Why Are You Getting This?

You signed up to receive the Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB) or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

Current Hacking Methods

We’ve received such a wide range of questions about hackers and hacking that we decided to make hacking the general theme for this month’s Tips. The variety of questions we’ve received on these topics is very diverse, to say the least. We had great fun answering several of the questions, and providing what we believe is a very valuable activity for the month for readers to perform.

But if you’re not all that keen on technical hacking topics, no worries; we’ve included many other items for other topics as well! We threw in some great questions about privacy and security laws, which align nicely with the topic of the Data Security and Privacy with the Privacy Professor episode, about how to successfully propose a new privacy law. We also included some fun hacking history, and more.

Do you have stories, examples, or concerns about the topics covered in this issue that you would like us to provide feedback on? Send them over! We may discuss them in an upcoming Tips. 

We hope you are finding all this information valuable. Let us know! We always welcome your feedback. 



Thank you for reading!

Rebecca

We would love to hear from you!

September Tips of the Month



• Monthly Awareness Activity
• Privacy & Security Questions and Tips 
• Data Security & Privacy Beacons*
• Privacy and Security News
• Where to Find the Privacy Professor

September 10 is International Grandparents Day. Spend some time with your grandparents, or the grandparents of others who live in retirement centers, nursing homes, gated communities, apartment complexes, etc., and offer to help them strengthen cybersecurity and privacy protections against current hacking attacks. Be with them in person if at all possible. If it’s impossible, use an online face-to-face tool to communicate in real time with them. Set strong security and privacy settings when connecting with them online. 

Here are three areas where not just grandparents, but people of all ages and generations, often need help to strengthen security and privacy protections, and three of the most powerful actions to take within each area that will bring you the most security and privacy protection bang for your buck and time.

• Technical:
• Enable automatic systems and applications updates on all computing devices. This will help close new security holes before hackers discover and use them to hack into the devices. 
• Encrypt all personal and other types of sensitive data. We like the free tool, Encrypto, for the general public. It is easy to use and free, and uses strong encryption. Many other good tools are available for encryption as well, if you want even more capabilities. Take a few minutes to show your loved ones how to encrypt and decrypt files.
• Enable multi-factor authentication. This is particularly important to use to log into and unlock devices, and to authenticate to online sites.

• Physical:
• Keep screens locked, with sensitive information out of view, and access to data via the keyboard blocked, whenever the phone, laptop, or other computing device is not being used. As part of these screen lock settings, also set the screens to automatically lock after a period of no activity. Depending upon the person and their typical device use and location habits, this would likely be somewhere between 5 minutes to 15 minutes.
• Keep documents (books, papers, wills, checkbooks, etc.) with sensitive information, like bank account numbers, IDs and passwords, safe combinations, etc., and information you do not want to lose (e.g., photos, vacation souvenirs, etc.) locked somewhere no one else can get to except for a person(s) who is completely trusted. We like using home safes that are fire- and waterproof. They are often the size of a 6- or 12-pack ice cooler or a bit larger. 
• Physically block access to home wi-fi routers, phones, computing devices, and external storage devices (USB thumb drives, etc.). This will help to keep someone from resetting the router, changing the settings, etc.

• Human activities:
• Stay aware of scams. For example, such as romance scams (listen to Rebecca’s August podcast pointed to later in this issue), that try to trick you into giving up your personal identity, money, etc. You can do so by subscribing to this Tips message, listening to Rebecca’s podcast, and subscribing to a wide range of other informative podcasts and newsletters.
• Never, ever, ever, give an unsolicited caller any of your personal data. If they claim to be from the FBI, don’t believe them; they are trying to trick you! If they claim to be from the IRS, police, or any other type of organization, don’t believe them! Even if they threaten you or give you some type of big sob story, don’t believe them. If it makes you feel more sure they are crooks, ask them for their phone number extension and let them know you will call back the IRS/etc. main phone line in a couple of minutes, and connect to them that way. If they refuse, they are pretty much letting you know they are crooks. We actually keep a whistle on our desk, and when we get such calls, we give the crooks an earful of what we hope to be unpleasant high-pitched whistling sounds! Then, hang up.
• If someone calls and says they are your friend or relative, and that they are in trouble and need you to wire money to them, or send cryptocurrency, don’t believe them. Even if the voice sounds like theirs, and even if the situation sounds dire. Instead, either hang up or put them on hold, then call that person’s actual phone number, or call that person’s parent, life partner, etc. These scams using AI to sound like an actual person you know are increasing dramatically. Don’t hand over any money. Call them directly, or call someone who can tell you if they know for sure where that person is located.

What other activities do you suggest for taking some time to help your grandparents on Grandparents Day? Or to help anyone in observation of that day? Are you planning to do one of these suggested activities or your own? Or are you doing an awareness event for a different recognized day or week in September?

Hacking and cybercrime are now in the news literally every day. And the hackers are not only targeting businesses and other types of organizations. They are also targeting the general public, and individuals. Hackers and cybercriminals will target, and are targeting, anyone online.

We received a variety of questions about hacking tactics, as well as ongoing HIPAA and healthcare data questions. Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!

Q: Hello. I am writing about your article dated March 28, 2020, by Rebecca Herold, titled HIPAA and Calling Out Full Names In Waiting Rooms. I’m now retired from working as an optometrist for over 30 years. My staff was instructed to address our patients by their full names, including calling them out in a waiting room. We did that to show respect for people, including our patients, and to preserve their dignity. Ms. Herold disagrees with me and says that HIPAA requires not calling out a person’s full name in the waiting room. Every consultant I spoke with about this issue has told me to address a patient only by their first name, and it’s a HIPAA violation not to do so. However, the US HHS website clearly states that calling out a patient’s name in a waiting room is not a HIPAA violation. In 1996, when HIPAA was enacted, I was uncertain about this issue, so I consulted my daughter-in-law. J is a partner in an international law firm representing several pharmaceutical companies, including [NAME REDACTED]. Shortly after HIPAA was enacted, in 1997, J was assigned to lead a team in writing [PHARMACEUTICAL NAME REDACTED]’s HIPAA Compliance Manual, which is still used today. When I asked J if my staff would violate HIPAA by calling out a patient’s full name, J responded, “Dad, absolutely, address your patients by their full names. It does not violate HIPAA, and it’s the right thing to do.” J says what she told me in 1997 still stands. J also told me that lawyers and consultants often opine on the “safe side.” Calling patients by their first names reveals a lack of respect pervasive in today’s society. – Dr. D.

A: Dr. D, thank you for your question and for reading my post! I love these types of questions, because they give me the opportunity to point out the need to approach HIPAA based upon the context of each situation, which HIPAA compliance requires.

First, I want to point out some important facts related to the years you indicated. It is true that the U.S. Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, on August 21. However, that law passed at that time required regulators, the Department of Health and Human Services (HHS), to create regulations to support the law. The initial regulations were developed over a period of 5-6 years. The HIPAA Privacy Rule, went into effect in 2003, and the HIPAA Security Rule, went into effect in 2005. The HIPAA Privacy Rule is the regulation that includes contextual-based requirements related to limiting the disclosure of PHI, including within patient waiting rooms. To your statement that the HIPAA Compliance Manual was created in 1997, that was before the requirements were even finalized, let alone put into effect to limit the patient data that could be disclosed. So, any HIPAA Compliance Manual created in 1996/1997 would not have had the final requirements within the HIPAA Privacy Rule, which is where the requirement to limit disclosure of protected health information, or PHI (which includes first and last name), is found; specifically, within § 164.502 Uses and disclosures of protected health information: General rules. (b) Standard: Minimum necessary (1) Minimum necessary applies. If that covered entity (CE) pharmaceutical truly has not updated their HIPAA compliance manual since 1997, then they are woefully out of compliance with not only the initial HIPAA regulations, but also with the additional regulations enacted since 2005, the changes made to the existing regulations, and also according to the many guidance statements provided by the HHS since then.

Now to specific violations of HIPAA; they depend upon the context of each associated situation. You reference the answer to the question, “May physicians' offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?” Actually, you only referenced a portion of the answer. For the full name consideration, the HHS answered, “The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate.” That second sentence is critical. Two major points to consider: 

• This answer was provided on December 19, 2002, before the Privacy Rule went into effect, then updated on March 14, 2006, after the Privacy Rule had been in effect for a couple of years, and early experience demonstrated the need to consider the context for each situation. For example, if there is only one person in the waiting room at a mental health clinic, then calling the first and last names within that context would likely not result in a fine or penalty, but perhaps a reminder from the HHS, if they found out about this, to be careful to not get used to using full names when others are present. However, if there are others in the waiting room of a mental health clinic and the full name is called, the patient whose full name was used could report that to the HHS as a violation of HIPAA (for not using the minimum necessary), and the clinic could face fines and/or other penalties following any investigation. This would especially be more likely if the patient had someone in that waiting room tell others, and the patient ended up losing their job, or some other harm, as a result of being outed as being a patient at a mental health clinic.
• I certainly understand your view of being respectful. I personally grew up in a very tiny, rural town, with one doctor. Long before there was HIPAA. And everyone in the waiting area knew who each other was by their full names. Dr. W called everyone by their full names. He probably had a view similar to yours. But since he was a family doctor, he treated every type of health issue. And back then, that literally meant EVERYTHING. So, even though he called our full names and we all knew each other, he did not tell anyone else about our medical reasons for seeing him. However, throughout the past 25 years or so, with the ever-increasing numbers of privacy breaches, a large portion of the population would say that not using their full name is more respectful, because you are not telling everyone in the vicinity something about their health that they may not want others to know, especially if it involves health issues for which they’ve had good reason to not tell even their family members or friends about yet.

So, for the reasons in that article of mine you referenced, and elaborated upon with the previous information, I still stand by those statements, even if you disagree. I hope the additional facts and examples provided previously also helped to provide better understanding of this aspect of HIPAA requirements.

Q: Are malware programs in browser extensions a problem for users?



A: Malware programs in browser extensions are absolutely a problem for users. We witnessed that almost exactly a year ago, when it was widely reported that five malicious browser extensions were redirecting 1.5 million Chrome browser users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. These are problems that can cause privacy breaches, and cybersecurity incidents. Malicious browser extensions are also being used for surveillance, to track not only the browsing histories of users, but also to combine with the times and GPS/locations of the users, to determine where and when the users were at any point in time. There are more problems for users, but this should provide you with a few significant problems as examples.

Q: How widespread is the problem of malware in browser extensions, and being hackable? How can I protect myself; what actions should I take?

A: When these browser extensions are being spread from the browser provider, they will likely infect most to all using those browsers. It is a worldwide problem; about as widespread as you can get. Before installing browser extensions, even those from the browser manufacturers, pay close attention to the permissions they are requesting prior to installation. The more access they want to your computer, and to “read and change all your data on all websites”…an actual permission asked by many of the browser extensions…ask yourself if you really need that extension. I would never allow any extension to read all my data, copy, change, or delete my data, or share my data with others, or to change my computer, browser, or online settings. Those could lead to many much bigger problems for the users. When such requests are made, prohibit such permissions, and do not install the extension.

Q: Can Meta Pixels be hacked?

A: Yes, in a variety of ways, some of which are more like exploitations of poor implementation than any traditionally thought-of “hacking” activity. The ways we’ve seen published so far were through misuse and unauthorized sharing of the Meta Pixels. Two of many examples:

• Advocate Aurora Health (AAH), a medical services provider serving Wisconsin and Illinois, was hit by a data breach affecting over 3,000,000 patients. AAH websites have/had many Meta Pixels implemented within them, and hackers used a vulnerability in the software tool to access information.
• 1.3 million Novant Health patients were informed their data was disclosed to Meta through misconfiguration of the Meta Pixels on its website.

However, other vulnerabilities are apparent through inspection of how the Meta Pixels are implemented. For example, in two different expert witness cases I have done, involving analyzing the implementation of Meta Pixels and use of the associated data, I’ve seen the data collected and transmitted via the Meta Pixels often include confidential information, even IDs and passwords, and that data is often transmitted to hundreds of third parties in clear text, leaving it not only available to all those third parties, but also open to interception, and subsequent use to gain access to the data in the associated accounts.

Q: So many new “comprehensive” privacy laws exist in the U.S.! How are these new privacy laws impacting the business processes of organizations?

A: In the U.S., consumer privacy laws, often also called, “comprehensive privacy laws” by law firms and privacy compliance pros, are very different from most of the other types of U.S. privacy laws and regulations for which most organizations, and a significant portion of the public have been aware. Those other types have been more narrowly scoped in applicability, more prescriptive in nature, and have focused more on the business obligations and requirements around personal data, and have not focused as much upon the rights of the individuals about whom the personal data applies, otherwise known as the data subjects.

To those who may not be familiar with the term, a comprehensive privacy (aka data protection, or consumer data) law is one that generally applies to all types of personal data, in all sectors/industries, and provides all the individuals rights to access, correct, delete and control their own associated data that organizations, and in many instances individuals, have about them. They also include requirements for organizations (not just businesses, but also non-profits, and other types of groups) and individuals to safeguard personal data in a wide variety of ways. Unlike the U.S. laws to date (with the exceptions of at least a few regulations, such as HIPAA, for the healthcare industry, and The Privacy Act for federal agencies), comprehensive/consumer data privacy laws give individuals a wide range of rights and controls over their own associated personal data.

Currently, twelve U.S. states have enacted comprehensive consumer privacy laws. No comprehensive consumer laws have yet been enacted in any U.S. territories, however, there are a few bills that have been proposed in some of them. My Privacy & Security Brainiacs business tracks these. Here is one of our tables that we maintain:

Many new state laws exist, with many more looming on the horizon to be enacted soon. They will impact organizations in many ways. A few of the most significant will be to require them to:

1. do more extensive logging of access to personal data;
2. establish procedures to give individuals access to their associated personal data, in an easy-to-read format, upon the individuals’ requests;
3. allow individuals to actively opt-in to allowing their data to be used, instead of simply telling them they must take actions to opt-out to limit use of their data; and 
4. update data security and privacy policies and procedures, provide expanded and more business-focused training to employees and contracted entities about how to protect all types of personal data, limit sharing of it, and to establish identity verification procedures. 

Another significant way business/organization processes will be impacted is that the scope of applicability for personal data under these comprehensive/consumer privacy laws generally apply to all personal data; not just active customers or patients. So now organizations must also apply security and privacy controls to employees, consumers who are not customers (e. g., those who have given their personal data to the organization, but have not paid them for a service or product), contracted worker data, and any other type of personal data they possess or otherwise access within their overall business ecosystem environment. 

In a nutshell, the organizational processes will need to be significantly expanded to generally include all types of personal data, no matter the relationship of the associated individuals to the organization.

Notably, individuals will also be impacted, by now having more rights and control over their own associated personal data.

Q: Do you believe a federal consumer data privacy law should be passed, and how would that change the game for organizations?

A: A federal consumer privacy law would certainly add all the remaining 38 states into the scope of all types and sizes of organizations. However, given that comprehensive regulations already exist in specific industries (HIPAA for healthcare, FERPA for education, FISMA and The Privacy Act for federal, GLBA for financial, etc.), there are already millions of organizations that have such comprehensive law requirements they must follow. Many of them serve multiple industries, and so must comply with multiple federal regulations, in addition to the state laws, and other legal requirements.



I believe if a federal consumer data privacy regulation was created, it should first look at what is working within each of the existing regulations, and then see how all the most effective practices could be utilized within one overall federal personal privacy regulation. Too many lawmakers talk about starting with GDPR; but that has some substantially different perspectives than the vast number of compliance frameworks and practices that have already been long-established in the U.S. If the U.S. Congress could start with the U.S. privacy protection regulations that are already in place, do a thoughtful analysis for what is working and not working, and create a comprehensive consumer regulation that would not only support adequacy for data sharing worldwide, but also limit the amount of recreating security and privacy programs throughout the U.S. it could be very beneficial. I am concerned, though, that with the congressional members demonstrably and increasingly stating their divided views and goals, and simply refusing to work collaboratively, often for no other reason than to claim in their political campaigns that they don’t cooperate with other parties, we would end up with an unworkable consumer privacy regulation. I do not know if we will see the cooperation necessary, from all parties, in my lifetime to see such a comprehensive regulation. Perhaps I will be pleasantly proven incorrect.

Q: When organizations operate in multiple states, how can they ensure they stay abreast of all privacy regulations so they don’t run afoul of the law?



A. A variety of resources to stay up-to-date exist. One great free resource I always recommend is the NCSL.ORG. The National Conference of State Legislatures provides a great site with abundant news about new privacy and security laws, activities, etc.

Keeping our clients updated is also something that my Privacy & Security Brainiacs business provides. Each quarter, we create privacy and security laws and activities reports for some of our clients and include some advice for key new laws, actions, fines, penalties, etc. 

Most privacy law firms also provide annual reports, and legal analysis papers. Many of these are found on their websites.



Organizations absolutely need to stay up-to-date with all privacy regulations. That is when collaborating with businesses, like mine, which focus solely on privacy and security can give them the expertise, and time saved, necessary to support the organizations’ own business goals.

Q: What are some key privacy and security controls organizations can implement to get into and stay in compliance with privacy laws?

A: Key privacy and security controls organizations can deploy include each of the management components that establish the full framework around which all other controls are applied, in addition to some specific technical and non-technical controls that organizations commonly struggle to implement in a way that is compliant with all their applicable privacy laws. These include:

Management Components:

• Governance practices: Document the roles that need to be accountable for privacy laws compliance, along with those who will have responsibilities for ensuring workers within their scope of management (e.g., business units, departments, teams) are aware of the privacy laws requirements as they apply to their respective areas and work responsibilities. Along with providing the associated supporting documentation (e.g., position descriptions, forms, etc.).
• Policies, procedures, and forms: Documentation that is key and required by generally all types of security and privacy laws, regulations, and other legal requirements.
• Risk management: A number of ongoing risk management practices must be performed on an ongoing basis. Most folks just think of risk assessments when they think of risk management. Risk assessments certainly are necessary, but they are just one of the important activities needed. Other risk management would include vulnerability assessments, pen testing, doing off-hours work-area security and privacy reviews, keeping software and systems updated and patched, etc. Also using tactics such as zero-trust, and others.
• Employee and contractor/third-party/vendor education. This includes ensuring every individual working with personal data, and accessing it in any way and in any form, receives regular training for the associated legal requirements, along with the policies/procedures for their organization. In addition to sending out regular awareness reminders for specific security, privacy, and compliance topics.
• Third party/vendor management: Organizations that must comply with security and privacy laws and regulations are ultimately responsible for the actions of their contracted entities as they relate to the contracted services and products. It necessitates having ongoing security and privacy oversight of such entities to ensure that they are also meeting the same base security and privacy practices as the organizations themselves.

Specific technical and non-technical controls:

• Identity verification tools and practices: For individuals calling or otherwise requesting access to personal data. Many organizations don’t have such tools or practices, and of those that do, a large portion are using extremely poor/inadequate and what regulators would find as unacceptable, identity verification practices.
• Data inventory and mapping tools and practices: Organizations must know where data is located to be able to answer the questions and provide the information required by the privacy laws.
• Network security tools: Anti-malware, intrusion prevention systems/intrusion detection systems (IPS/IDS), logging, data backup, etc.
• Endpoint security: For internet of things (IoT) devices, laptops, tablets, desktops, employee-owned devices, etc.

Q: I learned a lot about juice jacking in the PDF you provided in your July issue of the Tips. However, I’ve read that there is no evidence that juice jacking has actually happened “in the wild.” So why should I be worried, and take the actions you recommended to reduce the risks you described?



A: Thank you for the feedback! We appreciate it. By the way, we’ve updated and added more information to that PDF since July, so please check it out again.

It is important to understand that juice jacking typically leaves no digital evidence of the data stolen, access into the network, etc. However, despite typically leaving no digital evidence that juice jacking occurred, it can still result in malware being planted on the device or other component of a connected network, or data being stolen, or some other harmful result.

If individuals or organizational management have read an article claiming juice jacking risks have never been seen “in the wild,” and have not occurred in real-life juice jacking incidents, they are not getting full, accurate information. The fact is that just because evidence has not been left behind does not mean that these incidents have not been occurring in real-life. If management makes a decision that it is not worth taking actions to prevent juice-jacking because of the lack of evidence to validate the incidents, the management’s organizations will become a favorite target of those who will plant juice-jacking tools within their environments, and management will be left scratching their heads wondering how a privacy breach occurred, or malware was planted, when they followed the advice of all those juice-jack-nay-sayer security “experts.”



As a metaphor, consider this: You are seated in an airport boarding gate waiting area. Someone sits right behind you, and he starts talking on his phone to his manager in his outdoor voice, telling the manager that he just met with Company ABC about helping them strengthen their information security practices with systems AB, BC, DE and HK, and that he believes he’s sold the CISO, Ms. X, on hiring him because he learned Company ABC had XX privacy breaches and YY security incidents in the past year, through exploitations of network, application and systems vulnerabilities A, B, C, D and E. If you are a cybercrook, you now have information to hack into Company ABC in multiple ways. And the salesman on the phone and Company ABC will have no evidence that the information that was used to hack them was provided from your overhearing that phone conversation; the salesman’s loud talking behind you will not leave any trail to provide evidence of you having obtained that information. This situation (without the hacking) actually happened to me a few years ago. I was waiting for my flight and a sales guy sat right behind me. I heard such sensitive information being described by him in his outdoor voice (I called the CISO, who I knew, and let her know about this information leak by the salesman). If I had been a malicious cybercrook, I could have exploited all the vulnerabilities I heard described, and that organization would have been left wondering how information was obtained that allowed for the security incidents and privacy breaches to occur. Similar to how juice jacking tools, like USB skimmers, can go undetected, and why they are risks that wise business leaders must invest a little bit of time and resources into mitigating and preventing.

Q: What are some issues that organizations of all sizes need to consider regarding how and where their client data resides and is backed up/stored?

A: To be able to fulfill all the established legal rights of consumers/individuals to their associated personal data, organizations who are collecting, processing, and storing personal data for their business/organizational clients will need to maintain data inventories to be able to quickly, upon request, to pull specific records, collect logs associated with the records, and other types of associated data, for specific individuals upon their request. Because the laws throughout the world are not the same, they will need to ensure they are meeting all the backup and data retention requirements to support accessibility to the data when legitimate requests for such access are made. This is typically accomplished by retaining personal data for the longest period required when considering all the privacy laws/regulations. A caveat to this is that the organization may need to carve out exceptions for laws that have specific requirements for deleting personal data after a certain period of retention.

Regarding restrictions on where data is backed up to, or stored, under U.S. laws there are generally no current specific restrictions for this. There may be contractual requirements applicable to an organization, though, that established such restrictions. And, there have been bills proposed in not only states, but also at the federal level, to restrict data access and storage based on location, so this situation could change in the foreseeable future.

Q. What is a current cybersecurity hacking tactic that could easily be prevented if businesses and individuals would simply take a little time and effort?

A. I’ll give you two! 

1. Keep your phone and computing devices updated with the latest patches. Cybercrooks and other types of hackers love to exploit holes in the device systems; most people never apply patches, so it is easy for hackers to find victims.
2. Use strong passwords and multi-factor authentication (MFA). Too many people still have weak, or no passwords, making them very easy targets for hackers. Oh, and don’t write those passwords on sticky notes stuck to your keyboards…or anywhere else!

Q: Tell me something about hacking and/or hackers that most people today don’t know.

A: A history question; I love it! Today hackers are generally considered to be those who have malicious intent, to steal personal data or bring down networks, and researchers who try to break into applications, systems, and networks are typically called ethical hackers. However, what is generally considered to be the first system hack was executed by John Draper in 1964. He figured out how to be able to use a whistle, or some other object, that could make a high-pitched noise to trick a landline phone into making free long-distance phone calls, which used to cost a lot more extra money to make than simply calling local phone numbers. Way back then AT&T controlled all the phone calls in the U.S., and generally, all calls went through their centralized switching system. Very generally, that switching system would listen for specific tones and pitches of sounds to connect to long-distance phone numbers. Back then boxes of cereal used to have some really cool free little toys in them. As legend has it, John Draper liked his Cap’n Crunch cereal and he found that his box contained a really cool whistle, the Cap’n Crunch Bo’sun whistle which was supposed to replicate the whistles used by boatswains (sailing officials) to signal to the crew mealtimes or to signify other types of commands. John Draper was a former U.S. Air Force electronics technician, and he had heard that the Cap’n Crunch Bo’sun whistle blew a tone at 2600Hz…the tone that the AT&T switching system used to send through the long-distance calls. So, Draper became infamous for using the Cap’n Crunch Bo’sun whistle to make many free long-distance calls, through phone breaking…or phreaking (a mash-up of the two words). He even gave himself the name Captain Crunch. So, imagine that; hacking computer systems is almost 60 years old!

We get many suggestions for beacons from our readers and Rebecca’s podcast/radio show listeners; thank you! We include many of them when the suggestions are for businesses other than their own that the suggester feels deserve recognition or for people other than themselves who do something noteworthy about data security and privacy. However, we do not include businesses, organizations, or people trying to promote themselves to get free marketing, and we do not take payments to put organizations or people on this list. We try to contact as many as possible after publishing our Tips to let them know we put them on our beacons list, though. If you have someone or an organization to suggest, let us know! We may include them in an upcoming Tips issue.

• Pentera for their Snow White privacy toon.  
• The White House for gathering together the US Federal Communications Commission (FCC), the US Department of Education (DOE), the Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Guard Bureau, for launching multiple programs to strengthen K-12 schools’ cybersecurity. 
• Christopher Janero for his interesting and insightful PC Magazine article, “Haggling With Hackers: Surprising Lessons From 50 Negotiations With Ransomware Gangs." Ransomware negotiations are usually shrouded in secrecy, but some security experts think that we should make them public and analyze them to glean insights. So that's exactly what we did.”
• Anu Joy at AndroidPolice.com for her article, “How to set up Google's Inactive Account Manager. Control What Happens to your Google Account After You're Gone.”
• GoTo, which is the online meeting app I use for my business. Soon after the Zoom revelation about using participants’ data, recordings, and other user data to train their AI tools, I contacted GoTo and asked them questions about their use of AI. Their first response to me was unsatisfactory and pretty much a canned type of “we comply with all data security, protection and privacy laws and regulations,” type of statement. That did not answer any of my questions that were specific to the AI algorithms, their privacy notice, etc. So I let them know this. Unlike other organizations that I’ve asked to answer specific privacy questions, I was pleasantly surprised to now have been engaged with GoTo in getting my specific questions answered. Below is an excerpt from one of their recent messages to me with more answers to my questions. It is good to know they are taking questions from a client seriously, and now answering them more specifically. All is not perfect yet, but they are doing much more than most other businesses to whom I’ve sent similar types of questions.

• Daniel Kelley for the list of "Here's 30 fun cybersecurity search engines" he posted to his LinkedIn page. This fits especially well for this issue's Tips cybersecurity topic, along with privacy! Rebecca has used Shodan in her IoT research for many years now to identify and locate privacy problems and leaks. Plus several of the others. But, we also learned some new ones from this list.
• Tom Kemp for his new book, "Containing Big Tech: How to Protect Our Civil Rights, Economy, and Democracy." Listen to Rebecca's interview with Tom Kemp in her September Data Security & Privacy with the Privacy Professor show episode. See the link and show description below.
• James M. Clarke, Maryam Mehrnezhad and Ehsan Toreini for their Cornell University paper, "Invisible, Unreadable, and Inaudible Cookie Notices: An Evaluation of Cookie Notices for Users with Visual Impairments." This is great research and insights on the accessibility of privacy information for the visually impaired, who absolutely need to be able to understand the privacy promises, or lack thereof, at the websites they visit online. In fact, it has motivated us to improve upon our own notices.
• CBS News for raising awareness of a new tool car thieves are using to locate electronic devices in parked cars, even when the devices are hidden from view.

*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other helpful information on our site. Our goal is to post 3-4 times a week. We’d also love to see your comments and thoughts on our posts.

Check It Out!

We have excellent feedback on our course, “HIPAA Basics for Business Associates 2023 Edition.” Our course includes more direct experience insights, examples, guidance, supporting supplemental materials, and more meaningful course quizzes and associated certificates of completion than other vendors. Similar statements about our “HIPAA Basics for Covered Entities 2023 Edition” course have been made. We’ve included many real-life experiences within the courses, and also many supplemental materials, which we update as changes occur so our clients and learners can use their Privacy and Security Brainiacs portals as a source of not only learning but also to keep up with regulatory changes, and even where they can store their organizations’ security and privacy policies. Please check them out! 

Students of each Master Experts “Online Education” course receive certificates of completion showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class and much, much more. Have questions about our education offerings? Contact us!

The Privacy Professor | Website

Privacy & Security Brainiacs| Website

Permission to Share



If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:

Source: Rebecca Herold. September 2023 Privacy Professor Tips

www.privacysecuritybrainiacs.com.

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Information

You are receiving this Privacy Professor Tips message as a result of:

1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or

2) making a request directly to Rebecca Herold or 

3) connecting with Rebecca Herold on LinkedIn. 

When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. 

If you wish to unsubscribe, just click the SafeUnsubscribe link below.