Why are you getting this? Please read our Privacy Notice & Communication Info at the bottom of this message.
A Season of Transformation
It’s graduation time! Whether coming out of preschool or into a new job, students of all ages are moving on to exciting new phases of life.
As the rest of us celebrate their achievements (and maybe even our own), scammers and other bad actors are enjoying the revelry, as well. Crooks love times of transition, as they can leverage all forms of “newness” to take advantage of unsuspecting victims.
Keep on celebrating, but don’t drop that guard. And, as you sign those grad checks and greeting cards, share your privacy tips and tricks with your community, too. Need some more for your collection? Read on!
Rebecca
We would love to hear from you!
June Tips of the Month
- Alzheimer’s & Brain Awareness Month
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons
- Privacy and Security News
- Where to Find the Privacy Professor
Alzheimer’s & Brain Awareness Month
Although I didn’t realize it until many years later, she started showing signs of the illness during the end of my senior year in high school.
There are many ways in which Alzheimer’s patients must be kept safe, both physically and from a cybersecurity and privacy standpoint. Here are some things you can try if you are caring for someone going through the many pains of Alzheimer’s and other types of dementia.
- Remove sensitive personal data from online profiles. This includes phone numbers, mailing addresses, email addresses, birth dates, health information and other information specific to the individual.
- Assemble a list of names and photos of people you trust to communicate with your loved one. Place it next to the computer. Advise them, verbally and in written words, not to connect with anyone not on this list. This means do not accept invitations, email, live chats or any other type of outreach online. People with dementia are common phishing targets.
- Disallow, using the social media control settings, people who are not trusted family members or friends from being able to post on your loved one’s social pages.
- Regularly review your loved one’s social media page and delete inappropriate comments.
- Limit computer usage to times of the day when the dementia victim is most aware. And sit with them when they are online.
- Run anti-malware continuously and employ the use of spam and pop-up blockers.
- Speak about online fraud and cyber security often. You will probably need to speak about the same things repeatedly. Please do not get frustrated and stop talking about these important issues! I know from long experience that repeating important information is necessary, and shows you love your family member or friend. Keep in mind that compared to the terrible disease they are going through, repeating the same information multiple times is really not a problem for you, but a benefit to them.
- Check for spoofing at least weekly. Folks over 50 are targeted often for online identity theft. Cybercrooks use look-alike accounts for phishing and other malicious activities. My own aunt’s account has been spoofed more than 20 times on Facebook. You can watch out for them with a simple Google search of their name once per week. I also recommend you search the major social media networks weekly; at a minimum Facebook, which is running rampant with spoofed accounts.
- Ensure in-home caregivers respect privacy. Caregivers have been known to ask dementia patients to do things that put their privacy at risk, such as to allow them to be recorded doing things the insensitive caregiver thinks is entertaining. Consider installing in-home security cameras to monitor actions happening in the home.
- Ask residential facilities about their privacy and cybersecurity policies and procedures. Understand how privacy and personal data are protected. Most of these facilities are covered entities under HIPAA, so they must comply with specific privacy and security requirements.
- Make sure apps for Alzheimer’s patients have strong security and privacy controls. These should be built into the app. Don’t use apps or allow your loved one to use apps that do not have clearly stated, and strong, privacy policies.
There are many more actions you can take, but this hits some of the major ones. Do you have additional actions to suggest? Let us know!
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
We have gotten so many fantastic questions since the last Tips message; thank you. Keep ‘em coming!
Q: We saw the local police department rummaging through the trash bins in our neighborhood. Is this legal?
A: Police generally can search trash if a person does not have a reasonable expectation that it is private.
The Fourth Amendment to the US Constitution protects individuals from unreasonable searches and seizures. However, the police generally cannot search the following types of trash unless they have a warrant or probable cause:
- Trash inside a home
- Trash outside of a home on the person's property
- Trash in a person's pockets or bags
- Trash in the back of a car
What’s more, in some jurisdictions, courts have found that when garbage is placed in a location that is accessible to the public, such as a street curb, law enforcement is legally permitted to search that garbage. Check your city ordinances (most are posted online) to see what the laws are for your location.
Q: My family’s US doctors have told me conflicting information about the health records that family members can access under HIPAA. What does HIPAA allow my doctor to share with my family members? How about friends?
A: The Health Insurance Portability and Accountability Act (HIPAA) is a US regulation that applies to healthcare providers, insurers and clearinghouses in the US. Collectively, as defined by HIPAA, these are called covered entities (CEs), and businesses they hire to support activities involving the health records are aptly called business associates (BAs). HIPAA does not require a CE to share health information with a patient’s or insured’s family or friends, unless they are the patient’s or insured’s legally designated personal representatives.
But, it is very important to understand that a CE can share a patient’s or insured’s health data with the patient’s/insured’s family or friends under certain circumstances, including when:
- They are involved in the patient’s or insured’s health care or payment for health care.
- The patient or insured gives the CE permission to share.
- The patient or insured does not object to the CE sharing the information.
- Using its professional judgment, the CE believes that the patient or insured does not object.
Q: We are planning an extended road trip. Do you have security and privacy tips for us?
A: This is a popular question this time of year. And yes, there are several action steps you can take before, during and after your trip:
Before traveling
- Ensure any sites you use to book reservations, tickets and other trip-related experiences are legitimate. There are many bogus sites out there posing as legitimate businesses.
- Watch out for sites that promise too-good-to-be-true deals.
- Hold your mail and package deliveries until you return.
- Ask a trusted person to check your doors and mailbox while you’re away for packages you can’t stop. Ask them to keep the fact that you are out of town confidential.
- Make sure your phones and other computing devices (laptops, tablets) are all updated with the latest software patches.
While traveling
- Take portable USB charging devices with you and keep them charged. This way if you are out hiking in the wilderness (as I was recently) and your phone runs out of power, you will be able to use these handy little devices to help you stay in touch with the rest of the world. Even if you cannot get internet access, that GPS ping will help to locate you if necessary.
- Use a juice-jack blocker for charging in publicly available USB ports, which can contain USB skimmers. Most people do not have the technical tools necessary to determine if USB skimmers are loaded in the USB ports, so using these inexpensive blockers is a cybersecurity and privacy must for traveling.
- Add privacy screens to your devices to keep those nearby from seeing personal or sensitive information on your screens.
- Don’t leave your printed boarding passes behind. Shred them when you get home. A simple barcode reader app can scan them for access to your personal information, such as frequent-flyer numbers.
- Use your own mobile hot-spot wi-fi router instead of public wi-fi. This prevents an unlimited number of people sharing the network, getting into your device or intercepting data you are transmitting and receiving.
- Lock your computing and digital storage devices in the hotel safe, or some other location that only you can access, or that only another person or position can access who can be held accountable for any unauthorized access.
- If you are using a home-sharing service, ask if surveillance is in use within the property. Do a sweep of the rooms to make sure there are no cameras installed. If you find one, contact the rental service.
- Use a money belt, fanny pack or cross-body bag with RFID blocking to carry credit cards, money and other valuables.
After traveling
- Log into all credit card and bank accounts to review your account profile and activity to ensure all information is valid.
- Do an online search, including social media, to see whether any of your personal information from your trip has been posted.
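To make the boarding-pass tip above concrete, here is an added example (not code from the newsletter) that decodes the text a boarding-pass barcode carries. It assumes the public fixed-width layout of the first 60 characters of an IATA Resolution 792 BCBP record (the "M" format); the sample record is constructed for this example, not scanned from a real pass. The frequent-flyer number mentioned in the tip sits in the conditional, airline-specific section that follows those 60 characters, which this example reports by length only and does not decode.

```python
"""Decode the mandatory part of a boarding-pass barcode (IATA BCBP "M" format).

Added example, not from the newsletter. Assumes the public 60-character
mandatory layout of an IATA Resolution 792 BCBP record; the sample below is
constructed, not taken from a real pass.
"""
from datetime import date, timedelta

# (field name, width in characters) for the mandatory leg-1 items, in order.
MANDATORY_FIELDS = [
    ("format_code", 1),           # always "M"
    ("legs", 1),                  # number of flight legs encoded
    ("passenger_name", 20),       # SURNAME/GIVENNAME, space padded
    ("eticket_indicator", 1),     # "E" for an electronic ticket
    ("pnr", 7),                   # booking reference
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),           # day of year; the year is not encoded
    ("compartment", 1),
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size_hex", 2),  # hex length of the section that follows
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_FIELDS)  # 60


def decode_mandatory(bcbp: str) -> dict:
    """Slice the fixed-width mandatory fields out of a BCBP string."""
    if len(bcbp) < MANDATORY_LEN or not bcbp.startswith("M"):
        raise ValueError("not a BCBP 'M' record of at least 60 characters")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = bcbp[pos:pos + width].strip()
        pos += width
    # Everything after the mandatory block is conditional/airline data
    # (frequent-flyer number, bag tags, etc.); only its size is reported.
    fields["trailing_chars"] = len(bcbp) - MANDATORY_LEN
    return fields


def flight_date(julian_day: str, year: int) -> date:
    """BCBP stores only the day of year; the year must come from context."""
    return date(year, 1, 1) + timedelta(days=int(julian_day) - 1)


# Constructed sample: one leg, DSM to ORD, seat 12A, day 158 of the year.
SAMPLE_BCBP = (
    "M" + "1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7)
    + "DSM" + "ORD" + "UA".ljust(3) + "1234".ljust(5) + "158"
    + "Y" + "012A" + "0025".ljust(5) + "1" + "00"
)


def exposure_report(bcbp: str, year: int) -> list:
    """Plain-language list of what a discarded pass tells a stranger."""
    f = decode_mandatory(bcbp)
    when = flight_date(f["julian_date"], year).isoformat()
    return [
        f"name: {f['passenger_name']}",
        f"booking reference: {f['pnr']}",
        f"route: {f['from_airport']} -> {f['to_airport']} on {f['carrier']}{f['flight_number']}",
        f"date: {when}, seat {f['seat']}, check-in sequence {f['checkin_sequence']}",
        f"airline-specific data not decoded: {f['trailing_chars']} characters",
    ]


if __name__ == "__main__":
    for line in exposure_report(SAMPLE_BCBP, 2022):
        print(line)
```

The booking reference alone is worth noting: on many airline websites it plus the surname is enough to open the reservation, which is why the tip says to shred the pass rather than leave it in a seat pocket or hotel bin.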
Image source: Andrew Grossman, Scop.Io
Q: I just graduated college and will be moving many states away to start my career. My new employer is reimbursing me for my moving costs. What should I be thinking about when hiring a moving company?
A: A 30-year veteran of fraud and cybersecurity investigation estimates that as many as 10% of employees in the moving industry have used their position at least once to steal documents, computing devices and other valuables.
There has also been a dramatic increase in so-called “hostage loads.” Movers insist customers pay more than the quoted amount to get their deliveries. Even after paying the “ransom,” many people never receive their property.
Here are some tips for a security and privacy safe move:
- Transport personal information and other irreplaceable valuables in your own vehicle. If you have a lot, consider renting a truck or van. Or ask a friend to help. Your employer is likely to cover this along with your moving company expenses.
- Contract with a trustworthy moving service. 10 red flags to watch for…
  - Complaints about the service on sites like the Better Business Bureau.
  - Requirements for cash, direct deposit or gift card payments.
  - Demands for full payment up front.
  - Mandates for a large deposit of 50% or more during the off-season.
  - Not being registered with the Federal Motor Carrier Safety Administration (FMCSA).
  - Instant quotes vs a quote following an onsite inspection. These can include huge price increases for a wide range of situations.
  - An exorbitant amount of fine print in the contract (or no contract at all).
  - No copy of “Your Rights and Responsibilities When You Move” is provided. Movers are required by US federal law to give this booklet to consumers. Other countries may also have such requirements; if you are in another country, please let us know!
  - Too many unresolved customer complaints or no reviews at all.
  - Requirements to sign blank contracts or paperwork before the move.
Q: My family uses an Amazon Fire Stick. I was recently alarmed to learn that it is recording our conversations! How can I remove what it has recorded?
A: Indeed, Fire Sticks have been found to be recording everything in their vicinity. In these circumstances, the device had design flaws that created privacy glitches, and disastrous ones at that. Sadly, these types of glitches can happen with any “smart” device engineered to listen and record, often when they are not thoroughly tested before being sold to the public, or when updates are made and not thoroughly tested.
As with most Internet of Things (IoT) devices, recording of private conversations depends on several factors:
- The capabilities the manufacturer or its contracted engineers built into the device.
- The device’s default privacy and security settings.
- How well the seller communicates instructions for changing those settings.
- Whether the manufacturer and/or seller additionally provided some type of training (e.g., videos explaining the capabilities) for how to securely use the devices.
- And, when such instructions and training are provided, whether users then follow those instructions and take the training.
The Amazon Fire Stick was designed to always be listening so it can pick up the trigger word. To complicate matters, there are many different Fire Stick models. Each has slightly differing capabilities. That said, Amazon does enable Fire Stick owners to remove all data that has been knowingly or unknowingly collected.
Q: I received an offer from Amazon Prime to preview the first three episodes of a brand new show. Is this a scam?
A: I received the same offer (see screenshot above and below). While it is not a scam, it is a seriously privacy-invasive activity. Here’s why:
Participants must share a copy of their driver’s license to verify their identity. Amazon already has a huge amount of its users' personal data they could certainly use to authenticate identity.
There is no reason for people to provide sensitive, government-issued identification to an online store, particularly in return for the preview of a show and a $15 credit. Not worth it.
Amazon Studios’ communication says they “must” ask participants to provide their driver’s licenses. That is not true; there are no laws that require this. Worse, the company is working with a third-party contracted entity, Veriff, to collect this sensitive data. What might that contractor do with the data? How are they keeping it safe? Are they sharing it with other third parties? If you read Veriff’s privacy policy, you can assume they are. Here is just one excerpt, “…Personal Data can be shared with our advertising and marketing partners, companies carrying out satisfaction surveys, debt collection agencies, credit registers, authorities and organizations intermediating or providing (electronic) mail, compliance or payment services and the like…”
Data Security & Privacy Beacons*
People and places making a difference
- AtSign innovated a new way to protect personal data… by “flipping the internet” to give individuals control over their own personal data. We are going to keep our eye on how this concept progresses.
- Google has made it possible for users to remove some personal data from its search results. Google may also consider the removal of professional contact info “in the context of doxxing.” If you use this, let us know how it worked.
- Amazon Prime is sending awareness messages about scammers to its customers (see screenshot below). In light of the last Q&A above on Amazon Studios, you can see why we include our disclosure statement below. A company can do great things in the name of privacy while also falling down on privacy protections elsewhere.
*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. A beacon simply highlights a noteworthy example of privacy-aware practices.
Privacy & Security News
Visit the PSB News Page often!
The PSB News page contains news grouped by month and by topic. We curate the news we find of most concern and interest, so you can see the kind of info we pass along to our own clients and employees.
Brand New Training Courses
Clearing up common confusion around HIPAA
Too few healthcare employees are confident in their understanding of HIPAA. We want to change that. Beginning this month, HIPAA covered entities (CEs) and their business associates (BAs) will have access to “HIPAA Basics for Business Associates 2022.”
Where to Find the Privacy Professor
real-world topics within the data security and privacy realm.
Latest Episode
First aired on Saturday, May 7, 2022
Adam Dodge
Assaulters and stalkers are increasingly using IoT tech to target, surveil, and attack their victims. What types of popular, tiny, inexpensive IoT devices are increasingly used by assaulters and stalkers for surveilling and then tracking down victims to abuse and assault? In what ways do IoT devices provide a sense of false security, that then actually makes weaponizing them to commit crimes easier? What can people do to keep from being victims of assaults through the IoT devices they use? Tune in to hear Adam Dodge, founder of Ending Technology-Enabled Abuse (EndTAB), provide answers to these and many more questions.
Next Episode
First airing on Saturday, June 4, 2022
Dr. Clifford Stoll
Dr. Clifford Stoll wrote the book The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage in 1989; it provides his first-person account of his odyssey catching hackers working for the Russian KGB. In this episode we cover additional facts about the hack, including more discussion of the technical and security perspectives, which are still applicable, and some of the specific work Dr. Stoll did while tracking the wily hackers. That work seems to have inspired some of the tools commonly used by cybersecurity pros today… tools they probably don’t even realize were first established by Clifford Stoll!
Privacy & Security Brainiacs | Website
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Info
You are receiving this Privacy Professor Tips message as a result of:
2) making a request directly to Rebecca Herold; or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that each month, to support the LinkedIn networking purpose and goals, and to stay in touch with her links, she sends her LinkedIn connections one security and privacy tips message via email each month. If they do not want to stay in touch with her in this way, LinkedIn connections are invited to let Rebecca know they do not want to get email messages from her by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.