Another post-pandemic fallout is the fact that rental car agencies have sold off their fleets, for obvious reasons. As a result, there aren’t enough rental cars for all of us who have been stuck at home and are now raring to go on vacation.

While the shortage of rental cars naturally means higher prices, and some entrepreneurs are responding to the shortage with offerings of an Airbnb-type model, scammers also are aware of the shortage and the frenzy to confirm a rental car and see an opportunity to fleece consumers.

According to a Federal Trade Commission Scam Alert, scammers are designing spoof websites to lure consumers and deceive them into believing they can provide a rental car at a deep discount. When you click on the website to rent a car, they ask you to pre-pay with a gift card or a pre-paid debit card. RED FLAG. Your gut should be telling you that a legitimate rental car agency would not be asking for payment with a gift card!

According to the FTC:

To avoid rental car scammers driving off with your money:

  • Research the rental car company by searching for the name of the company and words like “scam,” “complaint,” or “review” to check if other people have had a bad experience.
  • Verify deals with the company directly. If you need customer support, look for contact info on the company’s official website. Don’t use a search engine result. Scammers can pay to place sponsored ads in search results, so they show up at the top or in the sponsored ad section.
  • Pay with a credit card if possible, and never pay with a gift card or prepaid debit card. You can dispute credit card charges, but gift cards and prepaid debit cards can disappear like cash. Once you give the number and PIN to a scammer, the money is gone.

Before you rush to book that miraculously available rental car, take a beat and read up about things you should consider when renting a car. If you spot a rental car scam, tell the FTC at ReportFraud.ftc.gov.

And I’ll add a couple more:

  • If a deal is too good to be true, it’s exactly that—too good to be true, and probably a scam.
  • Be cautious about any “deals” you get through an email, as the email itself may be malicious.
  • Be cautious about calling any customer support numbers you get through emails.

Happy vacationing, and be safe while reserving car rentals.

It has been reported by Bloomberg Law that the Colonial Pipeline ransomware attack was caused by a “single compromised password.” The Colonial Pipeline ransomware attack had consumers hoarding gasoline and disrupted distribution of gas along the east coast. One single compromised password.

Colonial Pipeline paid $4.4 million in ransom following the attack, although the Department of Justice (DOJ) was able to recover $2.3 million of that payment by seizing the crypto wallet used by the attackers. A payment of $4.4 million because of one single compromised password.

What is worse is that the account the password was connected to was not an active account, but it could still be used to access the network. I am surmising, but this usually happens when someone leaves the company and the account and its access are not terminated. The initial user may have used the same password across platforms; the password was compromised and obtained by DarkSide on the dark web, and presto! They could get into Colonial’s system with a valid password, undetected.

We are constantly told how important passwords are. I like to use long passphrases. We are told not to use the same passwords across platforms. We are told not to use passwords that are related to anything we post on social media or online platforms. We are told all of this for a reason: one compromised password can cause a gas shortage, a meat shortage, contaminated water, millions of dollars paid in ransom, and disruption to our lives. Do your part and focus on password management for yourself personally, as well as for your employer.

When I conduct employee education sessions on data privacy and cybersecurity, I am often surprised that employees are unaware that their employers are legally able to monitor their use of company assets, and that employers are indeed doing just that. Although some might find this creepy, if an employee is using an employer’s laptop, network or other technology, it is well known that monitoring is being done and is allowed. I tell employees that some employers are monitoring if they are sending things to their personal email account, and that they might get a call from IT or management if they send things to their personal account. Invariably, eyebrows shoot up.

An interesting survey by ExpressVPN was released recently that highlights the gap between employers’ monitoring of employees’ use of company assets and how it is affecting employer-employee relations. Although I could have inferred these results anecdotally, the survey is quite revealing and is worth a read, especially if you are a human resources manager.

The survey found that especially during the pandemic and with a remote workforce, “bosses are uneasy about remote workers’ productivity.” This makes sense to me, because it is difficult to monitor employees’ productivity when they aren’t in the office. A whopping 74 percent of bosses say that “remote work makes them feel a lack of control over their business,” while 69 percent say they “feel uneasy about remote work because they can’t observe employees in person.” Even more disturbing is that 57 percent of bosses “don’t trust their employees to work without in-person supervision” and 59 percent say they “don’t trust their employees to work without digital supervision.”

The survey shows that surveillance of employees has been “rapidly increasing in recent months,” with 78 percent of the companies surveyed reporting that they are using monitoring software to track employee performance and/or online activity, and 90 percent of those companies saying they are actively tracking time spent by their employees doing work or other activities unrelated to work (like online shopping, for instance). Forty-six percent of those surveyed have terminated an employee based on remote monitoring.

On the other hand, employees are quite uneducated about the fact that they are being monitored or how. Only 53 percent of employees are aware that their employer is monitoring their communication and online activities, and one in six were completely unaware that it was even possible for employers to monitor their communication and online activities.

Uh oh—one in three employees report that they have “used their work computer for purposes that they’d find embarrassing should their employer find out,” including chats and messages, Google searches, visiting job application websites, and “visiting inappropriate sites.”

Employers believe that monitoring is a way to keep work productivity and quality high, while the monitoring makes employees feel “stressed, unappreciated, and resentful.”

The bottom line is that more and more employers are implementing monitoring software, and some may not inform their employees that they are being monitored. Some employees feel so strongly about it that a majority say they would quit their job if their employers started monitoring them.

The survey results are fascinating and insightful for both employers and employees. Employers need to be able to evaluate employees’ work productivity and quality, and with a remote workforce, it is harder than ever to complete that evaluation.

On the other hand, employees need to be treated as professionals and with respect, but they also need to understand the challenges employers are facing with a remote workforce and having to control the quality and volume of work being performed by employees.

Sounds like a town hall in the making—even if it is over Zoom or Teams—which, of course, can be monitored!

Robocalls continue to be irritating and their increased frequency is distracting and exhausting, at least in my experience. We can usually spot them when our caller ID says “potential spam” or if we don’t recognize the number, but robocallers are getting more sophisticated, just like other scammers.

A frequent and increased scam is one alleging that your car warranty is expiring and that you need to renew it. The messages sound legitimate, but they are not. It has become such a problem that the Federal Trade Commission (FTC) issued a warning this week advising that you hang up when you receive an auto warranty call.

According to the FTC, “This is an illegal robocall and likely a scam. The companies behind this type of robocall are not with your car dealer or manufacturer, and the ‘extended warranty’ they’re trying to sell you is actually a service contract that often sells for hundreds or thousands of dollars.”

I was raised not to hang up on anyone, but following the FTC’s advice to hang up on auto warranty robocalls seems like a good exception.

If you have seniors in your life who could become a victim of this type of scam, let them know so they, too, can follow the FTC’s advice.

The Electronic Frontier Foundation (EFF) (www.eff.org) is a wonderful resource for privacy-related issues and concerns. I check its website frequently to make sure I am aware of the latest issues and concerns around privacy. On May 6, 2021, EFF posted a blog that is relevant to my experience when I give training to employees about data privacy and security—people are unaware how their information is being tracked through their phone.

In its blog post, EFF launches a new breakdown of mobile phones that is “an online guide to defending yourself and your friends from surveillance by using secure technology and developing practices. This guided tour walks through the ways our phone communicates with the world, how your phone is tracked, and how that tracking data can be analyzed.”

The guide is designed “to give the reader a bird’s-eye view of how that rectangle in your hand works, take away the mystery behind specific privacy and security threats, and empower you with information you can use to protect yourself.”

Even the most savvy users may wish to check it out as a refresher.

Once again, Apple is leading the pack on privacy and implementing new privacy controls, starting next week. What does this mean for you?

If you are an iPhone user, you will start seeing more pop-ups from apps asking you for permission to collect your data. Apple is requiring apps that it believes are collecting our data and using it to track our browsing habits across apps and websites (so they know what we like and can build very detailed profiles of us) to first obtain our permission to do so.

Starting next week, if you get a pop-up while using an app that specifically asks for your permission to collect your data, don’t just click on it and say, “I agree.” READ WHAT IT SAYS, and only then make an informed decision about whether you want that app to collect your data, share it, aggregate it, and track you. Apple is providing a service to educate you on which apps are collecting your data and tracking you, so take advantage of the service, be informed, and make an educated decision.

In addition, via a new menu in the phone’s Privacy settings, iPhone users will have the ability to opt out of tracking by all apps on their phone, or to pick and choose which apps to allow permission to track, just like when you choose to allow apps to have access to your microphone, camera, and location.

There is a reason Apple is implementing these new features: Apple is assisting consumers with protecting their privacy. Follow Apple’s lead and read and understand what the app is collecting and tracking before you click “I agree.”

The United States government, states, municipalities, and private companies all have been trying to defend themselves from cyber warfare from foreign adversarial governments, including Russia, China, and North Korea, for years—actually, for decades. Even when I started practicing full time in this area of law in the early 2000s, we were talking about not traveling to those countries with work laptops for fear that data on the laptop would be stolen or misappropriated.

Every time a foreign adversarial government attacks a U.S. government agency or business with a cyberattack, it should be viewed for what it is: a bomb. Although it does not blow up bricks and mortar, it blows up the target’s ability to do business and forces it to rebuild its network and systems in order to function. Every time ransomware, malware, or another bug, virus, or malicious tool is downloaded into a system, it should likewise be viewed for what it is: an act of war by an adversary.

Last week, President Biden called out Russia for its part in wreaking havoc on tens of thousands of businesses when it launched the SolarWinds attack, and put sanctions in place. This will not be the last word in cyber warfare.

Russia and other foreign adversaries have sophisticated capabilities in cyber warfare. We don’t want to talk about it, but cyber warfare could cripple the economy, critical infrastructure, monetary transactions, health care, food supply, access to accurate information, communication, and our livelihoods. Everything is connected to the internet. Everything. And everything is vulnerable to cyber warfare.

Take time to determine what you would need in the face of cyber warfare. I liken it to what you would need if a very powerful hurricane came through, taking out the power, the water, the banking system, the grid, the ability to use a credit card (because there is no power), to get food and sustenance, gas or electricity for your car, or to get medical supplies or treatment. Some thoughts about what to stock up on include cash, a generator or other power supply, potable water, non-perishable food, medical supplies, an alternate form of communication and supply of energy, an escape route, and an escape plan. Whether it is cyber warfare, a hurricane, or worse, preparing for an emergency will help you weather it, and hopefully, the preparation will never be needed.

Many individuals already use facial recognition technology to authenticate and authorize payment through their smartphone. According to Juniper Research, by 2025 (only four years away), 95 percent of smartphones will have biometric technology capabilities for authentication, including face, fingerprint, iris, and voice recognition. According to Juniper Research, this will amount to the authentication of over $3 trillion in payment transactions on a yearly basis.

Technology vendors are starting to use biometric information more and more to provide services to consumers. For instance, Spotify recently released its “Hey Spotify” feature for its app. If you use Spotify, and the new feature is rolled out to your device, you will see a pop-up with a big green button at the bottom that reads, “Turn on Hey Spotify” and a very small link in white that reads, “Maybe later.” Above the big green button in white is text that reads, “LEARN HOW WE USE VOICE DATA” and “When we hear ‘Hey Spotify’ your voice input and other information will be sent to Spotify.”

The big green button is very noticeable and the white text less so, but when you click on the “LEARN HOW” button, you are sent to a link that reads, “When you use voice features, your voice input and other information will be sent to Spotify.” Hmmm. What other information?

It continues, “This includes audio recording and transcripts of what you say, and other related information such as the content that was returned to you by Spotify.” This means that your biometric information–your voice–and what you actually say to Hey Spotify is collected by Spotify. Spoiler alert: you only have one voice and you are giving it to an app that is collecting it and sharing it with others, including unknown third parties.

The Spotify terms then explain that it will use your voice, audio recordings, transcripts and the other information that is collected “to help us provide you with advertising that is more relevant to you. It also includes sharing information, from time to time, with our service providers, such as cloud storage providers.” It then explains that you can “interact with advertisements on Spotify using your voice. During a voice-enabled ad, you will hear a voice prompt followed by an audible tone.” Of course, you should know that your response will then be recorded, collected, and shared.

In response to the question “Is Spotify recording all of my conversations?,” the terms state that “Spotify listens in short snippets of a few seconds which are deleted if the wake-word is not detected.” That means that it is listening frequently until you say, “Hey Spotify.” It doesn’t say how often the short snippets occur.

Consumers can turn off the voice controls and voice ads by disabling their microphone. This is true for all apps that include access to the microphone, which is why it is important to frequently look at your privacy settings and see which apps have access to your microphone and to manage that capability (along with all of the apps in your privacy settings).

It is important to know which apps have access to your biometric information and who they share it with, as you cannot manage that biometric information once you give it away. You don’t know how they are really using it, or how they are storing, securing, disclosing, or retaining it. Think about your Social Security number and how many times you have received a breach notification letter. You can try to protect your credit and your identity with credit monitoring and credit freezes, but you can’t use those tools for the disclosure of your biometric information to scammers and fraudsters.

Your voice can be used for fraudulent purposes. It can be used for authentication to get into accounts, and for vishing (see blog post on vishing here). Your voice is unique, and sharing it with apps or others without knowing how it is secured is something worth considering. If the information is not secured and is subject to a security incident, it gives criminals another very potent tool to commit fraud against you and others.

Before providing your biometric information to any app, or anyone else for that matter, read the Privacy Policy and Terms of Use and understand what you are giving away merely for the convenience of using the app.

How many times can we say that the Internal Revenue Service (IRS) will NOT email or telephone you? We will say it again. If you receive a telephone call, email or text from someone saying they are from the IRS, it is A SCAM. It’s that simple. If you don’t believe me, check out the IRS website, which confirms this fact.

Imposters, fraudsters, and scammers have been launching scams scaring people into believing that they owe money or back taxes to the IRS for years, including threatening victims with arrest and jail.

Instead of relying on that old trick, the fraudsters are now targeting students and faculty with .edu emails with tag lines like “Tax Refund Payment” or “Recalculation of your tax refund payment.”

Students and faculty with .edu emails in higher education should know better, but unfortunately, the Federal Trade Commission has had to issue a warning to students and faculty that they are being targeted because some victims have been scammed.

If a victim clicks on the link to submit a form to receive the tax refund from the “IRS,” the form requests highly sensitive information that is useful to the scammers to perpetrate identity theft, including name, address, Social Security number, driver’s license number, electronic filing PIN, and last year’s income. This is all information that can easily be used to file a fraudulent tax return in your name.

Don’t fall for any emails, telephone calls, or texts that say they are from the IRS. Delete, delete, delete! The IRS DOES NOT email, call, or text. It is prime season for tax return and refund fraud, so be cautious and vigilant to protect yourself.

Many people continue to be unaware of how their data are collected, stored, used, disclosed, retained, or destroyed. As technology explodes, it is hard to stay current, and efforts to educate individuals on their privacy rights have diminished.

There are many organizations devoted to educating consumers on their privacy rights and committed to teaching them about the risks and considerations for protecting their privacy. One such organization, the Privacy Rights Clearinghouse, continues to provide relevant and timely content on the rapidly-changing patchwork of privacy risks and rights.

I began following the Privacy Rights Clearinghouse right from its inception because it was one of the first organizations to keep a detailed list of data breaches. It started tabulating the number of records that have been breached since 2005. As of this writing, that tally according to Privacy Rights Clearinghouse is 11,725,045,478. And the count changes daily.

In addition to keeping track of the number of records breached, Privacy Rights Clearinghouse provides up-to-date articles on different topics relating to privacy, resources on discrete topics such as robocalls, employee monitoring, exercising your rights under different laws, and how new technology affects your privacy.

This site is user-friendly and its content is robust. It is a good place to start if you want to find out more about your privacy rights.