Many Ways to Be Heroic
May is anniversary month for the American Red Cross, which mobilizes volunteers for disaster relief all over the world. This got me thinking about heroes. 
When tragedy strikes, they run headlong into the danger. They push aside roadblocks (and human instinct) to save others at risk. They are unafraid to get their hands dirty, fixing a million small problems until one big one is solved.
Not everyone is called to be a hero in the strictest sense. Yet there are many ways to be heroic in our daily lives.
For instance, data security and privacy advocates are my heroes. Pushing against societal, political and legal roadblocks, this community forges ahead, unafraid to bring up the unpopular or inconvenient to effect change.
You can be a part of the movement, too. Just by staying aware of the risks to your security and privacy, you are making a difference. Even better if you share what you learn. And look, you've already started contributing by reading this email! Forward it on if you are feeling extra heroic today... 

Privacy Advocates Sound Off about Wireless Headphones
Lawsuit alleges unjust enrichment from the sale of customer data

Yet another Internet of Things (IoT) device is in hot water with consumers after allegedly collecting and selling data on their behaviors and preferences. A new lawsuit alleges that Bose, a manufacturer of wireless headphones, has been gathering its users' listening history through the app that pairs with its Bluetooth-enabled devices, and that it has been selling that data to third-party marketing companies.
How much can be gleaned from your audio history, you might wonder. Plenty, says the complaint:
... one's personal audio selections - including music, radio broadcast, podcast, and lecture choices - provide an incredible amount of insight into his or her personality, behavior, political views, and personal identity...
...When it comes to other types of audio tracks, the personality, values, likes, dislikes, and preferences of the listener are more self-evident. For example, a person that listens to Muslim prayer services through his headphones or speakers is very likely a Muslim, a person that listens to the Ashamed, Confused, And In the Closet Podcast is very likely a homosexual in need of a support system, and a person that listens to The Body's HIV/AIDS Podcast is very likely an individual that has been diagnosed and is living with HIV or AIDS...

The take-away for consumers: Be mindful of the apps you download and the permissions you allow.
The take-away for business: Transparency is key. Always ask for permission to collect data and be crystal clear about how you plan to use or sell that data.  
Are the Seniors in Your Life Safe?
Older individuals are prime targets for scammers
Criminals almost always take the path of least resistance, and hackers and other digital scammers often consider older individuals ideal victims for several reasons.
Among the traits that attract crooks are healthy bank accounts, established credit histories, and a deep love and generosity toward kids and grandkids that a scammer can play on. Add an ailment like dementia to the mix and older people become incredibly compelling targets.
Fortunately, there is a new tool against the phone-based version of this crime. A small device that plugs in between a landline phone and the wall jack can block recorded messages, silent calls and calls from unknown numbers. Keep in mind it does nothing about email, text or online scams, so the usual vigilance still applies there. I've not actually tried using this. If you have, please let me know what you think.

Tipping Your Hand to Fraudsters
Hackers crack PINs with data on wrist and hand movements

The smart devices many of us have attached (either literally or metaphorically) to our bodies may be giving away even more information than we thought.
Researchers at the Stevens Institute of Technology showed how attackers could use the motion data from a wearable device to infer the wearer's ATM PIN. Colleagues at Newcastle University showed the same about the way we tilt our smartphones when entering unlock codes.
How are they able to do it? According to Info Security, it's all about the sensors found in these devices. The motion and orientation sensors in smartphones and wearables (accelerometer, gyroscope and the like) can be read by apps, and often by web pages, without any permission prompt, and the resulting stream of hand and wrist movements is enough to narrow down which keys were pressed.
This is why building security and privacy controls into emerging smart and Internet of Things devices is so important. The data being sent may look benign or seem unworthy of protection, but criminals are crafty. They can do a lot with a little, especially when that "little" is data.
Consider, too, that many people use the same 4-digit code to unlock their phone, their house, their bank accounts and their work computers. So a criminal who unearths the code for one device or one account may now have access to several things. Use a different code for each, and a longer one wherever the device allows it.

VPN Is Not a Magic Bullet

The extra security is good, but not a sure thing

In the U.S., the FCC Internet privacy rule would have barred Internet service providers (ISPs) from selling or sharing their customers' browsing data without consent. Now that the U.S. Congress has repealed the rule before it ever took effect, many ISP customers are nervous and are, rightly so, looking for answers from their providers.

Here are few things to keep in mind as you research your own ISP and its plans for using and sharing your private data or confidential business data:
  • You will hear many people talk about installing virtual private networks (VPNs) to reduce the amount of data shared with an ISP. Understand this is not a complete fix. A VPN hides your traffic from your ISP, but the VPN provider now sees everything the ISP used to see, and VPN providers can sell your data, too. That data reveals a lot about you, such as when, where and how you are using the Internet.
  • Crooks pay attention to the hottest products and most in-demand apps. Be on the lookout for spoofed VPN services masquerading as the real deal.
  • You may be able to opt out of having your data tracked. Check with your ISP. While you're at it, read their privacy policy top to bottom. If something bothers you, ask questions.
I spoke about this on a recent visit to the CWIowa Live morning show studio. Have a listen!

Every Digital Move You Make is Recorded
Google automatically creates a search 'journal' for you  
If you're a Google or Android device user, every topic you search, every query you speak and every app you use can be recorded by Google in its My Activity log. And Google makes that data available to you (or anyone logged in as you) online.
Looking back at every digital move you've made can be eye-opening. If you're a Google user, check it out at:

According to Tech News Inc, the feature began in June 2015, meaning everything you have asked of Google since that time has been logged. You do have the option of removing any activity you want from this auto-populated journal.
It's also important to note the My Activity journal is far from comprehensive in describing the information Google has collected on you or anyone using your devices/accounts. And while you can delete entries from the log, that does not necessarily delete the underlying data from Google's servers. What Google retains, and for how long, is up to Google, and you should not assume any of it is gone.


Business Associates Have to Know HIPAA Inside and Out
Many of us in the health care compliance field have been warning organizations known as business associates (BAs) about the increased scrutiny examiners are placing on their HIPAA compliance activities.
Case in point: CardioNet, a BA that provides remote/mobile heart technology for patients, has been assessed a $2.5 million penalty for the impermissible disclosure of unsecured electronic protected health information (ePHI).  
Quick Overview:
In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member's laptop was stolen from a parked vehicle outside of the employee's home. The laptop contained the patient medical records of 1,391 individuals.
Mistakes that led to the breach and the resulting penalty:
  • The laptop contained clear text patient data (it should have been encrypted).
  • The laptop was left in a car (highly vulnerable to thefts).
  • CardioNet had insufficient risk analysis and risk management processes (which could have identified the risks).
  • CardioNet's policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented (so basically useless).
  • CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for patient records, including those for mobile devices (so workers had not received rules for protecting laptops).

Privacy Professor On The Road & In the News

On the road...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the events I have scheduled for the upcoming season.

May 23, 2017: Giving webinar, "Strategies for Effective 3rd Party Risk Management," sponsored by IT GRC Forum.

June 14, 2017: Giving webinar, "Building a Framework for Data Privacy and Protection in the Cloud," sponsored by IANS Research

July 27, 2017, 1:00 p.m. to 3:30 p.m. EDT: Co-Chair of The Internet of Medical Things: Balancing Benefits with Risks, hosted by the BioPharmaceutical Research Council, Princeton, NJ.

In the news...

Information Security Buzz

Credit Union Times

The CWIowa Live morning TV broadcast regularly covers privacy and security tips with its guest, the Privacy Professor! Each segment is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

Here is my most recent visit to the studio on April 10, during which we talked about the changes to Internet privacy law and some of the steps consumers might want to take to protect themselves. 

Questions? Topics?

Have a topic I should discuss on the CWIowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!

A birthday gift from my sons, complete with a handmade vase
Spring is here! As the grass greens up here in Iowa, I'm reminded of the cycles we experience in everything from weather to politics. Privacy and data security issues persist, though, and will be here for the foreseeable future. 

If you see something, share something. The more individuals we can mobilize to care about and advocate for solving the growing problems of data security and privacy, the better.  

Have a fabulous May,

Rebecca Herold
The Privacy Professor
Need Help?

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®

NOTE: Permission for excerpts does not extend to images.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter