Real Consequences of Overzealous Data Collection
Retailers, tech giants, hospitals, app developers, marketers, law enforcement, government agencies - the list of those clamoring for every scrap of consumer data and the associated intelligence goes on.

I couldn't help but see parallels between today's overzealous data collection and the seemingly obsessive collections of Alex Jordan when I recently visited the eccentric's famous House on the Rock . (The pictures below come from that trip).

Jordan could never have enough; he even reportedly said so. Even when his collections threatened the peace and tranquility of his home, he just had to have more.

While data collection has been around for decades, the exponential power of computers and the sheer amount of data we can throw at them is relatively new (and also growing exponentially). So, too, is the massive and growing Internet of Things. And we're starting to see the fallout, including data breaches, credit card compromises and rampant identity theft.

But all of those consequences are creating one good thing - awareness. The more we know about the ways our data is procured, the better able we are to make decisions about sharing it.
Awareness is key to maintaining our data security and privacy. It's the reason for this "heads up" email. Thank you so much for reading!


Equifax Creates a Series of Breach Blunders

Just when you think it can't get worse...

Aside from failing to patch a publicly known vulnerability (a flaw in the Apache Struts web framework for which a fix had been available for roughly two months) that ultimately led to a breach exposing the private data of 143 million people, Equifax committed a series of embarrassing (and avoidable) mistakes.

Here are just a few that serve as cautionary tales. Quiz your teams - could this happen at your company?
  • Equifax did not have enough bandwidth - human or tech - to handle the massive surge of inquiries. As a result, calls went unanswered, or worse, were handled by uninformed customer service reps, and its "security freeze" website went down.

  • In addition, Equifax asked impacted consumers to return to the site - sometimes weeks later - to complete the credit monitoring enrollment process. When they did, many reported broken web forms and downed sites.

  • Although Equifax was not responsible for the creation of a look-alike phishing site, copycat domains are a common tactic in circumstances like this. The company was apparently unaware of it, though, as its own support staff directed customers right to the fake site, presumably by accident. It goes to show: you need to validate every site you advise customers or clients to visit, and ideally register the obvious variations of your own domain before a crisis, not after.
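
As an added example (not Equifax's code, and not something from this newsletter), here is a small Python pre-publication check an organization could run over a draft customer notice. Every link is compared with an allowlist of domains the organization actually controls; links that are not on the list but closely resemble one (the same words in a different order, the same name on another top-level domain, or a punycode hostname) are flagged as look-alikes, and allowlisted links that are plain http rather than https are flagged too. The domain names, the allowlist and the sample message are made up for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Hypothetical allowlist: domains the organization actually registered and
# controls. A real one should be generated from registrar/DNS records, not typed.
OWNED_DOMAINS = ("example-bank.com", "breachresponse-example.com")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host):
    """Reduce a hostname to its last two labels (www.example-bank.com -> example-bank.com).
    Naive on purpose: a production check should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _words(label):
    """Split a second-level label into word/number runs: 'breach-response2017' -> ['breach', 'response', '2017']."""
    return re.findall(r"[a-z]+|\d+", label)


def classify_link(url, owned=OWNED_DOMAINS):
    """Return (verdict, domain, note).

    verdict: 'ok'        - https link to an allowlisted domain
             'http'      - allowlisted domain, but the link is not https
             'lookalike' - not allowlisted but resembles one (transposed words, other TLD, punycode)
             'unknown'   - not allowlisted and not obviously related
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""          # urlparse lowercases the hostname for us
    domain = registrable_domain(host)
    if domain in owned:
        if parsed.scheme.lower() != "https":
            return ("http", domain, "allowlisted domain, but the link is not https")
        return ("ok", domain, "")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("lookalike", domain, "internationalized (punycode) hostname; check for homoglyphs")
    sld = domain.rsplit(".", 1)[0]        # second-level label, e.g. 'example-bank'
    for good in owned:
        good_sld = good.rsplit(".", 1)[0]
        if sld == good_sld:
            return ("lookalike", domain, f"same name as {good} on a different TLD")
        if sorted(_words(sld)) == sorted(_words(good_sld)):
            return ("lookalike", domain, f"same words as {good} in a different order")
        if SequenceMatcher(None, sld, good_sld).ratio() >= 0.8:
            return ("lookalike", domain, f"closely resembles {good}")
    return ("unknown", domain, "domain is not on the owned list")


def check_message(text, owned=OWNED_DOMAINS):
    """Classify every http(s) link in a draft message. Returns [(verdict, domain, url, note), ...]."""
    results = []
    for url in URL_RE.findall(text):
        verdict, domain, note = classify_link(url, owned)
        results.append((verdict, domain, url, note))
    return results


# Constructed draft notice with one good link, one http link, one transposed
# domain and one unrelated link.
SAMPLE_MESSAGE = """\
Affected customers can enroll at https://breachresponse-example.com/enroll
Help is also available at http://www.example-bank.com/help
Or try https://example-breachresponse.com/enroll (typed from memory)
Unrelated coverage: https://news.example.org/story
"""

if __name__ == "__main__":
    for verdict, domain, url, note in check_message(SAMPLE_MESSAGE):
        print(f"{verdict:9} {domain:30} {url}  {note}")
```

Run this over every draft tweet, email or web page before it goes out; anything other than `ok` should be corrected or explained by a human, and the allowlist itself should be owned by whoever manages the organization's domain registrations.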
Face ID Presents a Double-Edged Sword
Biometric feature offers protection, but also risk
iPhone fans are very excited about Face ID, the new facial recognition feature that allows users to unlock their phones simply by looking at the screen.

What they may not be considering is the feature's risks, namely being compelled by law enforcement to use your face to unlock your phone. In the recent past, courts have ordered defendants to provide their fingerprints so law enforcement could access their iPhones' contents. The same, says CNET, could happen with faces. That's because courts have ruled that biometrics such as fingerprints, unlike passwords, are not protected by the U.S. Constitution's guarantee against self-incrimination.

TIPS FOR YOU: Do not rely on facial recognition alone to keep your data private. Face ID requires a device passcode as a fallback; make it a strong one (a longer alphanumeric passcode rather than four or six digits), because the passcode is what ultimately protects the phone. If you're worried about law enforcement requests for access, a passcode, unlike a face or fingerprint, has so far been treated by courts as protected. Additionally, make sure your phone data is encrypted (I do!); on an iPhone this is on by default once a passcode is set. 

A wooden leg with a gun attached once used in the old west of the U.S.
We might consider this one of the earliest medical devices.
(Seems they posed just as much of a personal security risk centuries ago as they do today!)
Good to Know: 5 Emerging Threats

Quick roundup of personal security risks 
iPhone users can now restrict any app's access to their location to "While Using the App" (a change in iOS 11), but they need to take action to do so. Change your settings today.

Be careful when buying pets through classified ads; many are scams! This is a growing threat, as more people are looking for their pets online.

A two-part ATM skimming scheme is circulating at ATMs in the U.S. Be aware and report anything suspicious you see at these machines. (Thanks to Scott Schober for contributing this!)

Ultrasonic voice commands, inaudible to humans but picked up by device microphones, could one day be used to attack Siri, Alexa and other voice-enabled devices. Keep a close eye on system patches for all of your connected devices. (Thanks to SecureWorld for providing this news!)

Celebrity contact information is for sale on the web, thanks to an Instagram flaw. Don't be fooled by the stardom aspect: average Joes and Janes on Instagram could be victimized just as easily. 

Natural Disasters Serve as Reminders
Physical security just as important as virtual

Recent hurricanes and earthquakes have brought home a very real danger - physical security of data. With so much emphasis on cybersecurity, it can be easy to overlook the physical threats facing our systems, networks, and of course, the data they house.

I often hear business owners claim to have this covered because "It's all in the cloud." That may be, but consider "the cloud" isn't some virtual warehouse floating in the sky. The cloud is a collection of physical servers sitting in buildings somewhere. Are those buildings secure? What happens if they are damaged or destroyed? 

These are critically important questions every business owner should ask of their cloud providers.

TIPS FOR YOU: Don't forget about your vendor partners. How far into the cloud are their heads? Chances are they also rely on physical servers to store and create backups of your data. Are those servers secure, and are the backups kept in a separate location so that a single flood or fire can't destroy both the original and the copy?

WARNING: Put your antenna up to avoid scams related to disaster relief. While it's beyond despicable, crooks continue to play on emotions and goodwill during times of tragedy. 

Recent incidents raise important concerns 

On the heels of breaches at Equifax and other financial entities like Wells Fargo, the Securities and Exchange Commission (SEC) announced it, too, had been attacked.

In its coverage of the incident, the New York Times raised an important question:

Will the recent onslaught of breaches targeting banks, credit bureaus and regulatory bodies "intensify concerns over potential computer vulnerabilities lurking among pillars of the American financial system?"

Consumer trust has been shaken, there is no doubt. When will the financial community begin to see the results of these concerns, and how deep will the impact go? Are we starting to see, as NY Times writers Alexandra Stevenson and Carlos Tejada suggest, the "underbelly of the internet" joining forces with the "darker corners of Wall Street?"

TIPS FOR YOU: Ask tough questions of your bank, credit union, financial advisor, insurance broker - anyone within arms' reach of your finances. How are they keeping your personal data safe? If you don't get sufficient answers, take your business elsewhere. 

October event acknowledges something real to be scared about   
Frightening masks, haunted house tours and scary ghost stories will thrill us all month long as we prepare for Halloween. But as you're enjoying the entertainment, consider stopping every now and then to acknowledge another of October's notables - Cyber Security Awareness Month.

Here are a few ways you might consider celebrating:
  1. Host or participate in a paper shredding event.
  2. Look into obtaining cyber liability insurance (NOTE: I will have a big announcement about this in next month's Tips!).
  3. Coordinate or take part in a phishing competition, rewarding employees who spot and report decoy emails.
  4. Update your software to patch security and privacy vulnerabilities.
  5. Create or update a data breach response plan.

It continues to impress me how much expertise exists within this email's readership. Some incredibly smart people belong to this community. And that brings me to something that's been on my mind...

Professionals with years of experience in their fields can forget to keep it simple. Before they know it, they're in the weeds, getting into the nitty-gritty technicalities of an issue, rather than communicating the larger message. It happens to me, too.

I'm grateful for the moments I'm asked to clarify an acronym or an industry term. They remind me how important it is to choose my words carefully.

As I pursue higher awareness for data security and privacy issues (throughout the general public), I'm going to stay at a high level as often as possible. You may notice that here in this newsletter. There will be technical nuances and other "in the weeds" information I will leave out.

Please trust this is strategic. Certain omissions or uses of terms the public are familiar with may grate the nerves of experts, but please know I have the best interests of all readers in mind. We can all make the argument "It should be 'tissue' not 'Kleenex'," but the last thing I want to do is jargonize this newsletter. It is, after all, dedicated to awareness among as many within the population as possible.

I encourage you to do the same. Before you hit send on a communication or get on stage to give a talk, ask yourself if the information is digestible and understandable. Consider your audience. Are they ready to hear what you have to say? Do they have the background to receive it? If not, you may be defeating your purpose.  

Privacy Professor On The Road & In the News  

On the road...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the events I have scheduled for the upcoming season.

October 7, 2017: "Are you ready for 2018's compliance firestorm?" Hosted by CSO Australia and sponsored by ISACA

October 11, 2017 : Providing private executive briefing on healthcare security and privacy in the Internet of Medical Things in northern Rhode Island

October 24, 2017: Giving webinar, "Risk Management - Third Party Vendors," hosted by ASAE

October 25, 2017: Leading a webinar, "A Data Security Survival Guide in an Interconnected World," hosted by the IT GRC Forum

January 12, 2018: Panel discussion session, "HIPAA Protections for Cannabis Patients and Dispensary Profits," at The Medical Cannabis Business Executive Convention in Washington, D.C.

Privacy Professor In the news...

Insurance News Net

The morning TV broadcast regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

On my August 1 visit to the studio, I spoke about new risks with USB drives, along with privacy risks and what you can do about them for your personal assistants, such as Amazon Alexa and Google Home. 

Questions? Topics?

Have a topic I should discuss on the  CWIowa Live morning show? Or, a question I can answer in my next monthly Tips? Let me know!

Will you do me a favor and drop me a note to let me know if your organization is celebrating Cyber Security Awareness Month? I always like to hear from my colleagues as to the ways in which they are taking it to the streets!

Halloween is just around the corner, too. Send me pics of your costumes (If you are sending photos of others, make sure you get their consent to share!). If I get enough I'll share them in my November Tips message, which should come out right around Oct. 31. 

Here's to an excellent October! Stay safe!

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®

NOTE: Permission for excerpts does not extend to images.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
