Why Are You Getting This?

You signed up to receive the Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB), or consented to receive the Tips. Please read our Privacy Note & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

Ah, February!

Emotions -- especially LOVE -- are in the air.

Scammers also love this month because they can play on people’s emotions and trick them into handing over personal data, and other valuable information when their guard is down. 

Valentine’s Day doesn't just mean candy and flowers. It gives rise to online shopping scams, such as fake websites, bogus giveaways and surveys, and perennial romance scams. 

Add to these a wide range of other types of scams that play upon emotions, and this short calendar month in calendar days often ends up being the largest month for online cyber scams. 

This month we answer several of the questions we’ve received asking about such scams. Plus we tackle evergreen concerns about HIPAA compliance for EMTs, security cameras disliked by neighbors, and naked baby photos. 

And you’ll really love this “secret admirer!” Did the Iowa Governor approve of our Iowa Data Privacy Day proclamation that we told you about last month? Read on to find out!

Do you have stories, examples, or concerns about the topics covered in this issue that you would like for us to provide feedback on? Send them over! We may discuss it in an upcoming Tips. 

Thank you for reading! We all wish you a very lovely, scam-free February! 

Ensure the only thing that’s stolen is your heart!

Do you have stories, examples, or concerns about the topics covered in this issue that you would like for us to provide feedback on? Send them over! We may discuss it in an upcoming Tips.


We would love to hear from you!

We hope you are finding all this information valuable. Let us know! We always welcome your feedback. 

FebruaryTips of the Month

  • Monthly Awareness Activity
  • Privacy & Security Questions and Tips
  • Data Security & Privacy Beacons*
  • Privacy and Security News
  • Where to Find the Privacy Professor

Monthly Awareness Activity

February 7th is International Safer Internet Day and is now celebrated in approximately 180 countries and territories worldwide. It started in 2004. 

This aligns perfectly with our emotional scam theme. Why? Because emotional scams are not new. Crooks have been using them since long before the internet existed. And the scams are getting more creative, and playing on people’s emotions more than ever. 

They target everyone on the internet -- of all ages and on various sites.

What is Sextortion?

The US Department of Justice and the FBI just released this past December a warning about sextortion, a mashup of “sex” and “extortion.” 

Sextortion occurs when an individual is threatened or extorted, usually online, by a person demanding sexual content (photos/videos) or money from the targeted victim against his or her will. For example, after a child, teen or adult shares an image with someone they thought they knew or trusted. The sextorter gains the victim’s trust through deceit, coercion, or deception.

This often happens when the crooks falsely claim that they have obtained illicit photos of a person through the phone or computer webcam. We’ve gotten MANY of these messages, but we also know that there was no way they had such photos or videos.

Scammers will tell their target lies. For example, they may say they took photos or videos of someone in the bathroom or shower. 

The scammer then threatens to release the compromising material unless the victim sends additional images, money, cryptocurrency, etc. If the crooks have been able to convince the victims to provide such images, they will go ahead and release the images even if payments are made. Victims’ shame, fear, and confusion often keep them from asking for help or reporting the abuse.

For Safer Internet Day consider:

  • Showing the example of a real-life extortion scam email I received: 

Compare our real-life extortion scam email with a description of this widely-used message…the verbiage is the same! This is commonly called the “Professional Hacker” extortion scam. If you get such an extortion email, copy and paste one of the sentences from the message, do a search of it, within quotation marks (“”), and you will probably find similar messages that show it is an extortion scam.

What other activities do you suggest for Safer Internet Day? Are you planning to do my suggested activities or your own? Or are you doing an awareness event for a different recognized day or week in February? Let us know!

I include a list of 250 security and privacy awareness activities and resources within my book, "Managing an Information Security and Privacy Awareness and Training Program." If you’d like more ideas, check it out.

Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

February 2023

Here are a few questions we’ve received over the past several months about privacy, security, and current trends and products. We've received many!

Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!

Q: I'm 16 and an EMT. My mom wants me to share my location 24/7 including when I’m on calls. I know she just cares about me. But I’m worried too. Would that sharing violate HIPAA?

A: You are very smart to wonder about this! Organizations where EMTs work have been penalized for HIPAA non-compliance. For example, in 2019 West Georgia Ambulance, Inc. had to pay $65,000 and adopt a corrective action plan (CAP) after an unencrypted laptop containing the clear text health records of 500 patients fell off the back bumper of an ambulance. The laptop was not recovered. It contained a lot of protected health information (PHI), including the patients’ mailing addresses. 

Roughly 50% of ambulance calls are to residences. So if your mother had access to your location, she might be considered to have personal health information (PHI) for the patients you help and you could possibly be liable for releasing it. Some lawyers argue that the address is associated with the vehicle and not the patient, but others argue that within the context of the use of an ambulance to provide medical care to a patient, that address would be associated with the patient and thus then considered to be PHI.

How about a compromise with your mom? Keep your location device active when you are not responding to a patient call. As soon as an emergency call comes in, deactivate your location tracking. Discuss this with your employer and see if this is acceptable to them. If it is, let your mom know that you need to do this to protect patient privacy, and comply with legal requirements. I’m a mom too, so I understand both perspectives! Good luck!

giphy image

Q: We just had our first baby. We’re so excited and babies are so cute that we’d like to share some photos with family and friends. Is sharing a photo of a naked son or daughter illegal?

A: Great question! Posting pix of a naked newborn can create problems. How are you sharing the photos? On social media or Google Photos, or another type of photo/video sharing cloud service? Via email? Hard copy? On a USB thumb drive?

Sharing naked photos of anyone of any age online and through cloud and synced services is risky. 

When you share photos of anyone under 18, that’s especially risky. Artificial intelligence (AI) is increasingly being used throughout the internet in a noble effort to identify possible pedophiles, but baby photos can often wind up triggering the senders as being possible pedophiles.

For example, a father concerned about his toddler’s swollen and rash-covered genitals took multiple photos to send to a pediatrician. The pediatrician diagnosed the problem and prescribed medicine, and the toddler was soon better. 

However, the father sent the photos using Gmail, which he had synced with Google cloud, and a few days later the Google AI flagged the father as a possible pedophile, disabled his account and alerted police, who then obtained everything in his Google account including all his internet searches, his location history, his messages and every document, photo and video he had stored within his Google accounts. Ultimately the police determined he had not been doing anything illegal. But, he never got access back into his Google account and lost all the information he had there. 

Ultimately the determination of what is illegal depends largely upon local, federal and international law enforcement decisions, often (but not always) relating to the context of the photos, videos and other types of images.

Those many different laws do not always align. For example, in the European Union sharing nude images of children under 18 is generaly illegal. Even when photos and videos are determined to not be illegal, tech companies housing the images may use AI that is engineered to remove access to accounts where the images are housed. As demonstrated with the example of the father sending photos to his pediatrician.

Here’s another consideration. When children get older, they may exercise their legal rights to bring charges against those who shared their naked baby pictures/videos without their consent. 

Case in point: A naked baby in a pool appeared on the cover of a Nirvana album. As an adult, the young man filed a lawsuit against the band for violating a federal child sexual exploitation law. (It was ultimately dismissed…twice so far.)

Consider the points in all the previous information before posting photos of your naked child. Use alternatives that do not involve online storage or sharing if you want to capture an innocent photo of a baby in a bubble bath. And consider how your child might feel as an adult.

Q: Where should I report online scams when I encounter them?

A: You can report online scams to various authorities.

In the U.S.:

Report scams to your local government 

Report the scam to your state consumer protection office. If you lost money or other possessions in a scam, report that to your local police too.

Report scams to the Federal government

You can report scams to the federal government. Government agencies use reports of scams to track scam patterns. They may even take legal action against a company or industry based on the reports. However, agencies don’t typically follow up after you report, and can't recover lost money.

Do not use the contact information included in scam messages. Use verified contact information in the USA.gov Federal agency directory to report other government imposters. 


Report online and international scams

Report fake websites, emails, malware, and other internet scams to the Internet Crime Complaint Center (IC3). Those living in the US are often targeted by criminals from other countries. If you have been affected by an international scam, report it through econsumer.gov. Your report helps international consumer protection offices spot trends and prevent scams.

Do you have more suggestions? Drop us a line.

Q: My neighbors are upset that I installed a surveillance camera in front of my door. Is that reasonable? 

A: Neighborly love (or at least respect) is important. Whether or not your decision is unreasonable depends on several factors. Are you pointing the camera at their windows or doors? Or, into their yard? Perhaps into a backyard with a privacy fence? 

In the UK the court ruled in the favor of the neighbor of a homeowner who installed a security camera in his backyard.  It captured both audio and video and was pointed at an angle that also captured his neighbor’s backyard. The neighbor claimed this violated the Data Protection Act 2018 and the UK General Data Protection Regulation and took him to court. The man who installed the camera was fined £100,000 (approximately $124,000 USD).

Is this perhaps why your neighbors are offended? Is your camera capturing them on their property? Or recording the sounds from their property? 

If you are not capturing your neighbors on their property, then they do not seem to have a basis to be offended by what you are choosing to do for your own safety on your property. 

If you are not recording them or their properties, have you asked them to explain why they do not like your use of the surveillance camera? Perhaps they would love to know that you are concerned about their opinions, and then may agree that if you don’t capture them in your video feed that it will no longer be a concern.

Q: What are the most common online scams targeting those in Europe?

A: According to research and scam crackdown operations by Europol throughout October, 2022, the most common current scams include the following:

  • Phishing, vishing and smishing fraud: Stolen credit card numbers are often obtained through phishing/vishing/smishing attacks when criminals contact people by phone, text messages, messaging apps or email and attempt to convince them to hand over their credit card information.
  • Account takeover fraud: This fraud occurs when a criminal gains access to a user’s account on an ecommerce store. 
  • Triangulation fraud: This type of fraud happens when online criminals set up a fake or replica website and entice buyers with cheap goods. The catch is that these goods don’t actually exist, or of course are never shipped.

Q: Is sextortion a problem in Australia?

A: Yes. Sextortion is a problem throughout the world. In Australia, children between 10 and 17 are most commonly targeted, with boys 15 to 17 years old being the majority of victims, according to Australian Federal Police (AFP). The average extortion amounts are between $50 and $1,000 AUD, but the AFP indicates some have been as high as $10,000 AUD. The AFP recommends parents who are concerned about a conversation their child is having with someone online should:

In the U.S. 25% of sextortion targets are boys age 13 or younger.

Q: Did the Iowa Governor grant the Iowa Privacy Day proclamation request this year? If yes, YAY! If not, why not?

A: The answer is, YAY! We just found out on January 25 that it was accepted. Here is a photo of the official proclamation, with the pressed gold seal! Zoom in to see the verbiage. We have also posted a copy of it on our Privacy & Security Brainiacs page.

Q: What are the penalties for scams that prey on people’s emotions? 

A: We love the fact that hefty penalties are being assessed for online scams. These penalties can be significant, and include prison time, as well as fines. They vary from case to case, and from judge to judge. Here are a few U.S. examples:

  • A 31-year-old man was sentenced to 97 months in federal prison for mail fraud and money laundering offenses related to his role in a nationwide elder fraud “grandparent” scam.
  • A 36-year-old Oklahoma man was sentenced to four years in prison and ordered to pay $500,740 in restitution to the victims of the crime for an online romance scam that defrauded multiple victims across the U.S. of at least $2.5 million. 
  • A 33-year-old man was sentenced to serve 27 years in prison and ordered to pay $1.7 million in restitution to his victims for a romance scam. 
  • A 55-year-old man was sentenced to three years and five months in prison, to be followed by five years of supervised release, and ordered to pay restitution in the amount of $541,032.10 for committing a charity for veterans fraud scam.
  • A man was sentenced to 43 years in prison followed by a lifetime term of supervised release for victimizing more than 1,100 minor girls across the US and other countries throughout the world in an extensive online sextortion scheme. 
  • Two South Carolina prison inmates, ages 59 and 43, were charged with a sextortion scam that targeted an Army veteran shortly before he killed himself on Sept. 11, 2018. One of the criminals was sentenced to 10 years in prison with the last three serving on parole. The other criminal was already serving a 15-year sentence for assault and battery, and will complete that term with no additional time for the sextortion.

Data Security & Privacy Beacons*

People and Places Making a Difference

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Privacy & Security News

Visit the PSB News Page often!

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other useful information on our site. Our goal is to post 3-4 times a week. We’d love to also see your comments and thoughts on our posts. 

We now have a new page dedicated to HIPAA and healthcare news, here. This is in addition to our other three news pages for specific news topics! We also have a separate news page for IoT security and privacy news. You can see it here. And, we have news for Log4j security and privacy vulnerabilities, patches, exploits, and everything else related, here. You can also get to them all from our Privacy & Security Brainiacs News Page

Check It Out!

We have updated and reorganized our Privacy & Security Brainiacs home page. We have also updated our “Online Learning” landing page. The courses provide real-world examples and advice, and the quiz questions which support critical thinking, which results in longer-term retention of the concepts. Real-world examples help professionals identify where they need to beef up their own compliance practices. They also learn about HIPAA rights in the U.S. that they’ve never heard before. We have also created a landing page for our new Master Experts “Online Education” services.

Students of each class receive certificates of completion, showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class, and much, much more. Ask us about our deeply discounted beta testing user pricing.

Where to Find the Privacy Professor

Congratulations to Rebecca for being recognized as one of the

Top 40 Data Privacy Pioneers!


Radio Show

If you haven't checked out Rebecca's radio show, Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of

real-world topics within the data security and privacy realm.

Latest Episode

First aired January 7, 2023

Christine Abruzzi

A Cybersecurity Expert’s Real Life Identity Theft Experience

Even world-renowned information security experts can be hit by identity theft, and learn even more about how these frauds occurred, are handled by law enforcement, and can be resolved. Hear Christine describe details and lessons learned from her own current identity theft situation.

Next Episode

First airing February 4, 2023

Rebecca Herold

Listeners’ Questions about Health Data, IoT, Tracking Tech, Scams and More!

Rebecca answers a few of the many listener questions she has received over the past few years since her last listener questions episode. There are some very interesting ones; don’t miss it!

The Privacy Professor | Website

Privacy & Security Brainiacs| Website

Facebook  Twitter  Linkedin  

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:

Source: Rebecca Herold. February 2023 Privacy Professor Tips


NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Information

You are receiving this Privacy Professor Tips message as a result of:


1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or

2) making a request directly to Rebecca Herold or 

3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com


If you wish to unsubscribe, just click the SafeUnsubscribe link below.