Why are you getting this? You signed up to receive the Tips, asked to stay in touch with Rebecca and/or PSB, or consented to receive them. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

Note! We mistakenly published to many of our subscribers a draft version of the September Tips, which included content we did not intend to be included. We apologize for the error and any confusion this caused. Please see the final published version here. 

Security Starts Before Birth, and Privacy Issues Can Live on After You (or a Loved One) is Gone


Halloween is upon us and security goblins abound. But fear not. Here's the information you need to protect yourself and those around you.

My team and I receive many questions about protecting personal data and privacy from before birth through to and even after death.


  • People start posting news of births as early as sonograms and gender reveals!
  • Worldwide, the average life expectancy is about 73 years. When you die, your digital profile lives on.
  • Whether or not you have "skeletons in your closet" (forgive the Halloween humor), privacy (for yourself and your loved ones) must be addressed at all times, and in all phases of life.


Thank you to the many readers who sent us messages about the September Tips. We read them all!

Do you have stories, examples, or concerns about the topics covered in this issue that you would like for us to provide feedback on? Send them over! We may discuss it in an upcoming Tips.


We hope you are finding all this information valuable. Let us know! We always welcome your feedback. 

Rebecca


We would love to hear from you!

Did you find the tips we provided useful? Did you like this issue? Do you have questions for us to answer? Please let us know at [email protected].

Here are more memorable moments from my travel to national parks with my son.

Monument Valley in Arizona.

This iconic view was in a famous scene in the movie Forrest Gump.

Hiking the North Rim of the Grand Canyon in Arizona

My son also enjoyed hiking the North Rim of the Grand Canyon in Arizona

October Tips of the Month

  • Monthly Awareness Activity
  • Privacy & Security Questions and Tips
  • Data Security & Privacy Beacons*
  • Privacy and Security News
  • Where to Find the Privacy Professor

Monthly Awareness Activity

October is Cybersecurity Awareness Month! Kicked off in the U.S. in 2004, it's now recognized worldwide.


The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) lead collaborations between government and industry to raise cybersecurity awareness nationally and internationally.


The 2022 theme is, “See Yourself in Cyber,” which emphasizes that ultimately, cybersecurity is all about, and depends upon, individual awareness.

 

What can you do to raise awareness in your own organization and community? Here are just a few of the many proven-effective activities we have successfully planned and launched over the past 30+ years.

 

  • Invite guest speakers to give presentations and interactive workshops about information security and privacy topics. Great speakers and/or engaging topics make long-lasting impressions, and raise awareness for many months, and even years! The first event I organized (in the 1990s) featured Clifford Stoll. Listen to his recent conversation with Rebecca here. Consider pointing to it as part of your activities.
  • Everyone loves clever snacks. Distribute food items with awareness taglines. For example, “Maintaining Privacy is Sweet” can be a message on a bag of candy. Or you can label cans of SPAM with a sticker that says, "Identify spam trying to get into your devices."
  • Non-food swag can be effective too. How about flashlights with labels that say, “Spotlight information security and privacy?” They are useful AND memorable.
  • Show movies related to and supporting information security and privacy. For example:
      • "The Billion Dollar Bubble" with James Woods highlights the need for internal controls to prevent fraud.
      • "The Brave Little Toaster" reminds us of IoT privacy and security risks.
      • Watch The Circle with a group and analyze how it's realistic in terms of privacy and security threats and what's technically impossible.
  • Listen to a podcast about privacy or cybersecurity. Of course, we would love for you to listen to all the episodes of Data Security & Privacy with the Privacy Professor!

Rebecca includes a list of 250 security and privacy awareness activities and resources within her book, "Managing an Information Security and Privacy Awareness and Training Program." If you’d like more ideas, check it out.

Have your own ideas for Cybersecurity Awareness Month? Let us know!


Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

October 2022

Here are a few of the questions we’ve received over the past several months that cover situations that could occur at various points in everyone’s lives. We’ve received many! Was this information interesting and/or useful to you? Please let us know! Also, please keep your questions coming!

Q: Why can first responders, police, and journalists legally film and take photos of fatal car crashes, and other types of victim scenes and release them publicly? That seems like a huge privacy invasion. 


A: We agree that the public distribution of (often disturbing) images can bring distress to victims' families and friends. However, the media and self-proclaimed influencers love the fact that lurid content drives web traffic.

Sadly, few laws throughout the world protect the privacy of the deceased. And in the U.S. no federal law applies to post-mortem privacy protection across entities. Let’s consider the applicable laws, though. Some industry regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) apply to healthcare covered entities and their business associates. HIPAA has general restrictions on releasing protected health information (PHI) for 50 years after death.


Privacy laws specific to each state that cover the deceased vary greatly. They generally cover privacy as applicable to property rights, and also the use of photos within state-issued documents, such as drivers' licenses.


The concern over the lack of post-mortem privacy rights has been growing as the posting of images online has been increasing, as witnesses of crimes or accidents become "self-appointed journalists" via social media. 


This may soon be changing, though, as high-profile cases are settled for large amounts when images of celebrities and government figures after their death are shared inappropriately with others. For example, in March 2021, Vanessa Bryant sued the County of Los Angeles, the Los Angeles County Sheriff’s Department, the Los Angeles County Fire Department, and collectively the individual fire department and sheriff’s department deputy defendants seeking damages to remedy violations of rights under the United States Constitution and for negligence and invasion of privacy pursuant to California law.


On August 24, 2022, a federal jury ruled that Los Angeles County must pay Vanessa Bryant $16 million for emotional distress caused by deputies and firefighters sharing photos of the bodies of NBA star Kobe Bryant and his daughter taken at the site of the 2020 helicopter crash that killed them. The jury deliberated for 4 1/2 hours before reaching the verdict. The nine jurors returned a unanimous verdict that the photos of the remains of Kobe Bryant and their 13-year-old daughter Gianna invaded her privacy and brought her emotional distress. Bills regarding releasing images of the dead are now being considered in several states. 

Q: How can I protect my baby’s privacy? It seems like everyone was asking for her data as soon as she was born! 



A: Criminals love obtaining children’s personal data; the younger the better! Why? Because most victims will not discover the crimes until many years later, typically in their mid-teens when they get their first car, job, or credit card. That gives criminals 10-15 years to commit identity fraud, and other crimes, using children’s personal data with a much lower risk of getting caught. The damage has been done to the children, though. They often start their financial lives with bad credit right out of the gate, as a result of misuse of their information.


Here are a few actions you can take to dramatically decrease the risks to your newborn:

  • Don’t post publicly-accessible photos or recordings of your newborn or young child to social media sites. Ultrasounds and gender reveal images (depending on how much is revealed!) can also create issues. If you want to publish to show to specific family and friends, then make sure you change your settings to allow only those specific individuals to view. And also disallow reposting by those individuals.
  • Don’t use “smart” IoT baby monitors, security cameras, and other devices in the environment where your baby is located. The old-style monitors collect less (or no) data. Or, if you can't resist a smart monitor or security camera, check the privacy policy and cybersecurity capabilities to ensure you have controls for restricting the IoT product’s collection, sharing, storage, and deletion of data. Make sure the product logs everyone that accesses the data, as well as everyone who makes, or tries to make, changes to the configuration. Personal data should ideally only be stored locally (within one of your home computing devices) for even more privacy protection.
  • Secure your wi-fi routers to ensure unwanted interlopers do not get into your house through an unsecured wi-fi router, and then get to your other devices, to steal data. Compromised data can include information about and images of your children and entire family and visitors.
  • Set up a search engine (e.g., Google, DuckDuckGo, Bing, CC Search for copyrighted free content, StartPage, SearchEncrypt, etc.) alert for your baby’s name. Look into any suspicious posts that you subsequently find.
  • Check your child’s credit reports regularly. Request a report from one of the three major credit reporting agencies (CRAs) every 4 months, rotating to a different CRA each time so that you cover all three every year. And, freeze your baby’s credit to help prevent most financial-related identity frauds.
  • Secure all your baby’s personal information, in digital and hard copy forms.
  • Don’t post anything about your baby online that is embarrassing to them, or could come back to haunt them through rejected school enrollments, lost scholarships, rejected job applications, and unapproved loans.
  • Never use your baby’s, or other children’s or family members’, personal information to commit crimes. For example, submitting a claim for a government benefit available to adults using your children’s names is irresponsible and illegal. 
  • Educate your pre-teen and teenage kids about cyber-security and privacy.

Q: I'm over 70 and suspect many people my age have the same challenges regarding medical care and privacy. I saw two different orthopedic surgeons for an ongoing shoulder issue. I decided to see a third specialist and wanted my x-rays transferred to them. The two physicians sent me a forms release document via e-mail, but the form isn't editable using the technology I currently own. I suspect that other patients (especially those of us who grew up in the analog era) have this challenge. How can I get high-quality and timely medical care without investing in state-of-the-art technology and devices?

 

A: Let’s start with the legal requirements of healthcare covered entities (CEs), which include healthcare providers of all sizes, down to single-professional practices.


HIPAA established a “Right of Access” for patients and insurers to obtain a copy of their protected health information (PHI), which includes x-rays.


The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has been very active in applying penalties over the past three years against CEs for not fulfilling this requirement. In fact, on September 20, the OCR announced three more penalties applied against dental practices for not complying with the right of access requirements.

  • Family Dental Care, P.C. (FDC) in Chicago, Illinois. FDC must pay $30,000 and implement a corrective action plan (CAP).
  • Great Expressions Dental Center of Georgia, P.C. (GEDC-GA), is a dental and orthodontics provider with multiple locations throughout the state of Georgia. GEDC-GA must pay $80,000 and implement a CAP.
  • B. Steven L. Hardy, D.D.S., LTD, doing business as Paradise Family Dental (Paradise) in Las Vegas, Nevada. Paradise must pay $25,000 and implement a CAP.


Access must be provided in a timely manner (within 30 days, with a possible extension of an additional 30 days). The covered entity (CE) must provide the individual with access to the PHI in the form and format requested by the individual if it can. If it is not readily producible, then the PHI must be provided in a readable hard copy form, or other form agreed to by the CE and the individual.


Additionally, if the requested PHI is digitally maintained in one or more designated record sets, and if the individual requests an electronic copy, the CE must provide the individual with access to the PHI in the digital form requested by the individual, if it is readily producible. If it is not readily producible, it must be provided in a readable digital form agreed to by the CE and individual.


The CE may also provide the individual with a summary of the requested PHI in lieu of providing access to the protected health information or may provide an explanation of the PHI which was requested, but only if:

  1. The individual agrees in advance to such a summary or explanation AND
  2. The individual agrees in advance to the fees imposed, if any, by the CE for such summary or explanation. CEs have been fined for overcharging, so be confident and protect your consumer rights.


If your rights under HIPAA are being denied, or your health information isn’t being protected, you can file a complaint with your provider or health insurer, and/or file a complaint with HHS here.


If your physician's office mailed you the PHI, in a form to which you agreed, that's great! However, they are obligated by law to work within your technology needs.

Q: A bouncer at a bar cut up my ID claiming it was fake. It wasn’t fake. I’m 24 and I’m proud to have lost 110 pounds since that photo was taken. What can I do?


A: It depends on the location where this occurred and their associated laws.

In the U.S., Canada, and other countries, the destruction of a government-issued document is a crime.


I understand that in Canada, a driver’s license is considered personal property, and as such, the bouncer could possibly also be convicted of theft. In the U.S. this would depend upon the state where the incident occurred. This could also fall under the definition of “vandalism” in some jurisdictions.


You could:

  1. Contact the bar, or have your lawyer do so, explain the situation, and ask to be compensated for the cost of replacement for the driver’s license, and any additional costs as advised by your lawyer.
  2. Consider pressing charges, as applicable to the jurisdiction where the incident occurred and depending on the outcome of #1.

Q: My daughter (5th grade) wants to take a DNA ancestors test for extra credit at her school, as part of a social studies class. The data from students will be compiled into a report, using an app. My daughter loves getting extra credit, so what should she do to help protect her privacy?


A: Congratulations on having a child who loves to learn! We understand her enthusiasm. There are many concerns with this, though. Ask her teacher the following questions:

  • What DNA test is going to be used? Ask to see a copy of the associated privacy policy. Read it carefully and make sure you have the right to delete all the data produced by the test after the test results have been delivered to you and before any of this data is shared with any other entities. If not, then we wouldn’t agree to do this. DNA results are increasingly being used for more and more purposes. Some of these uses have had good results, such as catching murderers. However, they have also had bad results, especially when the test results are incorrect, and none of those consumer-grade tests are completely correct.
  • What data is going to be requested to be reported through the app? What app is being used? Ask to see a copy of the associated privacy policy. Read it carefully and make sure you have the right to delete all the data collected and derived by the app, after the app reporting results have been delivered to you, and before any of this data is shared with any other entities. If not, then we wouldn’t agree to do this.
  • Who in, and outside of, the school will get a copy of each student’s app report, and DNA results? Will the teacher summarize all results, and then destroy each individual student’s associated personal data and report? Prior to any sharing with others? The only purpose for collecting this information is for the extra credit activity. So, that data should not be used for any other purpose and should be destroyed as soon as it is no longer needed. 

Q: I’m considering using medical cannabis to relieve my chronic pain. However, my parents (in their 70s) and my children (in their 20s) are telling me that doing this could lead to ridicule and that those records are not protected by HIPAA. Is that really true?


A: That's a very timely question! The answer is that it depends primarily on your source of medical cannabis, whether you got a prescription from your physician, and what state you are in.


My October Data Security & Privacy with the Privacy Professor podcast episode is about cannabis security and privacy, with Michelle Dumay, who has discussed this topic with me in 2018 and 2019; see more below. We cover this topic at length. Ultimately, the decision is up to you. If cannabis relieves your chronic pain, consider ignoring your family and make the best choice for yourself.

Data Security & Privacy Beacons*

People and places making a difference


*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Privacy & Security News

Visit the PSB News Page often!

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other useful information on our site. Our goal is to post 3-4 times a week. We’d love to also see your comments and thoughts on our posts.


We have added a large amount of news on our three news pages since the last Tips! We have our all-topics Privacy & Security Brainiacs News Page. It contains news grouped by each month, and within each month by specific topic. We also have a separate news page for IoT security and privacy news. You can see it here. And, we have a huge amount of news for Log4j security and privacy vulnerabilities, patches, exploits, and everything else related, here.

Training Classes

HIPAA Basics for Business Associates is getting great reviews!


Clients who took “HIPAA Basics for Business Associates 2022” have told us they have learned about issues that were not covered in other classes they’ve seen and taken. They also have found the real-world examples particularly helpful in not only identifying where they need to beef up their own HIPAA compliance practices, but also in helping them see where they, and their family member and friends in the U.S., have rights under HIPAA that they didn’t even know about before.


NEW!


We also are in the pilot phase of our first new Master Experts education classes, with the brilliant Dr. Mich Kabay, who created and was the former director of the NSA-accredited Norwich University Master of Information Security and Assurance Program, as our first Master Expert in residence. His first class being offered is Secure Coding, and his second class is Software Quality Assurance.


Now would be a perfect time for you and/or your colleagues and cybersecurity and privacy pros to take these classes. Students receive certificates showing 2 continuing professional education (CPE) credits per class. The certificates will also reflect how well you did in the class, and much, much more. Ask us about our deeply discounted beta testing user pricing.

Register Today!

Where to Find the Privacy Professor

See our Privacy & Security Brainiacs page for our business in the news!


Did you miss attending the in-person FutureCon Des Moines event on September 8? You can view Rebecca’s session, leading a discussion with prominent CISOs in different industries here.


Did you miss attending the online September 13th ISACA event presented by Rebecca, “Post-Dobbs Privacy & Compliance”? The controversial Dobbs decision, overturning Roe v Wade, is the topic for this provocative online session, covering implications for HIPAA compliance, employee security and benefits, and privacy of women's health data. You can view the recording for free, but registration is still required. Just click on the link below. 

Register HERE!

Rebecca's Radio Show

If you haven't checked out Rebecca's radio show, Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of real-world topics within the data security and privacy realm.





First aired on Saturday, September 3rd, 2022

Marci Andino

Free Election Security Help for All U.S. States & Territories









Next Episode

First airs on October 1, 2022

Michelle Dumay

Wacky Tobaccy and Privacy 

Popular guest and medical cannabis security and privacy expert Michelle Dumay returns for this fourth in a series of shows about personal data privacy and security risks involved with cannabis sales, and discusses current laws.




Permission to Share


If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:


Source: Rebecca Herold. October 2022 Privacy Professor Tips.  www.privacysecuritybrainiacs.com


NOTE: Permission for excerpts does not extend to images.


Privacy Notice & Communication Information


You are receiving this Privacy Professor Tips message as a result of:


  1. subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com;
  2. making a request directly to Rebecca Herold; or
  3. asking Rebecca Herold to be a connection on LinkedIn.


When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message to each of them when accepting their invitations. That message states that each month, to support the LinkedIn networking purpose and goals, and to stay in touch with her links, she sends her LinkedIn connections one security and privacy tips message via email each month. If they do not want to stay in touch with her in this way, LinkedIn connections are invited to let Rebecca know they do not want to get email messages from her by responding to that LinkedIn message or contacting her at [email protected].


If you wish to unsubscribe, just click the Unsubscribe link below.