'Falling' Into Traps 'Leaves' Unprotected Data Vulnerable 

It's easier than ever to fall into data privacy and security snares these days. With new technology at our fingertips promising unprecedented thrills and convenience, we often jump in head first without thinking through all of the ramifications. 

Fortunately, more consumers, business leaders and government officials are paying closer attention to the tricks and traps targeting our private data. 

Just ahead of the holidays, data transactions inevitably increase. More online shopping, more travel and the injection of more connected devices into our living, working and leisure spaces means greater risk of data compromises. Making matters worse, many people have their guards down against online deception during these times, creating a climate for the perfect data breach storm.

Read on to learn more about some of these vulnerabilities, as well as how to keep your data as private and secure as possible. 

Before You Buy USB Gadgets This Holiday
Checking it twice is good advice

Overseas manufacturers of connected devices and other Internet-enabled gadgets are excellent at offering their products for extremely low cost. Cheaply made (and rarely secured), they can sell these items at rock bottom prices, fooling consumers into thinking they discovered a real bargain.

And that's a massive motivator for many shoppers. 

In Deloitte's annual holiday retail survey, they found consumers are most motivated by "Getting a good deal." (74% listed this as important when holiday shopping.)

Be very careful as you're scouring the Internet for these deals. There are so many ways your data can be exploited by gadgets that get power from a USB port (e.g., portable speakers, cup warmers, reading lights, desktop fans). They may be pre-loaded with malware or simply so lax in their security that they attract cybercriminals the minute they are attached to your system. (Researchers recently uncovered 29 different exploits that can be deployed via USB devices.)

WHAT YOU CAN DO: If you're unsure about a device's security, ask the manufacturer. If they don't respond to your direct inquiry, ask via social media. Sometimes, the public nature of asking via Twitter, Facebook or Instagram gives brands an added incentive to respond. No response still? Do not buy. 

And, I always love getting your questions. If you're considering a purchase you feel is questionable, send me a note, and I'll look into it. I may even publish my findings in an upcoming Tips Message!

Privacy Hero: Joanne McNabb
California privacy expert blazes trails for legislation, awareness, rights

As the former chief of the California Office of Privacy Protection, Joanne McNabb has been front and center for some of the United States' most meaningful advances in privacy legislation. She was involved in the first U.S. state breach notice law, SB 1386, which became the de facto model for most subsequent U.S. state and territory breach notice laws. In fact, she wrote the first breach notice ever (before the law had even taken effect). It was for the breach of state employee data that inspired the legislation.

Under her leadership from 2001 to 2012, Joanne's office continued to research consumer privacy issues and weigh in on additional privacy laws for California. Many of these laws became models for other states, and in many ways, federal regulations emerging during that time.

When Joanne became Director of Privacy Education and Policy for the California Department of Justice, she created an entirely new online resource. Yet again, her efforts set the stage for the development of the many important privacy rights, laws and awareness websites and digital resources that exist today.
In 2017, Joanne retired from state service. Today, she is a consultant for California Privacy Consultants, providing a variety of organizations with research and recommendations on privacy issues and practices.

Considering the consumer privacy rights, education and legal protection trails she blazed, Joanne is a privacy hero to so many. The impact of her passion and effort expands far beyond California, throughout the U.S., and in other parts of the world that have often looked to California for examples of privacy education and legal protections.

We want to know: Who is your privacy hero?
Throughout 2018, we'll introduce an individual or team who has gone over and above to advance data security and/or privacy in their corner of the world. To nominate, simply drop us a note and explain why we need to know your hero. If you have someone in mind, don't wait; we have just one month left to name another hero!
In the January 2019 Tips Message, we will announce our Privacy Hero of 2018. The hero will receive a token of appreciation and commemoration of outstanding work.

Don't Be Like Kanye, Use a Strong PIN
Dos and don'ts for every smartphone owner
When entertainer Kanye West revealed his terrible iPhone password (000000), he inadvertently upped consumer awareness around smartphone security. 

This, of course, is not the first time an individual has "spilled the beans" about his or her password. Remember that man-on-the-street segment from a couple years ago in which the reporter fooled people into revealing their passwords on camera?!?

The incident sent quite a few questions my way, so I compiled the following list of ALWAYS and NEVER for smartphone users. 

Other tips are available by listening to this recent episode of Data Security & Privacy with the Privacy Professor.

ALWAYS use:
  • A PIN (even when you have fingerprint or facial recognition enabled; layers of protection are best). 
  • A PIN you can remember but is not publicly available (e.g., your birthday is NOT a good idea, as most everyone has shared that data broadly).
  • As many digits as possible. 
  • A fresh PIN (change regularly; change immediately if you suspect someone has access to it). 

NEVER use:
  • Consecutive numbers. 
  • A repeating number (Kanye's 000000 is a great example of what NOT to do). 
  • Famous dates.
  • Your phone number, Social Security number, home address or zip code.

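As an added example (not from the Tips message), here is a small Python checker that applies the NEVER rules above: it flags short PINs, consecutive or repeating digits, date-shaped PINs, and any PIN found inside the owner's own phone number, zip code or birthday. The personal numbers it is seeded with are constructed placeholders.

```python
# Added example, not from the Tips message: a small PIN checker that applies
# the NEVER rules above. The personal numbers below are constructed
# placeholders standing in for the owner's own phone, zip and birthday.
PERSONAL_NUMBERS = ["5154911564", "50309", "19800704"]
MIN_LEN = 6  # "as many digits as possible": treat fewer than six as weak

def is_sequential(pin):
    """True when every digit steps +1 or -1 from the last (123456, 654321)."""
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return diffs in ({1}, {-1})

def is_repeating(pin):
    """True for one digit repeated (000000) or a short block repeated (121212)."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin == pin[:size] * (len(pin) // size):
            return True
    return False

def _md(month, day):
    return 1 <= int(month) <= 12 and 1 <= int(day) <= 31

def looks_like_date(pin):
    """Conservative check for MMDD/DDMM, MMDDYY/DDMMYY/YYMMDD and 8-digit forms."""
    if len(pin) == 4:
        return _md(pin[:2], pin[2:]) or _md(pin[2:], pin[:2])
    if len(pin) == 6:
        return _md(pin[:2], pin[2:4]) or _md(pin[2:4], pin[:2]) or _md(pin[2:4], pin[4:])
    if len(pin) == 8:
        year_first = pin[:2] in ("19", "20") and _md(pin[4:6], pin[6:])
        year_last = pin[4:6] in ("19", "20") and (_md(pin[:2], pin[2:4]) or _md(pin[2:4], pin[:2]))
        return year_first or year_last
    return False

def check_pin(pin, personal=PERSONAL_NUMBERS):
    """Return the list of rules a PIN breaks; an empty list means it passes."""
    if not pin.isdigit():
        return ["PIN must be digits only"]
    problems = []
    if len(pin) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} digits")
    if is_sequential(pin):
        problems.append("consecutive digits")
    if is_repeating(pin):
        problems.append("repeating pattern")
    if looks_like_date(pin):
        problems.append("looks like a date")
    if any(pin in number for number in personal):
        problems.append("contained in a known personal number")
    return problems
```

The date check is deliberately strict, so it will also reject some six-digit PINs that merely happen to start with 01 to 12; that trade-off favours rejecting a guessable PIN over accepting one.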
WhatsApp Users (Unwittingly) Pulled Into Facebook Ecosystem
With Facebook as owner, WhatsApp becomes another targeting tool
Since the purchase of WhatsApp in 2014, Facebook has left ads out of the WhatsApp user experience. But, that's about to change, writes TechCrunch's Natasha Lomas:

So WhatsApp's [approximately] 1.5 billion monthly users can look forward to unwelcome intrusions as they try to go about their daily business of sending messages to their friends and family.

[Facebook] is also set to charge businesses for messages they receive from potential customers via the WhatsApp platform.

The original founders of WhatsApp claim to be surprised and disappointed in Facebook's decision to monetize their app. But, considering the $19 billion Facebook invested in the purchase, it's not terribly shocking. 

The other non-surprise stemming from the marriage of Facebook and WhatsApp was the intermingling of user data from both platforms. European regulators, which keep a close eye out for "conjoining" of this sort, were not happy and levied a fine of $122 million against Facebook for misleading them about the possibilities of such data sharing between apps. 


Facebook has been vocal about its attempts to thwart election interference, but as the Verge points out, that could be difficult, given one of its corporate "kids" is extremely well-positioned to help the bad guys. 

...media companies [with interest in Brazilian elections] are buying large groups of phone numbers and blasting them with anti-leftist propaganda on [WhatsApp]. While it's often discussed as a chat app, WhatsApp has message-forwarding mechanics that strip away the identity of the sender and allow messages to spread virally with little accountability.

FRESH PHISH: Threats Delivered To My Inbox
Real-life phishing and ransomware claims

Every few months, I like to share real-life examples of nefarious emails circulating on the Internet to help readers spot these fakes. 

If you receive something like the below, do not be fooled. Although ransomware is very real, messages like this should be seen as precisely what they are -- empty threats. 

(And no, I've not done what is claimed in the threat letter, nor set a password like the one they claim. Hopefully none of my readers has used such an easy-to-guess password either!)


READER QUESTION: Should I try CLEAR to get through lines faster?

New York startup promises faster lines in exchange for biometrics

I'll admit to being intrigued by CLEAR, which gets its members through airport security in less than five minutes (currently in 35+ U.S. airports). I've even considered signing up. 

However, with scary new initiatives proposed by many in the U.S. Congress and the White House, I've ultimately decided to wait and see. 

The U.S. government, at least for the time being, seems intent on scooping up as much personal data possible. What's most concerning is their plan to pool that data and use the results as a sort of terrorist data bank.

I already have TSA Precheck, which gets me through lines much faster (critical for someone who spends a lot of time in airports). And, TSA Precheck doesn't need the additional biometric and other personal data used by CLEAR. Not to mention, CLEAR is not in most of the airports I fly through. 

I don't see the need to give more of my personal data to the government, especially if they plan to use it before any real rules for its use have been established. 
Shaving off a minute or two (and only at some locations) isn't worth the exchange of my biometrics and other personal data -- particularly if it's to be handed over to government agencies and others with undetermined rules for securing it. 

Whatever you end up deciding, I recommend reading CLEAR's privacy policy for more information on how the startup uses, shares and discloses the personal data it collects from members. 

Where to Find the Privacy Professor

In the classroom... 

After years of providing a regularly updated set of online employee training modules for my SIMBUS business clients, and on-site certification teaching for IAPP, I'm excited to now also be teaching online IAPP-approved CIPP certification classes. 

As an instructor for AshleyTrainingOnline, an IAPP-registered certified training partner, I will host a full schedule of classes.

Do you have a team or group you'd like to coordinate training for? We can often arrange a discounted price for organizations and associations based on the number you have participating.

Hope to see you in the virtual classroom sometime soon!
** I also teach CIPM and CIPP/US classes, so if you are interested in those, let me know! **

On the road...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Next up...

November 7-8: Giving keynote at SecureWorld Seattle in Washington. 

On the air... 

I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, Player.fm and similar apps and sites. 

Hear the perspectives of incredible guests as they talk through a wide range of hot topics. We've addressed identity theft, medical cannabis patient privacy, cybercrime prosecutions and evidence, government surveillance, swatting and GDPR, just to name a few. Several episodes provide career advice for cybersecurity, privacy and IT professions.

In October, we talked at length about voting and elections security. With U.S. elections coming up on November 6 and October being National Cyber Security Awareness month, I answered a wide range of questions received in recent months from Tips readers and show listeners. 

Please check out some of my recorded episodes, and let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

In the news... 

Global Business Travel Association
Health Care Info Security
LA Times
The Privacy Advisor

3 Ways to Show Some Love

The Privacy Professor Tips of a Month is a passion of mine and something I've offered readers all over the world since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps. 

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

View from my 3rd floor office window this past weekend
This is such a beautiful time of year, especially here in my home state of Iowa. I hope you get a chance to explore the real world this fall. Just be safe as you do, keeping an eagle eye out for those data privacy and security snares. 

Here's to a safe, healthy and happy November. Enjoy!

Rebecca Herold, The Privacy Professor

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. November 2018 Privacy Professor Tips. www.privacyprofessor.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
