Why Are You Getting This?
You signed up to receive the Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB), or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.
We’re Late with This Month’s Tips. I’m Sorry!
I apologize for being later than usual with publishing this month’s Tips!
May was a hectic month for client work. Sadly, I’ve also been dealing with the deaths of a family member, a friend, and a client. As we know, life sometimes throws us curveballs.
The latter inspired me to revisit the topic of privacy after death in my July Tips.
Graduating to “Smart” IoT Devices
Many students of all ages are graduating this season! High-tech gifts (such as “smart" internet of things (IoT) devices) are trendy but come with risks along with congratulatory wishes.
Although privacy and security never take a summer break, we’re cutting back a bit on the questions in this issue. We’ve even gotten some from graduates! We will answer those in upcoming issues of Tips, or in some of our other publications.
Oh, and have we told you lately, we appreciate you! We love your feedback and questions. Please keep them coming!
Read, learn, and become a smart cookie…not a victim of a tracking cookie!
Do you have stories, examples, or concerns about the topics covered in this issue that you would like to provide feedback on? Send them over! We may discuss them in an upcoming Tips.
We hope you are finding all this information valuable. Let us know! We always welcome your feedback.
Stay aware, go to the head of your privacy/security class, and keep more money in your pockets and online accounts!
Thank you for reading!
Rebecca
We would love to hear from you!
June Tips of the Month
- Monthly Awareness Activity
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons*
- Privacy and Security News
- Where to Find the Privacy Professor
Monthly Awareness Activity
June 7 was World Caring Day. Perfect! How about focusing on caring about the security and privacy of others and making June World Caring for Personal Data Month?
Then, help out those who are risky in sharing personal data, who have previously asked for help with their security settings, who still need help, and more! Here are a few ideas for what you can do to raise awareness of security and privacy risks and show you care about how they impact others. Offer your help with mitigating those risks.
Consider doing one or more of these actions and activities to show you care about the security and privacy of your employees, co-workers, friends, and family.
1) Invite guest speakers to give presentations and talks about strengthening information security and privacy within homes, while traveling, and otherwise out in public. This will demonstrate you care for them!
2) Point the people in your circle to one of the Data Security & Privacy with the Privacy Professor episodes that covered real-life accounts of privacy breaches, security incidents, and identity fraud to show you care and want to keep them from experiencing the same.
Here are a few for you to consider:
3) If you are tech savvy about IoT product settings, and other types of tech, offer to help friends, family and co-workers who may not be tech savvy. They need your help to protect their data, networks, devices and privacy. Show them you care! Need some resources to help guide you? Check out our free IoT security and privacy information and tips here:
What IoT questions, comments, or tips do you have? We are targeting the end of this year to finish our series of new books on IoT security and privacy risk management. We’d love to know your questions so we can include information answering them in our books. And also possibly within an upcoming issue of our Tips!
4) Watch a movie with good examples and lessons about security and/or privacy. Rebecca issued the first list of such films and shows in 2002 for a course she created and delivered several times -- “Building a Privacy Management Program.” It was also in the first (and an update in the second) edition of her book, “Managing an Information Security and Privacy Awareness and Training Program.” Her current list has over 400 movies and show titles listed. Here are a few good ones:
- Home Alone: to show you care about in-person social engineering.
- Otto: to show you care about protecting health data. (It also contains social media lessons.)
- The Truman Show: to show you care about how people are being surveilled without being aware of it.
- The Brave Little Toaster: to show you care about using and securing IoT for good and protecting privacy, not for evil and violating privacy. This is still the best movie I’ve seen with IoT at the center of the story line…even if they didn’t call it IoT back then!
What movie or show do you love to point to that provides lessons about security and/or privacy? Let us know!
5) Show you care about how your family, friends and coworkers are being digitally tracked online by showing them how to block tracking cookies. Need some guidance about this? Check out the useful, “How To Enable and Disable Cookies on Every Web Browser [Guide].”
What other activities do you suggest for making your own World Caring for Personal Data Month, with the subject of care being cybersecurity and privacy? Are you planning to do one of these suggested activities or your own? Or are you doing an awareness event this month for a different recognized day or week?
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
June 2023
We received several questions about IoT product security and privacy and some about privacy after death. We couldn’t possibly respond to all of them in this issue. We’ll address some about privacy after death in the July issue. Here are two prominent ones about healthcare privacy, and privacy where we live.
Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!
Q: A few years ago, I saw a healthcare specialist for the first time. He went to his computer and searched for me in a database. Then he said, "You're not the only (insert my first and last name) in town." I assume it was a patient database, even if I didn't have much data besides my name and basic information. I didn’t see his screen. Was my doctor violating HIPAA by disclosing that there were other (possible?) patients on record with the same name?
A: Great question! I need more facts to answer your question accurately and thoroughly. But, I’ll provide a few points and thoughts working with what you provided.
You indicated you didn’t know what kind of database the specialist looked through and noted that you’d never been to him before. It could have been a database not associated with his specialty-specific health data. Maybe it was a database of patients for the entire health system; many healthcare providers use such databases if they are part of a health data exchange.
Another possibility: I don’t know how large or small your town/city is, but perhaps he simply looked at the online white pages to learn more about you before starting your appointment and saw others with your name listed.
He may have used something like MyLife, or LinkedIn, Facebook, etc. Many healthcare providers I communicate with say they use those types of tools much more often to learn more about their patients, which can help them to provide better care to them by knowing more about their lives.
Also, as you described, he made this remark casually. I did an online search and found tens of thousands of people with your name in the U.S. and about 150 here in the greater Des Moines, IA area. If he checked a database that wasn’t part of the hospital’s/clinic’s database of patients, then he’s most likely not breaching PHI or violating HIPAA.
I don’t know the context of your specialist physician’s statement, "You're not the only (insert your full name) in town." He could have just been trying to provide some humor.
If he didn’t say anything more than that about a different person with your first and last name, and without knowing all the details, it would be a feeble case to make for this being a PHI breach as defined by HIPAA.
Also, if he didn’t say anything that would pinpoint a specific person with your same name, or show you any PHI from another person with your name, it would be hard to make the case that this was a HIPAA violation based on the information you provided.
This is somewhat similar to situations where, in the waiting areas, the staff will often call the next patient by a first name, or sometimes the first name and last name initial. And then, everyone in the waiting area sees that person heading to the patient area in response. These situations aren’t considered to be HIPAA violations even though everyone is collecting visually and audibly more information than what you described. A specific person's appearance in a clinic would generally be considered PHI. However, in this type of waiting area situation, such disclosures are considered by HIPAA to be acceptable as an “incidental disclosure.” You know in the waiting area that the person called is a patient for a doctor, possibly of a specific specialty. Still, beyond that, you don’t know anything else. The staff used “reasonable safeguards” by not using the full name, even though everyone in the waiting area would have seen you.
Your example seems more like an offhand remark, with no context applied, and without even knowing if the other people with your name in town are even patients for this particular specialist.
Based solely on what you provided, this likely wasn’t a HIPAA violation.
Q: Do laws exist that would prevent my neighbor from recording my minor children here in Iowa when they are in my yard? My neighbor has a security camera pointed into my backyard and also flies drones (a type of IoT device) over our backyard and sometimes live streams the video.
A: Keep in mind that laws don’t prevent actions; they govern the results of breaking the laws. The laws governing recording children and others vary from country to country, state to state, and city to city. Most privacy laws restricting recording children cover recordings made online, not in the physical world. In the US, with a few exceptions, it is not illegal to photograph or videotape children, even in their own yards.
In Iowa, a law governs photographing and recording individuals of all ages. It is “Iowa Admin. Code r. 441-28.5 - Photographing and recording of individuals and use of cameras.” Here is the content of the full regulation:
(1) Use of still or video cameras or voice recorders by anyone other than an authorized employee, individual, parent, guardian, or legal representative to photograph or record an individual shall be allowed only with the prior authorization of the superintendent or the superintendent's designee. Permission to photograph and record shall be granted for one specific use, and the authorization shall not extend to any other use.
(2) Photographs, videos, and recordings of an adult individual shall be taken for publication only with a signed informed consent from the individual or the individual's guardian or legal representative.
(3) Photographs, videos, and recordings of a minor individual shall be taken for publication only with a signed informed consent from the parent, guardian, or legal representative.
(4) Every effort shall be made to preserve the inherent dignity of the individual and to preclude exploitation or embarrassment of the individual or the family of the individual.
(5) Photographs, videos, and recordings of individuals are not to be altered to prevent identification in any manner that would tend to perpetuate the stigma attached to the public image of individuals with mental illness or an intellectual disability.
This rule is intended to implement Iowa Code sections 217.30 and 218.4.
Notes
Iowa Admin. Code r. 441-28.5
ARC 8094B, IAB 9/9/09, effective 11/1/09; ARC 1145C, IAB 10/30/2013, effective 1/1/2014
Notice this law is within the Iowa “Policies for Mental Health Institutes and Resource Centers,” and that item (1) applies to recording for specific uses, (2) applies to recordings made for publication, (3) applies to children’s recordings for publication, (4) applies to how the images look, to preserve dignity and avoid embarrassment, and (5) applies to subjects with mental illness or an intellectual disability. We could find no other Iowa laws specific to recording children, or anyone generally, in their own yards.
Other states have also passed laws, some with more restrictive legislation to change this permissiveness. School districts throughout the country also typically set their own rules to protect their children. But those laws and rules also tend to be specific to online and digital privacy.
In other countries, such recordings are illegal, and significant fines have been applied. For example, a judge in the UK ruled that security cameras and a Ring doorbell (another IoT device) installed in a house "unjustifiably invaded" the privacy of a neighbor under GDPR. The person with the security cameras and Ring doorbell was ordered to pay the court fees, lawyer fees, and a £100,000 (approx. USD $125,574) fine.
It is worth discussing this with your neighbor. Perhaps you’re in an unfriendly or awkward situation. Maybe you spoke to them, and they didn’t respond favorably. If so, we suggest discussing with your local police, county attorney, or State Attorney General to see if they know of any applicable laws that may not be apparent from how the law is titled or worded. Good luck!
Data Security & Privacy Beacons*
People and Places Making a Difference
- IoTHub for recognizing those building IoT products by announcing the 2022-23 IoT for Good, Security and Interoperability Awards finalists. The winners were announced on May 23. Congratulations to the winners, who include:
- The Farmdeck: Monitoring Fridge Sensors pilot project
- The Non-Urban Water Meter Monitoring solution from SigSense and Kallipr
- The Meter Data Logger Program, developed by Telstra and Jemena
- Western Sydney University, which uses machine learning modules tied to 202 micro-locations
- Bodd – 3D Body Scanners from Bodd Technologies
- TransportDeck: Pick-Up and Drop-Off Bays
- The Digital Utility at Scale project
- The Smart Parks Can Cool Our Cities project
You can see them here.
- Identity Theft Resource Center (ITRC) for compiling research each year and recently releasing their report, “2022 Trends in Identity Report.”
- Hideyuki Matsumi and Daniel J. Solove for their thoughtful new paper, “The Prediction Society: Algorithms and the Problems of Forecasting the Future.” Free download. 62 pages.
- Trustwave for their warning and instructive report about targeted, and highly effective, Microsoft 365 phishing attacks using encrypted RPMSG messages.
- Sharyn Alfonsi’s 60 Minutes segment with Rachel Tobac, “Cyber scammers target parents, grandparents for digital theft.” Great tips are included within this 13:29 min video.
- Philippines National Privacy Commission for their redesigned website and abundance of great privacy information, including requests for public feedback on a variety of privacy topics.
- Paschalis Bekos, Panagiotis Papadopoulos, Evangelos P. Markatos, and Nicolas Kourtellis for their ACM paper, “The Hitchhiker's Guide to Facebook Web Tracking with Invisible Pixels and Click IDs.”
- The NextDoor social media site for having a Beware of Scammers group in most of their neighborhood groups. Scammers have fallen in love with using NextDoor to launch their scams. It is good to see them establishing some areas to raise awareness of those scams. I think they could do more, but this is a good start.
- USA Today for their article about current brushing scams in Europe, the US, and other countries, “Got an Amazon package you didn't order? It could be a sign your account has been hacked.”
- Gema de las Heras from the FTC for their page explaining how to spot job ad scams.
- Larry Magid for sharing the details of his virtual kidnapping call, which he almost fell for because the voice was his wife’s! AI generated the call message using recordings of his wife. Give it a read. This is a quickly growing threat to everyone with a phone. Stay aware!
- Joanna Stern, WSJ Personal Tech Columnist, for doing an experiment that, among other things, demonstrated how easy it is to use AI voice cloning to defeat voice authentication methods, and to create convincing deep fake videos. It's a short (6:51 min) video; sip your coffee, tea or wine and have a short informative break!
- ITPro Today and Information Week for their virtual event, "The Intent for Automation: Six Ways AI is a Gamechanger." Thanks to all the folks there for also including me in this great event. We had a wide-ranging and informative conversation!
- The Washington Post for their informative article, “A curious person’s guide to artificial intelligence: Everything you wanted to know about the AI boom but were too afraid to ask.”
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight a noteworthy example of privacy-aware practices.
Privacy & Security News
Visit the PSB News Page often!
Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other useful information on our site. Our goal is to post 3-4 times a week. We’d love to also see your comments and thoughts on our posts.
We have received great feedback on our course, “HIPAA Basics for Business Associates 2023 Edition.” Our course includes more direct experience insights, examples, guidance, supporting supplemental materials, and more meaningful course quizzes and associated certificates of completion than other vendors. Similar statements have been made about our “HIPAA Basics for Covered Entities 2023 Edition” course. We have included real-life experiences within the courses, along with many supplemental materials, which we update as changes occur, so our clients and learners can use their Privacy and Security Brainiacs portals not only as a source of learning, but also to keep up with regulatory changes, and even to store their organizations’ security and privacy policies. Please check them out!
Students of each Master Experts “Online Education” course receive certificates of completion, showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class, and much, much more. Have questions about our education offerings? Contact us!
Where to Find the Privacy Professor
If you haven't checked out Rebecca's radio show, Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of real-world topics within the data security and privacy realm.
Latest Episode
First aired May 6, 2023
Rebecca Herold
IoT Stalking, IoT Jewelry, JuiceJacking, AI, CheckWashing & More!
Back by popular demand, Rebecca continues answering reader/listener questions about IoT security and privacy, Meta Pixels and other tracking tech, and more.
Next Episode
First aired June 3, 2023
Ron Woerner
Individuals & Businesses: Mitigate! Those! Risks!
Everyone is at risk of cybercrime, privacy breaches, and associated physical risks. Individuals in their personal lives, as well as businesses and their employees within work areas…which are often in homes, and other locations outside of physical business facilities…are at risk. Rebecca speaks with Ron Woerner, a noted international consultant, keynote speaker, teacher, blogger, and writer in the Privacy and Cybersecurity industry, about these issues.
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:
Source: Rebecca Herold. June 2023 Privacy Professor Tips
www.privacysecuritybrainiacs.com.
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Information
You are receiving this Privacy Professor Tips message as a result of:
1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or
2) making a request directly to Rebecca Herold or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.