April Showers Bring May Flowers

A plethora of cyber incidents have rained on more than one parade so far this year. 

But it's not all bad news.

With each new breach, data exposure or discovered vulnerability, new buds of awareness sprout.

Facebook's PR troubles, for instance, may have done some good along with the harm, at least from an awareness perspective. A seemingly unending stream of news coverage about the social giant's data security and privacy practices has educated more people than ever before on the dangers of oversharing on social media.

Read on to learn how this and other data security and privacy incidents may turn out to be positive teachable moments!

Data security & privacy's elephant in the room

Facebook is in hot water. But should that water be quite so hot?

While the recent Cambridge Analytica news may seem like a revelation, it really shouldn't be. Facebook has told users for years they were taking and sharing data. (If you'd like to see screenshots of notices from as far back as 2014, send me a note.)

Many in data security and privacy circles contend the recent outcry over Facebook's data collection and sharing practices is more evidence the vast majority of people do not read privacy notices

Now, could Facebook have  been more specific in its privacy notice? Of course. 
Because they were vague, most Facebook users did not realize how much data was actually being collected. Many believed the best -- that Facebook was only taking and sharing data specific to what users intentionally posted. 

So, while I stop short of calling this a revelation, I will call it a wake-up call. The Cambridge Analytica incident proves we all must:
  1. Read privacy notices to understand how sites, apps and others are sharing and using our data.
  2. Demand all organizations be transparent within privacy notices
  3. Insist on knowing the types of data collected, how it's being used and with whom it's being shared.

If you are wondering what you can do to reduce the risks of your own Facebook data overexposure ( short of moving off the planet) , take a look at this guide from EFF on adjusting your Facebook settings .

Here's what the article recommends, in brief:
  • In Facebook's Settings Menu, select Apps.
  • Click Edit under Apps, Websites and Plugins. Chose Disable Platform.
If you don't want to disable the entire platform...
  • Click Edit under Apps Others Use. Uncheck the info you don't want accessed by friends apps.
hero2Privacy Hero: Pauline Reich  
American cybersecurity and privacy expert, lawyer, professor takes education to the world

Pauline Reich
Pauline has spent the past sixteen years as a tenured full professor in Japan teaching, founding and directing the Asia-Pacific Cyberlaw, Cybercrime and Internet Security Research Institute, speaking at conferences and collaborating with law, policy and tech experts across the globe about cybersecurity and privacy laws, regulations and other legal matters. She recently retired after 22 years as a tenured full professor at Waseda University School of Law in Tokyo, Japan.

Pauline has been sole editor of the long-running privacy and cybersecurity law publication Cybercrime and Security (Thomson Reuters/West/Westlaw), updated quarterly for three consecutive U.S. law publishers since 2003. The three volume law treatise includes among its contributors former White House cyber officials. 

Another publication, co-authored with the late Dr. Eduardo Gelbstein, formerly of the United Nations, is Law, Policy and Technology, published by IGI Global in 2012. She continues to be a frequent speaker at conferences throughout U.S., Europe and Asia and a consultant.

In 2017, Pauline was named an Information Security Educator honoree by (ISC)┬▓. She is an incredible example of how much awareness can truly be created when a career is devoted to opening eyes and minds to the important data security and privacy issues we face today.

We want to know: Who is your privacy hero?
Each month in 2018, we'll introduce an individual who has gone over and above to advance data security and/or privacy in their corner of the world. To nominate, simply drop us a note and explain why we need to know your hero.
At the end of December, we will announce our Privacy Hero of 2018. He or she will receive a token of appreciation and commemoration of outstanding work.
netFresh Phish: A Real-Life Catfishing Example
Anyone can be anyone on the Internet
Periodically, I share some of the more interesting scams that come my way to raise awareness of what these communications can look like. In the past month, I've had tons to choose from, and largely, they have been catphishing attempts. 

Catphishing occurs when a victim is lured into an online relationship with someone who is not what they seem. Often, these relationships spill over into the real world, and the victim is shocked to learn the real identity of the scammer. Worse,  that realization often comes after they have been scammed out of money or other possessions.

Here is a recent catphishing attempt I received on Facebook. 

Right from the beginning, there were red flags on the profile of this individual "Lee Park" who sent me a Friend request: 

The account was brand new; the user had just joined Facebook. 

There was very little information in the About page of the account. 

He had no other friends. 

T here were inappropriate comments on the profile picture, a young girl. 

When I submitted the photos "of himself" to Google images, they came up as actually belonging to Lt. General Charles Bouchard .
If you receive what appear to be catphishing attempts, take some screenshots and send them to me . I love to see how these scams evolve over time. 

Criminals' tactics are ever-changing. As Facebook and other social platforms learn of their exploits, they build in protections, keeping the scammers on their toes. But, they always adjust, finding new ways to victimize the unaware. 

Keep in mind catfishing is hardly a Facebook-only problem. These scams are running rampant on LinkedIn, Twitter, Instagram and other social media sites, as well.

Why was I targeted?

While I don't have validated proof (yet), I believe it's because I joined a couple of large fan groups for a TV show. As soon as I did, I started receiving these friend requests. So, it's possible some of the 20,000+ others in those groups were looking for victims within the membership. Something for us to think about when we join online discussion groups.

Warning for CraigsList, Ebay & Marketplace Shoppers
The online second-hand market is rife with danger
Before you buy any big-ticket item online, do some checking and watch for these warning signs:

Seller asks to be paid by untraceable means, such as a money card (e.g. Reloadit), wire transfer (e.g. Western Union) or in cryptocurrency (e.g. Bitcoin).

Seller asks you to visit a different site, outside of where the ad was listed, to pay for the item.

Seller wants to communicate directly through email, not through the marketplace's private messaging system.

Seller is charging an exorbitant shipping fee.

Seller has bad ratings or negative feedback on the marketplace or other marketplaces. (Watch out for ratings and comments that seem out of the ordinary; as they may be posted by fake or look-alike users.)

Make sure you are actually on CraigsList, eBay or Facebook Marketplace by looking closely at the URL. Many scammers have URLs that are close, just a little off.
quickQuick-Hit Online Safety & Privacy Tips

4 easy things you can do today

Find out what data Facebook has on you.  Facebook has long  allowed users to download an archive file of all interactions with the network. It's a 5-click easy process. (Thanks to my friend Dr. Mich Kabay for this pointer.)

Read a privacy policy. Make a promise to read one privacy notice or privacy policy on a website or app you use each week (or more frequently if you can). You may be surprised to learn how your data is being used by the companies you engage with online (and off). 

I once heard of a privacy advocate who launched an experiment to see just how many people read and actively agreed to his privacy notice. He included a sentence requiring users to give up their first born child. Shockingly, m ost people agreed to those terms! I'm guessing that's because they didn't actually read them.

Double check that post.  Before you hit "post" or "send," ask yourself if you would say or show that same thing on stage in front of a room full of convicted scammers, cons and hackers. Now ask if you would say it in front of your boss. Remember, n othing can ever really be deleted on the Internet. A simple screenshot can bring it right back, as   one Facebook exec recently experienced

Over the years, there have even been entire websites created to track Twitter users and save their deleted tweets.

Something else to keep in mind is what we say and how we behave in the physical world. Anyone around us is capable of video or audio taping our words or actions and publishing them online.

Check your child's phone.  (Or encourage a parent you know to do so.) Kids are increasingly vulnerable online as scammers and predators find that they are only a click away. Check for apps you don't know or trust, and give even the ones you do a critical review. Better yet, sit with your child to go through them; it could lead to the creation of good habits and also be great together time!


Careful with the Recycle Bin

How many of your patients' details end up in that green tub?

Recycling paper is always at the top of how-to lists on running an environmentally friendly business. But for entities that print sensitive customer information on paper, including medical providers, extra caution must be applied to recycling strategies.

Researchers recently scoured the recycling bins of health institutions and came out with thousands of documents containing sensitive and potentially identifying patient information.
One of the suggestions bandied about is for medical offices and hospitals to use less paper. But, let's get real. Caregivers are going to have paper patient files. It's unrealistic to suggest otherwise.

What providers really need are clear, documented and fresh policies and procedures detailing how staff will securely dispose of that paper. Compliant tactics include the use of cross-shredding and incinerators, which many medical providers already have installed.

PPInewsPrivacy Professor On The Road & In the News  

On the road and in the ethernet...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the places I have been recently and a few of the events I have scheduled for the upcoming season.

April 24: Teaching online GDPR Compliance MasterClass for IT GRC Forum 

April 26: Teaching ISACA ILLOWA Chapter 1-day ISACA ILLOWA Spring Seminar on Privacy Management & Privacy Impact Assessments (8 CPEs) at the ProCircular facilities in Coralville, Iowa.

May 3: Providing identity theft information at Compass Financial 
in Des Moines, Iowa at their  free, public event.

May 30-31: Giving Keynote SecureWorld, Atlanta, Georgia. 

September 19-20: Giving keynote and sessions at Data Privacy Asia, Manila, Philippines.

Privacy Professor in the news...


I'm so excited to be hosting Data Security & Privacy with The Privacy Professor on the  VoiceAmerica Business network . Our first several episodes are available for on-demand listening. Hear the perspectives of incredible guests as they talk through a wide range of hot topics, including identity theft, medical cannabis patient privacy, cybercrime prosecutions and evidence, and government surveillance. Please check out some of my recorded episodes, and let me know your feedback! I truly do use what I hear from listeners.

Friday, Mar. 30, I'll be talking with the always brilliant Linda Cadigan on whether data security and privacy experts have to specialize in one or two areas to have a great career. 

Do you have an idea for a show topic? Or would like to suggest someone who would be a great guest? Please let me know!

CPO Magazine

SIMBUS Blog Posts

The morning TV broadcast regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

On February 19, we talked through a different type of identity issue on the internet, specifically the case of the California man tied to Russian interference in the U.S. presidential election. 

If you're in Des Moines, Iowa, tune in live on  April 2  at  9:30 am  central. I'll be on to discuss some other interesting and important privacy and cybersecurity topics you need to know about. If you're located elsewhere, keep an eye on my YouTube channel, where you can catch up on many of my visits to CWIowa Live. 

Questions? Topics?

Have a topic I should discuss on the  CWIowa Live morning show or on my VoiceAmercia radio show? Or, a question I can answer in my next monthly Tips? Let me know!

April Fool's Day is just around the corner. Use it as inspiration to ensure no one is making a fool out of you and yours. 

Be mindful of the data you share and ask tough questions of the businesses, networks, brands and apps who request it. Why do they need it? Who are they sharing it with? And can you decide to stop that sharing when you're done working with them?

Have a great April!

Rebecca Herold, The Privacy Professor

Need Help?

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor┬«, privacyprofessor.org, privacyguidance.com, SIMBUS360.com, rebeccaherold@rebeccaherold.com 

NOTE: Permission for excerpts does not extend to images.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter