Freedom From Privacy Invasion
Privacy & Security Brainiacs(R)
Providing effective education and tools to help organizations of all sizes meet their privacy and security obligations.
As the US celebrates its independence, it’s a good time to think about what freedom means in the digital era.
Over decades in the privacy industry, I’ve heard this from countless people: “My life’s an open book. I have nothing to hide.” While that may feel true, the unfortunate fact is that we all have something to hide – our personal data, and other data that can be used to reveal intimate details of our lives. That data is increasingly used by artificial intelligence (AI) to make assumptions (often incorrect) which a large number of organizations are already using to make decisions that impact our lives, often in detrimental ways. Our personal data is also incredibly valuable on the digital criminal market. Protecting it is vital to remaining free from the digital chains of identity theft, other cybercrime and physical crimes, and to help prevent decisions being made that harm us in ways that are often financially, physically, and mentally damaging.
If it helps, don’t think of privacy as having something to hide. Think of it as having something to protect. Your autonomy. Your choices. Your freedom. That is what makes it so important to think about on US Independence Day, no matter where in the world you are located. Privacy is a fundamental right. Protecting it does not make you a closed book. It makes you a smart person.
Also, please "Follow" our Privacy & Security Brainiacs page! We would like to start publishing our Monthly Tips as a company newsletter on LinkedIn in addition to sending via email subscriptions (thousands of subscribers forward them to their employees, family, and friends). To meet LinkedIn requirements for company newsletters we must get more folks following our company page. We will also be providing more posts on our company page containing our original research and work, so we are trying hard to make it worth your while to click that "Follow" button. Thank you!
Rebecca
We would love to hear from you!
Did you find the tips we provided in this month's issue useful? Did you like this issue? Do you have questions for us to answer? Please let us know via email using [email protected].
NOTE: This is a copy (slightly modified to better fit the publish date and format) of the monthly Privacy Professor Tips of the Month for July 2022 email newsletter that subscribers received on June 29, with the exceptions that Rebecca's personal photos from her recent road trip with her son to US national parks, and almost all of the other cartoons and images have been removed. We will more easily be able to include images when we use the LinkedIn Newsletters platform.
July Tips of the Month
Monthly Awareness Activity
July 1 was International Joke Day. In conjunction with this day, or any other day, here's a fun way to raise privacy and security awareness through humor at work: inject comics, or written, audio or video jokes, into your regular communication. (Pro Tip: Clear them with your HR area first; you never know what may fall under unacceptable.)
Another idea: host a contest for the best privacy- or security-related joke. Here are a few for your funny bone:
Silly? Yes. Memorable? Yes! Even a groaner of a joke sticks around in the memory banks, which makes even goofy humor a great way to advance awareness.
Do you have a joke to share? Send them on over!
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
Seems the June Tips got many of you thinking. We received several new questions related to our topics in that issue. Below is an assortment. Please keep your questions coming.
Q: A business partner is making threats during our phone meetings. Is it illegal to record our conversations without telling the person threatening me?
A: I’m so sorry to hear you are dealing with such a stressful situation. The legality of recording depends on where you and the other person are each located.
Whereas US federal law only requires one-party consent, some state laws are stricter and explicitly state or imply that all parties must consent. Those states include California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont and Washington.
Another factor to note is that federal law stipulates that you must be participating in the conversation to legally record it. If you are not part of the conversation, federal statutes consider that illegal eavesdropping or wiretapping.
Justia offers a nice summary of the U.S. laws governing the recording of both calls and in-person conversations.
Here are the general legal requirements of a few international call recording laws:
If you have different laws where you live, let us know!
Q: Do patients in the US have the right to deny their employers access to their protected health information (PHI) in a workers’ compensation situation?
A: The short answer is that patients do not have rights under HIPAA as it pertains to preventing their employers from accessing the specific PHI associated with workers’ compensation cases. Here’s why:
HIPAA does NOT apply to the following three types of entities:
The above entities need access to the applicable health information of workers to process claims and coordinate care.
Typically, in these circumstances, a worker’s PHI is obtained from the health care provider who treated them. Those providers are considered covered entities (CEs) and are obligated to follow HIPAA requirements, which include directives for workers’ compensation cases.
HIPAA recognizes the legitimate need of insurers and other entities involved in workers’ compensation systems to have access to individuals’ PHI as sanctioned by state or other laws. Because of the extreme variability among those laws, HIPAA allows disclosures of PHI for workers’ compensation purposes in a number of ways, to entities not defined as CEs under HIPAA.
You can learn more at the Department of Health and Human Services (HHS) website.
Richard Ryan, a longtime Tips reader, sent us a follow-up to our June Tips, pointing out that there were differences in rights to access what is defined as protected health information (PHI) in workers’ compensation situations, which inspired this question. Thank you, Richard!
Q:?I own and operate a cannabis dispensary in the U.S., selling both recreational and medical cannabis. Do cannabis dispensaries like mine have to follow HIPAA requirements?
A: The Department of Health and Human Services (HHS) considers medical marijuana dispensaries to be health care provider covered entities (CEs) under HIPAA when a physician’s prescription is necessary to obtain medical marijuana, and when the dispensary meets the other characteristics of a health care provider. In such situations the dispensary would generally need to comply with HIPAA requirements. However, each medical cannabis dispensary should do an individual analysis of its own specific business factors, which will be unique to each operation, along with considering any related state laws.
HHS extended its oversight to medical marijuana transactions after reviewing the practice and context within which medical cannabis is obtained today.
Medical cannabis expert Michelle Dumay has been a frequent guest on the Data Security & Privacy with the Privacy Professor podcast. Over several years, she and I have discussed a range of topics related to the applicability of HIPAA to dispensaries, along with some specific privacy and security issues. Take a listen to the still-applicable advice:
Q: I just discovered a huge amount of my personal data on ZoomInfo. I never gave consent. I’ve never even used ZoomInfo. Why are they allowed to sell my personal data?
A: We share your concern. ZoomInfo and other data brokers scrape personal data from a wide range of sources, including publicly accessible sites and also through apps. Businesses often use this data to build marketing lists. These apps often take all the personal data available from the computing devices of the people who are using them. Most people have no idea they are serving as unwitting sources of data, having never actively or knowingly given consent to have their data taken or sold.
Consider the number of people you have emailed or received an email from. The personal data of all those people lives in your computer and on your devices. Data broker apps siphon off all that data from email repositories on your devices (and the devices of hundreds of thousands of others) and dump it into their for-profit databases.
I recently spoke with a reporter at The Capitol Forum about the sneaky ways data brokers skirt privacy law requirements to take all this data. We will post the story on the Privacy & Security Brainiacs In the News page when it publishes.
In the meantime, the Duke Sanford Cyber Policy Program discusses this a great deal in its report, “Data Brokers and Sensitive Data on US Individuals: Threats to American Civil Rights, National Security, and Democracy.”
Another interesting research paper, submitted in 2022 to USENIX, discusses this issue: “Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission.”
Q: My neighbors post images and videos of people walking by their house and in the street on Nextdoor. Some of the images have been humiliating to those pictured. Are those posts breaking any laws?
A: There is no single, easy answer to this question. Legality depends on many factors, such as…
WIRED recently covered this topic in its article, “Do People Caught on Ring Cameras Have Privacy Rights? Surveillance devices are becoming more ubiquitous. Do those who unknowingly appear in cam footage have rights—and who gets to decide?”
We also cover many of the associated issues in our upcoming IoT security and privacy book (more on that in the August Tips issue).
Q:?I’m starting a career in IT as a programmer. I’d like to specialize in cybersecurity. Do you have any recommendations for building skills in cybersecurity while creating code?
A: The global business community is sorely in need of programmers who are proficient in cybersecurity. Specifically, we need programmers who understand secure coding and application testing. Until we get there, businesses will continue to push into production products whose code has not been given thorough quality assurance.
Get as much experience as you can in these areas. Build expertise by looking for opportunities to do these activities where you work. Take classes. Read books. You will be in high demand.
The lack of cyber-proficient programmers is one of the reasons I built the SaaS business, Privacy & Security Brainiacs. The soon-to-be-released Master Expert education service was designed in part precisely to train the next generation of programmers to think differently and with a cybersecurity mindset. One of our first Master Experts is the professor who led the creation of the NSA-certified National Center for Academic Excellence (CAE) Master’s in Information Security and Assurance program at Norwich University, Dr. Mich Kabay. And, we would love to have you as a student! (See more about this at the end of this issue.)
All the best for a fabulous and successful career, which I’m confident you will truly love.
Data Security & Privacy Beacons*
People and places making a difference
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight a noteworthy example of privacy-aware practices.
Privacy & Security News
Visit the PSB News Page often!
We continue to get great feedback on the Privacy & Security Brainiacs (PSB) News Page. Thank you!
PSB News pages contain articles grouped by month and by topic. We curate the news we find of most concern and interest, so you can see the kind of info we pass along to our own clients and employees.
Brand New Training Courses
Clearing up common confusion around HIPAA
We are excited and proud?to announce our new online class!
Too few healthcare employees are confident in their understanding of HIPAA. We want to change that. Beginning this month, HIPAA covered entities (CEs) and their business associates (BAs) will have access to “HIPAA Basics for Business Associates 2022.”
The course covers both temporary HIPAA requirements that are still in effect and proposed permanent HIPAA rules. It also covers common BA misconceptions and HIPAA compliance errors. Ask us about our deeply discounted beta testing user pricing.
Where to Find the Privacy Professor
See our new Privacy & Security Brainiacs page for our business in the news! We have added several new items.
Rebecca's Podcast/Radio Show
If you haven't checked out Rebecca's radio show,?Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of real-world topics within the data security and privacy realm.
June Episode
First aired on Saturday, June 4, 2022: Dr. Clifford Stoll
Dr. Clifford Stoll wrote the book The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage in 1989, which provides his first-person account of his odyssey catching hackers working for the Russian KGB. In this episode, we cover additional facts about the hack, including more discussion of the technical and security perspectives that are still applicable, and some of the specific work Dr. Stoll did while tracking the wily hackers, which seems to have inspired some of the tools commonly used by cybersecurity pros today, who probably don’t even realize they were first established by Clifford Stoll!
July Episode
First aired on Saturday, July 2, 2022: Dr. Joseph Turow
Dr. Joseph Turow wrote the book “The Voice Catchers: How Marketers Listen In to Exploit Your Feelings, Your Privacy, and Your Wallet.” He describes how your voice and video recordings are collected, analyzed, and used for marketing and for many other decisions that impact your life, based on the associated AI algorithms, which are often not accurate.
The Privacy Professor | Website
Privacy & Security Brainiacs | Website
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:
Source: Rebecca Herold. July 2022 Privacy Professor Tips. www.privacysecuritybrainiacs.com
NOTE: Permission for excerpts does not?extend to images.