School's in Session, Data's at Risk

Faster than students flood the halls when the bell rings, private information can be stolen from vulnerable academic institutions, as well as directly from the students who attend them. With treasure troves of personal data, much of it belonging to young people with squeaky clean credit histories, schools, colleges and the students themselves are big-time targets for cyber criminals. 

One of the best things you can do to protect the students in your life is become aware of the security controls (and gaps in protection) that govern the devices they use, as well as the data collected, stored and shared by their schools. 

When you're curious, ask questions. A+ for following up if you get an "I'm not sure. I'll have to look into that" type of response. 

Read on to learn more about back-to-school time risks and other threats to your data security and privacy. 

Jackson Lake in the Grand Teton National Park, just one of several breathtaking views from my summer travels. 

Data Security & Privacy Beacons
People and places making a difference**

Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!

Elementary school parent Brad Shear inspired the development of a student "data deletion week." When his son accidentally stumbled on a song online with explicit lyrics, he was concerned the search would remain in his digital footprint and "come back to bite him" later. To prevent such a result, Montgomery County Public Schools will devote a week to purging its online databases of unnecessary student information each year. This is so innovative, and a great example of how important it is to speak up when you have questions about your child's data security and privacy. 

Another U.S. school district, the Denison Independent School District, has proposed to ban devices with listen-in and student-tracking capabilities. The superintendent explained that such recording devices in a classroom setting present privacy and confidentiality issues. The ban would keep parents and others, who may not even be onsite, from eavesdropping on conversations happening around their child while at school. 

Although far from perfect when it comes to privacy, Apple is taking publicly visible, pro-privacy action with the development of a new policy. Any advertiser the company believes is tracking users without consent will be kicked off the platform. Apple is taking steps to at least appear to hold a hard line against this kind of behavior, stating in its updated policy that it will be viewed "with the same seriousness as exploitation of security vulnerabilities."

The Breach Exchange listserv creators Destry Winant and Audrey McNeil have curated important data security and privacy news for many years. I've been a long-time subscriber and believe their messages offer great tips and news people may not otherwise come across. I recommend all my readers sign up today and share their newsletter with everyone they know who is interested in keeping their personal data secure and private. (NOTE: I realized they do not have a privacy notice posted on their page and sent some suggestions for them to consider.)

Kudos to the 50 voting nations on 6 continents that unanimously approved development of international cybersecurity, privacy and safety standards for Internet of Things (IoT) in homes and buildings. For all you fellow standards nerds out there, I'm talking specifically about ISO/IEC 15045-3-1: Gateway Privacy, Security and Safety; and ISO/IEC 15045-3-2: Gateway Privacy Framework. So excited to see headway being made on the creation of universal rules around the gateways attached to IoT devices. Special kudos to Timothy Schoechle who has led development of these standards, as well as other ISO/IEC standards.

An anonymous "white hat" hacker is responsible for alerting Capital One to a potential vulnerability in its system. The tipster found a store of leaked data online and let the company know. Capital One was then able to inform 100 million people in the U.S. and another 6 million in Canada that their information, which included names, addresses, dates of birth, self-reported income and credit scores, had been stolen. It was also able to fix the improperly configured firewall that allowed the breach. 

**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.
Approaching the Grand Tetons from the east going west
Mandatory Saliva Testing in Schools
Refusal to give up your sample leads to a guilty verdict

While drug screening certainly isn't new, particularly for student athletes, it is becoming riskier for participants. 

The increased risk is not that students are more likely to get caught using drugs. Rather, some new policies are akin to extortion: the school district insists you get tested or you don't get to be involved in your activity. Period. 

The irony is that policies like this require students and parents to state that they are "freely giving consent." 

In this Texas school district, for instance, students who refuse testing are considered to have a positive result. So, if you decline the test, you are automatically labeled as guilty. What's more, the scope of students that can be randomly tested has been expanded to include much more than athletes; those participating in extracurricular activities and those who request a parking permit for the school's property are also subject to testing. 

Consider the consequences for a privacy-aware child or parent who opts out because they aren't satisfied with the security controls of the school or its third-party testing service!

Keeping students and school grounds safe and drug-free is, of course, a valiant mission. It's just as important, however, to protect the data security and privacy of students. I certainly hope the school district has asked some tough questions of the third-party in charge of collecting, testing and storing the samples of the young people they are in charge of protecting. These samples, after all, contain a whole lot more than drug evidence (like DNA profiles!). 

If the district did, in fact, ask those tough questions and received satisfactory answers, it would be nice to communicate that information. Yet, I did not see any information on the following in the district's letter to parents:
  • privacy policies
  • descriptions of how the samples or results would be protected
  • how parties would be held accountable for that protection
  • how the analysis results would be used
  • rights the students/parents had to access the data
  • rights to delete or correct the analysis results
  • rights to restrict the entities to whom the data would be given
One more VERY important consideration... 
  • If the organizations/vendors collecting and analyzing saliva are NOT healthcare providers (or other covered entities or their business associates) as defined by HIPAA, the HIPAA security and privacy rules do not apply to them. In that case, no HIPAA obligation requires those orgs/vendors to protect student data or to give students rights over it; whatever protection exists depends on the district's contract with the vendor and on any applicable state law, which is exactly why the district should be able to answer the questions above. 
School administrators, teachers and parents must do more to protect students' privacy. The increasing number of ways their sensitive personal data is being collected calls for everyone to step up their game.

Wild Horse Canyon, Wyoming
15 Sneaky Kid Apps Parents Should Watch For
'Don't talk to strangers' is great advice, especially in the digital era. 
One of the biggest risks to children's safety is their ability to talk to anyone from anywhere at any time, right from their device. And, the person they are talking to may not be who they pretend to be; that is the particular danger of digital communication. 

While there are plenty of apps and sites that allow strangers to message one another, law enforcement officials recently identified 15 in particular. Each one, they say, is popular with both children, and sadly, with predators. 

The next time you review your kids' phones, be sure to check the apps list. If you see any of the following, talk with them about the danger and consider removing it. 
  • Grindr
  • Skout
  • WhatsApp
  • TikTok
  • Badoo
  • Bumble
  • Snapchat
  • Kik
  • LiveMe
  • Holla
  • Whisper
  • Calculator%
  • Hot or Not
If you know of others that should be added to this list, let me know!

My son exploring at the edge of Wild Horse Canyon with Castle Rock in the background

New tool's "erase" feature is misleading. 
It's no secret Facebook has become embroiled in a series of controversies surrounding the security and privacy of users' data. Over the last year or so, we've seen moves by the internet giant that appear to demonstrate they are paying attention to the public's waning trust. 

One such announcement came just a few weeks ago when Facebook launched Off-Facebook Activity. It's a tool that allows users to view, and supposedly erase, data that sites and apps outside the social network have shared with Facebook. "Clearing" that history only disconnects it from your account; Facebook still holds the data, and there's no deleting it from the original sources. The tool may nonetheless create a false sense of security. 

In other Facebook news...

Instagram, a Facebook-owned social property, is suffering from a look-alike scam that ironically plays on users' fear of cyber crime. 

An email phishing attack claims "Someone tried to log in to your Instagram account," and asks the victim to use a six-digit code to reactivate their frozen account. But, when they click on the embedded link to do so, they are sent to a malicious domain. It looks a lot like the real Instagram and even has a valid HTTPS certificate! That padlock proves only that the scammer obtained a certificate for a domain they control, which today is free and automatic; it says nothing about who runs the site.

According to SC Magazine, the scam isn't perfect, as there are still a few red flags:

1) A legitimate security alert does not need you to log in through an emailed link; you can always go to the service directly. 
2) The domain ended in .cf (the Central African Republic's country code), which is unusual for a U.S. service. 
3) The email misspelled "login."
4) There was also a notable punctuation error in the body of the email. 

If you, or any of the students in your life, receive this or a similar email, go directly to the site of the service in question. Never click on a suspicious link, as it could very well lead you down a path you can't come back from.
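Here is how those red flags translate into something you can actually run over a suspicious email. This is my own added example, not code from SC Magazine or from the original research; the set of "genuine" Instagram hosts and the list of unusual top-level domains are assumptions I made for illustration, and the sample email below is constructed to mirror the scam described above, not a real message.

```python
import re
from urllib.parse import urlparse

# Hosts we treat as genuinely Instagram's. This list is an assumption for the
# example; in practice keep it to the exact hosts a service really links from.
LEGIT_HOSTS = {"instagram.com", "www.instagram.com", "help.instagram.com"}
BRAND = "instagram"
# Free country-code TLDs that are heavily abused by phishers and unusual for a
# large U.S. service (assumption for the example).
UNUSUAL_TLDS = {"cf", "ga", "gq", "ml", "tk"}

# Matches either an HTML href="..." attribute or a bare http(s) URL in plain text.
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']|(https?://[^\s<>"']+)""", re.I)


def extract_links(email_body):
    """Pull every href and bare URL out of an email body, in document order."""
    return [a or b for a, b in HREF_RE.findall(email_body)]


def check_link(url):
    """Return the red flags found for one link; an empty list means none were found.

    'No red flags' is not proof of legitimacy. The advice in the text (go to the
    site directly instead of clicking) still applies.
    """
    flags = []
    host = (urlparse(url).hostname or "").lower()
    # The registrable domain must be exactly the brand's own. A host such as
    # "instagram.com.login-check.cf" ends in ".cf", not ".instagram.com".
    if host in LEGIT_HOSTS or host.endswith("." + BRAND + ".com"):
        return flags
    flags.append(f"host {host!r} is not a known {BRAND} domain")
    if BRAND in host:
        flags.append("brand name used inside a lookalike host")
    tld = host.rsplit(".", 1)[-1]
    if tld in UNUSUAL_TLDS:
        flags.append(f"unusual top-level domain .{tld}")
    if urlparse(url).scheme == "https":
        # A valid certificate only proves the sender controls that host;
        # certificates for any domain are free and automatic.
        flags.append("HTTPS padlock is not evidence of legitimacy")
    return flags


def triage_email(email_body):
    """Map every link in the email to the red flags raised for it."""
    return {link: check_link(link) for link in extract_links(email_body)}


# Constructed sample modelled on the scam described above (not a real email).
SAMPLE_EMAIL = """Subject: Someone tried to log in to your Instagram account

We have frozen your account. Use the 6-digit code 482913 to reactivate it
<a href="https://instagram-account-verify.cf/Iogin?code=482913">here</a>.
Need help? Visit https://help.instagram.com/
"""

if __name__ == "__main__":
    for link, flags in triage_email(SAMPLE_EMAIL).items():
        print(link, "->", flags or "no red flags found")
```

The check deliberately tests the end of the hostname rather than looking for "instagram" anywhere in the URL, because putting the brand in a subdomain or path is exactly the trick the scammers use.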

There were several varieties of desert flowers that seemed so healthy... hard to imagine in such barren conditions.
What To Know Before Sharing Kids' Lives on Social Media
Best practices for posting about the children in your life
We all know folks who "overshare" on social. The risks of doing so run the gamut, from simply irritating people to permanently damaging your reputation to putting yourself in a position to have your identity stolen. 

The same risks exist when posting about others, especially young people. I was recently interviewed for Medium on this very topic, and thought I would share a few tips in addition to those that made the article. 

Here are a few best practices to keep in mind when posting information about the kids in your life: 
  • Never use apps that put digital hooks into your device. These are services that automatically assume access to your photos, videos, contacts, etc. when you post to their sites. Always check the privacy policy and watch for any language that says they will post "on your behalf." 
  • When posting photos of kids, make sure you've removed as much of the metadata as possible, especially the location (GPS) tags that phones embed in a photo's EXIF data by default. 
  • Don't post photos that give away personal information about your child, such as a birthday party photo that includes the date. Criminals can deduce your child's birth date and use that along with your child's image to create a false identity. 
  • Ask children (and their parents) if it is okay for you to share their photo online. This helps inspire others to practice empathy and respect for privacy. 
  • Change the settings on your device to update your system as soon as security patches and updates are released. 
  • Ask the organizations that your child belongs to (e.g., schools, churches, social groups, art clubs, athletic teams) how they use images of the kids. If you don't like the answers, ask the group to stop. 
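To make the metadata point concrete, here is what "removing the metadata" actually does to a JPEG at the byte level. This is my own added example, not code from the Medium piece or from any tool mentioned in this newsletter; it uses only Python's standard library, and the sample image it works on is a constructed, minimal JPEG-shaped byte string (not a viewable photo) with an Exif GPS pointer and a text comment, so you can see both detected and removed without needing a real photo on hand.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# Marker bytes for segments that carry metadata rather than image data:
# APP0..APP15 (0xE0-0xEF: Exif, XMP, IPTC, ...) and COM (0xFE, free-text comments).
# APP0 (JFIF) and APP14 (Adobe colour info) are kept because some decoders rely on them.
STRIP_MARKERS = (set(range(0xE0, 0xF0)) | {0xFE}) - {0xE0, 0xEE}
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825  # Exif tag in IFD0 that points at the GPS sub-IFD


def iter_segments(data):
    """Yield (marker, raw_segment) for each JPEG segment up to the scan data.

    The Start-Of-Scan segment and everything after it (the entropy-coded image
    plus the EOI marker) is yielded as one opaque chunk so it is never altered.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    yield 0xD8, SOI
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: image data follows, hand it over untouched
            yield marker, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no scan data found")


def strip_metadata(data):
    """Return a copy of the JPEG with Exif/XMP/IPTC/comment segments removed."""
    return b"".join(seg for marker, seg in iter_segments(data) if marker not in STRIP_MARKERS)


def has_gps(data):
    """True if an Exif APP1 segment's IFD0 contains a GPSInfo pointer (tag 0x8825)."""
    for marker, seg in iter_segments(data):
        body = seg[4:]  # skip the marker and length bytes
        if marker != 0xE1 or not body.startswith(EXIF_HEADER):
            continue
        tiff = body[len(EXIF_HEADER):]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte-order mark
        if endian is None:
            continue
        (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
        (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):  # each IFD entry is 12 bytes: tag, type, count, value
            entry = ifd0 + 2 + 12 * i
            (tag,) = struct.unpack(endian + "H", tiff[entry:entry + 2])
            if tag == TAG_GPS_IFD:
                return True
    return False


def _build_sample_jpeg():
    """Constructed test input (not a real photo): SOI, an Exif APP1 whose IFD0
    points at an empty GPS IFD, a COM segment, and a token scan ending in EOI."""
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8)             # big-endian, IFD0 at offset 8
            + struct.pack(">H", 1)                            # IFD0 holds one entry
            + struct.pack(">HHII", TAG_GPS_IFD, 4, 1, 26)     # GPSInfo, type LONG, GPS IFD at 26
            + struct.pack(">I", 0)                            # no next IFD
            + struct.pack(">HI", 0, 0))                       # empty GPS IFD at offset 26
    exif = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(exif)) + exif
    comment = b"taken on my phone"
    com = b"\xff\xfe" + struct.pack(">H", 2 + len(comment)) + comment
    scan = b"\xff\xda" + b"\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + EOI
    return SOI + app1 + com + scan


SAMPLE_JPEG = _build_sample_jpeg()

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("GPS tag before:", has_gps(SAMPLE_JPEG), " after:", has_gps(cleaned))
    print("bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

In day-to-day use you would run a dedicated tool (or your phone's "remove location" share option) rather than this script, but the mechanics are the same: the metadata lives in its own segments ahead of the picture data, and the picture is untouched when they are dropped. One caveat: some social platforms strip Exif on upload and some don't, so strip it yourself before the photo leaves your device.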
Fresh Phish: Call for Help to My Inbox
Scammer attempts to prey on my passion for privacy. 

If it weren't for the obvious spelling and grammar issues, not to mention the suspicious domain of the sender, which is a well-known originator of scams, I would have felt very badly for this individual. 

In an exhaustive, 600-word email "Mina" claims to be the victim of cyber stalking. The scammer used several key words and phrases that appeared to be written especially for the target -- me! My favorite among them was " i wanna get back my right to have my privacy."

Here's just a small excerpt so you can keep an eye out for similar communication. (I'm happy to share the entire thing upon request.) 

Regardless of the platform you prefer, there are privacy pitfalls to watch for.
Apple and Android each have incredibly loyal fans. If you ever want to start something, just ask a small group which they prefer. Sit back and watch the fireworks. 

But, no matter which one you love, there are still data security and privacy gaps you'll want to control for. Here are just two recent bits of news prompting all smartphone users to keep a watchful eye on their devices and the software installed. 

Apple's iPhone FaceID Hacked In Less Than 120 Seconds: With glasses, tape and the face of a sleeping iPhone user, researchers bypassed the phone's facial recognition feature to unlock a phone. They discovered FaceID won't extract full 3D data from the area around the eyes if the person is wearing glasses. Whoops. The attack needs physical access to you while you're unconscious, so it's less a remote threat than a reminder that a passcode, not a face, is the real lock. 

More Than 1,000 Android Apps Steal Your Data Without Permission: A new study found at least a thousand apps sneak past Google's permission restrictions to collect location and phone data from users, using side channels such as data left on shared storage by other apps. Keep that list of apps refreshed! If you're not using them, delete them. And, turn them off when you're not actively using them. 

Ransomware on Your Digital Camera
Scammers now have a way to get to your offline photos. 
We often think of ransomware attacks as going after files on our computers and other connected devices. But, researchers have found a way for cyber criminals to go after our offline images -- via the Picture Transfer Protocol (PTP) of digital cameras.

What they did was download the firmware for a popular DSLR camera and reverse engineer the code. They found several vulnerabilities in its PTP implementation that would allow a cyber crook to take over the camera remotely, over USB or the camera's Wi-Fi, and encrypt the photos on its memory card.

The key takeaway: any camera that speaks PTP over USB or Wi-Fi exposes the same attack surface, and whether it is exploitable depends on its firmware. To mitigate your risk, install the camera maker's firmware updates, keep the camera's Wi-Fi turned off except when you need it and then only join networks you trust, and, if connecting over USB, make sure the computer on the other end is up to date on its security patches. 

And always, always, always, have a back up for your images... never keep them on a camera. Regardless of the evolving digital threats to them, your camera could easily be lost or stolen, taking all of your memories away instantly. 

Craters of the Moon Lava National Monument; lava stones cover 1,117 sq mi.
The 'Anti-Privacy' Trend

The key point everyone missed in the FaceApp controversy.

The following is an excerpt from a recent article I wrote for ISACA. For the full article, visit
The FaceApp uproar highlights a long-time problem that is getting even worse... the way privacy policies are written.

Organizations should never use privacy policies as a way to remove privacy protections from individuals. Sadly, that's exactly what many are doing. 

From 2000 to around 2010, I saw many companies actually try to address this issue. What happened around 2011 and after? A perfect anti-privacy storm. The increased use of search engine optimization (SEO) resulted in the communication of deceptive statements on websites and in privacy policies. There was also a huge jump in use of social media and blogging sites. 

To succeed in these areas by ranking the highest in searches, gathering the most personal data to monetize, getting the most likes and achieving the highest degree of amplification through partnering, marketers began to deceptively modify privacy policies. 

Almost a decade later, these practices are still in place, and FaceApp's privacy policy is a prime example. 

Just one of several vague and problematic areas of FaceApp's privacy policy: 

"We may remove parts of data that can identify you and share anonymized data with other parties. We may also combine your information with other information in a way that it is no longer associated with you and share that aggregated information." 

Does this give you assurance? It doesn't give me any. The way this policy is written indicates FaceApp can send my personal data to other parties that may combine it with other information to actually re-identify me.

Of course this problem is not unique to FaceApp, not by a mile. In my experience, 90 to 95 percent of organizations are NOT in compliance with their own posted privacy policy. 
Where to Find the Privacy Professor

On the road...

North Side of Devil's Tower in Wyoming. (Carrying too much; I left my backpack at home, so was left with the shoulder straps to lug around my stuff.)
Here are a few of the places I'll be speaking, hosting or teaching courses on data security and privacy over the next few months. If you're in the area or attending the events, be sure to say hello. 

September 5, 2019: Lunch keynote, "Corral Your Data or You'll Stampede Over Privacy," at FutureCon Des Moines CyberSecurity Conference , Des Moines, Iowa, USA

September 12, 2019: Keynote address, "Strategic Security Moves to Win Emerging Privacy Challenges," at 34th Annual SoCal Security Symposium, hosted by ISSA Orange County, Costa Mesa, California, USA


October 24 & 25, 2019: Giving two talks at PwC Cybersecurity Day and then a half-day workshop the next day, in Luxembourg City, Luxembourg

May 2020: Speaking at the Contact Center Association of the Philippines (CCAP) Privacy Summit. More details to come!

If you're looking for an experienced speaker who knows how to bring data security and privacy risks to life... on stage, on the airwaves or over the internet, please get in touch

On the air... 


I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network

I took a break in recording shows over the summer, but new episodes will start airing again in September. I'd love for your organization to be a sponsor! Shoot me an email and I'll send you more details.

All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, iHeart Radio and similar apps and sites. 

Hear the perspectives of incredible guests as they talk through a wide range of hot topics. As for student privacy, we've discussed the topic on two shows specifically:
Some of the many other topics we've addressed... 
  • identity theft
  • medical cannabis patient privacy
  • children's online privacy and safety  
  • applications and systems security
  • cybercrime prosecutions and evidence
  • government surveillance
  • swatting 
  • GDPR
  • career advice for cybersecurity, privacy and IT professions
  • voting / elections security (a series)
Please check out some of my recorded episodes. You can view a complete listing of shows to date, grouped by topic. After you listen, let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

We have current sponsorship openings in three of the four weeks' shows each month. If your organization wants to sponsor one show each month, I will cover topics related to your organization's business services and/or products.

In the news... 

Advertising Now Available!

After repeated requests from some exciting brands, we've decided to open Tips of the Month up to sponsors. If you're interested in reaching our readers (maybe you have an exciting new privacy product or service or an annual event just around the corner), the Tips email may be just the thing to help you communicate to more people! 

We have a variety of advertising packages to meet every budget. 

3 Ways to Show Some Love

The Privacy Professor Monthly Tips is a passion of mine and something I've offered readers all over the world since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps. 

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

My son, enjoying the gorgeous views and fresh air of the Grand Tetons in Wyoming.
I truly love this time of year. Makes me want to run out and buy a brand new pack of freshly sharpened pencils. Being a life-long learner is a passion of mine, so if I could run right back to high school and grab a seat right at the front I would. 

I hope you are able to spend time chasing your passions this month, and that you get inspired by the open minds of the young people in your life. Do your level best to keep them privacy aware and making good choices... who knows, it may spill over into your own life, too. 

Have a beautiful and safe back-to-school season!

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share  excerpts, as well, with the following attribution:

Source: Rebecca Herold. September 2019 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
View our profile on LinkedIn     Follow us on Twitter