Just Published – Data Privacy and Cybersecurity Best Practices Train-the-Trainer Handbook

Cover of the "Data Privacy and Cybersecurity Best Practices Train-the-Trainers Handbook".

Happy October! Depending on who you ask at LDH, October is either:

  1. Cybersecurity Awareness Month
  2. An excuse for the Executive Assistant to be extra while we try to work
  3. The time to wear flannel and drink coffee nevermind, this is every month in Seattle

Since the Executive Assistant lacks decent typing skills (as far as we know), we declare October as Cybersecurity Awareness Month at LDH. Like last year, this month will focus on privacy’s popular sibling, security. We also want to hear from you! If there is an information security topic you would like us to cover this month (or the next), email us at newsletter@ldhconsultingservices.com.

We start the month with a publication announcement! The Data Privacy and Cybersecurity Training for Libraries, an LSTA-funded collaborative project between the Pacific Library Partnership, LDH, and Lyrasis, just published two library data privacy and cybersecurity resources for library workers wanting to create privacy and security training for their libraries:

  • PLP Data Privacy and Cybersecurity Best Practices Train-the-Trainer Handbook – The handbook is a guide for library trainers wanting to develop data privacy and cybersecurity training for library staff. The handbook walks through the process of planning and developing a training program at the library and provides ideas for training topics and activities. This handbook is a companion to the Data Privacy Best Practices Toolkit for Libraries published last year.
  • PLP Data Privacy and Cybersecurity Best Practices Train-the-Trainer Workshops (under the 2021 tab) – If you’re looking for train-the-trainer workshop materials, we have you covered! You can now access the materials used in the two train-the-trainer workshops for data privacy and cybersecurity conducted earlier this year. Topics include:
    • Data privacy – data privacy fundamentals and awareness; training development basics; vendor relations; patron programming; building a library privacy program
    • Cybersecurity – cybersecurity basics; information security threats and vulnerabilities; how to protect the library against common threats such as ransomware and phishing; building cybersecurity training for libraries

Both publications include extensive resource lists for additional training materials and to keep current with the rapid changes in cybersecurity and data privacy in the library world and beyond. Feel free to share your training stories and materials with us – we would love to hear what you all come up with while using project resources! We hope that these publications, along with the rest of the project’s publications, will make privacy and cybersecurity training easier to create and to give at your library.

Privacy Roundup – Heat Dome Edition

8:31 am - 90 degrees at SeaTac and it's 8 a.m. Here we go.
Welcome to Monday morning in Seattle. Source: The Seattle Times.

Seattle is in the middle of a record-breaking heatwave, with Monday predicted to be in the low 100s F, making this the third consecutive day of 100+ temperatures. This week’s newsletter comes to you in three short parts as we take advantage of the cooler temperatures to write.

What’s going on in Colorado?

When we last wrote, Colorado lawmakers passed the Colorado Privacy Act, making it the third state to enact data privacy regulations, behind California and Virginia. While the bill has yet to receive the governor’s signature, the privacy world is already planning for CPA. CPA stays relatively close to California and Virginia data privacy regulation, though CPA also takes some inspiration from GDPR. There is one key distinction that sets CPA apart from the other states’ laws – the inclusion (or, more accurately, the lack of exemption) of non-profit entities alongside their commercial counterparts in the scope of the Act. This inclusion could mean that many non-profit library vendors who fell outside the scope of CCPA, CPRA, and CDPA might need to assess if their data privacy practices need to change to comply with CPA.

What does compliance to CPA all entail? The charts from the National Law Review comparing CPA with GDPR and the California data privacy laws are a good place to start. The write-up on CPA from Thompson Hine LLP provides a more focused overview of Colorado’s (soon to be) new law. Finally, an IAPP article about the CPA talks about the strengths, missed opportunities, and less than stellar parts of the Act.

Privacy webinars and websites and resources, oh my!

Are you looking for library privacy webinars? How about recordings? Resources? No matter what you’re looking for, we got you covered!

  • This Tuesday, June 29th, at 4 pm Eastern Time, Safe Data | Safe Families will be hosting a free webinar sharing materials and resources to help public libraries and patrons face the challenges around data privacy and security at the library and beyond.  Even if you can’t make it to the webinar, check out the staff training resources on the website, particularly the personas you can use for your library privacy training.
  • If you missed the Health Literacy and Privacy in a Pandemic webinar series, don’t fret! You can access and download notes, graphs, and other documentation from the conference at https://healthandprivacy.com/notes/. Looking for the videos? You can watch them as well on the front page.
  • Last but not least, if you missed our founder’s keynote at the Evergreen International Conference, you can now watch the recording on YouTube. Download the slides to follow along as well as resource notes!

Reader survey

Thank you all again for those who filled out the reader survey. While we had a small number of respondents, the responses were all positive! Based on the survey, we will hold off on membership levels and monthly subscription memberships for now but will continue to provide the vast array of content to continue to be helpful in your work.

On the other hand, the Executive Assistant was slightly disappointed that more people did not demand more cat photos in the survey. We will attempt to cheer her up with a nice cool can of tuna, though that could mean changing our donation from a cup of tea to a can of tuna.

Write about library privacy (and more) at the ALA Intellectual Freedom Blog!

Is the library privacy muse inspiring you to write a blog post or two about library privacy topics? Sign up to be a blog writer for the ALA Intellectual Freedom blog! This is an excellent opportunity for those wanting to share your thoughts about library privacy to a large library audience or those looking for a service opportunity (I’m looking at you, academic library folks!). Go to the Blogger Application page to learn more about becoming a writer for the blog.

Upcoming Library Privacy Trainings

A grey and white tabby cat laying down on top of a binder of handwritten notes sitting on a table.
The cat wishes to discuss your professional development plans for 2021. Image source – https://www.flickr.com/photos/donabelandewen/3543134442/ (CC BY 2.0)

It’s already the second month of 2021 – have you had some time to figure out your 2021 professional development goals? Here are a couple of privacy training opportunities for you or to pass along to your colleagues! 

Library Data Privacy Fundamentals (February 16 – March 15, 2021) – This month-long course (taught by Becky Yoose of LDH) will go through the foundations of library data privacy for library workers who are new to the library world or wish to strengthen their core understanding of library data privacy. We’ll cover the basics of the data lifecycle, privacy policies and procedures, and vendor privacy management. The course will also explore the “what” and “how” in communicating privacy to both patrons and library colleagues, including administrators.

Library Freedom Project Crash Courses – The Library Freedom Project will be offering a pair of free two-month courses during the summer and fall of 2021. Their first Crash Course, Systems & Policies (May -June 2021), will dive into privacy and data governance policies, privacy audits, vendor privacy management, and working with IT. The second Crash Course, Programs & Training (September-October 2021) will cover how to teach privacy to patrons and library staff alike, including creating privacy programs. These courses are free, but there is an application process. Applications for both courses will open in March 2021.

PLP Data Privacy and Cybersecurity Training for LibrariesHello to all the Pacific Library Partnership (PLP) member libraries reading right now! You might have attended one of the trainings last year as part of the Data Privacy Best Practices for Libraries project. If you want to learn more about how to train your library in data privacy and security, you’re in luck – thanks to continued funding through LSTA, we are happy to announce our second year of the project and our Train-the-Trainer series!This year we are offering two month-long training series on Data Privacy (offered in March and April 2021) taught by Becky Yoose of LDH and Cybersecurity (offered in April 2021) taught by Blake Carver of Lyrasis.

Don’t fret if the course dates don’t work for you – we will keep you posted throughout the year of additional library privacy-related professional development. Stay tuned!

The Threat Within

A headshot of Chadwick Jason Seagraves with text overlay: 'Anonymous Comrades Collective - Doxer Gets Doxed: "Proud Boy" Chadwick Jason Seagraves of NCSU'

People sometimes ask what keeps privacy professionals up at night. What is that one “worst-case scenario” that we dread? Personally, one of the scenarios hanging over my head is insider threat – when a library employee, vendor, or another person who has access to patron data uses that data to harm patrons. A staff person collecting patron addresses, birthdays, and names to steal the patrons’ identities is an example of insider threat. Another example is a staff person accessing another staff’s patron records to obtain personal information to harass or stalk the staff member.

Last week, an IT employee at NCSU was doxed as a local leader of a white supremacist group. This person, who worked IT for the libraries in the past, doxed individuals, including students in his own university, to harass and, in some cases, incite violence toward the people being doxed. As an IT employee, this person most likely had unchecked access to students, staff, and faculty personal information. It wouldn’t be a stretch to say that he still had access to patron information, given his connections to the library and his IT staff position.

Libraries spend a lot of time and attention worrying about external threats to patron privacy: vendors, law enforcement, even other patrons. We forget that sometimes the greatest threat to patron privacy works at the library. Library workers who have access to patron data – staff, administration, board members, volunteers – can exploit patrons through the use of their data for financial gain in the case of identity theft or harm them through searching for specific library activity, checkouts of certain materials, or even names or other demographic information with the intent to harass or assault. The reality is that there might not be many barriers, if at all, to stop library workers from doing so.

The good news is that there are ways to mitigate insider threat in the library, but the library must be proactive in implementing these strategies for them to be the most effective:

Practice data minimization – only collect, use, and retain data that is necessary for business operations. If you don’t collect it, it can’t be used by others with the intent to harm others.

Implement the Principle of Least Privilege – who has access to what data and where? Use roles and other access management tools to provide staff (and applications!) access to only the data that is absolutely needed to perform their intended duty or function.

Regularly review internal access to patron data ­­– set up a scheduled review of who has what access to patron data. When an employee or other library worker/affiliate changes roles in the organization or leaves the library, develop and implement policies and procedures in revoking or changing access to patron data at the time of the role change or departure.

Confidentiality Agreements For Library Staff, Volunteers, and Affiliates – your privacy and confidentiality policy should make it clear to staff that patrons have the right to privacy and confidentiality while using library resources and services. Some libraries go further in ensuring patron privacy by using confidentiality agreements. These confidentiality agreements state the times when patron data can be access and the acceptable uses for patron data. Violation of the agreement can lead to immediate termination of employment. Here are some examples of confidentiality agreements to start your drafting process:

Regularly train and discuss about privacy  – ensure that everyone who is involved with the library – staff, volunteers, board members, anyone that might potentially access patron data as part of their role with the library – is up to date on current patron privacy and confidentiality policies and procedures. This is also an opportunity to include training scenarios that involve insider threat to generate discussion and awareness of this threat to patron privacy.

A note about IT staff, be it internal library IT staff or an external IT department (campus IT, city government IT, or another form of organizational IT) – Do not automatically assume that IT staff are following privacy/security standards and policy just because they are IT. Now is the time to discuss with your IT connections about their current access is and what is the minimum they need for daily operations. However, even if the IT department practices good security and privacy hygiene (such as making sure they follow the Principle of Least Privilege), any IT staff member who works with the library in any capacity must also sign a confidentiality agreement and be included in training sessions at the very minimum.

A data inventory is a good place to start if you are not sure who has access to what data in the library. The PLP Data Privacy Best Practices for Libraries project has several templates and resources to help with creating a data inventory, assessing privacy risks, and practical actions libraries can take in reducing the risk of an insider threat.

Libraries serve everyone. We serve patrons who are already at high risk for harassment and violence. Libraries must do their part in mitigating the risk that insider threat creates for our patrons who depend on the library for resources and support. Otherwise, we become one more threat to our patrons’ privacy and potentially their lives or the lives of their loved ones.

Just Published – Data Privacy Best Practices Toolkit for Libraries

Welcome to this week’s Tip of the Hat!

Today we’re happy to announce the publication of the Data Privacy Best Practices Toolkit for Libraries. This toolkit is part of the Data Privacy Best Practices Training for Libraries project, an LSTA-funded collaborative project between the Pacific Library Partnership and LDH focusing on teaching libraries the basics of data privacy. This introduction into data privacy in libraries serves as a guide for both administration and front-line workers, providing practical advice and knowledge in protecting patron data privacy.

The cover page for Data Privacy Best Practices Toolkit for Libraries: A Guide for Managing and Protecting Patron Data.

What does the toolkit cover? The topics range from the data lifecycle and managing vendor relationships to creating policies and procedures to protect patron privacy. The toolkit covers specific privacy concerns in the library, including law enforcement requests, surveillance, and data analytics. We also get to meet Mel and Rafaël, two library patrons who have unique privacy issues that libraries need to consider when thinking about patron privacy.  At the end of the toolkit is an extensive resource section with library privacy scholarship, professional standards, and regulations for further reading.

This toolkit is part of a larger group of resources, including templates and examples libraries can use to develop contract addendums, privacy policies and procedures, and data inventories and privacy risk assessments. In short, there are a lot of resources that are freely available for you to use in your library! Please let us know if you have any questions about the project resources.

Finally, stay tuned – the project is going into its second year, focusing on “train the trainer” workshops for both data privacy and cybersecurity. We’ll keep you updated as more materials are published!

NaNoWriMo: Data Privacy Edition

A Siamese cat sitting in front of an open laptop computer.
‘Tis the season for all things writing. Your cat might have some opinions about that… Source: https://www.flickr.com/photos/cedwardmoran/4179761302/

Welcome to this week’s Tip of the Hat!

Today marks the second day of NaNoWriMo – National Novel Writing Month. For years many aspiring (and established) writers spend countless hours writing to reach the goal of a 50,000-word manuscript. If you do the math, you would have to write about 1700 words a day to reach the goal! Novels are the primary genre for NaNoWriMo, but that hasn’t stopped others from taking the idea of a writing month and using it for other genres. For example, this month is also AcWriMo, or Academic Writing Month, for academics who need to buckle down to write that research book or article.

With November being the month of writing, why not join in the fray with writing about data security and privacy? Our recent Cybersecurity Awareness Month posts discussed the importance of interactive and engaging training, so the question now is how you can build a data security and privacy training that won’t put staff to sleep, or worse, demotivate them from taking proactive privacy and security measures to protect patron data. One way to create engaging training is to use stories and scenarios. Drawing from real-world examples is a start, but the challenge is turning that example into a scenario where training participants are invested in addressing the problems presented in the story. Here are a few tips to help you with the writing process!

Characters – who are the major players in the scenario? Staff person, patron, vendor, random person who comes off the street, the cat who keeps sneaking into the library building? Once you have the characters, what roles do they play? What are their motivations? Why do they do the things they do or think the way they think?

So many questions, even for a short scenario! Take a page from User Experience (UX) and create personas to help with the character-building process. Even a shortlist of who they are, what motivates them, what they want, and what they know can help hone the scenario narrative as well as introduce common types of motivations, knowledge/skill levels, and different types of threat actors or people that might face additional privacy risks to training attendees. 

If you need more inspiration for characters, may I introduce you to Alice and Bob and their crypto-friends?

Story – Your real-world examples or the case studies you learn from others are two good places to start. That shouldn’t stop you from exploring building scenarios from scratch! Or perhaps you would like to modify the real-world examples into a scenario that would be a better fit for the training you’re developing. One concept to explore for your scenario is threat modeling, or identifying potential weaknesses at the library (systems, procedures, policies, etc.), who or what might take advantage of the weakness, and what can be done to either avoid or mitigate the threat. The threat modeling process can uncover a complex web of threats and vulnerabilities that interact with each other. On the other hand, it could lead to valuable conversations with trainees about how one vulnerability can create a ripple effect if exploited, or how a threat actor isn’t always acting with malicious intent. Sometimes the most dangerous threat actors are not aware that they are putting data privacy at risk such as a staff person with good intentions sharing patron data without knowledge of patron privacy procedures. 

Visual aids – What’s a story without visual aids? You might not have the resources or acting chops to create scenario videos, but there are always pictures to give life to your characters and scenarios. Luckily, there are several Creative Commons licensed resources to choose from:

You can also search for CC-licensed photos on Flickr and Creative Commons.

There are a lot more you can do with building scenarios for your data privacy and security trainings, but these three areas will hopefully get you started down the path of becoming an accomplished author… of training scenarios 😉 Enjoy your writing journey, and good luck!

Roll for Initiative! Gaming in Cybersecurity Training

Welcome to this week’s Tip of the Hat!

We learned last week that cybersecurity training is not as simple as choosing a particular training and rolling it out – training methods, goals, and context all determine the effectiveness of the training. While interactive training engages trainees and helps with understanding and motivation, the type of interaction matters. Simulations such as the phishing simulation test can backfire if not planned and deployed with care, but other types of interactive training engage users in a more controlled space and minimize unintended consequences… and you might level up in the process.

Games in training are not new, but turning training into a game by incorporating game elements or using existing games to teach particular concepts has grown in popularity in the last couple of decades. You’ve encountered gamification in other areas of your life – badges, leaderboards, and point systems, to name a few. These elements play into common human desires and motivations, such as collaboration/competition and accomplishment, which in turn can boost morale and knowledge retention. When combined with story elements and a positive reinforcement approach, training with game elements have a better chance overall of being more effective than traditional lecture-based training.

Libraries are no stranger to gamification. Academic, school, and public libraries use gamification for instructional sessions as well as patron programs. ALA has a Games and Gaming Round Table, as well as several resources for libraries, including two new books published this year about gamification in academic libraries and ready to use gamified programs for libraries of all types. It wouldn’t be a big stretch, therefore, for libraries to incorporate game elements or entire games into a training program, including cybersecurity training.

What does gamification look like in security and privacy training? Here are a few examples that you can use for both staff and patrons:

  • Tally Saves the Internet – This browser extension turns the Internet into a turn-based RPG where you fight an invisible enemy – online trackers. Players not only gain points and badges for fighting these online tracker monsters but also actually blocks trackers 😊
  • Cybersecurity Training for Youth Using Minecraft: A Field Guide – You can use existing games to teach cybersecurity, too! This field guide provides ways in which library staff can use Minecraft to teach patrons threat modeling in a way that doesn’t require prior knowledge of cybersecurity concepts but instead uses an environment the patrons might already be familiar with in their daily lives.
  • Tabletop exercises – unlike the other two examples above, tabletop exercises (TTE) have been around for a while in the cybersecurity world. One common TTE in cybersecurity is incident response, going through how an organization would respond to a particular scenario, such as a data breach. Think of it as a one-shot TRPG, but you role play as yourself, and your abilities and inventory consist of whatever policies, procedures, and resources you have in your organization at that moment. You can include other gaming elements and methods within TTE, such as Lego Serious Play, for additional collaborative/competitive opportunities in the scenario.
  • Cybersecurity games – There are several off-the-shelf cybersecurity games that you can use in existing training or at game night at your library!

There are many paths to incorporate game elements into cybersecurity training, so the best approach to take is to, well, play around and find which ones best fit your training audience. Don’t forget to have fun in the process, and may the dice roll in your favor!

Friendly Phishing, or Should You Phish Your Own Staff?

Welcome to this week’s Tip of the Hat!

October is a very important month. Not only does October mean Halloween (candy), it also means Cybersecurity Awareness Month. This month’s TotH posts will focus on privacy’s popular sibling, security. We start this month by focusing on one common “trick” – phishing – and why not all cybersecurity training is created equal.

A hooded middle aged white man wearing sunglasses laughs as he holds a fishing pole with a USB drive at the end of the line.
This is also the month where we get to use our favorite phishing stock photo. Image source: https://www.flickr.com/photos/hivint/36953918384/.

We wrote more about phishing in a previous post if you need a refresher; the tl;dr summary is that phishing is a very common attack method to gain access to a variety of sensitive systems and data by pretending to be an email from a trusted source (business or person). Phishing can be very costly on both a personal level (identify theft) and an organizational level (ransomware, data breach, etc.), so it’s no wonder that any digital security training spends a considerable amount of time on teaching others on how to spot a phishing email and what to do to prevent being phished.

It turns out that this type of training, for the amount of time spent in covering avoiding phishes, might not be as effective, and in some cases, can actively go against the goal of the training itself. A good portion of cybersecurity training comes in the way of lectures or an online web module, where users listen/read the information and are then tested to assess understanding. While that has been the main mode of training in the past, lecture/quiz style training, trainers realize that interactive training that goes beyond this model can be more effective in knowledge retention and understanding.

A growing number of organizations are using another type of security training – sending out phishing emails without warning to their employees. The phishing email, created by an external cybersecurity training company or by the local training team, would be sent out to spoof ether an organizational email or an email from a trusted source. This live test, theoretically, would more accurately assess employees’ knowledge and awareness of phishing methods and provide on-the-spot results, which could include corrections or remedial training. There are a variety of vendors offering both free and paid tools and services, such as KnowBe4 and PhishingBox.

Simulated phishing tests appear like a great addition to your organization’s training approach; however, these simulated tests can backfire. One way it can backfire is turning staff against the organization. One recent example of this comes from a simulated phishing email sent to Tribune Publishing staff, promising staff a chance of a company bonus if they clicked on the enclosed link. This email was sent out after staff went through furloughs and other drastic budget cuts, and the staff reaction to this email led to further erosion of trust between employees and administration. The debate extended to the security field, questioning the ethics of using content that otherwise is used in common phishing emails in an organization where employees went through considerable stress due to budget cuts. 

Another way simulated phishing tests can backfire is when the tests focus on shaming or negative outcomes. Some phishing tests focus on those who do not spot the phish, providing on the spot corrective training or assigning the employee to a future training. However, research has shown that focusing on shaming to correct behavior doesn’t work in the long term and might lessen the chance of someone reporting a possible phishing email or other cybersecurity issues to the organization. Negative reinforcement serves to create a more insecure organization by creating an environment where staff either are not motivated to or fear reprimand if they report a cybersecurity issue.

The use of simulated phishing tests will be the topic of debate for some time, but this debate presents two takeaway points to consider for any type of cybersecurity training:

  1. Context and methods matter – simulated tests can be effective, but the test’s logistics – including timing and content – can work against the desired outcomes of the trainers. Trainers should also consider the current state of the organization, such as staff morale and major crises/events in the organization, in choosing and developing cybersecurity training for staff. Another thing to consider is the effectiveness of training methods, including how often training has to be repeated to keep staff current on cybersecurity threats and procedures.
  2. Positive reinforcement – positive reinforcement, such as awarding staff members who do not click on the test phish email, can help with creating a more security-conscious organization. 

Next week we will dive into another type of cybersecurity training that is a simulation of another kind – stay tuned!

Privacy Film Party

Welcome to this week’s Tip of the Hat!

Even if the groundhog in your area didn’t see their shadow yesterday, we in the Northern Hemisphere still have a long winter ahead of us. How will you spend the long winter nights for the next few months? Might we suggest that you stay inside where it’s warm and watch a film? Better yet, make that film about privacy! Here are some privacy film recommendations depending on what you’re looking for:

For library programming about data and privacyScreening Surveillance [Content warning – suicide, mental health illness] is a grant-funded project to raise awareness around big data and surveillance. The project produced three short films – 10 minutes in length each – approaching specific issues of data sharing, data ownership, and sensor and facial recognition software. These three short films come with facilitation guides that help audiences process and discuss the specific issues raised in each film.

For a succinct introduction into general privacy concepts Privacy International’s Privacy 101 is a series of short animated videos introducing viewers to the concept of privacy as well as various topics in privacy, including metadata, big data, and data protection. These videos are a good way to acquaint someone with privacy concepts, in short, bite-sized portions. These videos are short enough that you can use these videos in staff training or discussions around privacy, as well as any public programming around data security and privacy.

For when the college instructor gives you the entire class session to teach their class about privacyThe Power of Privacy by The Guardian is a 30 minute documentary about the major challenges to privacy in the digital age. The film provides a balance between the historical “how did we get here?” and the present and near-future realities of data privacy. Library workers have choices in using this film to teach privacy, either by choosing to show segments to focus on specific topics, like phishing or IoT, or show the entire film for a holistic view of the current issues around data privacy.

For the library worker who is trying to navigate student privacy – Student privacy is governed by additional regulations, such as FERPA, which makes protecting student patron privacy more complex in academic and school libraries than in other libraries. The School Safety and Privacy video series from Future of Privacy Forum delve into this complex topic, including approaching the creation of policies, digital equity, facial recognition in schools, and how to talk to administrators and leadership about privacy matters.

BONUS! If you want more videos on student privacy, The Student Privacy Resource Center has a playlist to meet your additional student privacy video needs.

Finally, an artistic philosophical video for your night offPhilosophy Tube’s video on Data [NSFW – language, adult topics] gets into data, surveillance, algorithms, machine learning, structural inequality, targeted advertising, monetization of data, consent, notice, data rights, and how technology shapes society and how society shapes technology (phew!). All of this takes place in a 30-minute discussion-turned-machine-learning-simulation between a bouncer and a person in front of a nightclub.

There are plenty of other videos and films on privacy not covered here, but these recommendations are just a start. If you have a privacy-related film or video that you like, reply to this email and we’ll provide a list of subscriber-recommended videos in a future newsletter.