I hope you enjoy the images throughout this month's Tips Message. Each was captured on my recent trip to Bogota, Colombia. What an interesting and beautiful city, high in the Andes!

  

The World Sets Sail and Hackers Can't Wait

 

Summer getaways, although still considered a luxury for many, are much more common today than they once were. In the U.S. alone, 41 million people are expected to hit the road for the 4th of July weekend. 

 

During America's colonial times, taking a break from work was frowned upon. Today, however, vacation time has become something of an expectation among several generations of workers. 

  

The view of Bogota from Mount Monserrate, in the center of the city
  

As stretched professionals the world over plan their travels, it's important for them to remain diligent about their security. What will they leave behind that may be extra vulnerable? Will their journeys take them to places inhabited by experienced con artists? Can they trust the security measures they have - or believe they have - in place?

 

To truly unwind, it's essential to feel safe. Read on for some tips on staying safe and protecting your privacy both while vacationing and at home. 

 

He who travels more, sees more...

Dropbox and other file-storage and sharing applications like it are incredibly helpful to business travelers. Not having to lug along a laptop or risk misplacing a thumb drive certainly adds to the enjoyment of time away from the office.

 

However, these applications do come with some risks. This is especially true when users generate links to share information with others. Several basic flaws within Box and Dropbox specifically allow the shared documents to be viewed by third parties.

 

It comes down to this: Many people do not take basic security steps, even when communicating highly sensitive information. Worse, they may even mix their personal communications and information with confidential workplace data.

 

For its part, Dropbox disabled all access to public links and created a patch to keep shared links from becoming public. However, this is the third security breach for Dropbox in as many years, so users need to stay diligent on the site and others like it.

 

When considering a file-sharing service site, follow these rules of thumb:
1) Use a strong password.
2) Encrypt files in storage ("files at rest").
3) Encrypt files sent to and obtained from the site ("files in motion").
4) Look for a third-party security and privacy audit or some other validation that the site truly is secure.
5) Do an online search to see if the service has been breached in the past year or two.
6) Make sure that you can completely remove all files from the site when you stop using it.

 

The Catholic church and religious sanctuary on Mount Monserrate was built in 1640. Most of the population of Bogota is Catholic, which is reflected in their many statues and other artworks.

 

Travel is good for the soul, the spirit and the body...

I work with a lot of healthcare covered entities (also called CEs, which include doctors, hospitals, clinics and other healthcare providers, in addition to health insurers and healthcare clearinghouses). I also consult with the organizations that do work for them (also called BAs or business associates) to help them better protect health information, as well as meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. 

 

The Department of Health and Human Services Office of Civil Rights (HHS OCR), which is the regulatory oversight agency for HIPAA and HITECH, recently released some reports to the U.S. Congress about health and information privacy breaches and security and privacy compliance between 2009 and 2012.

 

I advise everyone to review these reports to see the ways in which CEs and BAs need to improve in their protection of patients' health information. In addition, the reports contain a wealth of information on the different types of breaches that have occurred and their associated penalties. 

 

While the reports do contain a good amount of information, there is more that should have been included. I recently spoke with Theresa Defino, editor of the Report on Patient Privacy, about the necessary improvements. Check out her site for more information, and to see her upcoming article on this.


"Travel is the only thing that makes you richer..."

...unless, of course, you are the victim of an ATM skimming attack. The criminals who affix nefarious devices, such as skimmers and video cameras, to ATM machines typically do so in off-the-beaten-path areas. Adventurous travelers who also like to explore the world's nooks and crannies may find themselves in just such an area.

 

I recently posted photos, from my friend Lisa, on Facebook of what an ATM skimmer may look like. Interestingly, Frank, one of my Facebook friends, brought up an important point as he commented on the post. His call was for card companies to begin to roll out "smart cards." Sometimes referred to as "chip cards" or "EMV cards," these pieces of plastic are much harder for criminals to duplicate because there is no magnetic stripe from which to pilfer the data they need to create counterfeits.

 

Many banks and credit unions across the U.S. are right now migrating their cards to the EMV chip standard. Retailers and ATM operators, too, are preparing for this eventual switch. You may want to ask about it at your financial institution to see when you can expect your old mag-stripe card to carry a chip. Be aware, though, that with this security improvement, you must still protect your credit card information and watch out for other credit card fraud that doesn't require the physical card.

 

  

 

Return home as happy as you left... 

Securing the old homestead before an extended time away is important. With the "over sharing" of travel plans and destinations on Facebook and other social networks, criminals looking for a safe-bet break-in have a real advantage.

 

One of the latest scams is tailor-made for a traveling victim. Imagine if you got a message like the one below while out of town. Would you click the link? (I've removed it for the purposes of this email, but it was originally in the top section with a second near the bottom.)

 

I have received several of these fake emails myself in the last few weeks. What's interesting is that they tend to come multiple times to the same recipient within a short period of time (e.g. 1 hour to 1 day). If you get unexpected messages similar to this, DON'T CLICK ANY LINKS!

 

______________________________________________________________________

 

From: Home-Depot [mailto:ted@nervybawd.com]
Sent: Tuesday, June 03, 2014 4:31 PM
To: rebeccaherold@rebeccaherold.com
Subject: Service installation #444008959

 

Scheduled Home Depot Windows Installation

 

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

 

 

Installation Scheduled For: Rebeccaherold

On: Wednesday, June 4th

 

As a valued customer, you were selected to receive this service:

 

Home Depot New Windows Installation Package (1)

From Local Store: #444008959

[Malicious link embedded here]

We look forward to servicing you,

(Installation-Group)

 

   

Once in a lifetime experiences await...

The other day, I read an article that started like this: If you're reading this, there's a 69 percent chance you will become a victim of hacking at some point in your lifetime.

 

New numbers from CNNMoney seem to corroborate the author's estimate. Its recently released research shows that hackers exposed the personal information of 110 million Americans - nearly half the U.S.'s adults - in the past year.

 

Even more sobering for both consumers and business is this stat: In a survey of 500 U.S. businesses, law enforcement services and government agencies, three out of four said they had detected a security breach in the past year.

 

A really great infographic published by the Huffington Post is a wonderful thing to share with your colleagues, friends, family and others. It talks through the methods hackers use to access your information, what they can do with it - and most importantly, how to protect yourself.

 


 

When a moment becomes a memory...

Vacations are all about the experiences you have and the memories you make - and in today's society, the memories you share with the world. But what about your "right to be forgotten?" Have you heard the scuttlebutt about this new concept?

 

After the European Court of Justice ruled that Google must respect a "right to be forgotten," the Internet giant established a search removal request process for people living in Europe. If you are a European who believes Google has indexed irrelevant or outdated information about you, you can request to have it removed. Naturally, this has caused some controversy. And it's not a cut-and-dried issue.

 

Removal of erroneous information is one thing. For example, the credit bureaus have mechanisms in place for consumers to dispute false entries on their credit reports. But what about accurate information? Just because it's old, should it be removed? Does it depend on whether you posted it yourself, or if someone else posted it? What becomes of our history if we begin to remove everything unseemly from the record? This seemingly simple question involves a lot of complexity and issues to consider.

 

Some are speculating that even removed information will still be at least referenced by Google. You can see here an example of how the company is predicted to reflect "missing" results online.

 

It will be interesting to see if this concept takes hold in other areas of the world. It's hard to imagine such a ruling in the U.S., what with the government's well-documented goal to gather intel on its citizens from ISPs, Internet companies and telcos.

 

 

Keep calm and travel on...

As mentioned earlier, I have just returned from an international trip to Bogota, Colombia. I stayed diligent to make sure I didn't have any information stolen; hopefully I was successful! Here are some good tips for protecting information security and privacy while you are away from home:

In addition to keeping your information safe, don't forget to use common sense and your gut instinct to protect your physical self. Years ago, I was nearly tricked into opening the door of my hotel room to who-only-knows after receiving a call from "hotel security" at 2 a.m. Be suspicious of anything that doesn't sound right, and keep your guard up at all times!

Bogota is known for the abundance of graffiti art throughout the city.
  

 

Privacy Professor on the Road

I love traveling the country and beyond to raise awareness of data security and privacy. See below for two of my upcoming destinations. If you're in the area, stop by to say hello!

 

August 19: Providing a session called "Cybersecurity & Business Data Privacy" at the IT Service Management Leadership Forum in Scottsdale, AZ

 

October 16 & 17: Providing a keynote at the Australian Information Security Association's National Conference in Melbourne, Australia. 

 

 

Need Help?

 

If you need any help with information security or privacy training and awareness, or if you must comply with HIPAA and need help (especially important now that the Omnibus Rule has gone into effect), please check out my Compliance Helper site or get in touch with me; I would love to help you!

  

You Have My Permission to Share

 

I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along.

 

Source: Rebecca Herold (a.k.a. The Privacy Professor), privacyguidance.com, rebeccaherold@rebeccaherold.com.

 

 

Exploring the country -- and when I get a chance, the world -- is a great passion of mine. Fortunately, my family shares in that passion and is always ready to hop in a car, set sail on a ship or board a plane to journey to places far and wide. 

 

I wish you great memory-making trips this summer. Please remember to take a few extra steps to ensure your safety and secure your information and privacy. Only then can you truly unwind!

 

See you next month!

 
  Rebecca
Rebecca Herold, CISSP, CIPM, CIPP/US/IT, CISM, CISA, FLMI 
The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564