or more of the ways recommended by the FBI
Look out for LinkedIn look-alikes
A university president from my home state of Iowa was recently impersonated on LinkedIn . The scammer behind the look-alike profile secured several LinkedIn connections and then asked for money... in the form of $500 iTunes gift cards. The scammer would then ask for the victim's bank account information so they could be paid back. 

There are several things you can do to reduce the chances of someone using your name or likeness on LinkedIn:
  • Once each quarter, perform a LinkedIn search of your name. Search not only for your full name, but also common nicknames associated with it. Check to see if any of the resulting accounts, aside from your own legitimate profile, display your photo. Also check their posts to see if they are similar to yours and how many people they are connected with. New fake accounts often have 0 to just a few connections.
  • Capture images, such as screenshots, photos, and/or videos of the false identity and save them, along with the date and time, in case you need them later. (See below for the screenshot I took today of a my own look-alike profile. Notice it used a nickname I never do, but could fool someone who didn't know me well. I'll certainly be keeping my eye on this account.)
  • If you believe someone is attempting to impersonate you, report it to LinkedIn by following these steps: 
    1. Click the "More" icon on your profile.
    2. Click "Report/Block."
    3. Select "Report this Profile" in the "What do you want to do?" pop-up.
    4. Select the applicable reason for flagging the profile in the "Describe the situation" pop-up.
    5. Click "Submit" to complete the report or "Back" to review your options.

 easyA Class You Won't Want to Miss
SecureWorld Expo course on tools that prevent privacy missteps
I'm so excited to be hosting another SecureWorld Expo class in May. If you are planning to attend the conference, or to be in the Kansas City area on May 7, I hope you'll consider sitting in. 

If you can't make this one, keep an eye out for this class at  future SecureWorld  Expo  events throughout the year.  I'd love to see you at one of these classes in 2019!

Here's a bit of what you can expect...

This course will provide an overview of privacy frameworks and techniques to support a privacy program and to perform a privacy impact assessment (PIA). 

Attendees will receive:
  • An overview of the most widely used privacy frameworks, along with an update on the NIST privacy framework currently under development.
  • Training on how to recognize and distinguish between privacy risks and privacy harms.
  • A richer understanding of tools and methods to mitigate privacy risks and harms that also support legal requirements for personal information protection.
  • An overview of how to perform a PIA and to identify the associated risks and harms mitigation actions.
  • A walk-through of several PIA case studies.
GET INVOLVED: I'm honored to be a part of the core working group developing the NIST Privacy Framework, which is coming together in stages to enable the greatest amount of feedback from the public. Please take a moment to review our working drafts and let us know what you think.

womenMarch is Women's History Month   
Let's celebrate the many female leaders who have improved security
In addition to marking the beginning of spring in the Northern hemisphere, March also honors the contributions of women throughout history with  Women's History Month.
Not coincidentally, the theme for this year's SecureWorld Expo shines a light on Elizebeth Friedman, whose contributions to cryptography and code-breaking have long been overlooked, or in too many cases, dismissed. 
I will be dedicating one of my March radio shows to Elizebeth Friedman and her contributions. Please be sure to tune in, and if you have suggestions for other women I should discuss on shows this month, give me a shout!

PPInewsWhere to Find the Privacy Professor  

In the classroom... 

On the road...
If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get it touch

On the air... 


I'm so excited to be hosting the radio show  Data Security & Privacy with The Privacy Professor on the  VoiceAmerica Business network . All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, and similar apps and sites. 

Hear the perspectives of incredible guests as they talk through a wide range of hot topics.

Some of the many topics we've addressed... 
  • identity theft
  • medical cannabis patient privacy
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen,  let me know what you think ! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

In the news... 

A Agencia

Enterprise Security


Nerd Wallet


Tech Target

USA Today

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world for since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! T here are time and hard dollar costs to producing the Tips each month, and every little bit helps. 

3) Share the content. All of the info in this e mail is sharable (I'd just ask that you follow

Hopefully the weather is perfect where you are, and not causing you any headaches or wish for change. We'll keep our fingers crossed here in the U.S. Midwest that the snow will begin melting soon. 

So many of you have reached out to ask if you can share these tips with your own audience, and I always respond with a resounding Yes! That's the entire purpose behind this monthly email, so please, share far and wide. (See more about this in "Permission to Share" below.)

Here's to a wonderful spring, wherever you are,

Need Help?

share2Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share  excerpts, as well, with the following attribution:

Source: Rebecca Herold. March 2019 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Infoprivpolicy

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at [email protected]

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter