by Josh Lake

As the media attention surrounding the repeal of the data privacy framework begins to calm down, now is the perfect time to examine where the USA stands with our current laws. As one of the most culturally and economically similar parts of the world, comparing our laws against Europe’s can provide a good frame of reference.

While the US government is focusing on stripping back red tape in a bid to kickstart business, the European Union has gone in the other direction and is stepping up its bureaucracy with the General Data Protection Regulation (GDPR). These new laws come into play in May 2018, so businesses are hard at work to make sure they will be compliant when the date swings around.

This question came in via Ask Erik:

Hi Erik,

I stumbled upon your blog while trying to learn a little about SSL/TLS in the context of client/server e-mail sessions, i.e. not web mail which I understand to be an HTTP session.  I am just an ordinary user with no special security needs but I find all this news about corporate and government surveillance to be troubling for both philosophical and practical reasons.  In any case my questions is quite simple.

My e-mail client, apple mail, and my e-mail service provider both support SSL so my e-mail exchanges between my computer and the server are encrypted.  I understand that I can’t control what happens with other e-mail servers.  What I am trying to understand is what does it mean to be encrypted?  When an e-mail leaves my computer how much of the message is encrypted?   Are the e-mail headers encrypted including the sender and recipient e-mail addresses.  I would assume so but nobody talks about the details.  What metadata trail does a user leave when using SSL/TLS.  Is it is as simple as the destination and sending IP address with everything else encrypted?  Reading Data and Goliath right now by Bruce Schneider which talks about a lot of this stuff but again doesn’t give quite enough detail.  At the end of the day I am trying to understand how much protection SSL really provides.

SSL (now TLS) protects data as it travels across the Internet. To understand in detail how SSL works, we recommend reading: How does Secure Socket Layer (SSL andTLS) work?  However, looking at how the protocol works can leave answers to some of these fundamental questions a little unclear.  Lets address them one by one.

In July 2016, Hilton HHonors loyalty program members received an email asking them to log into their Hilton HHonors account to confirm their correct email address, mailing address, and other personal details.

The email set off alarm bells for a number of customers. One tweeted a screenshot of the email to the Hilton HHonors Twitter account, asking, “… is this legit? Looks very much like a phishing email…”

Hilton’s support team responded, “This is not an email from the HHonors team. Please do not share your account details.”

The only problem? It was a legitimate email from Hilton HHonors, but it so closely resembled a phishing email it fooled Hilton’s own IT team.

Hilton is not the only company to inadvertently send customer emails that are nearly indistinguishable from phishing emails. Many companies send emails asking their customers to log in to confirm account information or confirm payment details. Sometimes, cautious customers will reach out to the digital community for feedback on whether an email is real or fake.

These emails are a problem because not only do customers believe them to be phishing emails, but they normalize emails that ask for personal information—making people more vulnerable to real phishing scams in the future.

Marketers need to understand email marketing best practices to send secure customer messages that don’t endanger customer privacy and data. Here’s everything you need to know from a technical and content perspective to make sure your email isn’t mistaken for a phishing scam.

As with any politicized issue, there is a lot of misinformation surrounding the repeal of the data privacy framework. Regardless of whether you are a Republican or a Democrat, your online security and privacy rights are going to be affected, so let’s just get the story straight.

This whole issue began back in February 2015, when the Federal Communication Commission (FCC) set up an Open Internet Order. This established net neutrality rules and also reclassified ISPs as carriers under Title II of the Communications Act. This meant that ISPs would be subjected to a new set of regulations.

Many marketers are engaged in a mad scramble to make the most of social media platforms. Unfortunately, these channels have some major drawbacks. Unlike email and text messaging, social media communications generally lack the security and oversight controls required in regulated industries like health care. Secure text message marketing is an excellent addition to boost your marketing results even if you have to operate under heavy regulations.

Last Thursday, a Google developer announced that Chrome will be reducing its levels of trust in Symantec issued SSL certificates, as well as those issued by its subsidiaries. This comes after a two year skirmish between the two companies, with Google asserting that Symantec has continually failed to follow appropriate verification practices.

Under Google’s proposal, the Extended Validation status from Symantec issued certificates will be removed, the validity period of newly issued Symantec certificates will be gradually reduced to a maximum of nine months, and current Symantec certificates will be incrementally distrusted with each Google Chrome release up to 64. These measures aim to balance out compatibility problems alongside the security risks.

We received this questions via Ask Erik from a Physicians’ Association:

“Our company website does not contain any patient information.  As a healthcare group, do we need to worry about HIPAA compliance for our site? It contains forms, news and some company polices and procedures but no patient information whatsoever. Thank you.”

Thank you for your question!  Here, we delve into how you can answer this for your site.

This year kicked off with a sophisticated phishing scam that fooled users and cybersecurity experts alike. Users were giving away their passwords to scammers through a seemingly legit Gmail login page. The scam had all the markers of a legitimate email, including the appearance that it was sent from a known sender.

There are many articles out there about the warning signs of phishing scams. We know the rules: Don’t click on URLs you don’t know, beware of emails that sound urgent or feel pressuring, etc. The reality is that many of these tips aimed to protect against phishing attacks would not have worked in the case of the Gmail attack.

Gmail’s spam filters already capture many emails that display common signs of scamming (formal language, unknown senders, etc.). However, phishing scammers and hackers, in general, are becoming more sophisticated in their techniques. A greater understanding of security will help you keep up with hackers in 2017. Here we’ll dive into the details of what made the Gmail scam so unique and address some sophisticated phishing scam avoidance tips you can start trying out today.

If email marketing is known to produce results across a variety of industries, why do some professionals feel uncomfortable with it?  Why do they feel “slimy”?  It is not uncommon for people to feel hesitant to engage in email marketing because it somehow feels “wrong” to them.    There are several factors at play in this limiting belief; in this article, we shall shed light on them to help dispel this feeling so that you can confidently get to work and grow your business, knowing that you are actually helping others.

Vault 7, the WikiLeaks release of CIA cyber intelligence documents, has been one of the biggest news stories of the past month. Now that the dust has settled and the media hype has died down, we can finally go through the leaks in a rational way and understand their real world implications.