It’s already the second month of 2021 – have you had some time to figure out your 2021 professional development goals? Here are a couple of privacy training opportunities for you or to pass along to your colleagues!
Library Data Privacy Fundamentals (February 16 – March 15, 2021) – This month-long course (taught by Becky Yoose of LDH) will go through the foundations of library data privacy for library workers who are new to the library world or wish to strengthen their core understanding of library data privacy. We’ll cover the basics of the data lifecycle, privacy policies and procedures, and vendor privacy management. The course will also explore the “what” and “how” in communicating privacy to both patrons and library colleagues, including administrators.
Library Freedom Project Crash Courses – The Library Freedom Project will be offering a pair of free two-month courses during the summer and fall of 2021. Their first Crash Course, Systems & Policies (May -June 2021), will dive into privacy and data governance policies, privacy audits, vendor privacy management, and working with IT. The second Crash Course, Programs & Training (September-October 2021) will cover how to teach privacy to patrons and library staff alike, including creating privacy programs. These courses are free, but there is an application process. Applications for both courses will open in March 2021.
PLP Data Privacy and Cybersecurity Training for Libraries – Hello to all the Pacific Library Partnership (PLP) member libraries reading right now! You might have attended one of the trainings last year as part of the Data Privacy Best Practices for Libraries project. If you want to learn more about how to train your library in data privacy and security, you’re in luck – thanks to continued funding through LSTA, we are happy to announce our second year of the project and our Train-the-Trainer series!This year we are offering two month-long training series on Data Privacy (offered in March and April 2021) taught by Becky Yoose of LDH and Cybersecurity (offered in April 2021) taught by Blake Carver of Lyrasis.
Don’t fret if the course dates don’t work for you – we will keep you posted throughout the year of additional library privacy-related professional development. Stay tuned!
People sometimes ask what keeps privacy professionals up at night. What is that one “worst-case scenario” that we dread? Personally, one of the scenarios hanging over my head is insider threat – when a library employee, vendor, or another person who has access to patron data uses that data to harm patrons. A staff person collecting patron addresses, birthdays, and names to steal the patrons’ identities is an example of insider threat. Another example is a staff person accessing another staff’s patron records to obtain personal information to harass or stalk the staff member.
Last week, an IT employee at NCSU was doxed as a local leader of a white supremacist group. This person, who worked IT for the libraries in the past, doxed individuals, including students in his own university, to harass and, in some cases, incite violence toward the people being doxed. As an IT employee, this person most likely had unchecked access to students, staff, and faculty personal information. It wouldn’t be a stretch to say that he still had access to patron information, given his connections to the library and his IT staff position.
Libraries spend a lot of time and attention worrying about external threats to patron privacy: vendors, law enforcement, even other patrons. We forget that sometimes the greatest threat to patron privacy works at the library. Library workers who have access to patron data – staff, administration, board members, volunteers – can exploit patrons through the use of their data for financial gain in the case of identity theft or harm them through searching for specific library activity, checkouts of certain materials, or even names or other demographic information with the intent to harass or assault. The reality is that there might not be many barriers, if at all, to stop library workers from doing so.
The good news is that there are ways to mitigate insider threat in the library, but the library must be proactive in implementing these strategies for them to be the most effective:
Practice data minimization – only collect, use, and retain data that is necessary for business operations. If you don’t collect it, it can’t be used by others with the intent to harm others.
Implement the Principle of Least Privilege – who has access to what data and where? Use roles and other access management tools to provide staff (and applications!) access to only the data that is absolutely needed to perform their intended duty or function.
Regularly review internal access to patron data – set up a scheduled review of who has what access to patron data. When an employee or other library worker/affiliate changes roles in the organization or leaves the library, develop and implement policies and procedures in revoking or changing access to patron data at the time of the role change or departure.
Confidentiality Agreements For Library Staff, Volunteers, and Affiliates – your privacy and confidentiality policy should make it clear to staff that patrons have the right to privacy and confidentiality while using library resources and services. Some libraries go further in ensuring patron privacy by using confidentiality agreements. These confidentiality agreements state the times when patron data can be access and the acceptable uses for patron data. Violation of the agreement can lead to immediate termination of employment. Here are some examples of confidentiality agreements to start your drafting process:
Regularly train and discuss about privacy – ensure that everyone who is involved with the library – staff, volunteers, board members, anyone that might potentially access patron data as part of their role with the library – is up to date on current patron privacy and confidentiality policies and procedures. This is also an opportunity to include training scenarios that involve insider threat to generate discussion and awareness of this threat to patron privacy.
A note about IT staff, be it internal library IT staff or an external IT department (campus IT, city government IT, or another form of organizational IT) – Do not automatically assume that IT staff are following privacy/security standards and policy just because they are IT. Now is the time to discuss with your IT connections about their current access is and what is the minimum they need for daily operations. However, even if the IT department practices good security and privacy hygiene (such as making sure they follow the Principle of Least Privilege), any IT staff member who works with the library in any capacity must also sign a confidentiality agreement and be included in training sessions at the very minimum.
A data inventory is a good place to start if you are not sure who has access to what data in the library. The PLP Data Privacy Best Practices for Libraries project has several templates and resources to help with creating a data inventory, assessing privacy risks, and practical actions libraries can take in reducing the risk of an insider threat.
Libraries serve everyone. We serve patrons who are already at high risk for harassment and violence. Libraries must do their part in mitigating the risk that insider threat creates for our patrons who depend on the library for resources and support. Otherwise, we become one more threat to our patrons’ privacy and potentially their lives or the lives of their loved ones.
What does the toolkit cover? The topics range from the data lifecycle and managing vendor relationships to creating policies and procedures to protect patron privacy. The toolkit covers specific privacy concerns in the library, including law enforcement requests, surveillance, and data analytics. We also get to meet Mel and Rafaël, two library patrons who have unique privacy issues that libraries need to consider when thinking about patron privacy. At the end of the toolkit is an extensive resource section with library privacy scholarship, professional standards, and regulations for further reading.
This toolkit is part of a larger group of resources, including templates and examples libraries can use to develop contract addendums, privacy policies and procedures, and data inventories and privacy risk assessments. In short, there are a lot of resources that are freely available for you to use in your library! Please let us know if you have any questions about the project resources.
Finally, stay tuned – the project is going into its second year, focusing on “train the trainer” workshops for both data privacy and cybersecurity. We’ll keep you updated as more materials are published!
Today marks the second day of NaNoWriMo – National Novel Writing Month. For years many aspiring (and established) writers spend countless hours writing to reach the goal of a 50,000-word manuscript. If you do the math, you would have to write about 1700 words a day to reach the goal! Novels are the primary genre for NaNoWriMo, but that hasn’t stopped others from taking the idea of a writing month and using it for other genres. For example, this month is also AcWriMo, or Academic Writing Month, for academics who need to buckle down to write that research book or article.
With November being the month of writing, why not join in the fray with writing about data security and privacy? Our recent Cybersecurity Awareness Month posts discussed the importance of interactive and engaging training, so the question now is how you can build a data security and privacy training that won’t put staff to sleep, or worse, demotivate them from taking proactive privacy and security measures to protect patron data. One way to create engaging training is to use stories and scenarios. Drawing from real-world examples is a start, but the challenge is turning that example into a scenario where training participants are invested in addressing the problems presented in the story. Here are a few tips to help you with the writing process!
Characters – who are the major players in the scenario? Staff person, patron, vendor, random person who comes off the street, the cat who keeps sneaking into the library building? Once you have the characters, what roles do they play? What are their motivations? Why do they do the things they do or think the way they think?
So many questions, even for a short scenario! Take a page from User Experience (UX) and create personas to help with the character-building process. Even a shortlist of who they are, what motivates them, what they want, and what they know can help hone the scenario narrative as well as introduce common types of motivations, knowledge/skill levels, and different types of threat actors or people that might face additional privacy risks to training attendees.
Story – Your real-world examples or the case studies you learn from others are two good places to start. That shouldn’t stop you from exploring building scenarios from scratch! Or perhaps you would like to modify the real-world examples into a scenario that would be a better fit for the training you’re developing. One concept to explore for your scenario is threat modeling, or identifying potential weaknesses at the library (systems, procedures, policies, etc.), who or what might take advantage of the weakness, and what can be done to either avoid or mitigate the threat. The threat modeling process can uncover a complex web of threats and vulnerabilities that interact with each other. On the other hand, it could lead to valuable conversations with trainees about how one vulnerability can create a ripple effect if exploited, or how a threat actor isn’t always acting with malicious intent. Sometimes the most dangerous threat actors are not aware that they are putting data privacy at risk such as a staff person with good intentions sharing patron data without knowledge of patron privacy procedures.
Visual aids – What’s a story without visual aids? You might not have the resources or acting chops to create scenario videos, but there are always pictures to give life to your characters and scenarios. Luckily, there are several Creative Commons licensed resources to choose from:
There are a lot more you can do with building scenarios for your data privacy and security trainings, but these three areas will hopefully get you started down the path of becoming an accomplished author… of training scenarios 😉 Enjoy your writing journey, and good luck!
We learned last week that cybersecurity training is not as simple as choosing a particular training and rolling it out – training methods, goals, and context all determine the effectiveness of the training. While interactive training engages trainees and helps with understanding and motivation, the type of interaction matters. Simulations such as the phishing simulation test can backfire if not planned and deployed with care, but other types of interactive training engage users in a more controlled space and minimize unintended consequences… and you might level up in the process.
What does gamification look like in security and privacy training? Here are a few examples that you can use for both staff and patrons:
Tally Saves the Internet – This browser extension turns the Internet into a turn-based RPG where you fight an invisible enemy – online trackers. Players not only gain points and badges for fighting these online tracker monsters but also actually blocks trackers 😊
Cybersecurity Training for Youth Using Minecraft: A Field Guide – You can use existing games to teach cybersecurity, too! This field guide provides ways in which library staff can use Minecraft to teach patrons threat modeling in a way that doesn’t require prior knowledge of cybersecurity concepts but instead uses an environment the patrons might already be familiar with in their daily lives.
Tabletop exercises – unlike the other two examples above, tabletop exercises (TTE) have been around for a while in the cybersecurity world. One common TTE in cybersecurity is incident response, going through how an organization would respond to a particular scenario, such as a data breach. Think of it as a one-shot TRPG, but you role play as yourself, and your abilities and inventory consist of whatever policies, procedures, and resources you have in your organization at that moment. You can include other gaming elements and methods within TTE, such as Lego Serious Play, for additional collaborative/competitive opportunities in the scenario.
Cybersecurity games – There are several off-the-shelf cybersecurity games that you can use in existing training or at game night at your library!
There are many paths to incorporate game elements into cybersecurity training, so the best approach to take is to, well, play around and find which ones best fit your training audience. Don’t forget to have fun in the process, and may the dice roll in your favor!
October is a very important month. Not only does October mean Halloween (candy), it also means Cybersecurity Awareness Month. This month’s TotH posts will focus on privacy’s popular sibling, security. We start this month by focusing on one common “trick” – phishing – and why not all cybersecurity training is created equal.
We wrote more about phishing in a previous post if you need a refresher; the tl;dr summary is that phishing is a very common attack method to gain access to a variety of sensitive systems and data by pretending to be an email from a trusted source (business or person). Phishing can be very costly on both a personal level (identify theft) and an organizational level (ransomware, data breach, etc.), so it’s no wonder that any digital security training spends a considerable amount of time on teaching others on how to spot a phishing email and what to do to prevent being phished.
It turns out that this type of training, for the amount of time spent in covering avoiding phishes, might not be as effective, and in some cases, can actively go against the goal of the training itself. A good portion of cybersecurity training comes in the way of lectures or an online web module, where users listen/read the information and are then tested to assess understanding. While that has been the main mode of training in the past, lecture/quiz style training, trainers realize that interactive training that goes beyond this model can be more effective in knowledge retention and understanding.
A growing number of organizations are using another type of security training – sending out phishing emails without warning to their employees. The phishing email, created by an external cybersecurity training company or by the local training team, would be sent out to spoof ether an organizational email or an email from a trusted source. This live test, theoretically, would more accurately assess employees’ knowledge and awareness of phishing methods and provide on-the-spot results, which could include corrections or remedial training. There are a variety of vendors offering both free and paid tools and services, such as KnowBe4 and PhishingBox.
Simulated phishing tests appear like a great addition to your organization’s training approach; however, these simulated tests can backfire. One way it can backfire is turning staff against the organization. One recent example of this comes from a simulated phishing email sent to Tribune Publishing staff, promising staff a chance of a company bonus if they clicked on the enclosed link. This email was sent out after staff went through furloughs and other drastic budget cuts, and the staff reaction to this email led to further erosion of trust between employees and administration. The debate extended to the security field, questioning the ethics of using content that otherwise is used in common phishing emails in an organization where employees went through considerable stress due to budget cuts.
The use of simulated phishing tests will be the topic of debate for some time, but this debate presents two takeaway points to consider for any type of cybersecurity training:
Context and methods matter – simulated tests can be effective, but the test’s logistics – including timing and content – can work against the desired outcomes of the trainers. Trainers should also consider the current state of the organization, such as staff morale and major crises/events in the organization, in choosing and developing cybersecurity training for staff. Another thing to consider is the effectiveness of training methods, including how often training has to be repeated to keep staff current on cybersecurity threats and procedures.
Positive reinforcement – positive reinforcement, such as awarding staff members who do not click on the test phish email, can help with creating a more security-conscious organization.
Next week we will dive into another type of cybersecurity training that is a simulation of another kind – stay tuned!
Even if the groundhog in your area didn’t see their shadow yesterday, we in the Northern Hemisphere still have a long winter ahead of us. How will you spend the long winter nights for the next few months? Might we suggest that you stay inside where it’s warm and watch a film? Better yet, make that film about privacy! Here are some privacy film recommendations depending on what you’re looking for:
For library programming about data and privacy – Screening Surveillance [Content warning – suicide, mental health illness] is a grant-funded project to raise awareness around big data and surveillance. The project produced three short films – 10 minutes in length each – approaching specific issues of data sharing, data ownership, and sensor and facial recognition software. These three short films come with facilitation guides that help audiences process and discuss the specific issues raised in each film.
For a succinct introduction into general privacy concepts – Privacy International’s Privacy 101 is a series of short animated videos introducing viewers to the concept of privacy as well as various topics in privacy, including metadata, big data, and data protection. These videos are a good way to acquaint someone with privacy concepts, in short, bite-sized portions. These videos are short enough that you can use these videos in staff training or discussions around privacy, as well as any public programming around data security and privacy.
For when the college instructor gives you the entire class session to teach their class about privacy – The Power of Privacy by The Guardian is a 30 minute documentary about the major challenges to privacy in the digital age. The film provides a balance between the historical “how did we get here?” and the present and near-future realities of data privacy. Library workers have choices in using this film to teach privacy, either by choosing to show segments to focus on specific topics, like phishing or IoT, or show the entire film for a holistic view of the current issues around data privacy.
For the library worker who is trying to navigate student privacy – Student privacy is governed by additional regulations, such as FERPA, which makes protecting student patron privacy more complex in academic and school libraries than in other libraries. The School Safety and Privacy video series from Future of Privacy Forum delve into this complex topic, including approaching the creation of policies, digital equity, facial recognition in schools, and how to talk to administrators and leadership about privacy matters.
BONUS! If you want more videos on student privacy, The Student Privacy Resource Center has a playlist to meet your additional student privacy video needs.
Finally, an artistic philosophical video for your night off – Philosophy Tube’s video on Data [NSFW – language, adult topics] gets into data, surveillance, algorithms, machine learning, structural inequality, targeted advertising, monetization of data, consent, notice, data rights, and how technology shapes society and how society shapes technology (phew!). All of this takes place in a 30-minute discussion-turned-machine-learning-simulation between a bouncer and a person in front of a nightclub.
There are plenty of other videos and films on privacy not covered here, but these recommendations are just a start. If you have a privacy-related film or video that you like, reply to this email and we’ll provide a list of subscriber-recommended videos in a future newsletter.