Archive for the ‘privacy’ Category

Manage subject rights requests at scale with Microsoft Priva

March 16th, 2022

Privacy is of increasing importance to our customers. In addition to the well-known European General Data Protection Regulation (GDPR), privacy regulations are emerging in nearly every region, with more than 70 percent of countries now having data protection and privacy legislation.[1]

As the number and scope of privacy standards have proliferated, privacy has become an expectation of customers and stakeholders to enable a trusted business. Many of the large organizations I work with are mature in their privacy compliance processes. Some have had to be GDPR compliant since 2018. Even those without GDPR compliance obligations saw GDPR as a watershed event, recognizing that broader privacy regulation was coming. Organizations have now shifted their focus from privacy compliance to privacy leadership in order to provide value to their customers and their brands. To assist organizations on their privacy journey, we introduced Microsoft Priva in October 2021 to help customers safeguard personal data and respect privacy rights.

The concept of respecting an individual’s privacy rights has been emphasized by the Organization for Economic Cooperation and Development (OECD) as “The Individual Participation Principle” in the Fair Information Practice Principles (FIPPs) since 1980.[2] The principle includes an individual’s right to access and control their own data. In some cases, they have the right to have this data corrected or deleted. Since GDPR went into effect, the concept has become more mainstream, known as data subject requests or subject rights requests. In the United States, 12 states have laws passed or active bills that mandate a subject’s right to data access.[3]

Subject rights requests (SRRs) management is time-consuming and costly

Responding to subject rights requests (SRRs) can be resource-intensive, costly, and difficult to manage. There are challenging time frames for a response, with GDPR mandating a response time of 30 days and California Privacy Rights Act (CPRA) allowing 45 days. More than half of organizations handle SRRs manually, while one in three has automated the process.[4] According to Gartner®, most organizations process between 51 and 100 SRRs per month at a cost of more than USD1,500 per request.[5] As more privacy regulations come into force and the public becomes more informed about their rights, the volume of SRRs is expected to grow substantially, impacting organizations’ resources even further.


Figure 1. Approximately one in three organizations have partially automated subject rights requests.

Scaling SRR management is challenging

To process an SRR, an organization must verify the data subject to make sure that the individual is who they say they are and has the rights to the information, then collect the information, review, redact where appropriate, and provide the response to the requester in an auditable manner.

Most organizations have processes in place for SRR responses but rely on email for collaboration, eDiscovery tools for search, and manual reviews to identify data conflicts like a file containing multiple people’s privacy relevant data. These processes can work but they don’t scale. They also create data sprawl and additional security and compliance risk.

Manage at scale and respond with confidence with Microsoft Priva

To help organizations deal with these challenges, Microsoft has created Microsoft Priva, a privacy management solution that helps safeguard and respect privacy while streamlining the process for responding to SRRs.

Microsoft Priva SRRs helps gather a subject’s data from the Microsoft 365 environment automatically, including emails, messages, documents, spreadsheets, and more that contain the requestor’s personal data. It then detects and flags conflicts like the personal data of others or confidential information included in the collected files. Automated data collection and detection can help you capture conflicts more accurately to avoid any data leakage.

Additionally, the solution allows collaboration in a protected platform for stakeholders to review, triage, and redact collected files in their native views. Unlike other solutions that might only provide you with a report of file paths, Microsoft Priva can bring the files to you and save you time and effort manually copying and pasting the file paths in your browser, or emailing and messaging files to others to review.


Figure 2. Review, triage, and redact collected files in their native views when multiple people’s data is detected.

Privacy admins can also leverage Microsoft Teams and Power Automate, integrated with the Microsoft Priva solution, to work with HR, legal, and other departments in an efficient, compliant, and auditable way. All your collaboration data is centralized in one platform that ensures security and compliance along the way. Microsoft Priva SRRs helps organizations manage SRRs at scale with confidence while avoiding personal data sprawl.


Figure 3. Microsoft Priva SRRs helps manage requests at scale and with confidence.

The solution dashboard provides visualization of SRR metrics and the ability to filter and manage requests to completion. This establishes to internal stakeholders and regulators that SRR responses were made with compliant processes in the required timeframe. 


Figure 4: Microsoft Priva SRRs helps provide insights on SRR progress and show trends over time.

Integrate with your privacy solutions

Many organizations are using other tools to manage SRRs. We want to bring the value of Microsoft Priva and its native integration with Microsoft 365 to them as well to provide a better-together solution. Part of this is to integrate Microsoft Priva with the solutions of other software vendors and customers’ homegrown solutions through our Microsoft Graph subject rights request API. The API allows integration with privacy independent software vendors (ISVs), like OneTrust, Securiti.ai, and WireWheel, to automate the SRR handling process and provide a response that encompasses the organization’s entire data estate.

For example, an organization can use the API to send a request they received in their homegrown application to Microsoft Priva, which then collects the subject’s personal data automatically, enables collaboration to review and redact files, creates a link to the data package, and sends it back to the homegrown application through the API. The organization then can combine all the reports and data from various environments together to respond to the requestor.


Figure 5. Microsoft Graph API enables organizations to leverage Microsoft Priva along with their existing privacy tools.

Learn more

We are excited to help ease the complexity of SRR management. To learn more about how to manage SRRs at scale, download the e-book Five tips from Microsoft to automate your SRRs or join our webinar on April 5, 2022.

Microsoft Priva solutions are generally available for customers as an add-on to all Microsoft 365 or Office 365 enterprise subscriptions. You can try out Microsoft Priva SRRs for 90 days or create up to 50 subject rights requests (whichever limit expires first) at no cost.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] UNCTAD Data Protection and Privacy Legislation Worldwide

[2] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, OECD. 2013.

[3] US State Privacy Legislation Tracker, Taylor Kay Lively, iapp. March 3, 2022.

[4] IAPP-EY Consulting and Annual Privacy Governance Report for 2021, iapp, EY. 2021.

[5] Market Guide for Subject Rights Request Automation, Gartner. November 2021.

The post Manage subject rights requests at scale with Microsoft Priva appeared first on Microsoft Security Blog.

Categories: cybersecurity, privacy

Build a privacy-resilient workplace with Microsoft Priva

January 28th, 2022

Today, we celebrate international Data Privacy Day. This day reminds us of the importance of respecting privacy, safeguarding data, and enabling trust.

However, annual reminders are insufficient to drive material change, which can be seen in the effectiveness rates of one-off trainings. According to the forgetting curve theory, employees forget about 75 percent of training after just six days.[1] Imagine the lack of knowledge retention for employees of organizations that only do annual privacy training.

To help you with this challenge, we are excited to re-emphasize our commitment to helping organizations build a privacy-resilient workplace with Microsoft Priva, which was announced by Vasu Jakkal, Corporate Vice President of Microsoft Security, Compliance, and Identity, last year at Ignite. Microsoft Priva is the new brand of privacy solutions provided by Microsoft moving forward. Currently, the Microsoft Priva solution offers two products:

1. Priva Privacy Risk Management: Proactively identify and remediate privacy risks arising from data transfers, overexposure, and hoarding, and empower information workers to make smart data handling decisions.

2. Priva Subject Rights Requests: Manage subject rights requests at scale with automated data discovery and privacy issues detection, built-in review and redact capabilities, and secure collaboration workflows.

Managing privacy data requires understanding the context around the data, including why information workers collect the data and the intent of use. The integration of Microsoft Priva with your day-to-day productivity tools and business applications gives organizations the power to effectively influence employees to make positive decisions on personal data handling. The in-the-moment nudges drive fundamental behavioral changes, helping people make good data handling decisions in the context of their daily activities.

For example, when a user collects personal data but hasn’t used it for more than 180 days, it may no longer have business value but can increase the risk surface area. To adhere to a principle of data minimization, Microsoft Priva can send a system-generated reminder to the data owner to review the file and make a decision to delete or provide a business justification to keep it. Users can easily take action within the Outlook interface, safeguarding personal data without impeding productivity.


Figure 1. Help identify unused personal data and empower users to make smart data handling decisions.

Privacy administrators can also set up policies to detect personal data overexposure and notify data owners to review access to the file, with an experience similar to the example above. This feature can help companies that audit file or site access manually, a process that can be time-consuming and can overlook risks between audits.

Microsoft Priva can also help govern communication to support organizations meeting data transfer requirements. In Microsoft Teams, the most commonly used communication platform, users can receive near-real-time notifications and guidance when sending personal data across regions or departments. Privacy administrators can customize the transfer boundaries to adhere to the company’s privacy policies.


Figure 2. Detect cross-border or cross-department data transfer in Teams and provide just-in-time guidance.

In addition to the user experience, Microsoft Priva also provides an aggregated view of privacy posture showing key insights of detected privacy risks. Admins can easily spot privacy issues and fine-tune policies to engage with users. Microsoft Priva solutions are designed with the concept of privacy by default. User information is pseudonymized by default in the admin interface.


Figure 3. Provide an aggregated view to admins to gain visibility into privacy issues.

Since launching Microsoft Priva, we have heard great feedback from customers, including Novartis, the world’s leading pharmaceutical company, which is currently in a trial with Microsoft Priva solutions.

“Microsoft Priva will help us identify and prevent critical privacy risks that arise from transferring private data across borders and oversharing. We’ll empower our employees to mitigate risks themselves, freeing our IT resources to focus on more urgent high-severity risks.” Beni Gelzer, Head of Data Privacy (Switzerland), Novartis

Read more about how Novartis uses Microsoft Priva to enable its employees with a solution that works with them.

Learn more

Microsoft Priva solutions are generally available for customers as an add-on to all Microsoft 365 or Office 365 enterprise subscriptions. If you are interested in learning more about Microsoft Priva solutions, we encourage you to start the 90-day free trial today to experience the product directly. If you can’t see the “start trial” button on the page, contact your Global Admin to gain permission for the solution. Learn more about the trial program in this trial playbook.

We hope that Microsoft Priva can help increase your employees’ awareness of data privacy continuously throughout the year so that you can build a privacy resilient workplace. Happy international Data Privacy Day!

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 


[1] The Forgetting Curve, Data & Visuals, Harvard Business Review. October 2019.

The post Build a privacy-resilient workplace with Microsoft Priva appeared first on Microsoft Security Blog.

Categories: cybersecurity, Data Privacy Day, privacy

Simplifying the complex: Introducing Privacy Management for Microsoft 365

October 19th, 2021

The data privacy regulation landscape is more complex than ever. With new laws emerging in countries like China and India, shifts in Europe and the United Kingdom, and currently 26 different laws across the United States, staying ahead of regulations can feel impossible.

But this work is critical—to safeguarding people and the tools they use to stay connected, get work done, and thrive in today’s hybrid environment.

We have been working closely with our customers to help. Today, I’m excited to share with you some of the new investments we’re making to attempt to bring some simplicity to the complex topic of data privacy regulations.

Introducing Privacy Management for Microsoft 365

With the latest regulation going into effect soon in China, most of the world’s population will soon have its personal data covered under modern privacy regulations. But how organizations manage their regulatory responsibilities with all those laws in mind is often manual, time-consuming, and expensive.

Today, I’m excited to announce that Privacy Management for Microsoft 365 is generally available to help customers safeguard personal data and build a privacy-resilient workplace. With role-based access controls and data de-identified by default, Privacy Management for Microsoft 365 helps organizations to have end-to-end visibility of privacy risks at scale in an automated way.

  1. Identify critical privacy risks and conflicts: One of the biggest challenges in managing privacy is finding where personal data is stored, especially in an unstructured environment. Most companies still use manual processes to maintain data inventory and mapping, primarily through email, spreadsheets, and in-person communication, which is costly and ineffective. Privacy Management automatically and continuously helps to discover where and how much private data is stored in customers’ Microsoft 365 environments by leveraging data classification and user mapping intelligence. Organizations can see an aggregated view of their privacy posture, including the amount, category, and location of private data, and associated privacy risks and trends over time.
  2. Automate privacy operations and response to subject rights requests: Privacy Management correlates data signals across the Microsoft 365 suite of solutions to deliver actionable insights that allow privacy administrators to automate privacy policies by using an out-of-box template—data transfers, data minimization, data overexposure, and subject-rights request management—or create a custom policy to meet an organization’s specific needs.
  3. Empower employees to make smart data handling decisions: To build a privacy-resilient culture, you need to educate your employees, so they know how to handle data properly. Privacy Management provides insights and contexts to administrators, enabling them to automate privacy policies and protect sensitive data. Additionally, data owners are given recommended actions, training, and tips to make smart data-handling decisions, eliminating the need to choose between privacy and productivity.


Figure 1: Overview dashboard showcasing privacy risks and trends.

“Privacy Management for Microsoft 365 will help us identify and prevent critical privacy risks that arise from transferring private data across borders and oversharing,” said Beni Gelzer, Head of Data Privacy (Switzerland), Novartis. “We’ll empower our employees to mitigate risks themselves, freeing our IT resources to focus on more urgent, high-severity risks.”

You can learn more about Novartis’ experience with Privacy Management for Microsoft 365 in their case study.

Partnering to give customers greater visibility beyond Microsoft 365

Because data lives across so many clouds, systems, and applications, solving the challenge of data privacy requires great insight—and partnership.

To meet you where you are in your privacy journey, we have built APIs that allow you to integrate with your existing processes and solutions to automatically create and manage subject rights requests in Privacy Management.

We’re also excited today to partner with leading privacy software companies—OneTrust, Securiti.ai, and WireWheel—to extend subject rights management capabilities to personal data stored outside of the Microsoft 365 environment, enabling customers to have a unified and streamlined response to subject requests.

“Our mission at OneTrust is to empower businesses to build trust into the fabric of their organization and our collaboration with Microsoft supports this,” noted Adam Rykowski, OneTrust Vice President of Product Management. “By automating and syncing the fulfillment of Data Subject Access Requests (DSAR) from OneTrust’s Privacy Management Solution with Privacy Management for Microsoft 365, available within the Microsoft 365 compliance center, we can seamlessly incorporate IT admins into privacy operations from the OneTrust platform.”

You can learn more about these partnerships in today’s Tech Community blog.

New regulation assessments in Microsoft Compliance Manager

Staying ahead of data privacy regulations and understanding the technical actions you can take to address compliance can be daunting. To help, Microsoft Compliance Manager today has more than 200 regulatory assessment templates covering global, industrial, and regional Data Protection and Privacy regulations, making it easier for customers to interpret, assess, and improve their compliance with regulatory requirements. We recently added three privacy-specific assessments for Colorado Privacy Act, Virginia Consumer Data Protection Act (CDPA), and Egypt Privacy Law.

Additionally, we have mapped privacy-specific controls across these assessment templates to the new Privacy Management solution to help you scale your compliance efforts.

You can learn more about Compliance Manager, our list of available assessments, and how to use the assessment in our documentation. You can also try the Compliance Manager 90-day trial, which gives you access to 25 assessments.

Privacy is a journey

We recognize that navigating the complexity of data privacy regulations is a journey, and we are excited to partner with you, our customers, and others in the ecosystem to help to ease some of the complexity, making the world a safer place for all.

Privacy Management for Microsoft 365 is generally available to customers as an add-on to a Microsoft 365 or Office 365 subscription. To get started with Privacy Management, you can leverage the free 90-day trial. You can learn a lot more about Privacy Management in today’s Tech Community blog or watch the new Microsoft Mechanics video.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Simplifying the complex: Introducing Privacy Management for Microsoft 365 appeared first on Microsoft Security Blog.

Categories: cybersecurity, privacy

Transparency & Trust in the Cloud Series: Cincinnati, Cleveland, Detroit

March 17th, 2015

Customers at the Detroit “Transparency & Trust in the Cloud” event.

I had the opportunity to speak at three additional Transparency & Trust in the Cloud events last week in Cincinnati, Cleveland, and Detroit. These were the latest in the series that Microsoft is hosting, inviting customers to participate in select cities across the US.

For me personally, these events provide the opportunity to connect with customers in each city and learn which security and privacy challenges are top of mind for them. In addition, I get to hear first-hand how customers have been using the Cloud to drive their businesses forward, or, if they haven’t yet adopted Cloud services, what’s holding them back. I feel very fortunate as the participating CIOs, their in-house lawyers, CISOs, and IT operations leaders haven’t been shy about sharing the expectations they have for prospective Cloud Providers, specifically around security, privacy, and compliance.

I was joined by other Microsoft Cloud subject matter experts: Microsoft’s Assistant General Counsel, Dennis Garcia, Principal IT Solution Manager, Maya Davis, Director of Audit and Compliance, Gabi Gustaf, and Cloud Architect, Delbert Murphy. This diverse cast helped provide an overview of the Microsoft Trustworthy Cloud Initiative from their unique perspectives and answer a range of technology, business process, and legal questions from attendees.

Here are just some of the types of questions these events garner, most recently in these three cities:

  • How does eDiscovery work in Microsoft’s Cloud? (see related posts)
  • What data loss prevention capabilities does Microsoft offer for Office 365, OneDrive and Microsoft Azure?
  • What data does Microsoft share with customers during incident response investigations?
  • Which audit reports does Microsoft provide to its Cloud customers?
  • What terms does Microsoft include in its Cloud contracts to help customers manage regulatory compliance obligations in EU nations?
  • What does the new ISO 27018 privacy certification that Microsoft has achieved for its four major Cloud solutions provide to Microsoft’s Cloud customers (and Microsoft is the only major Cloud provider to achieve ISO 27018 certification)?

These are great conversations! Thank you to all of the customers that have attended and participated in recent events.

There are still a few more scheduled in different cities across the country. If you are a customer and would like to learn more about the Microsoft approach to building the industry’s most trustworthy Cloud, please reach out to your account team to find out if one of these events is coming to your area.

I’m looking forward to seeing customers in Omaha and Des Moines in just a couple of weeks.

Transparency & Trust in the Cloud Series: Kansas City, St. Louis, Minneapolis

March 5th, 2015

Over the last few months, Microsoft has hosted a series of events to bring together Chief Information Officers (CIO) and their legal counsels, Chief Information Security Officers (CISO), as well as IT operations leaders from enterprises in cities across the US. These “Transparency & Trust in the Cloud” events aim to highlight and discuss the security, privacy, compliance, and transparency capabilities of Microsoft’s cloud services.

Recently, I was given the opportunity to attend and speak at those in Kansas City, St. Louis, and Minneapolis. I was also able to speak directly with many enterprise customers in each city. I was joined by other Microsoft cloud subject matter experts, where together, we answered a range of technology, business process, and legal questions that attendees had—and believe me, they had some well-thought, complex questions!

For example, in Kansas City, attendees asked about service level agreements and were provided with the Microsoft perspective by our Assistant General Counsel, Dennis Garcia. In St. Louis, we were asked about Microsoft’s own journey to move workloads and applications from on premise to the cloud. Ryan Reed, from Microsoft IT, has been doing this work at Microsoft for some time, and shared architectural and development considerations with the audience. Enterprise customers in Minneapolis asked questions ranging from eDiscovery to security incident notifications, to the right to audit, to protecting sensitive healthcare information. These discussions are also extremely helpful to us, at Microsoft, to better understand which topics are top of mind for enterprise customers who are evaluating the use of or adopting cloud services.

I would like to again thank those customers who attended these events. Thank you!

More meetings like these have been scheduled in different cities across the country. If you are a CIO, CISO, legal counsel, or operations leader for an enterprise organization and would like to learn more about the Microsoft approach to building the industry’s most trustworthy cloud, please reach out to your account team to inquire.

I’m looking forward to meeting more customers and having deeper discussions on trust and transparency in the cloud in the coming weeks.

The Importance of Effective Information Sharing

January 29th, 2015

This week, I testified before the U.S. Senate Committee on Homeland Security and Governmental Affairs at a hearing on “Protecting America from Cyber Attacks: the Importance of Information Sharing.” It was good to see that the committee’s first hearing of the 114th Congress focuses on cybersecurity issues generally, and information sharing in particular, and I’d like to summarize the key points of my testimony.

There is no doubt that cybersecurity is an important issue for America, other nations, the private sector, and individuals. In an effort to better understand and help address the challenges we face, I regularly engage with government leaders from around the world, security-focused colleagues in the IT and Communications Sectors, companies that manage critical infrastructures, and customers of all sizes. From those interactions, I have concluded that cyber-attacks have joined terrorism and weapons of mass destruction as one of the new, asymmetric threats that put countries, corporations, and their citizens at risk.

With global threats, global actors, and global networks, no one organization – public or private – can have full awareness of all the threats, vulnerabilities, and incidents that shed light on what must be managed. There is no doubt that sharing such information can and has protected computer users and increased the effectiveness of the security community’s response to attacks. For example, in 2009, the Conficker Working Group came together to share information and develop a coordinated response to the Conficker worm, which had infected millions of computers around the world. After the working group developed a mitigation strategy, Information Sharing and Analysis Centers (“ISACs”) were mobilized, company incident response teams were activated, government responders were engaged, and the media reported as milestones were reached and services were restored. The challenge was addressed, and quickly.

Why is it, then, that after 20 years of discussion and proof of effectiveness, information sharing efforts are viewed as insufficient? The short answer is that while there are success stories, it is often true that those with critical information are unable or unwilling to share it. They may be unable to share it due to law, regulation, or contract, all of which can create binding obligations of secrecy and expose a company to legal risk if information is shared. Even when those restrictions permit sharing pursuant to authorized exceptions, legal risks remain, as parties may disagree on the scope of the exception. There are also non-legal, non-contractual risks; for example, a company that discloses its vulnerabilities may suffer reputational risk, causing both customers and investors to become concerned. It may even suggest to hackers that security is inadequate, encouraging other attacks.

With all these challenges in mind, we believe there are six core tenets that must guide information sharing arrangements:

1. Information sharing is a tool, not an objective.

2. Information sharing has clear benefits, but poses risks that must be mitigated.

3. Privacy is a fundamental value, and must be protected when sharing information to maintain the trust of users – individual consumers, enterprises, and governments – globally.

4. Information sharing forums and processes need not follow a single structure or model, and governments should not be the interface for all sharing.

5. Government and industry policies on information sharing should take into account international implications.

6. Governments should adhere to legal processes for law enforcement and national security requests, and governments should not use computer security information sharing mechanisms to advance law enforcement and national security objectives.

Information sharing has and does work. But it works because the parties see that the benefits (better protection, detection and response) outweigh the risks. History also teaches, however, that information sharing tends to work best when those involved trust each other to respect informal and sometimes formal agreements (e.g., non-disclosure agreements) on information use and disclosure.

The two most important things Congress can do are (1) ensure that the information sharing arrangements that are working effectively are left undisturbed; and (2) encourage additional information sharing by providing protections for shared information and addressing risks posed by information sharing, including privacy risks.

You can read my full testimony here.

Do you know your kids’ passwords?

August 27th, 2014

This is the second of two blog posts on password protection. Read Part 1: Create strong passwords and protect them.

Whether or not you should know all of your kids’ passwords depends on their age, how responsible they are, and your parenting values.

However, kids of any age and responsibility level need to know how to create strong passwords and how to protect those passwords.

Sharing is great, but not with passwords

Your kids should never give their friends their passwords or let them log on to their accounts. Also, be careful sharing your passwords with your kids.

3 strategies for strong passwords

  • Length. Make your passwords at least eight (8) characters long.

  • Complexity. Include a combination of at least three (3) uppercase and/or lowercase letters, punctuation, symbols, and numerals. The more variety of characters in your password, the better.

  • Variety. Don’t use the same password for everything. Cybercriminals can steal passwords from websites that have poor security and then use those same passwords to target more secure environments, such as banking websites.

For more information, see Help kids create and protect their passwords.

Back-to-school checklist: Clean up my digital life

Ever wonder what your online image says about you? Do you constantly “check in” on social media, take daily selfies, or post the latest images of your kids? In an era of seemingly non-stop online sharing of our thoughts, images, and experiences, it’s important to understand the lasting impact our digital actions have on us and those around us.

US households have an average of 5.7 devices for personal and professional use, according to a recent Microsoft study. As this interconnectivity continues to grow, it’s not surprising that people and organizations, including employers or college recruiters for example, turn to social networking sites as a way to help assess potential candidates. Our same research, however, found that only a small percentage of global respondents take key steps to help manage their online reputations:

  • 19 percent edited or deleted information to protect their online reputation;

  • 15 percent used search engines to monitor and manage their personal information online; and

  • 10 percent used a service to edit or delete information about themselves online.

This tells me that as connected as we might be, we may not be doing all we can to manage our online personas. So, before kids, and even parents, educators, counselors, and coaches, head back to school, Microsoft wants each of us to make a personal commitment to #Do1Thing to set yourself up for digital success this school year. Visit Microsoft.com/SaferOnline to share your story and learn more about managing your digital life. On the interactive website, you can also:

  • Take our social personality quiz: Which social media cliché are you?  Find out if you’re #HashtagHyper, a Click-Collector, or a One-Upper. Do you know someone who fits each profile? I bet you do.

    • Share your results through social media for the chance to win a MS Nokia Lumia 2520 Red 10.1 Tablet with Windows RT 8.1 (Verizon) in our #Do1ThingSweeps sweepstakes.

  • Watch our catchy video: It’s your social personality! Share this light-hearted piece with your social circles and help friends and family understand the potential impact of their online behavior.

  • Finally, review each of our online reputation tips and enjoy the dog days of summer knowing you’ve completed your back-to-school checklist.

For more information about Microsoft’s work in Online Safety, visit our Safety & Security Center, “like” us on Facebook, follow us on Twitter, and look for my “point of view” following the #MSFTCOSO hashtag.

What you need to know about privacy and security in OneDrive

July 24th, 2014

OneDrive is free online storage that’s built into Windows 8.1 and Windows RT 8.1. Add files from your PC to OneDrive, and then easily access your photos, music, documents, and other files on all the devices you use.

How you can help protect your privacy and security in OneDrive

Create a strong password for your Microsoft Account. You sign into OneDrive with your Microsoft Account. Here is some basic guidance on how to create a strong password for that account. Different sites have different rules for passwords that they’ll accept, but this guidance should work anywhere you need to create a password:

  • Length. Make your passwords at least eight (8) characters long.
  • Complexity. Include a combination of at least three (3) uppercase and/or lowercase letters, punctuation, symbols, and numerals. The more variety of characters in your password, the better.
  • Variety. Don’t use the same password for everything. Cybercriminals can steal passwords from websites that have poor security and then use those same passwords to target more secure environments, such as banking websites. Check the strength of your password.

Manage who can view or edit your OneDrive files. By default, your OneDrive files are available to you, although you can choose to share photos, documents, and other files. To share files or folders, right-click them and choose how you want to share them.

Add security info to your Microsoft account. You can add information like your phone number, an alternate email address, and a security question and answer to your account. That way, if you ever forget your password or your account gets hacked, we can use your security info to verify your identity and help you get back into your account. Go to the Security info page.

Use two-step verification. This helps protect your account by requiring you to enter an extra security code whenever you sign in on a device that isn’t trusted. For more information about two-step verification, see Two-step verification: FAQ.

Back up your OneDrive files. For details about using File History in Windows, see Set up a drive for File History.

For more information about how Microsoft helps keep your files safe in the cloud, see Privacy in OneDrive.

What’s new with Windows Phone 8.1?

May 22nd, 2014

Windows Phone 8.1 includes features that let you browse the web and use location awareness apps and other apps without losing control of your privacy and security.

Turn location services on or off

Location services can improve your experience in many different applications, from restaurant finders to social networks. If you don’t want to share your location, you can turn location services off. 

To turn location services on or off

  1. In the App list, tap Settings > Location.
  2. Turn Location services on or off.

See when an app is accessing your location information

If you want to use location services and also see when an app is accessing your phone’s location, you can turn on the Location icon.

To make sure this icon is turned on

  1. In the App list, tap Settings > Location.
  2. Select the Show icon check box.

Note Choosing not to display the Location icon doesn’t turn off location services. It simply hides the icon to reduce clutter on your phone’s status bar.

Change privacy settings on your mobile browser

Internet Explorer 11 for Windows Phone makes it easy to adjust settings. You can delete your Internet Explorer search history and use the SmartScreen Filter to help protect against unsafe websites. You can also set Internet Explorer to send a Do Not Track request to websites you visit to signal that you don’t want that website to track your browsing.

Privacy settings in Cortana (the new personal assistant for Windows Phone)

Cortana is the new digital assistant for Windows Phone 8.1 that can help with tasks and offer reminders, suggestions, and more. The more Cortana knows about you, the more efficient she can be.

Note: Cortana is only available on phones with Windows Phone 8.1, and only in some countries/regions. Check to see which software version you have.

Settings you can change in Cortana to help control your privacy

  • If Cortana is on, you can control detection of tracking info in email messages.
  • Regardless of whether Cortana is on or off, you can choose whether to send your browsing history to Microsoft to help improve our services and products.
  • If Cortana is on, you can control whether Cortana uses information from your Facebook account for personalization.

To understand how Cortana and Bing work with Facebook, see Cortana and my privacy FAQ.

For more information about these and other settings, see Privacy in Windows Phone 8.1.

Get the latest version of Internet Explorer

April 24th, 2014

Microsoft released an updated version of Internet Explorer this month, and it’s available as a free download on Windows 8.1, Windows 7, and Windows Phone 8.1. To increase your security and privacy, it’s important that you use the latest version of any software, but especially your web browser. This new version of Internet Explorer also includes new features that make it easier to browse the web on a variety of devices.

Learn more at the Internet Explorer blog.

If you have automatic updating turned on, you already have the latest version of Internet Explorer.

Learn how to get updates like this one, as well as security updates for all your Microsoft software automatically.

HOW TO: Recycle your old computers and devices for Earth Day

April 22nd, 2014

Today is Earth Day. Show your love for the globe by getting rid of your old technology in the most environmentally friendly way possible.

Step 1: Back up files or data you want to keep

Use the backup utilities that are built into Windows XP, Windows Vista, and Windows 7 to transfer files from your old computer to your new one.

If you’re getting rid of a computer that is running Windows 8, use File History.

Step 2: Remove personal information from your computer or device

If you use a Microsoft Certified Refurbisher, they will help you remove your data and help you donate your equipment to people in need around the world.

If you decide to remove the personal information yourself, wipe your hard drive by using specialized software that is designed to government standards and will overwrite your information (Active@ KillDisk and Softpedia DP Wiper are free downloads). 

Step 3: Find a reputable recycler

If you’ve already used a Microsoft Certified Refurbisher, they can help you find the right place for your old computers and devices. If you’re doing it yourself, you can find a list of Microsoft-sponsored recycling opportunities in your area.

Many places will offer rewards for your recycled technology. If you’re getting rid of old Xbox or PlayStation games, you might be able to exchange them for a gift card to buy new games.

For more information, see How to more safely dispose of computers and other devices. If you just want to upgrade your operating system, find out if your current computer can run Windows 8.1 and you might not even need to get rid of it.

Heartbleed: What you need to know

April 10th, 2014

On April 8, 2014, security researchers announced a flaw in the software that is used to protect your information on the web. The vulnerability, known as “Heartbleed,” could potentially allow a cyberattacker to access personal information.

After a thorough investigation, Microsoft determined that Microsoft Account, Microsoft Azure, Office 365, Yammer, and Skype, along with most Microsoft Services, are not impacted by the “Heartbleed” vulnerability. A few services continue to be reviewed and updated with further protections.

We encourage you to be careful what information you provide to websites and help protect the security of your online accounts by using different passwords for different websites, changing your passwords often, and making your passwords as complex as possible.

For more information, see Microsoft Services unaffected by Open SSL “Heartbleed” vulnerability.

Tax scams: 6 ways to help protect yourself

March 20th, 2014

We’ve received reports that cybercriminals are at it again, luring unsuspecting taxpayers in the United States into handing over their personal information as they rush to file their taxes before the deadline.

Here are 6 ways to help protect yourself.

1. Beware of all email, text, or social networking messages that appear to be from the IRS. Cybercriminals often send fraudulent messages meant to trick you into revealing your social security number, account numbers, or other personal information. They’ll even use the IRS logo. Read more about how the IRS does not initiate contact with taxpayers by email or use any social media tools to request personal or financial information.
2. Use technology to help detect scams. Scams that ask for personal or financial information are called “phishing scams.” Internet Explorer, Microsoft Outlook, and other programs have anti-phishing protection built in. Read more about identity theft protection tools that can help you avoid tax scams.
3. Check to see if you already have antivirus software. If a cybercriminal does fool you with a tax scam that involves downloading malware onto your computer, you might already be protected by your antivirus software. If your computer is running Windows 8, you have antivirus software built in. Download Microsoft Security Essentials at no cost for Windows 7 and Windows Vista.
4. Make sure the website uses secure technology. If you’re filing your taxes on the web, make sure that the web address begins with https, and check to see if a tiny locked padlock appears at the bottom right of the screen. For more information, see How do I know if I can trust a website and What is HTTPs?
5. Think before you download tax apps. Download apps only from major app stores—the Windows Phone Store or Apple’s App Store, for example—and stick to popular apps with numerous reviews and comments.
6. Be realistic. If it sounds too good to be true, it probably is. From companies that promise to file your taxes for free, to websites that claim you don’t have to pay income tax because it’s unconstitutional—keep an eye out for deliberately misleading statements.

Thanks to you the Microsoft #Do1Thing initiative donates $50,000 to TechSoup Global

Together we've raised $50,000

On Safer Internet Day, February 11, 2014, Microsoft launched the interactive Safer Online website. Every time you made your #Do1Thing promise or shared the website with your social circles, Microsoft made a donation to TechSoup Global.

In less than 24 hours, so many of you promised to #Do1Thing to stay safer that Microsoft donated $50,000 to TechSoup Global! But it wasn’t just the promise alone.

“As communities around the world use the Internet to learn and connect, developing responsible online safety habits is something each of us should act on,” says Rebecca Masisak, CEO of TechSoup Global. “We appreciate being a part of Safer Internet Day. And with your contributions, TechSoup Global will further develop and deliver online safety education training materials and guidance to be shared across our global network.”

So far, people from five continents have shared what they are doing to help create a better Internet. What’s the number one global promise so far? Creating strong passwords and regularly changing them. Other popular responses included: two-step authentication for online accounts, sharing minimal personal information, using secured Wi-Fi connections, and shopping on https-enabled websites.

Of those who answered our Safer Online polling questions:

  • Nearly half (47 percent) of participants chose learning as the greatest benefit the Internet has brought to their lives, while 17 percent chose exploring, and 10 percent go online for entertainment purposes.
  • Website visitors were also asked which potential online risks concern them the most. Of the nine choices, 28 percent selected financial loss as the most concerning, with 22 percent opting for loss of personal privacy, and 19 percent finding forms of malware on their device the greatest concern.
  • Finally, over two thirds (76 percent) of respondents edit or remove online information that may impact their reputation. Learn how to take charge of your online reputation.

If you haven’t done so yet, share your #Do1Thing story, see what others around the world are promising, and get online safety tips to help you stay safer online, today and every day! 

5 safety tips for online dating

February 13th, 2014

If you’re going to be connecting online this Valentine’s Day (or ever), follow these safety and privacy tips.

  1. Avoid catfishing. This is a type of social engineering designed to entice you into a relationship in order to steal your personal information, your money, or both. Always remember that people on the other end of online conversations might not be who they say they are. Treat all email and social networking messages with caution when they come from someone you don’t know.
  2. Use online dating websites you trust. Knowing when to trust a website depends in part on who publishes it, what information they want, and what you want from the site. Before you sign up on a site, read the privacy policy. Can’t find it? Find another site. For more information, see How do I know if I can trust a website?
  3. Be careful with the information you post online. Before you put anything on a social networking site, personal website, or dating profile, think about what you are posting, who you are sharing it with, and how this will reflect on your online reputation. For more information, watch this video about the dangers of oversharing.
  4. Be smart about details in photographs. Photographs can reveal a lot of personal information, including identifiable details such as street signs, house numbers, or your car’s license plate. Photographs can also reveal location information. For more information, see Use location services more safely.
  5. Block and report suspicious people. Use the tools in your email, social networking program, or dating website to block and report unwanted contact. Read this if you think you might already be a victim of a scam.

Do one thing to stay safer online, today and every day

Imagine how much safer we’d all be if we each did one thing to stay safer online.

As part of Safer Internet Day 2014, we’re launching Safer Online, a new interactive website where you can share your “Do1Thing” pledge, learn what others are doing to help protect themselves online, and get instant tips to enhance and better protect your digital lifestyle.

Protecting yourself and your family online is easier than you think.

Here’s an example of one thing you can do right now:

To help spread the word, download and use the #Do1Thing icon (JPG) from the Safer Online site as your social media profile picture to encourage others to join the Safer Internet Day (SID) movement. We want you to share your story on the Safer Online website with others. When you do, Microsoft will make a donation to TechSoup Global, a non-profit organization using technology to solve global problems and foster social change.

Take a quick tour of the new Safer Online consumer site that’s inspiring people around the world to “Do 1 Thing” to protect themselves online.

For more information about our work in Internet safety, visit our Safety & Security Center.

The best time to change your password is now

January 30th, 2014

You can reduce your chances of being hacked by regularly changing the passwords on all the accounts where you enter financial or other sensitive information. Set an automatic reminder to update passwords on your email, banking, and credit card websites every three months.

Different sites have different rules for passwords that they’ll accept, but here is some basic guidance on how to create strong passwords:

  • Length. Make your passwords at least eight (8) characters long.
  • Complexity. Include a combination of at least three (3) upper and/or lowercase letters, punctuation, symbols, and numerals. The more variety of characters in your password, the better.
  • Variety. Don’t use the same password for everything. Cybercriminals can steal passwords from websites that have poor security and then use those same passwords to target more secure environments, such as banking websites.

Learn more about how to create strong passwords and protect your passwords.

If you think someone has gone into your account and changed your password, learn how to recover a hacked account.

What are your privacy perceptions?

January 28th, 2014

To mark Data Privacy Day 2014, Microsoft released results of a survey measuring consumer privacy perceptions in the United States and Europe. According to our research, people in the United States estimate they have about 50 percent control over the way their information is used online. In Europe, it’s about 40 percent. 

At Microsoft, we’re committed to earning customer trust by demonstrating accountability and an inherent respect for privacy. Individuals expect us to prioritize their privacy and incorporate strong privacy protections into our products and services and we are constantly looking for ways to innovate on privacy in support of our customers.

For more information, see Marking Data Privacy Day with dialogue and new data, a blog post by Brendon Lynch, Chief Privacy Officer at Microsoft.
