Hunkering Down Takes Many Forms 

The fallout from disasters, both natural and man-made, seems to be all around us these days. Time and again, however, we see the benefits of planning ahead. 

Thinking through how you and your family, your business, your home will weather the storm can make all the difference to a speedy recovery. 

Read on to learn some of the information security and privacy threats that may be ahead, as well as some practical tips for how to prepare. 

October is Cybersecurity Awareness Month
You can participate with these easy, weekly tasks

A lot of people ask me what they can do to mark October's Cybersecurity Awareness Month. I typically encourage them to block off just a small amount of time each week throughout the month to do something simple, yet meaningful, to improve their personal data hygiene. 

Here are some ideas.

Back up your computer:  If you use a cloud service, double up and use a physical device, too. Make sure that device is not attached to your computer (except when actually backing up, of course).

Buy a cross-cut shredder and establish a routine: Invest in a good piece of equipment so you don't get frustrated having to stop and clear rogue papers or staples every five minutes. (They have dropped a lot in price in recent years.) Once you have your shredder in place and plugged in, commit to a time each day, week or month (depending on how much paperwork goes through your life) that you will use it.

Plan your social after life: It's difficult enough to get people to plan for end-of-life by obtaining insurance, planning funerals and drafting wills. It's even more challenging to get them thinking about what will happen with their Twitter, Pinterest, Gmail, Facebook and other online and social accounts after they've passed. Many of these tools have settings and services designed to help with this. Choose one online or social site each week to contact and configure for the inevitable. 

Smartly and safely dispose of old electronics: Research the local providers in your area that can properly dispose of your old phones, tablets, smart watches, smart picture frames, computers, printers, etc. Remember, anything that has the ability to house data should be wiped clean before you dispose of it; sometimes this can be done by resetting the device to the manufacturer default. But make sure you have done your homework to understand whether that truly wipes the device clean. (See below for more info on device disposal.)

Privacy Hero: Daniel J. Solove
Internationally known expert in privacy law devotes career to raising awareness

Daniel Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School. He founded TeachPrivacy, which provides privacy and data security training to businesses, schools, health care institutions and other organizations.

One of the world's leading experts in privacy law, Daniel is the author of 10 books and more than 50 articles. As a long-time expert in privacy law, he has contributed so much to the business community. I am the proud owner of several Daniel Solove books. And, I know many business leaders who also use his books as an important legal resource when they are confronting privacy issues.

Over the many years I've known Dan, I've always been impressed by his dedication to increasing awareness of privacy laws and related risks. He does so much to raise awareness of privacy issues through his many speeches, events and his own training business.

Please take the time to poke around his website. It's full of great information and inspiring educational pointers and take-aways. The Privacy+Security blog is especially rich with content.

We want to know: Who is your privacy hero?
Throughout 2018, we'll introduce an individual or team who has gone over and above to advance data security and/or privacy in their corner of the world. To nominate, simply drop us a note and explain why we need to know your hero. If you have someone in mind, don't wait; we only have two months and two privacy heroes left to name!
At the end of December, we will announce our Privacy Hero of 2018. The hero will receive a token of appreciation and commemoration of outstanding work.

Physical and digital insecurity causes concern
Intelligence agencies have confirmed suspicions that Russian hackers were behind 2016 cyber attacks on U.S. election and related servers. 

Other digital attacks on voter registration servers have occurred in nearly every state (if not all states). In a few cases, hackers have even accessed voter records (fortunately no actual ballots, yet). Now, we have voting occurring in non-traditional channels, such as email, fax and even mobile apps.

These incidents have shown that the entire U.S. voting infrastructure -- from polling places to records servers -- carries significant security vulnerabilities. This is mainly due to the wide diversity of systems and administration practices throughout the country, along with a growing number of risks from aging technology.

I recently discussed this issue with the president of Verified Voting, Marian Schneider, when she appeared as a guest on my radio show Data Security & Privacy with The Privacy Professor. 

The episode is available for on-demand listening, so when you get a chance, tune in. We talk through the growing number of security risks in U.S. voting systems, software and technology and the benefits of risk-limiting audits. It's an important topic everyone should be aware of, particularly as we go into October's Cybersecurity Awareness Month. 

Want to know more about voting security?

Another great thing to do during Cybersecurity Awareness Month is check out this series of radio shows on voting security (I'm hoping to have another one for Oct. 23.). 

'Bring Your Own Device' Threats Often Overlooked
Employees unwittingly expose companies to risks with personal gadgets
The average employee does not consider cybersecurity at work, unless they work in technology, security or privacy divisions, of course. The last thing many think through is that the personal smartphone, laptop, tablet or wearable they bring into the office could be opening a digital door to their employer's systems. 

Here's a quick round-up of considerations relevant to the growing Bring Your Own Device (BYOD) threat. 
  • Any electronic device that can access or store personal data of EU citizens or those living in the EU is subject to GDPR restrictions. This includes employee-owned devices used for work-related tasks. How often do your employees check work emails from their personal smartphones? How many of those emails contain customer information?
  • Gadgets that get power from a USB port (e.g., portable speakers, cup warmers, reading lights, desktop fans) are often low cost and produced overseas by no-name companies. Any one of them could be loaded with malicious software that infects your office the minute it's plugged into a networked computer. 
  • Employees are not the only ones to bring unsecured devices into a space. Guests, too, can put a company at risk. Hospitals, universities, meeting facilities and organizations that operate public venues cater to a segment of the population that expects easy access to the Internet when they are visiting. Do you have controls in place to check devices for anti-malware before allowing them a connection to your Wi-Fi?
Each of the above underscores the need for a strong BYOD policy (and I could have easily added dozens more!). If you need help researching or putting together one such policy for your company, I'd be thrilled to help. Drop me a note!

What Do Your Apps Know about You?
At the very least, they may know what you've been searching for

Trend Micro, Inc., which distributes apps on the Mac App Store, was recently caught collecting users' Safari, Chrome and Firefox browser histories.

One such app, Dr. Unarchiver, was at one time the No. 12 most popular free app in the U.S. Mac App Store.

Reportedly, the apps got to the histories from separate files specifically dedicated to storing users' recent Google searches, as well as information about other apps installed on the same devices.

The data was captured anytime a user launched the app. A zip file containing all of the information was then sent to the developer's servers. 

This finding should serve as a reminder to keep only those apps you REALLY need and frequently use on your device. Make it part of your monthly routine to go in and delete any apps you no longer use or don't recall downloading. 

... and in breaking apps news... 

Facebook injected personal data-collecting ads into WhatsApp, reportedly to avoid complying with EU privacy laws. We will provide more information on this in November's Tips.

Breaking just from today... Have you used Facebook's "View As" feature? If you have in the past year or so, I recommend you change your Facebook password. 50 million user accounts, those who have used the "View As" feature, were breached. 

U.S. States As Laboratories of Privacy Laws

Vermont, Illinois, California take action to protect citizens

As the U.S. government wrestles with how to more comprehensively protect the privacy of its citizens, some states are taking matters into their own hands.  

Here are a few examples of what they're up to:
  • Vermont's new data privacy law seeks to protect consumers from data brokers by forcing the brokers to register with the state and to adopt comprehensive data security programs. 
  • California recently enacted its  Consumer Privacy Act, which imposes new rules on companies that gather, use and share personal data. Because the regulation will impact any state that has patients or customers from California, many have referred to it as the U.S. state-level version of the EU GDPR (It does, however, have significant differences). The rules are to become effective in 2020. 
  • Illinois has a law on the books that was created nearly 10 years ago, was fairly progressive for its time, and some might consider ahead of its time. Called the Biometric Information Privacy Act, the legislation seeks to regulate the collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information.
If you're curious how U.S. states rank for their privacy laws, check out this map by Comparitech. Scores are displayed as percentages (e.g., a score of 20 out of 20 is 100 percent).

Where to Find the Privacy Professor

In the classroom... 

After years of providing a regularly updated set of online employee training modules for my SIMBUS business clients, and on-site certification teaching for IAPP, I'm excited to now also be teaching online IAPP-approved CIPP certification classes.

As an instructor for AshleyTrainingOnline, an IAPP-registered certified training partner, I will host a full schedule of classes.

Do you have a team or group you'd like to coordinate training for? We can often arrange a discounted price for organizations and associations based on the number you have participating.

Hope to see you in the virtual classroom sometime soon!
 ** I also teach CIPM and CIPP/US classes, so if you are interested in those, let me know!**

On the road...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the events I have scheduled for the upcoming season.

Photo courtesy of Roeland van Zeijst

I was disappointed my recent trip to the Philippines for the Data Privacy Asia was cancelled due to Typhoon Mangkhut. But, thanks to my ability to create a video of my keynote on Day 1, and a video of my workshop on Day 2, then connect to the live event via Skype to virtually attend and answer questions, I was able to attend the full conference digitally!  

October 10-11: Giving keynote at SecureWorld Dallas in Texas. 

November 7-8: Giving keynote at SecureWorld Seattle in Washington. 

On the air... 

I'm so excited to be hosting the radio show Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. All episodes are available for on-demand listening on the VoiceAmerica site, as well as iTunes, Mobile Play, Stitcher, TuneIn, CastBox, and similar apps and sites.

Hear the perspectives of incredible guests as they talk through a wide range of hot topics. We've addressed identity theft, medical cannabis patient privacy, cybercrime prosecutions and evidence, government surveillance, swatting and GDPR, just to name a few. Several episodes provide career advice for cybersecurity, privacy and IT professions.

Please check out some of my recorded episodes, and let me know what you think! I truly do use what I hear from listeners.

SPONSORSHIP OPPORTUNITIES: Are you interested in being a sponsor or advertiser for my show? It's quickly growing with a large number of listeners worldwide. Please get in touch! There are many visual, audio and video possibilities.

In the news... 

Digital Journal

HCCA Report on Patient Privacy

Healthcare Info Security

Make Use Of

SC Magazine

Successful Meetings

Recent Recognition

I am always sincerely thrilled when I receive these. Thank you!

Clear Risk

3 Ways to Show Some Love

The Privacy Professor Tips of the Month is a passion of mine and something I've offered readers all over the world since 2007 (Time really flies!). If you love receiving your copy each month, consider taking a few moments to...

1) Tell a friend! The more readers who subscribe, the more awareness we cultivate.

2) Offer a free-will subscription! There are time and hard dollar costs to producing the Tips each month, and every little bit helps.

3) Share the content. All of the info in this email is sharable (I'd just ask that you follow

Here's hoping the planet calms down for a bit and gives us a break from the torrent of storms. I'm equally as hopeful we can all weather the security and privacy tempests that seem to be around every corner. 

Here's to a safe, healthy and happy October!

Rebecca Herold, The Privacy Professor

Need Help?

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. October 2018 Privacy Professor Tips.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Info

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through
2) making a request directly to Rebecca Herold; or 
3) connecting with Rebecca Herold on LinkedIn

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraged communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564

Visit my blog    Follow me on Twitter