Thieves in the Night, and Plain Sight

When we think of people stealing from us, we often picture masked criminals sneaking into our homes or businesses under cover of darkness. In fact, much of today's theft is happening right under our noses. 

I'm talking, of course, about the siphoning of our personal data. It's occurring from all kinds of well-known places, such as social media sites, business databases  and business websites, not to mention through security holes in organization networks, wi-fi networks, and "smart" Internet of Things (IoT) devices.  

Sharing personal data  with and within  these places can be like leaving your front door wide open for any old crook who happens by.   

Read on to learn more about the latest threats against our personal data and tips you can do to lessen the risk. 

International Privacy Regulations Go Live
GDPR went into effect May 25

Those of us in the data security and privacy industry have been talking about the European Union's (EU) General Data Protection Regulation (GDPR) for what seems like ages. It finally went into effect in May.

As expected, a tidal wave of GDPR complaints began pouring in as soon as the calendar flipped to May 25, 2018. More are expected. 

Will your organization be named as a violator of GDPR? Those in the US, and other non-EU countries, may very well need to comply with this wide-ranging law.

A common complaint, one already sparking lawsuits, is an ineffective privacy policy. It's incredibly important to get your policies up to snuff with GDPR as soon as possible if you haven't already. Remember, GDPR generally applies to any organization or person that currently has (or targets) EU citizens as customers, users, patients, employees, contractors or some other stakeholder. 

GDPR Info & Resources

Below is a sample of the GDPR resources I've prepared over the past 18 months. Please use them. If they spark any questions, don't hesitate to get in touch.

DPIA Tool: GDPR Data Protection Impact Assessments (This is a tool I was happy to create for ISACA, which is now making it available at no cost for a limited time)

Voice America Radio Show: EU GDPR Sanity: Practical Advice for Effective Compliance (a second GDPR-focused episode will air first on June 12; periodically, I will have more GDPR experts on the show)

The GDPR Deadline Is Here - Are You Ready? New ISACA research shows the answer to that question is probably not

NOTE: GDPR content and automated DPIAs will be incorporated into my SIMBUS business services in the coming weeks.

Privacy Hero: Tara Taubman-Bassirian
Early adopter learns tech so she can teach others

Tara goes by many titles: lawyer, advocate, mediator, researcher, consultant, speaker and writer. With incredible expertise in areas like privacy, intellectual property and data protection, she has made a name for herself in several areas of the world, most notably the UK, France and the US.

An early adopter of emerging technologies, Tara makes it her business to understand intimately the challenges presented by regulations in the era of high connectivity. This is how she has become a trusted advisor to individuals and businesses looking to navigate the legal pathways to justice in the internet age. Over the past couple of years, Tara has been very active in raising awareness of the new EU General Data Protection Regulation (GDPR), advising businesses on the relevant compliance requirements.

Tara is heavily involved in raising awareness around privacy issues, rights and regulations. She is a member of ICANN's Noncommercial Users Constituency, the European Network and Information Security Agency (ENISA) and the Society for Computers and Law. She co-authored "Online as Soon as It Happens" and is a volunteer mediator for Mediation North Surrey, where she extends community mediation to copyright conflict resolution.

A few years back, Tara and I co-founded a Facebook group, Fly A Kite, dedicated to coping with and eradicating cyber-bullying, something near and dear to the two of us.

We want to know: Who is your privacy hero?
Throughout 2018, we'll introduce an individual who has gone over and above to advance data security and/or privacy in their corner of the world. To nominate, simply drop us a note and explain why we need to know your hero.
At the end of December, we will announce our Privacy Hero of 2018. He or she will receive a token of appreciation and commemoration of outstanding work.

Alexa Privacy Fail Makes Headlines

Smart speaker records, sends private conversation
Can you imagine having a private conversation with your loved one secretly recorded and sent to his or her colleague via email? That's exactly what happened to a Portland, Oregon, woman in May. Luckily, the content of the conversation wasn't salacious... the pair was talking about hardwood floors. What if they had been talking about something more private, disclosing bank account information or passwords? What if those recordings had been sent to someone less friendly?

In an interview with NBC News, I talked about why incidents like this are happening with some regularity. 

For starters, the engineering of devices in the burgeoning Internet of Things (IoT), like smart speakers, is far from perfect. The "wake words" that trigger recording and transmission of their owners' voices to servers in the cloud are very often misinterpreted by the device, which turns on when the owners have no idea. And, if their volumes are low enough, smart speaker owners cannot hear the command verifications Alexa and others emit before taking actions... like sending audio recordings to your contacts.

If you insist on having a smart speaker, or other type of smart device, in your home or business, here are a few tips courtesy of Lifehacker for lessening the risk to your privacy:

Block all incoming voice calls - Anyone can dial into your smart speaker, and depending on the device you have, listen to or watch what's happening in the room.

Delete your data regularly - Amazon, Google and others keep recordings of the commands and discussions they have "heard" through your smart devices. Purge them every week or two. Delete immediately if you realize a sensitive conversation may have been recorded. 

Turn off the mic, camera when not in use - Doing so helps to keep your smart speaker from engaging accidentally.

Atlanta SecureWorld Expo 2018

The Atlanta SecureWorld Expo keynote I gave on May 30 touched on this topic and was well received by attendees. "Preventing Privacy and Security Nightmares in the Internet of Things" provided details on how digital interlopers take advantage of the vulnerabilities in these devices as they exist today. Look for more of my IoT work and tips to be published in the coming months.

How can I make my cell phone more secure?
I'd like to make my cell phone secure enough to store passwords. What steps should I take?

Cell phones can be secure, but usually only with additional protections beyond what is built into them. 

First, check to see if your phone has the following:

1) Encryption. If you have this option, turn it on. This helps to protect the data stored within your phone.

2) Passwords / Authentication. Use 2-factor authentication to make it harder for a crook to crack into your phone by guessing/cracking its password or PIN. 

It's important to note these features alone will not provide sufficient security for passwords you store in your phone. In addition to encryption and 2-factor authentication, consider using a strongly secured password manager app, which stores data on one of your local devices.

I generally advise against storing passwords within a cloud service. If that cloud service gets hacked, all your passwords will likely be exposed. Plus, if the cloud service goes down, or goes out of business, you could be in trouble if you depended solely on that service and didn't create a backup. You may need to go through a lot of work to re-establish all your passwords (which isn't always possible with every site, app or device).

The Secrets DNA Can Tell

Advancements in technology give DNA even greater power

A high-profile murder charge in Texas and another in California are bringing more attention to the capabilities of DNA in solving some of the coldest cases. Of course, solving crime is not the only use for DNA testing. 

As more consumers readily share their DNA with all kinds of places, from law enforcement agencies using a shotgun approach to cold case investigations to for-profit ancestry firms, it makes sense to raise awareness of the implications of such decisions.

That's why I'm devoting a full hour of my new radio show to the topic. Tune in June 5 at 4 p.m. central to hear from my guest Mellissa Helligso, a forensic DNA expert, about what is and is not possible with DNA forensics. We will also talk about the privacy risks that come along with DNA collection, analysis and sharing.

Mellissa and I will seek to answer a wide variety of questions, including: How valuable is DNA in making criminal convictions, as well as exonerating the innocent? What parts of the human body provide the best types of DNA for analysis? And, of course, what are the privacy considerations for DNA sharing?

Just How Confidential Is Gmail's New 'Confidential Mode'?

Best bet is to consider every email accessible

The Los Angeles Times recently reviewed Gmail's new privacy feature. Called "Confidential Mode," it's been added to give Gmail users a greater sense of privacy. The feature allows senders to remove recipients' options to forward, copy, download or print certain emails. A premium version will also allow senders to require an email recipient to use a passcode to view the email.

Look closer, though, and you can see this is really just window dressing. Here are just two of the flaws the LA Times highlighted:

  • Much like SnapChat's early claims that pictures its users sent would "disappear," Gmail's new feature does not prevent screenshots from being taken of emails and their attachments.
  • Gmail's servers will still maintain a copy of the email.

I've long warned against using Gmail, and other "free" email services, to share business or confidential messages. Any email sent through these platforms should be considered open and accessible. Use these services only for communications that do not involve sensitive information. You might consider them for signing up for coupons, discounts or other temporary email needs.

Where to Find the Privacy Professor

In the classroom... 

After years of providing a regularly updated set of online employee training modules for my SIMBUS business clients, and on-site certification teaching for IAPP, I'm excited to now also be teaching online IAPP-approved CIPP certification classes.

As an instructor for AshleyTrainingOnline, an IAPP-registered certified training partner, I will host a full schedule of classes beginning June 21 & 22 with a CIPT certification course. Hope to see you in the virtual classroom sometime soon!

On the road...

Compass Financial ID Theft Event, May 3, 2018
ILLOWA ISACA Privacy Class, April 25, 2018

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the events I have scheduled for the upcoming season.

June 21 & 22: Teaching IAPP Data Privacy Certification class for CIPT certification (see promo below)

June 26: Facilitating the online seminar, "Practical Steps to Scale Your Vendor Risk Management Program," IT GRC Executive Forum

July 13: Giving keynote, Electric Grid Security, at the Central Iowa Power Cooperative (CIPCO) IT Users Group in Des Moines, Iowa.

September 19-20: Giving keynote and sessions at Data Privacy Asia, Manila, Philippines.

On the air... 

I'm so excited to be hosting Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, and similar apps and sites.

Hear the perspectives of incredible guests as they talk through a wide range of hot topics. We've addressed identity theft, medical cannabis patient privacy, cybercrime prosecutions and evidence, government surveillance, swatting and GDPR, just to name a few. One of our recent guests even talked about his personal experiences with historical notables Jimmy Hoffa, Gloria Steinem and Fidel Castro.

Several episodes provide career advice for those in, and wanting to pursue, cybersecurity, privacy and IT professions. Please check out some of my recorded episodes, and let me know your feedback! I truly do use what I hear from listeners.

Do you have an idea for a show topic? Or would like to suggest someone who would be a great guest? Please let me know!

In the news... 

ABC News (Des Moines)

Health Care Info Security

Kyodo News Service
"GDPR articles with experts" available in Japanese in the "Clue" Kyodo News service and "Eikon" Thomson Reuters service.

NBC News

Pro Resource

SC Magazine

CWIowa Live

The morning TV broadcast regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

On April 2, we talked about the recent headlines Facebook has made, as well as the implications of our online behavior. 

Keep an eye on my YouTube channel, where you can catch up on many of my visits to CWIowa Live. 

Questions? Topics?

Have a topic I should discuss on the CWIowa Live morning show or on my VoiceAmerica radio show? Or, a question I can answer in my next monthly Tips? Let me know!

Summer is finally here. Warm weather brings open doors and windows. Just as you are mindful of your physical security, keep an eye on your digital well-being, too. It's increasingly becoming the go-to path for crimes of opportunity.

Have a wonderful, safe and privacy aware June!

Rebecca Herold, The Privacy Professor

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. June 2018 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message stating that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
