'Spring' into Action on Privacy Protections 


People of all ages and walks of life are prone to oversharing these days. While most often this publication of personal details is intentional, there are plenty of circumstances in which people are completely oblivious to their information being shared or even broadcast widely.


Precious few things are held sacred these days. Your privacy, however, must be one of them. For those of you in leadership positions, the privacy of those you serve must also be among the things you guard intently.


As we approach spring and celebrate renewal, it's a great time to spruce up your approach to privacy protection. Much of this begins with education, and reading up on hot-topic privacy issues is a great first step toward achieving that end.


What follows are a few noteworthy pointers I hope help you "spring" into action on updating those privacy practices, policies and procedures. If I can provide any assistance or answer any questions as you go about beefing up your processes, certainly don't hesitate to ask. 


If drones made you nervous before...  

...Facebook's play for drone maker Titan Aerospace could really flip your lid. These unmanned flying objects, equipped with everything from cameras to weaponry, are the cause of an intensifying debate in many areas of the world.


With an extra $60 million in the bank and a pretty clear desire to be the world's largest aggregator of valuable consumer data, Facebook is naturally drawn to the drones. While they say it's for the machines' ability to beam wireless Internet access to undeveloped locations, they likely have many different plans for the units. As this Washington Post article points out, the social networking giant would be operating drones that fly so high they reach places that may not be regulated by the United States. It's important to note, however, drones up this high can still see places far below on the ground.


Iowa, my home state, is one of the first states leading the charge where governance of drones is concerned. Many states are predicted to follow suit. 

Another Facebook notable

Thanks to my friend Faith Heikkila for drawing my attention to this Facecrooks article. The author discusses a very important topic - securing your Facebook profile - and gives step-by-step instructions for enabling two-factor authentication. The idea is to keep out anyone attempting to access your profile from a device Facebook doesn't recognize.


Astoundingly, two years ago at least  13 million U.S. Facebook users didn't use or weren't aware of the social network's privacy control settings. Based on various news reports covering Facebook privacy, I anticipate this number has not gotten smaller, but more likely has increased (perhaps by a significant amount now that there are more than a billion active mobile Facebook users).  


How many of these millions are within your employee, patient or customer communities? And how does that open your company up to compliance or security risks?  How does this impact you personally, or put your own information at risk? Remember, your privacy can be impacted simply by being associated with "friends" who don't activate their privacy control settings. 


Understanding how your stakeholders use Facebook and other social networks is a critical component to protecting yourself, your organization and the people it serves.   



What metadata reveals about you

If anyone ever tells you, "Don't worry; we're only tracking /storing / sharing metadata," ask more questions. Despite the popular belief that metadata reveals nothing more than benign, anonymous information, it's actually quite the opposite.


Consider telephone metadata, for example. As this Web Policy blog post demonstrates, the data taken in aggregate can reveal a great deal about the person or people originating it. After conducting its own brief study, Web Policy found that even a small amount of metadata allowed them to "infer medical conditions, firearm ownership, and more," about the study's participants using solely phone metadata.


How Web Policy conducted its study is detailed here, and it's worth the read. Very interesting (and disturbing) stuff!


The U.S. National Security Agency (NSA) famously explained that it only tracks metadata by way of convincing the public that the actual content of calls and messages is not gathered. However, it's important to understand that just as much information (possibly more) can be siphoned from powerful and telling data. 


It's Open Season for Phone Scammers

Mobile and land-line phone calls can land you in a heap of trouble when a clever fraudsters is on the other end. I've recently published two blog posts outline several of these traps. 


The first is for business executives (and the general public, too), and it details three types of current phone scams that everyone must have on their radars.


The second is for the general public, as I go through scams targeting the elderly and the homeless. 


If you're the victim of a phishing attempt (either by phone or another mode of communication), share it with the authorities first. And then shoot me a note, as I would be very interested to know how the fraudsters managed to work their craft.



Countdown to the end of Windows XP

We're closing in on April 8, 2014, the day Microsoft will no longer offer support for the Windows XP operating system. The impact of this change is expected to be far-reaching, affecting everything from your local ATM machine to your own desktop and laptop computer. 


Of particular worry is the fact many medical devices run on the XP system. The discontinued support of XP will mean that medical devices running on, or connected to, XP devices will no longer receive security patches to protect them from viruses, spyware and other malware. I'll be covering this, along with a wide range of other risks, at my medical device information security and privacy workshop in May. I sure hope a lot of medical device manufacturers attend; they really need to beef up their protections!  


While it may take a significant investment to upgrade, the downside of not doing so could be every more costly in the long run. For personal computer users with XP systems, Microsoft is offering a $100 rebate to upgrade their systems, so take advantage! You'll save money in both the short, and definitely, the long term. 


Your car doesn't have to be "smart..."

... to open you up to risk. Back in the day, we used to worry about leaving our wallets in plain sight. Now we have to be worried about much more sophisticated leave-behinds, like portable GPS systems, smartphones with navigation apps and home-security controls.


For the past several years, criminals have been known to break into cars and play around with the GPS until they find the driver's stored "home" address. They then continue their rampage at the house, aided even further by the car's automatically programmed garage door opener.


A colleague of mine recently called to say she had thought about me when she sold her car. A loyal reader of the Tips Message, she said she likely would not have remembered to de-program that on-board garage-door opener had she not been so in-tune with privacy and security risks. 


I love to hear stories like this because it shows the differences (both large and small) that privacy and security advocacy and education can make!


A few new scams and privacy pitfalls

New ways to fool people out of their money, information and identities pop up nearly every day. Here's a quick round up of some of the latest tricks and traps:


New Scam Targets Homeless: Fraudsters pay homeless people to take out cell phone contracts in their names. The fraudsters keep the phones, rack up the bills and then sell the phones, ruining the homeless person's credit.


Getty Images Allows Free Embedding, but at What Cost to Privacy? People can embed images in their sites for free, so long as they use the provided embed code and iframe. Because of the scope of Gettys' reach, this may allow the company to correlate more information about a user's browsing history than any single site could. Just another reminder that nothing's truly free in this world!


Human Error Tops Ponemon Patient Data Security Study Threats: 75 percent of healthcare organizations view employee negligence as the greatest data breach threat. This result underscores the importance of good security and privacy controls (and excellent employee training!) in healthcare environments. This extends to medical device manufacturers, who often work off very old technology software and continue to insist that controls are too cost-prohibitive.


The Data Brokers - Selling Your Personal Information: 60 Minutes' Steve Kroft recently reported on his investigation of the multibillion dollar industry that collects, analyzes and sells the personal information of millions of Americans with virtually no oversight.




New life for old tech books (and a great home for new ones) 

I recently joined a group effort to help clients of Central Iowa Shelter and Services develop themselves as programmers. It's a really innovative and meaningful program designed to give people an in-demand skill and a leg-up as they work to develop a career path and a way out of homelessness.


The idea, spearheaded by Tom Vance, Development Coordinator at the shelter, was born of a concept started in New York City. Last summer, New Yorker Patrick McConlogue offered a homeless man a choice: $100 cash or JavaScript textbooks, a laptop and an offer to teach him how to code.


My role in the new Iowa-based club is to keep the importance of security and privacy at the forefront as these new programmers build out their concepts into actual products. I will guide the trainers in this respect and also participate in the actual classes as often as possible. It is something I'm incredibly excited about and honored to be a part of.




To get our coding club off the ground here in Iowa, we're asking for donations of new or lightly used and fairly recently issued coding and programming text books, such as those covering HTML, CSS, Javascript, web design, app design, etc. If you are able to contribute, please send me a note, and I'll get you a mailing address. 



Speaking of Education...

The number of privacy breaches continue to increase. I, and many others who have studied breaches over the past couple of decades, believe a large portion of these could have been prevented if there had been regular, effective information, security and privacy training and ongoing awareness communications provided to all employees. 


Too many organizations do scant-to-no awareness activities. Regulators are cracking down on organizations that do not provide sufficient education. Because providing such education is a requirement under multiple regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm Leach Bliley Act (GLBA), just to name a couple, the fines are often increased when regulators discover organizations did not provide such education.  


Have you received information security and privacy training from your employer? Do the organizations that collect your personal information provide adequate education to their employees? Don't be afraid to ask them about this.  


I provide the quarterly Protecting Information Journal to organizations to help ensure everyone knows how to appropriately protect personal information, and as a result, prevent breaches from occurring. If your organizations don't have such education, please point them to this resource.

Privacy Professor on the Road

I love traveling the country to raise awareness of data security and privacy. If you ever have need for a speaker, presenter or workshop host, please get in touch. In the meantime, take a look at the schedule below, and if you'll be in the neighborhood during these events, I hope you'll attend. 


April 9 & 10: Attending the NIST Privacy Engineering Workshop in Gaithersburg, VA, and will be on the practitioner's panel


April 30: Conducting a workshop for the ISACA North America CACS conference in Las Vegas


May 1: Presenting a session about privacy auditing and metrics at the ISACA North America CACS conference in Las Vegas


May 12: Conducting a workshop for Medical Device Security and Privacy at the 10X Medical Device Conference in Minneapolis


May 19Presenting a HIPAA session at the Long Term Care Solutions Summit

in Kansas City


June 16: Providing the keynote about privacy and the Internet of Things at the International Information and Computer Security Conference in Bogotá, Colombia 



August 19: Providing a session called "Cybersecurity & Business Data Privacy" at the IT Service Management Leadership Forum in Scottsdale, AZ


October 16 & 17: Providing a keynote at the Australian Information Security Association's National Conference in Melbourne, Australia. 



Need Help?


If you need any help with information security or privacy training and awareness, or if you must comply with HIPAA and need help (especially important now that the Omnibus Rule has gone into effect), please check out my Compliance Helper site or get in touch with me; I would love to help you!


You Have My Permission to Share


I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along.


Source: Rebecca Herold (a.k.a. The Privacy Professor), privacyguidance.com[email protected].



Spring is (finally, at long last) in the air... in my neck of the woods anyway. It's the perfect time of year to clear the windows, clean out the closets and organize the office. It's also an ideal time for energizing teams with information on how they can secure their devices, homes and lives by better protecting their personal information. If I can be of any help to your crew, certainly get in touch!


Here's to a lovely April and an amazing spring!



The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564