It's Official!
Did you celebrate Data Privacy Day on January 28?

Our team certainly did.

And, boy were we thrilled to open the mail to find the official signed proclamation from the Governor of Iowa for Iowa Data Privacy Day…for the twelfth year in a row!

Have you already fallen in love with privacy and cybersecurity? Do you have a tip to share with our readers? Let me know.

I just may include your tip in an upcoming issue.

Choosing to Fall in Love with Privacy and Cybersecurity

Now that Data Privacy Day is past, will privacy go by, unnoticed and unconsidered, for another long year? I hope not!

Each person is a privacy officer and cybersecurity VP…for each of their own lives. Every person needs to take responsibility for asking vendors hard questions about how their personal data is secured, with whom it is shared and how individuals can obtain copies of the personal data each organization possesses about them.

The more you realize the importance of privacy and cybersecurity to your life, and the lives of your family and friends, the more you will realize how important it is to be proactive about privacy.

It is time to fall in love with privacy and cybersecurity! And in this month of Valentines and hearts, it is a great time to start.

Have you found a way to meet the privacy and cybersecurity challenges of work-from-home situations? I am in the final few weeks of finishing my 20th published book (from CRC Press), “Security & Privacy When Working from Home and Travelling.” I’m including tips based upon real-life situations and events (all names and other identifying info can be removed) from pros who have met one or more challenges with these situations.

Send me your advice or tip related to improving the security and privacy of work-from-home situations, and I may include it in my book (and provide you with a copy!l). Get it to me soon, though, I will be submitting my manuscript for my book by the beginning of March.

This month, I am restructuring the Tips message.

The goal is to shorten each month’s issue and to point to more free resources that my team at Privacy & Security Brainiacs made available in the past month. I know many of you share my Tips with your family, friends and co-workers. And, many of you have asked for other types of awareness media, such as more pointers for my podcasts and audio clips, e-books, infographics and videos.

So, even though my Tips are shorter now, you will be getting a wider variety of multi-media items to read, listen to, watch and use for your own awareness-raising initiatives.

I welcome your feedback about these changes!

Read on to learn more about the ways in which we are all being watched and otherwise surveilled, as well as what we can do to reduce the everyday intrusions into our private and professional lives.
February Tips of the Month

  • Data Security & Privacy Beacons

  • Featured News Story: SolarWinds Hack

  • Quick-Hit News

  • Privacy and Cybersecurity Tips

  • Where to Find The Privacy Professor
Photo by Andreas Steidlinger on Scopio
Data Security & Privacy Beacons*
People and places making a difference
Marie Claire published a privacy-focused edition in October 2020! In addition to the feature article, Invasion of Privacy, the editorial also pointed to nine other articles about specific privacy topics. They included discussion of a range of apps, including fertility, dating and contact-tracing, as well as issues such as employee monitoring. Also included was a quiz for readers to measure how well their personal data is protected online. It is great to see a mainstream magazine, focusing on women’s issues throughout the globe, dedicate a large portion of the monthly magazine to privacy.

The FCC has a history of publishing warnings to the public about scams. They had a couple of great publications in the past month warning consumers about a wide range of scams and how to avoid them. These would be useful for organizations and their employees to know. as well. One covered warnings for a long list of COVID-19 scams. Another provided warnings and tips for online shopping scams, for which consumers are particularly vulnerable during the pandemic and with online shopping activities at an all-time high.

The Verge is a beacon this month for providing easy-to-follow instructions for how to make a copy of, and then remove, all information from Facebook. I also like how they included the following warning: “Beware: once you delete your account, it cannot be recovered.”

*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.
Featured News Story
SolarWinds Hack
If you haven’t heard about the SolarWinds hack in December 2020, you've missed news of a very significant hack. Everyone needs to be aware when things like this happen.

If you are a business leader or person who does business online; if you're a person who uses a computing device (including that phone in your hand); if you are ever online; if you use any one of the hundreds of social media sites, this news impacts you directly!
Here’s a quick overview of the SolarWinds hack:

SolarWinds, a US-based cybersecurity software business with about 300,000 customers, including Fortune 500 companies and government agencies, hired FireEye to perform a breach investigation in December 2020.

FireEye discovered that SolarWinds Orion updates had been corrupted and weaponized by hackers. This breach event is often referenced as SUNBURST. (Other variants include SUPERNOVA, Teardrop and Raindrop.) As it turns out, there were many vulnerabilities within the practices and technologies used by SolarWinds.

The result of the SUNBURST breach was that a large number of SolarWinds' clients, including U.S. government agencies, business customers and consulting firms, were hacked, as well. Notably, at least four of those clients were security companies, a fact we only just learned on January 20, 2021. 

Hacks like this underscore the need for strong security controls to be built into EVERY application, server and system. They also demonstrate the surreptitious, insidious, and harmful ways in which supply-chain attacks often occur, doing significant and often unrepairable damage for a long period of time before they are even noticed. This makes repair extremely challenging, and for some of the damage. 

In February, Privacy & Security Brainiacs will offer high-level overviews of the SolarWinds attack in both an eBook and a short video.

In the meantime, you can learn more within the following:

The SolarWinds Hackers Used Tactics Other Groups Will Copy. (Good for those with technical knowledge)

In related news, we may soon see more attention being paid to cybersecurity and privacy if this funding bill is passed: Biden-Harris Admin Proposes $10B in New IT and Cyber Funding for Federal Agencies.
Quick-Hit News
Stories you may have missed, but should know about. Don’t let these happen to you...

Be aware of swatters! Swatters hijack smart home devices to watch emergency responders.

EXTRA! Hear more about swatting in my VoiceAmerica show episode, Swatting Dangers and Defenses with Tom Conley, President & CEO of The Conley Group.

Everyone needs to be on the lookout for ransomware. 2020 was a great year for ransomware gangs. For hospitals, schools, municipal governments and everyone else, it’s going to get worse before it gets better.

Time to request your personal data to be deleted? Google announced on January 14, 2021, it had completed the purchase of Fitbit. From a privacy viewpoint, it's concerning that all the fitness, health and personal data owned by Fitbit may now be combined with all the other personal data Google possesses about virtually everyone on the planet. This creates the potential to gain much deeper insights into everyone’s lives, especially when fed into artificial intelligence (AI) technology. Now would be a good time to limit the amount of data Google has about you (and your family and friends) by requesting Fitbit delete all the data it has about you that you no longer need. You can remove data you don’t want to be retained by following these instructions. You also have the option to completely remove your Fitbit account. This is a short, nice video on how to do so.

Unemployment Fraud in the Criminal Underground. This report reviews the current threat landscape of unemployment fraud in the United States within closed sources and underground reporting. It will be of interest to organizations seeking to better understand unemployment fraud within the criminal underground, as well as investigators of threat actors performing such attacks.

Windows 10 Serious Flaw Could Corrupt Hard Drive If You Open A Folder. Microsoft has said it will fix a Windows 10 bug that can corrupt a hard drive just by opening a folder or just by looking at an icon.

Online scammers are getting rich; millionaires! A newly uncovered Russian-based cybercrime operation helped classified-ads scammers steal more than $6.5 million in 2020 from buyers across the US, Europe and former Soviet states. Here’s a long (but not even all!) list of current scams to be on the lookout for!

Delivery message scams find a legal loophole that can cost you a lot of money. Delivery scams are now topping the list of the most reported fraud because more people are buying and shipping packages during the pandemic. If you receive a confirmation email from United Parcel Service (UPS), watch out. It could be a trick. Scammers are posing as the UPS and shooting out fraudulent emails to trick you into clicking malicious links. Similar traps are being set in Ireland, as Gardaí issued a warning to online shoppers over courier payment scams in the country.

WhatsApp scam tries to steal your account: how to avoid it. WhatsApp is a hunting ground for crooks looking to swindle your PIN.

Looking for inauguration gear? Watch out for fakes, scams.

Investment scammers prey on dating app users. Interpol has issued a warning about the emerging threat.

No such thing as a free lunch, or free Netflix. If you get a text message for a free year of Netflix, you’re being scammed.

Identity Theft Scam Hits Elk Grove Village, IL, Hard. Cases in this corner of the world rose from 40 In 2019 To 315 in 2020. What's more, there were already 58 cases in the first 13 days of 2021. The former police chief was among those targeted.
Privacy & Cybersecurity Tips
A Quick HIPAA Lesson
Recently, I was motivated to post to Twitter about the entities that must comply with the US Health Insurance Portability and Accountability Act (HIPAA). The post was inspired by months of social media posts from a wide variety of folks (politicians, business leaders and the general public) threatening to sue various organizations "...for violating HIPAA!”

The overwhelming majority of these threats were based on completely incorrect statements about HIPAA. The posts claimed that individuals who are not covered entities (CEs) or business associates (BAs) as defined by HIPAA, nor CE/BA employees, are violating HIPAA by reposting or otherwise using individuals' health data inappropriately.

While other data protection and privacy laws and regulations may apply to those individuals and organiations, HIPAA generally does not apply to non CE and non BA entities.

Now, that does not mean you do not have recourse against anyone using your health data inappropriately. If other types of entities or people are accessing your health data without your consent, take action:

  1. Change the cybersecurity controls in the location for where your health data is stored to keep such access from happening. This may be in your fitness tracker, your smart assistant device, a cloud service you use as a health vault or any number of other devices and accounts that house your information.
  2. Contact the applicable cloud provider, IoT device vendor, business, etc. and ask them to strengthen their data security controls.  
Where to Find the Privacy Professor
Here are just a few of the podcasts, webinars and media I've either joined or created to raise awareness of privacy and cybersecurity issues.
I’m greatly honored to be a member of CompTIA’s new Cybersecurity Advisory Council! CompTIA Introduces New Cybersecurity Advisory Council. Top security executives will offer advice and guidance on staying ahead of cyber threats.

I was also honored to be named a top "100 Most Influential People in Cyber Security" by Cyber Security Newsletter.

Security Threats Soar From Nation-State Bad Actors as the New Year Gets Underway. Published in the Health Care Compliance Association journal.

GDPR regulators are sinking their teeth into violators. 2020's fines are proof. Cybersecurity Dive
2020 Was a Privacy Wake-up Call: Don't Go Back to Sleep in 2021! SecureWorld

Customer Data Privacy 2021: It's No Longer Just Business, It's Personal Panel discussion held Thursday, January 28, 2021.

NIST Cybersecurity for IoT Draft Guidance: Rounding Up the Requirements Fellow NIST authors and I presented key ideas on January 26, 2021.

And Security for All hosted by Kim Hakim on the Voice America Business Channel.

Shoering Up Security
On this episode of CompTIAWorld's Shoering Up Security, MJ Shoer and I talk about how to implement cybersecurity best practices—and how to get everyone involved in the conversation (not just IT). We also offer up advice for anyone thinking about starting their own business, as well as the terrific topic of women in tech.
On this Trility podcast, we discussed infosec and privacy specifically for senior living facilities.
Listen in to learn more about pandemic-era threats to consumer data security and privacy. 
The topic here was how to protect your home, kids, finances, health data and business from hackers. 

Here is another episode that covers privacy risks and impacts of contact tracing, IoT device use and the Surprising Places Your Data is Being Tracked.
Tips4Tech 12 Tech Resources
I was honored to be included in a list of a dozen resources for people turning to tech to help them through the COVID-19 crisis.

A couple recent industry articles to which I've contributed thoughts...
Defense-in-Depth (DiD) Strategies: Protect Higher Ed Users Against Cyberthreats
VA Did Not Disclose Huge Data Breach for 7 Weeks
My Radio Show
If you haven't checked out my radio show, Data Security & Privacy with the Privacy Professor, please do so. We discuss a wide range of real-world topics within the data security and privacy realm.

Latest Episode

Next Episode

Healthcare Privacy & Security with Chief Information Security Officer for Indiana University Health, Mitch Parker, who oversees cybersecurity for more than 30,000 employees at 18 hospitals.
New IoT Cybersecurity Drafts from NIST Will Impact the Ecosystem
On December 15, 2020, NIST released four new draft IoT cybersecurity documents to provide guidance for federal agencies and device manufacturers. Additionally, NIST is updating its catalog of IoT cybersecurity capabilities.
Please provide your feedback to NIST.
NIST Wants Your Feedback
In this video, Michael Fagan, technical lead for the NIST Cybersecurity for IoT program, and I, a subject matter expert (SME) on the NIST Cybersecurity for IoT program team, describe the path that led to the GitHub posting and its role in developing the Federal Profile.
The Privacy Professor | Website
Privacy & Security Brainiacs| Website
Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. February 2021 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.