Know When to Pivot

The world we live in today is a tumultuous place. If the past two years have taught us nothing else, they have provided invaluable lessons in the ability to adapt and overcome. When the coronavirus pandemic traveled quickly around the globe, every business in every industry scrambled to find new ways to serve its customers and new ways to approach problems it didn’t even know it was going to face until suddenly confronted with them.

Have you ever been following a recipe, but realized halfway through that you don’t have the right ingredients? You might look around, wondering what you could use instead. You may even think about giving up on the recipe entirely and just ordering takeout. Or you can pivot. To pivot means to turn or spin around a center point, like the basketball player who changes direction suddenly and sharply to get around the player guarding him. In other words, it means “to adapt and change quickly.” Sometimes, no matter how well you’ve planned, things change. The market shifts, customers’ needs change, a pandemic rapidly spreads, a war is waged… and suddenly everything changes. In today’s fast-paced world, the one thing that can help us weather the storm of sudden change is knowing when to pivot our strategy and adjust our thinking.

After the COVID-19 pandemic rocked businesses worldwide, banks and other financial services providers (and many other companies) pivoted by moving or enhancing their services online, creating digital solutions for clients who could not visit them physically, and taking advantage of the new opportunities these challenges presented. When residents of Ukraine’s second-largest city, Kharkiv, woke up one day last week to find that Russia had disrupted their internet access, tech billionaire Elon Musk, founder of aerospace manufacturer SpaceX, provided them with access to its satellite-internet system, Starlink.

The Russian invasion of Ukraine and the rapidly evolving situation there will have far-reaching impacts on the rest of the world, including the global financial sector. Regulators are issuing guidance to U.S. banks reiterating that regulated entities should fully comply with U.S. sanctions on Russia and warning of elevated cyber risks for the U.S. financial sector. OFAC’s orders and guidance on implementation of these sanctions, including the financial entities added to the Specially Designated Nationals (SDN) List, are accessible on the U.S. Treasury Department’s website. Stay on top of the latest updates, and ensure timely implementation of any further sanctions, by signing up for email updates directly from the U.S. Treasury.

The escalating tension between the U.S. and Russia greatly increases the risk that Russian threat actors will directly target U.S. critical infrastructure in retaliation for sanctions or other steps taken by the Biden administration. Now is a good time to review and test your cyber response and business continuity plans, and provide additional cybersecurity awareness training and reminders for all employees. Your security and IT teams should closely track guidance and alerts from the Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Centers (ISACs). Indicators of compromise for known threat actors should be immediately incorporated into your network’s cyber defenses.

Flexibility is key. Especially in the banking industry, where this kind of thing happens all the time: a new regulation goes into effect and suddenly your revenue stream dries up; a new competitor emerges and suddenly you’re losing market share; a product or service comes along that changes customer expectations, and suddenly you have to work harder than ever just to stay competitive. It’s time to think outside the box.

Disruption is the new normal in banking. From the financial crisis of 2008 to the global pandemic to a raging international crisis, these disruptions present opportunities for us to rethink problems and look for new ways to solve them. They are lessons in knowing when to pivot to adapt and overcome.

As the saying goes and couldn’t be more true in banking, “That which doesn’t kill you makes you stronger.”

Written for and originally appeared in Bankers’ Hotline Vol. 32, No. 2, 2/28/22

Data Privacy: What It is and Why Should You Care About It

We live in a world where technology is constantly evolving and new ways to collect and use data are being developed every day. It can be hard to keep up with all the changes and understand what they mean for your privacy. This post will explain what data privacy is and why it’s important. You’ll also learn more about how companies collect and use your personal data and the inherent risks of data sharing every time you go online.

What is Data Privacy?

Data privacy is the right for an individual to control what information they share about themselves. For example, companies might collect your personal information (i.e., email address, phone number), store it, access it, use it and share it with other people. Every time you give out your phone number, address, or email address, you are sharing your personal data for someone else to use in some way.

When you’re online, your computer is constantly sending and receiving data. This includes information like your IP address, the type of device you’re using, and what browser you have installed. While this data is necessary for the functioning of websites and online services, it can also be used to track your behavior and interests. Data privacy is the practice of keeping your personal data secret from companies and other third parties. To protect your data privacy, you should know how companies collect and use your data and how you can limit the amount of data you share.

How Companies Collect and Use Your Data

The Internet has become an integral part of our everyday lives. It is a place where we can communicate with other people, explore new ideas, and share our thoughts and opinions. It is also a place where we can buy and sell goods, learn about the world, and do many other things. The pandemic has rapidly accelerated the use of online services for both individuals and businesses in terms of how we work, learn, and interact with others.

Online companies collect and use your private data to provide you with a better experience. They collect your personal information and browsing history to help improve their services and target advertisements. However, there are many risks that come with giving these companies, such as Google or Facebook, your personal information. Many of them (most of them, actually) use that data for various purposes, e.g., advertising, research, and even influencing how you vote, without your knowledge or explicit consent.

There are many ways in which online companies can access your private data, such as cookies (not the chocolate chip kind!), your IP address, location data, and other third-party tools that they may use. While this can be useful and convenient at times, like when you are looking for specific services or products, in many cases the risks associated with these data collection practices outweigh the benefits.

The Risks of Not Protecting Your Data

While giving websites and apps access to your personal data can help you find things faster and do things easier, did you know that personal data might be used against you? You don’t have to be paranoid or a conspiracy theorist, but there’s no denying that when big corporations get their hands on our personal data, bad things can happen to good people – and often do!

There are many ways in which hackers can steal your sensitive personal information. They might break into a company’s computer system and steal all the data stored there, or they might try to trick you into giving them some of your personal information by sending you an email that looks like it’s from someone you know, which is known as phishing. Learn more about how data thieves are phishing for your data and how they reel in unwitting victims.

In September 2017, Equifax announced that 143 million Americans had their data compromised in a data breach. Hackers were able to breach one of the nation’s three major credit reporting firms after Equifax security officials failed to install a software upgrade that had been recommended to keep digital intruders out. The information stolen by the hackers included names, addresses, Social Security numbers, and birthdates. The company was widely criticized for not doing enough to protect the sensitive information of their customers. Equifax also came under fire for not disclosing the breach in a timely manner. We should be aware of the risks that come with having our personal data stolen.

When hackers or other bad actors get your personal information, they can use it to steal your identity and disrupt your life or business. Stolen personal data can be used for all kinds of things like stealing money from bank accounts, applying for loans, opening new credit card accounts, filing fraudulent tax returns, and more.

The good news is that there are ways you can take back control of your digital identity. To start, many states now require businesses to disclose the types of personal information they collect from customers (California being one example) so we’re not completely powerless! You are your own best advocate, however.

5 Tips for Keeping Your Data Private

We all want our lives to be more convenient, but we also need to know that our private information will remain safe from those who would do us harm – whether by stealing our identity or exposing sensitive details about us on the Internet. The good news is there are steps everyone can take today to protect their own privacy online while still enjoying the benefits of technology like social media platforms and the myriad mobile apps that make life easier in so many ways!

1. Don’t overshare. Be smart about the information you share. Don’t give away more personal information than is necessary. The best way to do that is to manage your privacy settings on mobile devices, social media accounts, and apps.

2. Use strong passwords (with a variety of characters) for all of your accounts, and never reuse the same password. With so many sites and apps requiring logins that you need to remember, the best tool to help protect your logins is a password manager, such as Dashlane. Password managers can create, store, and even autofill secure passwords for everything you need to log into. Add another layer of security by enabling multifactor authentication (MFA) wherever possible, especially on accounts with sensitive information, as the National Cybersecurity Alliance recommends.

3. Keep all your software and apps updated. Make sure that you have up-to-date antivirus software installed on your devices and that you keep them patched with the latest security updates. Regularly check that web browsers and security software have the latest security patches and updates as well.

4. Think before you click. Hackers use phishing and other social engineering methods to target users. Never click links in a suspicious email or open its attachments. If you get an email you weren’t expecting, or you’re not sure it is from someone you know, always contact the sender directly using a phone number not listed in the email. Err on the side of caution and go to verified websites directly.

5. The best defense is a good offense. Stay informed by keeping track of the latest cyber threats and how they are targeting people like you. If your data is stolen or compromised, act fast! Change your passwords, monitor your credit report closely for any suspicious activity, and reach out to the credit bureaus to place a fraud alert on your credit file. That way, if the thief tries to open new accounts in your name, they won’t be able to.

With the rise in technology and online use, our personal information is increasingly being shared every day. It’s more essential than ever to ensure that you are protecting your data and to understand what happens to it when you share it with someone else. Always being mindful of what you share online and knowing how to secure your devices and accounts can safeguard your digital footprint and protect you and your business from emerging risks.

Data Privacy Week is January 24-28, 2022. Sponsored by the National Cybersecurity Alliance, Data Privacy Week helps spread awareness about online privacy and educates individuals on how to manage their personal information and keep it secure. It also encourages businesses to respect data and be more transparent about how they collect and use customer data. Whether you’re an individual who wants to learn more about how to protect your data or a business that wants to ensure you are taking the appropriate steps to protect your customers’ data, learn more at https://staysafeonline.org/data-privacy-week/.

You Better Watch Out!

Dr. Seuss’ The Grinch is a holiday favorite this time of year. Just as that green grump disguises himself as Santa Claus to steal Christmas from his neighbors in Whoville, malicious cyber actors leverage the holiday spirit to stealthily target networks and systems belonging to organizations, businesses, and critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a cybersecurity advisory for public and private sector organizations to remain vigilant and to take appropriate precautions to reduce their risk to ransomware and other cyberattacks leading up to and during the holiday season.

The joint alert includes best practices and steps users and organizations should take to mitigate the risk posed by holiday cyber Grinches, including identifying IT security employees who would be available during the holidays in the event of a cyberattack. The joint agencies recommend maintaining vigilance against the multiple techniques cybercriminals deploy to gain access to networks, including:

  • Phishing scams, such as unsolicited emails posing as charitable organizations
  • Fraudulent sites spoofing reputable businesses, particularly those often visited by users doing their holiday shopping online
  • Unencrypted financial transactions

Training your staff to be on the lookout for these nefarious cyber Grinches trying to sneak into your networks is essential this time of year. You can add a little holiday spirit to the task, like this Night Before Christmas parody that a Florida trucking company sent to their employees as a reminder to stay safe during the holidays.

You can have some fun with it and personalize it for your institution.

From all of us at Bankers’ Hotline – have a happy, cyber safe holiday season!

Originally appeared in Bankers’ Hotline, Volume 31, No. 11, 11/30/21

Be Cyber Smart. Are You Doing Your Part?

October crept up on us as hot summer nights quickly turned to cool, crisp evenings and green leaves began transitioning to yellows and reds in preparation for the annual autumn spectacular. Children across the country are deciding which favorite superhero or villain they want to be when they participate in the annual tradition of “guising” on All Hallows’ Eve, aka Halloween.

It’s a spooky time of year with all the ghosts, goblins, witches, and other scary characters wandering around creating mayhem and mischief. These days, going online to chat or follow your friends and family on social media, do research for school, and even work has become precarious every day of the year. There are a lot of hackers, fraudsters, and other bad actors lurking behind the anonymity of the World Wide Web, disguised with tricks designed to steal your personal information.

The National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Security Agency have kicked off their annual October Cybersecurity Awareness Month to raise awareness about the importance of cybersecurity and provide individuals and businesses with the tips and tools to be safer and more secure online. This year’s Cybersecurity Awareness Month theme is “Do Your Part. #BeCyberSmart.”

The 2020 Verizon Data Breach Investigations Report found that 61% of data breaches used compromised credentials. When your email address, passwords, and usernames are compromised by a hacker, there’s a good chance those credentials will be sold at some point (now or in the future) to cybercriminals who will use them to breach websites or apps and pilfer online data. Phishing attacks account for more than 80% of reported security incidents, according to Verizon’s report. The Federal Bureau of Investigation (FBI) reported that phishing was the most common type of cybercrime in 2020, with the FBI receiving 241,342 complaints that year. Read more about phishing and how to avoid being lured by phishing attacks.

Staying safe online and practicing good cyber hygiene starts with you. It’s up to you to take responsibility and own your role in protecting your personal information and securing your systems and devices. The NCSA has eight basic steps you can take to enhance your cyber safety.

NCSA CYBERSECURITY BASICS

MAKE A LONG, UNIQUE PASSPHRASE

Length trumps complexity. A strong passphrase is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember.

Use 2-factor authentication or multi-factor authentication (like biometrics, security keys or a unique, one-time code through an app on your mobile device) whenever offered.

WHEN IN DOUBT, THROW IT OUT

Links in email, tweets, texts, posts, social media messages and online advertising are the easiest way for cyber criminals to get your sensitive information. Be wary of clicking on links or downloading anything that comes from a stranger or that you were not expecting. Essentially, just don’t trust links.

KEEP A CLEAN MACHINE

Keep all software on internet connected devices – including personal computers, smartphones and tablets – current to reduce risk of infection from ransomware and malware. Configure your devices to automatically update or to notify you when an update is available.

BACK IT UP

Data loss is spooky. Protect your valuable work, music, photos and other digital information by making an electronic copy and storing it safely. If you have a copy of your data and your device falls victim to ransomware or other cyber threats, you will be able to restore the data from a backup. Use the 3-2-1 rule as a guide to backing up your data. The rule is: keep at least three (3) copies of your data, store two (2) backup copies on different storage media, and keep one (1) of them offsite.

Editor’s Note: With a secure cloud service like Backblaze Computer Backup you can have peace of mind knowing your files are safe and secure. Back up your Mac or PC for just $7/month with Backblaze.

OWN YOUR ONLINE PRESENCE

Every time you sign up for a new account, download a new app, or get a new device, immediately configure the privacy and security settings to your comfort level for information sharing. Regularly check these settings (at least once a year) to make sure they are still configured to your comfort.

SHARE WITH CARE

Think before posting about yourself and others online. Consider what a post reveals, who might see it and how it might affect you or others. Consider creating an alternate persona that you use for online profiles to limit how much of your own personal information you share.

GET SAVVY ABOUT WIFI HOTSPOTS

Public wireless networks and hotspots are not secure, which means that anyone could potentially see what you are doing on your laptop or smartphone while you are connected to them. Limit what you do on public WiFi, and avoid logging in to key accounts like email and financial services.

Consider using a virtual private network (VPN) or a personal/mobile hotspot if you need a more secure connection.

Beware the Lure of Data Phishers! Don’t take the bait.

It’s that time of year when anglers take to the waters and cast their lines in hopes of hooking bass, salmon, and other savory fish. While spring and fall are peak times for sport fishing, there’s a different kind of “phishing” that’s always in season.

Phishing is when someone uses fake emails or texts (even phone calls) to lure you into sharing valuable personal information, such as your Social Security number, your login IDs and passwords, or bank account numbers. Scammers are phishing for this information to pilfer your money, your identity – or both. In some cases, they may even use this information to gain access to your phone, computer, or network. They hook you when you click on a link in one of these emails or texts, which enables them to install ransomware or other malicious programs designed to steal your personal information. These nefarious actors will often use familiar or seemingly legitimate names or pretend to be someone you know, and will pressure you to act immediately to avoid an alleged negative outcome if you fail to follow through.

The most dangerous mindset is thinking that it can’t happen to you or that you would most certainly recognize a scam. Earlier this year, 10,000 Microsoft users were targeted in a phishing campaign. Emails were sent out to intended victims purporting to be from FedEx, DHL Express, and other shippers, containing links to phishing pages hosted on legitimate domains. The phishers were after recipients’ work email credentials. By using legitimate domains, the emails were able to evade security filters. The high success rate of these emails was attributed in part to the fact that so many people have come to rely on delivery services during the pandemic. Scammers prey on the vulnerability of people during a crisis.

Three Common Types of Phishing Attacks

PHISHING – Hackers send out legitimate-looking emails that contain a link to a spoof website, or an attachment with malware or malicious code included. These attacks have been around for quite some time. Originally targeting individuals, the attacks have gotten more sophisticated and now commonly target companies to gain network access, launch malware and ransomware attacks, and aim directly at C-level executives.

SPEAR PHISHING – Spear phishing is a more targeted and customized attack. The bad guys will do a little research and find out specific information about the target. It may come from the company website, social media, financial reports, or industry sources. Using that information, they will customize an email to make it appear more legitimate.

WHALING – Whaling is a more sophisticated form of spear phishing aimed at corporate CEOs, CFOs, and other high-level executives. Because of their status, these executives are considered the Big Fish or “Whales” if they take the bait. Criminals can generally net a bigger catch from these victims.

Phishing is a booming business for hackers. According to a recent Forbes article, Google reported a record 2.1 million phishing sites in 2020 (an increase of nearly 25% from 2019). Even more staggering is that Google has been proactively blocking over 18 million phishing emails each day since the start of the Covid-19 pandemic. Security firm PhishLabs reports that social media has emerged as one of the fastest growing attack vectors, rising 47% in the first six months of 2021.

This year-round online sport has evolved into what security researchers refer to as “Deep Sea Phishing” – the use of a combination of techniques to cast more aggressive lures. Cybercriminals and organized crime groups have adopted various pandemic-themed bait for phishing, and they are taking advantage of the cybersecurity chaos that has followed the rapid transition to remote working and learning.

Even more alarming is the growing use of disinformation and deepfakes in phishing expeditions. Deepfakes use deep learning artificial intelligence to replace the likeness of one person with another in video and other digital media. Deepfake technology can be used to create fake news and misleading, counterfeit videos. There have been reported cases of cybercriminals using deepfakes to produce the voice of a CEO requesting that payments be sent to an attacker’s account.

Don’t Get Hooked

There is a popular Russian proverb, adopted as a signature phrase by former President Ronald Reagan, that anyone who uses the internet should follow: Trust, But Verify. At one time or another (or more than once), you have forgotten a password and requested a link to reset it. But if you receive one of these requests without initiating it yourself, there’s a good chance it’s not legitimate. The same applies if you receive an email asking for personal or login information out of the blue. A healthy degree of caution and skepticism is necessary today when navigating the world wide web to avoid getting hooked by phishers.

If you’ve ever been to the beach you may have come across warning flags that are posted by many coastal communities to warn beachgoers about dangerous surf, swimming conditions, or high/low tides. Red flags are used to warn people about the highest degree of danger. Following are some red flags you can look for to avoid being lured and hooked by a phishing scam:

  • Email address is different or looks off: If you’re getting an email from someone claiming to be someone you know, but the address is different from what you have on file or doesn’t make sense, that’s a good indication that this person isn’t who they say they are.
  • The message is unexpected and unsolicited: If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect.
  • There’s a request for personal information such as Social Security numbers or bank or financial information: Official communications won’t generally request personal information from you in the form of an email.
  • Strange tone or incorrect grammar: If the sender is someone you know and are usually friendly with, but the tone of the email is formal or otherwise off, it’s a red flag. The same goes for grammatical and typographical errors, especially if the person is usually diligent about their writing.
  • The web address is misspelled or different from where you usually go: Phony websites linked directly from an email might look authentic but will have a different URL than the website you usually visit when you log in.
  • Insecure connection: Most web browsers will warn you if a website’s link is insecure, but an easy way to tell for yourself is to look for “https” at the beginning of the URL. If you only see “http,” you’re not on a secure site. Note that “https” by itself only means the connection is encrypted, not that the site is genuine, so check the domain name as well.
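As an added illustration (not part of the original article), the following Python script applies the checkable items from the red-flag list above (sender not on file or with a different address, a request for personal information, a link whose destination differs from the site you normally log in to, and a link that is not https) to two constructed email messages. The address book, login domain and both messages are hypothetical sample values; the “strange tone” flag is a human judgment and is not automated here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed address book and login domains for the demonstration (hypothetical values).
KNOWN_CONTACTS = {"jane doe": "jane.doe@example-bank.com"}
KNOWN_LOGIN_DOMAINS = {"online.example-bank.com"}
# Phrases that legitimate mail will not normally ask you to supply by email.
SENSITIVE_TERMS = ("social security", "ssn", "account number", "password", "login details")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)


def same_site(host: str, known: set[str]) -> bool:
    """True when host is a known domain or a subdomain of one.

    A lookalike such as online.example-bank.com.evil.net is rejected because
    the known name must be the end of the host, not merely appear inside it.
    """
    host = host.lower()
    return any(host == k or host.endswith("." + k) for k in known)


def red_flags(raw_message: str) -> list[str]:
    """Apply the red-flag checklist to one RFC 822 message and return the flags raised."""
    msg = message_from_string(raw_message)
    flags: list[str] = []

    # Sender not in the address book, or the address differs from the one on file.
    display_name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    if expected is None:
        flags.append(f"unexpected sender not in address book: {addr}")
    elif addr.lower() != expected:
        flags.append(f"sender address differs from the one on file: {addr} (expected {expected})")

    body = msg.get_payload()
    if isinstance(body, list):  # multipart message: look at the first part only
        body = body[0].get_payload()
    body_lower = body.lower()

    # Request for personal or login information in the body.
    hits = [term for term in SENSITIVE_TERMS if term in body_lower]
    if hits:
        flags.append("asks for personal information: " + ", ".join(hits))

    # Links: HTML anchors first, then bare URLs left in the remaining text.
    links = ANCHOR_RE.findall(body)
    links += [(url, url) for url in BARE_URL_RE.findall(ANCHOR_RE.sub(" ", body))]
    for href, text in links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme.lower() != "https":
            flags.append(f"link is not https: {href}")
        shown = urlparse(text.strip())  # the visible text may itself be a URL
        if shown.hostname and shown.hostname.lower() != host.lower():
            flags.append(f"link text shows {shown.hostname} but points to {host}")
        if not same_site(host, KNOWN_LOGIN_DOMAINS):
            flags.append(f"link points to an unfamiliar site: {host}")
    return flags


# Constructed sample messages (hypothetical; not real mail).
LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example-bank.com>
Subject: Your statement is ready

Your monthly statement is available at https://online.example-bank.com/statements
"""

PHISH_SAMPLE = """From: Jane Doe <jane.doe@example-bank-secure.net>
Subject: Urgent: verify your account

We noticed unusual activity. Confirm your password within 24 hours:
<a href="http://online.example-bank.com.verify-login.net/">https://online.example-bank.com</a>
"""

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGIT_SAMPLE), ("suspicious", PHISH_SAMPLE)):
        print(f"{label}: {len(red_flags(sample))} red flag(s)")
        for flag in red_flags(sample):
            print("  -", flag)
```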

When you receive an email or text message that you weren’t expecting, particularly from what appears to be your financial institution, contact the institution or business directly by phone to verify whether the emails or texts were in fact sent by them.

When fishing in deep waters, sportsmen wear a safety vest to prevent drowning. When navigating the murky waters of the world wide web and sharing your personal data, bring a safety net of awareness and caution – and beware of phishers!

Fight For Your Right to Data Privacy

In 1973, the U.S. Supreme Court struck down a Texas statute banning abortion, effectively legalizing the procedure across the United States. In the landmark Roe v. Wade case, the court held that a woman’s right to an abortion was implicit in the right to privacy protected by the 14th Amendment to the Constitution.

In the midst of a global pandemic, the mask mandates have sparked another 14th Amendment and right-to-choose controversy. Americans who vehemently oppose the requirement to wear masks at work, in government and public places, and on any type of public transportation are citing the 5th and 14th Amendments: “The government cannot deprive us of our life, liberty, or property without due process of law.” The right to liberty includes the right to make choices about one’s health and body.

“Freedom” and “Right to Choose” are among the buzzwords of 2021. More than ever before (or maybe it is just more evident given the online soapboxes at our disposal), individuals and groups are taking a stand and championing their rights.

Data Privacy is a Right!

Data privacy is a fundamental right. When you engage in online activity or share your data with a company that has requested it to provide products or services, you have the right to trust that your personal data will be handled with care and safeguarded against misuse. At the very least, you should have the right to be informed when your personal data will be, is being, or has been collected and shared.

But in many cases, that’s not happening. Your data is collected, bought, and sold by hundreds of companies – from big tech to advertisers to data brokers – without your knowledge or consent. Everywhere you go and everything you do online leaves digital breadcrumbs that form an entire digital profile (exposing more personal data than you can even imagine) that is for sale without your knowledge or consent. That data is used to influence the information you see, how you spend your time and money, the prices you pay for products and services, and even how you vote!

Data Privacy vs Data Security

You may think you are taking the necessary precautions to secure your data – using complex passwords, installing a VPN (Virtual Private Network), deploying biometric authentication on your mobile devices. But data security and data privacy are two different sides of the coin. Security refers to the ways we protect ourselves, our property and personal information. It’s the first level of defense against unwanted intruders. Data Privacy is our ability to control access to our personal information.

The global pandemic has shifted how we work, shop, and interact, heightening data security risks and exposing your personal data more than ever before. Results of a recent poll released by the Associated Press-NORC Center for Public Affairs Research and MeriTalk revealed that most Americans don’t believe their personal data is secure online. Half of Americans believe their private text conversations aren’t secure, and 64 percent say their social media activity is not very or not at all secure. About the same number of respondents have similar security concerns about online information sharing their physical location.

Consumers aren’t just concerned about companies collecting their data; they are worried about how their data may be compromised or sold to other parties. And they should be! Just this year alone, there have been multiple incidents that have compromised Americans’ personal data.

Most recently, the Federal Trade Commission (FTC) issued a warning that health apps and devices that collect or use personal health information must comply with rules requiring them to notify consumers if their health data is leaked. “Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” said FTC chair Lina Khan.

On August 17, mobile data provider T-Mobile disclosed that its systems had been breached and that the data of millions of its current and former customers was compromised. The hackers obtained users’ names, SSNs, addresses, dates of birth, and driver’s license/ID information.

According to security firm Risk Based Security, there were 1,767 publicly reported breaches in the first six months of 2021, which exposed a total of 18.8 billion records.

In the U.S., the data collected by the vast majority of products people use every day isn’t currently federally regulated and many companies are pretty much free to do what they want with the data, unless a state has its own data privacy law. But in most states, companies can use, share, or sell any data they collect about you without notifying you that they’re doing so. Furthermore, if a company shares your data (even sensitive data, such as your health or location) with third parties, those third parties can further sell it or share it without notifying you.

And don’t even get me started on privacy policies! The entire U.S. Constitution is only 4,543 words. Most privacy policies contain never-ending paragraphs of legalese that people don’t understand and that take a lot of time to read through. It’s even more challenging when using a mobile device! If you are like the majority of us mere mortals, you’re not taking the time to read these lengthy and complex disclosures.

Data Privacy Champions

“With great power comes great responsibility.” This often-repeated adage, popularized by Stan Lee’s writing in Spider-Man, applies to anyone who collects and manages sensitive information, identity, and personal data. Spider-Man, like many comic book superheroes, is diligent about protecting the identity of his alter ego, Peter Parker. He represents you, the consumer, who has the power to safeguard your own privacy and identity in new ways. New laws and policies are being proposed and enacted by federal and state legislatures to help you fight for your right to protect your personal data.

In November 2020, the California Legislature passed the Consumer Privacy Rights Act (CPRA), which goes into effect on January 1, 2023. The CPRA amends and expands the existing California Consumer Privacy Act (CCPA), which took effect January 1, 2020. The CPRA clarifies that people can opt out of both the sale and the sharing of their personal information with third parties. Other states are following in California’s footsteps.

New York is taking steps to enact its own consumer privacy legislation. The state’s Data Economy Labor Compensation and Accountability Act would establish the Office of Consumer Data Protection to create and enforce data protection rules. The New York law would tax Google, Facebook, and other companies for using and monetizing consumer data. Another bill that just became law on August 29 in New York regulates data collected by food delivery apps. That law goes into effect in December.

Colorado recently enacted a new comprehensive data privacy law, the Colorado Privacy Act (CPA), which goes into effect on July 1, 2023. The CPA extends consumer data protections and business compliance obligations in a manner similar to the California Consumer Privacy Act.

Ohio also recently introduced a comprehensive consumer privacy bill, the Ohio Personal Privacy Act (OPPA). The OPPA outlines multiple consumer rights, including rights for access and deletion, as well as an opt-out right for the sale of personal data.

The federal government is taking steps toward passing an overarching bill to legislate consumer data. The Social Media Privacy Protection and Consumer Rights Act is designed to protect and empower consumers by allowing them to make choices about how companies use their data and inform them of how they can protect personal information. It would also require social media platforms to provide service agreements written in simple terms users can understand when agreeing to using the platforms. In addition, if passed, the bill will require websites to notify users within 72 hours if their website suffers a data breach.

Europe is way ahead of the U.S. with its single piece of legislation, the General Data Protection Regulation (GDPR), which provides the strongest protections established for consumer data. The GDPR requires companies to ask for permission before sharing data and gives individuals the right to access, delete, or control the use of that data. Privacy activists have been campaigning for a U.S. GDPR-style federal privacy law to replace the multifarious federal and state laws in place at present.

The mix of laws the U.S. does have is designed to target only specific types of data in special circumstances, and those laws go by acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA. How many of you did (or will) drop those terms into a Google search? Not only does the average American not know what all those acronyms mean, they have no idea what rights they do and don’t have under them.

Even as laws governing data remain ever evolving, what I’m championing is that consumers will be the superheroes in this story when they take back control over their own data.

You can start defending your data today by practicing the following data privacy tips from the National Cyber Security Alliance (NCSA):

Personal info is like money: Value it. Protect it. Information about you, such as your purchase history or location, has value — just like money. Be thoughtful about who gets that information and how it’s collected through apps and websites. You should delete unused apps, keep others current and review app permissions.

Share with care. Think before posting about yourself and others online. Consider what it reveals, who might see it and how it could be perceived now and in the future.

Own your online presence. Set the privacy and security settings on websites and apps to your comfort level for information sharing. Each device, application or browser you use will have different features to limit how and with whom you share information.

Think before you act. Information about you, such as the games you like to play, your contacts list, where you shop and your geographic location, has tremendous value. Be thoughtful about who gets that information, and understand how it’s collected through websites and apps.

Safeguarding Your Children’s Privacy

Facebook’s recent announcement that it plans to launch an Instagram for kids under the age of 13 has put children’s privacy in the headlines and at the forefront of parents’ minds.

In 2017, Facebook, which owns Instagram, launched Messenger Kids for children between the ages of 6 and 12. At that time a group of more than 95 children’s health advocates sent a letter to Facebook CEO Mark Zuckerberg. The group urged the CEO to discontinue the Messenger Kids platform, citing research that “excessive use of digital devices and social media is harmful to children and teens, making it very likely this new app will undermine children’s healthy development.” While studies have shown that the use of digital devices and social media can have a negative impact on a child’s development, the growing concern today is protecting children from online predators and other privacy risks. In 2019, a bug was discovered in Messenger Kids that enabled children to join groups with strangers, despite Facebook’s claims that the product had strict privacy controls. The Messenger Kids platform remains active today.

In response to the planned release of Instagram for Kids, more than 40 state attorneys general sent a letter to Zuckerberg urging him to scrap the preteen social media app. “Facebook has historically failed to protect the welfare of children on its platforms,” the attorneys general wrote. As we publish this article, it remains to be seen if the tech conglomerate will move forward with yet another platform designed explicitly for children that puts their safety and privacy at risk.

Targeting Children – There’s an App for That Too!

Social media sites aren’t the only ones targeting young kids and putting children’s privacy at risk. In April, lawmakers called for the Federal Trade Commission (FTC) to investigate Google for marketing apps in its Play Store as part of Google’s Designed for Families program. The program promotes apps that the tech firm claims are compliant with the Children’s Online Privacy Protection Act (COPPA), the law that regulates user data collection from sites with users who are under 13 years old. However, recent research conducted by child advocacy nonprofits that examined more than 150 of the program’s apps found that almost half of them share user data with outside parties. “The FTC must use its full authority to protect the interests of children,” said the lawmakers in their letter, urging the FTC to investigate whether the Google Play Store “has engaged in unfair and deceptive practices that mislead parents and harm kids.”

Take Proactive Steps to Protect Your Children’s Privacy

With today’s kids increasingly using digital devices and connecting beyond their network of local friends to unknown online communities, there are steps you can (and should) take to help safeguard your children’s privacy and security, regardless of their age.

  1. If you haven’t already, start building digital skills. The tween years are critical to preparing your child to eventually spend more time on social platforms for kids over 13. In addition to privacy, consider other important topics such as digital literacy, cyberbullying, online scams, and other online risks.
  2. Keep an open dialogue with your children. Communicate with your kids about their social media and app use. Make sure they know your expectations for their online behavior and the limits you set for them that they must abide by.
  3. Educate them on the risks. Discussing the risks the internet presents can help your kids understand why your rules are important and make it easier for them to spot warning signs. Remind them that not everyone is who they say they are online, and to never meet an internet friend in real life without extreme caution and parental supervision. Make sure they understand that links and downloads can lead them to phishing scams, viruses, or malware.
  4. Set Guidelines for Social Media Use. Have a conversation with your kids about what they’re allowed to post, the accounts they follow, and how often they’ll be allowed to use social media. Frankly discuss what kinds of things they should look out for online, including bullying, predatory behavior, and inappropriate content.
  5. Discuss personal privacy and monitor your child’s privacy settings regularly. One of the biggest risks to kids online is privacy and how social networks collect and use kids’ data. It’s never too early to start talking about privacy and ways to reduce your family’s digital footprint. Some platforms make profiles public by default, so it’s best to check out their privacy customization options. In particular:
    • Location privacy: Apps can share the geographic location of your child, and you probably want to keep that feature disabled.
    • Private profile: The less information a stranger can view publicly about your children, the better. Use privacy settings to ensure the platforms don’t showcase your kid’s real name, age, birthday, phone number, or other information that can be used to target them. Keep tabs on what they’re posting as well. Children should be advised not to publicly post private details such as your home address, for example when inviting people to a birthday party. Also, talk to them about not accepting friend requests from people they don’t know!
  6. Install content filters: It’s all too easy for children to stumble across sexually explicit or otherwise inappropriate content online. Set their profiles to block at least a portion of the age-inappropriate social media out there.
  7. Monitor app activity and permissions. When using apps, make sure your children are aware that accepting permission requests – to access their phone’s camera or microphone, for example, or to turn on location services – makes their device vulnerable. They should be taught to think about whether the permissions sought by an app are necessary, i.e., why would a puzzle game need to access their camera or location? And they should be instructed to close apps when they finish using them. Apps that continue to run in the background when not in use can continuously track your child’s location and usage.

It’s More Essential Than Ever to Safeguard Your Children’s Privacy

With school and many extracurricular events – and even in-person playtime with their pals – significantly reduced this past year, kids are spending increasingly more time indoors and online. Predators and other nefarious actors leverage social platforms, games, and video-sharing apps to target children with harmful or age-inappropriate content. They may also send private messages via these channels that can trick unwitting youngsters into giving up their personal information. As a parent, it’s your job to guide and protect your kids as they navigate the ever-evolving (and risky!) online landscape to ensure they become responsible and safe digital citizens.

Digital Spring Cleaning

The days are getting longer and the nights shorter. Daffodils are blooming and birds are chirping. Spring is in the air! Cracking open the windows to let the warm breeze in, it’s also the time of year when many homeowners participate in the annual rite of passage known as spring cleaning. As you dust and de-clutter your home this spring, don’t forget to do some digital spring cleaning as well.

Just as clearing out the cobwebs and freshening up the floors of your physical space leaves your home sparkling and fresh, digital spring cleaning can free up more space, improve your privacy and security, and ensure that your data and the devices your family uses at home are not only more efficient, but safer!

First and Foremost: 3 Essential Steps to Safeguard You from Cyber Criminals

Lock Down Your Login. One of the first things you should do is ensure that passphrases for your accounts are lengthy, unique, and safely stored. Enable 2-factor authentication on all accounts that offer it.

Update Your Software. Even if it may seem inconvenient at the time, don’t postpone critical software updates. Keeping your security software, web browsers, and operating systems current is one of the easiest ways to protect your data.

Back IT Up. Protect your data by making backups of your most important files. Use the 3-2-1 rule to help guide you: 3 backup copies, 2 different media types, 1 offline and in a separate location.

7 Action Steps to Spring Clean Your Digital Devices

Digital devices, including smartphones, iPads, laptops, Kindles, and even TVs, cars, and baby monitors, store personal data. You can speed up your devices and secure the personal data they hold with these digital spring cleaning activities.

  1. Update your logins and passwords – With the treasure trove of personal and private information that is stored online and vulnerable to cyber threats, your login credentials are the key that provides access to much of your personal information. Do a sweep of your accounts and review the logins to make sure you use strong and unique passwords and have enabled the strictest authentication options available. If you are using the same password for multiple sites – STOP! That is one of the easiest ways for a criminal to get access. Choose a unique password for every device and website.
  2. Review and update privacy and security settings on your accounts – Many of us select privacy and security settings when initially creating an account and then never look at them again. Right now is a great time to go through your accounts to check that you have enabled the strongest possible security settings. Be sure that only the people you want to see your information on social media sites, and no one else, are able to.
  3. Clean up the files stored on your devices – Just as you would shred paper files that contain personal information, clean out your digital files as well. Delete old and unused files, downloads, apps, pictures, and emails from your devices. You can permanently delete the files by using a program that wipes them off the device’s hard drive.  
  4. Delete unused programs and apps – Delete any unused programs or apps on your mobile devices and computers. Some apps require large amounts of storage, can introduce new vulnerabilities, and may even slow things down. The fewer apps you have, the more secure your system and your information. Many devices show you how long it has been since you’ve used an app – if it has been more than a few months, chances are you don’t need the app!
  5. Brush up your browser settings: Review any and all add-ons or plugins installed in your browser. Review the permission settings. Do the plugins really need access to your location, passwords, or contact lists? If you are no longer using certain plugins, delete them.
  6. Scrub social media: Check out your online presence and own it. Review your privacy settings and delete any photos and videos that are no longer accessed or needed. Limit how much information you share, and with whom you share it.
  7. Eliminate excess email: Perform an email file purge, delete what you don’t need, and organize what you do. Pay particular attention to any sensitive documents, such as those with your date of birth or Social Security number, and permanently delete those!

The National Cyber Security Alliance (NCSA) has a downloadable Digital De-Clutter Checklist you can save and use to check off your digital spring cleaning tasks at home as well as at the office.

5 Steps to Secure Your Mobile Device

Instead of being chained to a desk and PC (or Mac) or even a laptop, people are increasingly connecting for work, play, and entertainment “on the go” via smartphones and other mobile devices. According to Pew Research, nearly all Americans (97%) own a cellphone of some type, and 85% own smartphones. The number of smartphone users worldwide is 3.8 billion, and that number is projected to increase to 4.3 billion in 2023.

[Chart: Number of smartphone users worldwide from 2016 to 2023 (in billions), Statista]

Today, 15% of American adults are “smartphone-only” internet users – meaning they own a smartphone, but don’t have traditional home broadband service. More than 50% (2 billion) of smartphone users worldwide exclusively access the internet through their smartphones.

Mobile Threats are Real…and on the Rise

Mobile devices inherently put users’ data privacy at risk. Carrying a smartphone is like being tracked by an ankle bracelet! Just as your PC is vulnerable to viruses, malware, and spyware, mobile devices are even more susceptible to a variety of threats. Contrary to popular belief, existing mobile device security does not fully protect your data, even if you use an iOS (Apple) device. Whether you use an Android or Apple device, the following are ever-present risks you need to be aware of:

Mobile devices are easily lost or stolen. The devices are valuable not only because the hardware itself can be sold on the black market, but more importantly because of the sensitive personal and even financial information they may contain, which can also be sold to nefarious buyers.

Malicious apps can be created by almost anyone. These apps are designed to allow hackers to access your information. Even legitimate software can be exploited for malicious gain.

Malware and Spyware can be installed on your phone without your knowledge. Malware can make changes or send unsolicited messages to your contacts, or even give an attacker control over your device. Spyware collects or uses your private data, such as browser history, location, and more, that can be used for identity theft or fraud.

Privacy Threats may be caused by applications that are not necessarily malicious but that gather or use sensitive information (e.g., location, contact lists). That information may be necessary for the app to perform its function, but it could also be shared with third parties who don’t necessarily need your data.

The more people use their mobile devices, the more mobile security threats will increase as hackers and trackers target the vast amount of data that is being stored and shared on these devices.

5 Steps You Can Take to Secure Your Mobile Device

  1. Use Screen Lock. Even if you are obsessively careful with your device, life happens. You could inadvertently leave your phone somewhere or drop it out of your pocket. Having the screen lock set gives you time to locate the device before your data is breached.
  2. Only Download Reputable Apps. As a basic rule, only download apps from reputable sources, such as Google Play or the iOS App Store. Even that is no guarantee, so check the reviews and research the app before downloading it.
  3. Disable App Permissions. Review app permissions when you download a new app, and periodically afterward, to make sure apps only have access to the data they absolutely need.
  4. Never Connect to Public Wi-Fi. When you connect to a Wi-Fi network, all your data is transmitted through it. If you connect to an open Wi-Fi network that doesn’t require a password, your online activities could be intercepted by malicious entities or even other nearby devices.
  5. Install Privacy-Conscious DuckDuckGo. If you’re using Chrome as your web browser and Google as your search engine, your online activity is constantly being tracked. Switch to another search engine that offers greater privacy protections, such as DuckDuckGo. You can change your default search engine from Google to DuckDuckGo, or do away with Chrome altogether and download the DuckDuckGo app.

Operation Data Privacy Defense

From the time you joined the U.S. armed forces and solemnly swore to support and defend the Constitution of the United States against all enemies, foreign and domestic, the military has prepared you to fulfill that mission. You are armed with the training, knowledge, skills, and weapons to launch an effective defense against enemy forces.


Aside from defending our nation on the front lines of conflicts around the globe, there are other threats that all Americans and members of the military face today. Unseen forces are overtaking the technological landscape — and their target is you and your family. Active duty military members, veterans, and their families are increasingly being targeted by online scams, predatory ads, and data thieves. And it’s not just these nefarious characters you need to be on guard against. Big tech and data brokers are tracking you and listening to your private conversations to manipulate your thoughts, your actions, and even your votes!

In 2017, the fitness-tracking app Strava released a publicly available “heat map” of user activity, including location data uploaded by military members stationed at military bases in Afghanistan. By unwittingly disclosing usage data to Strava, service members also revealed critical habit patterns to potential attackers. Many other popular personal and IoT devices that you use daily track and report user data, putting you and your family at risk.

Early this year, the DoD confirmed that a 2019 breach of a Defense Information Systems Agency (DISA) computer system exposed the personal data of 200,000 service members. In September, the Department of Veterans Affairs (VA) Office of Management disclosed a data breach involving the personal information of approximately 46,000 veterans.

In order to fight back against data theft and tracking, you need an operational plan and a weapon.

Join forces with Winston Privacy to defend yourself against big tech and other online hostiles who take advantage of your military service and steal your personal information for their illicit gain.

Winston Privacy was founded in 2017 by former digital “Ad Man” Richard Stokes after he discovered how digital advertising platforms were collecting the various digital bread crumbs we drop every day into a modern surveillance equivalent of a credit report… and he didn’t like what he saw. “I saw platforms which were stitching together individual users, identifying virtually everything about them and even exposing their locations in real-time,” says Stokes. So he decided to do something about it and down the privacy rabbit hole he went. He emerged with a mission and a comprehensive privacy weapon to complete that mission — Winston.

Winston Privacy

Armed with a Winston Privacy data filter, you can defend yourself and your family from unwanted intruders. Trackers, spies, and hackers are gone in just a few minutes. The device sits inline with your router and protects every device on your WiFi — all computers, tablets, phones, and internet-enabled devices. It also has a software component that is updated on an ongoing basis to ensure that your protection is current. This defensive device provides:

  • Traffic analysis: Automatically assigns a privacy risk score to each site, blocking unnecessary connections that pose the greatest threat to your online privacy.
  • Blocklists: Automatically blocks connections to sites known as security threats. It is also equipped with a managed blacklist. You can add customized lists and choose from well-known third-party blocklists, including advanced filters for blocking objectionable sites you don’t want your kids to see.
  • Encrypted DNS: Internet Service Providers (ISPs) use DNS lookups to spy on you and generate metadata profiles. Winston automatically encrypts the DNS lookups of all the devices on your network, preventing your ISP from tracking your browsing activity, and protecting your devices from pervasive DNS Rebinding attacks.
  • Distributed Privacy Mesh Network: Optional access to a virtual, distributed private network with no logging. This network scrambles your internet activity with up to 30 anonymous users, making it incredibly difficult to track your IP address to a physical location.
  • Browser Extensions: Modify or block suspicious tracker cookies, protecting your browser history from prying eyes. They also automatically detect and block sophisticated browser fingerprinting techniques, which exploit manufacturing differences between otherwise identical hardware devices to determine who you are, even if you’re blocking cookies, browsing in incognito mode, or using a VPN.
  • Mobile Protection: Winston will soon release a mobile app that will provide protection for your mobile devices no matter where you are.
  • More than a VPN: VPNs are terrific for protecting file-sharing services and unlocking content. But they don’t do privacy very well. Trackers don’t need your IP address to build a profile on you and hit you with ads. And if you’ve used VPNs, you know they tend to be slow. Winston is not. Winston stops the junk (advertising, tracking, and other annoyances), meaning your computer and network have to do less work. Less bloat means faster browsing speeds.

Winston is a U.S. company, headquartered in Chicago, with some members working remotely. Nearly half of the team are military veterans. Chief among their core values is “Extreme Ownership,” based on the book of the same name written by former Navy SEALs Jocko Willink and Leif Babin. The Winston Privacy Filter is designed, packaged, sold, and shipped in the U.S. Most important, it is a zero-knowledge platform. Winston was founded on the belief that you have the right to live your life without being watched, packaged, and sold. There is no logging or knowledge of your internet activity by anyone other than you. In fact, their technology is designed specifically so that even they cannot see or decrypt your internet activity.

Originally published on SOFREP.com for Winston Privacy