Legal Practice Board suffers data breach, notifying data breach victims

October 3, 2025

The Legal Practice Board of Western Australia suffered a data breach on 21 May 2025. It claimed the incident was swiftly contained and that it had implemented changes to prevent a recurrence. In the following five months it discovered that the attacker had accessed more data than was identified in May, and that the additional data included health, identity and financial information. Unusually for a breach update, the Board has advised that there is a low risk of the data being misused because it believes the third party no longer holds it. That is far from the norm. Attackers usually retain stolen data unless they are persuaded to destroy it or hand it back, and in ransomware cases that almost invariably happens only after the ransom is paid. Unfortunately the Board will not share the basis for its belief. The Board also claims that an injunction will prevent any access to or sharing of the data. That is more assertion than evidence. Injunctions are becoming a standard response to cyber attacks; whether they slow the publication of data on the dark web or the sale of personal information remains to be seen.

It is ironic that the statutory body responsible for standards and discipline of the legal profession in Western Australia has had its own cyber security found wanting. It is even more notable that it took five months to discover that more information had been stolen than was previously thought. That points to a problem, either in the scope of the investigation and remediation, the resources provided for them, or the process for notifying victims.

The Legal Practice Board’s recent media release and the history of this data breach provides:

The Legal Practice Board (the Board) experienced a cyber incident in late May 2025 which resulted in some of our systems being taken offline, including our online website services.

Since this time, the Board has worked to restore and ensure the security of our systems, implement temporary manual workarounds where needed, and fully investigate the incident and potential data access. We would like to assure you that the incident was swiftly contained, and we have implemented a range of measures to prevent risk of reoccurrence.

Following a comprehensive investigation, the Board has determined that some additional data was accessed by the third party, beyond the small amount of information disclosed in May which was addressed at the time.

The Board is undertaking a detailed review of this data and on Wednesday 1 October, 2025, commenced notifying individuals whose health, identity and financial information was involved. 

If you have not received a notification by email or post there is no action you need to take. Please note, emails may be sent to work or personal email addresses.

The Board is continuing to assess whether any other information was involved and will issue further notifications should this be required. This webpage will be updated when the data review and notifications are complete.  

Importantly, the Board considers there is a low risk of misuse of the data involved, based on the following factors:  


US Federal Trade Commission takes action against Disney and Apitor for unlawful collection of children’s personal information

September 24, 2025

Protection of children’s privacy has been the subject of increasing focus by regulators worldwide. In Australia, under the Privacy and Other Legislation Amendment Act 2024, the Office of the Australian Information Commissioner (OAIC) must develop a Children’s Online Privacy Code by 10 December 2026. The Code will specify how online services accessed by children must comply with the Australian Privacy Principles and may impose additional requirements, provided they are not inconsistent with the existing principles. Legislation protecting children’s privacy has been in place in the United States for some time, in the form of the Children’s Online Privacy Protection Act (“COPPA”) and the COPPA Rule made under it. Recently the Federal Trade Commission (“FTC”) has taken action against Disney and Apitor, a robot toy maker, regarding the unlawful collection of children’s personal information.

Complaint against Disney

Disney has entered into a settlement with the FTC to resolve allegations that it enabled the unlawful collection of children’s personal information in breach of COPPA. The breach was

Interest in Genea data breach class action growing

September 22, 2025

SBS has published a very interesting piece on the Genea data breach and medical privacy in general, ‘Really angry’: Isabel is one of hundreds considering class action against this IVF provider. The story reports that Phi Finney McDonald are investigating whether to bring a class action.

The story highlights the chronic problem of organisations holding personal information for much longer than is reasonable. The health sector is particularly prone to this data hoarding. There have been cases of medical practices retaining the records of patients who have died. The deceased have no privacy protections, but there is also no basis for holding onto such records. It is a systemic problem. Because storing digitised personal records is cheap and becoming cheaper, there is little urgency or financial need to purge databases. The Genea and Optus data breaches show that such poor data handling results in the theft of personal information that should not have been in the organisations’ possession in the first place.

The Genea data breach also highlights how a poor data breach response plan can aggravate an already damaging situation. Genea initially treated its patients and former patients poorly, has been very tight-lipped about the breach generally and took an inordinate amount of time to properly notify the patients affected.

The article provides:

Hundreds of Australians have shown interest in a class action lawsuit, which could be the first test of new reforms to Australia’s Privacy Act.

Isabel Lewis wanted to have children so badly that her friends nicknamed her “clucky”.

She would write letters to the child she dreamed of having, but there was a stumbling block for Lewis.

“I was 38 and single,” she tells SBS News.

“It was hard to date when you are single, but you are desperate to have children.”

It was then that Lewis made a big life decision: to pursue motherhood without a partner.

“In that process, I was like, ‘Well, clearly then I’ll be single forever. No-one will ever want to date somebody with children,'” she says.

“But then I met Chris.”

The pair clicked, and for her next cycle, Lewis put her initial donor on hold and used her new partner Chris Lewis’s sperm instead.

A few cycles later, they were trying for a fifth time, a cost that put the pair into debt.

Lewis says this was going to be their last try, but to her amazement, not one but two of her embryos were successful.

“We had twins, baby boys, and they’re Chris’s biological children,” she says. “They’re the jackpot babies.”

Eight years on, her boys are happy and healthy, and she and Chris are married.

The now 46-year-old holds her journey to motherhood close to her chest, but since a data breach targeted the fertility clinic she used, she’s become concerned it could be exploited for malicious purposes.

In February, Genea Fertility informed clients, including Lewis, via email that personal data had been breached by cybercriminals and posted to the dark web.


Privacy Commissioner finds that Kmart’s use of facial recognition technology breached the Privacy Act and was unlawful

September 18, 2025

First it was Bunnings, and now Kmart has breached the Privacy Act 1988 in its use of facial recognition technology. Today the Privacy Commissioner published the results of a Commissioner-initiated investigation which found that Kmart Australia breached the Australian Privacy Principles in collecting personal and sensitive information through facial recognition technology in the period June 2022 to July 2022. The story is covered by Information Age’s article Kmart facial recognition broke privacy laws, regulator finds. It is also covered by the ABC, the Australian Financial Review,

Signal Foundation sounds alarm on AI agents invading privacy

AI has a voracious appetite for data. The implications for privacy protection are obvious. Less well known, or at least less discussed, is the danger to privacy from AI agents. This is explained clearly, and concerningly, by the President of the Signal Foundation, Meredith Whittaker, in this week’s Economist By Invitation piece AI agents are coming for your privacy, warns Meredith Whittaker. A key concern is that operating system vendors are integrating AI agents into the core of their platforms, so that they become mandatory rather than optional. It is a particularly apt article for a delicate time in the development of AI technology. The development of AI cannot be at the expense of privacy. More to the point, AI can be developed with privacy protections built in, not bolted on as an afterthought.

The article provides:

Soon we will all have robot butlers, an army of AI agents anticipating our needs and fulfilling our desires. At least, this is the tech promise of the moment. From booking a restaurant to asking your crush on a date, we’ll be able to put our brain in a jar while a bundle of AI systems does our living for us. Why waste time on wooing when you can leave it to your botservant to turn on the charm? In pursuit of this future, the companies that dominate this market are busy injecting AI agents into the nervous system of the digital world. But as in fairy tales, so in life: relying on magical fixes leads to trouble.

National Institute of Standards and Technology releases important report on Ransomware Risk Management

September 13, 2025

Ransomware is a chronic and growing problem in cybersecurity. It is important that organisations understand the threat, but more important still that they properly prepare for an attack. On both counts Australian companies are generally underprepared. The National Institute of Standards and Technology (NIST) publishes excellent guides and reports. Its report NIST IR 8374 Revision 1, Ransomware Risk Management: A Cybersecurity Framework 2.0 Community Profile, is particularly timely. It is a crucial document that can help organizations bolster their defenses against ransomware threats.

The Abstract provides:

Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. This Cybersecurity Framework (CSF) 2.0 Community Profile identifies the security objectives from the NIST CSF 2.0 that support governing, identifying, protecting against, detecting, responding to, and recovering from ransomware events. The Profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of such events. This Profile can be leveraged in developing ransomware countermeasures.

The Report starts with a very good description of the challenge ransomware poses, stating:

Ransomware is a type of malware that encrypts an organization’s data and demands payment as a condition of restoring access to that data. Ransomware can also be used to steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware events target the organization’s data or critical infrastructure, disrupting or halting operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and attempt to restore operations themselves. The methods ransomware uses to gain access to an organization’s information and systems are common to cyberattacks more broadly, but they are aimed at forcing a ransom to be paid. Techniques used to promulgate ransomware will continue to change as attackers constantly look for new ways to pressure their victims.

Ransomware attacks differ from other cybersecurity events where access may be surreptitiously gained to information such as intellectual property, credit card data, or personally identifiable information and later exfiltrated for monetization. Instead, ransomware threatens an immediate impact on business operations. During a ransomware event, organizations may be afforded little time to mitigate or remediate impact, restore systems, or communicate via necessary business, partner, and public relations channels. For this reason, it is especially critical that organizations be prepared. That includes educating users of cyber systems, response teams, and business decision makers about the importance of – and processes and procedures for – preventing and handling potential compromises before they occur.

Fortunately, organizations can follow recommended steps to prepare for and reduce the potential for successful ransomware attacks. This includes the following: establish, communicate and monitor ransomware risk strategy, expectations and policy; identify and protect critical data, systems, and devices; detect ransomware events as early as possible (preferably before the ransomware is deployed); and prepare to respond to and recover from any ransomware events that do occur. There are many resources available to assist organizations in these efforts. They include information from the National Institute of Standards and Technology (NIST), the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS).

The Report provides

French regulator fines Google $379 million for cookie consent violations

September 7, 2025

Large tech companies have found themselves under close scrutiny from European privacy regulators of late. The latest is the French data protection authority fining Google $379 million (€325 million) and Chinese e-commerce operator Shein $175 million (€150 million) for setting advertising cookies without customers’ consent.

The story is reported by The Hacker News with Google Fined $379 Million by French Regulator for Cookie Consent Violations.

The story provides:

The French data protection authority has fined Google and Chinese e-commerce giant Shein $379 million (€325 million) and $175 million (€150 million), respectively, for violating cookie rules.

Both companies set advertising cookies on users’ browsers without securing their consent, the National Commission on Informatics and Liberty (CNIL) said. Shein has since updated its systems to comply with the regulation. Reuters reported that the retailer plans to appeal the decision.

Pseudonymised data and whether it is personal information. The Court of Justice of the European Union in European Data Protection Supervisor v Single Resolution Board finds that it is not personal data in all cases. Relevant for Australia

The question of the status of pseudonymised data confounds many and is the subject of some controversy. OVIC has published a report, The Limitations of De-Identification – Protecting Unit-Record Level Personal Information. The Privacy Commissioner’s APP guidelines on pseudonymity state that:

2.6 Pseudonymity requires that an individual may deal with an APP entity by using a name, term or descriptor that is different to the person’s actual name. Examples include an email address that does not contain the person’s actual name, a user name that a person uses when participating in an online forum, or an artist who uses a ‘pen-name’ or ‘screen-name’.

2.7 The use of a pseudonym does not necessarily mean that an individual cannot be identified. The individual may choose to divulge their identity, or to volunteer personal information necessary to implement a particular transaction, such as credit information or an address at which goods can be delivered. Similarly, an APP entity may have in place a registration system that enables a person to participate by pseudonym in a moderated online discussion forum, on condition that the person is identifiable to the forum moderator or the entity.

2.8 An APP entity should bear in mind that the object of APP 2 is to provide individuals with the opportunity to deal with the entity without revealing their identity. Personal information should only be linked to a pseudonym if this is required or authorised by law, it is impracticable for the entity to act differently, or the individual has consented to providing or linking the additional personal information. An entity could also restrict access to personal information that is linked to a pseudonym to authorised personnel (for a discussion of the security requirements for personal information, see Chapter 11 (APP 11)).

In EDPS v SRB the Court of Justice of the European Union confirmed that pseudonymised data will not be personal data in all cases. Whether the data is actually personal depends on the context, which requires an assessment of all the means reasonably likely to be used to identify the individual.

The Decision

The Court relevantly stated:

The requirement that

Google ordered to pay $425 million in privacy class action lawsuit in the United States of America

September 4, 2025

In a federal court class action in the United States involving about 98 million Google users and 174 million devices, the jury found for the claimants and awarded $425 million against Google for breaching users’ privacy. The breach was Google collecting data from users even after they had turned off a tracking feature in their Google Accounts. The original claim was for more than $31 billion. Jury awards in the United States can be eye-wateringly high; appeal courts regularly reduce them where the parties do not agree a reduction between themselves.

The story is covered by the BBC with Google told to pay $425m in privacy lawsuit, Reuters with Google must pay $425 million in class action over privacy, jury rules and Tech Xplore with Jury tells Google to pay $425 mn over app privacy.

The BBC story provides:

A US federal court has told Google to pay $425m (£316.3m) for breaching users’ privacy by collecting data from millions of users even after they had turned off a tracking feature in their Google accounts.

The verdict comes after a group of users brought the case claiming Google accessed users’ mobile devices to collect, save and use their data, in violation of privacy assurances in its Web & App Activity setting.

They had been seeking more than $31bn in damages.

“This decision misunderstands how our products work, and we will appeal it. Our privacy tools give people control over their data, and when they turn off personalisation, we honour that choice,” a Google spokesperson told the BBC.


National Institute of Standards and Technology releases report on Multi-Factor Authentication for Criminal Justice Information Systems: Implementation Considerations for Protecting Criminal Justice Information

Multi-factor authentication is a critical part of any cyber security program. While it is becoming standard in many larger organisations, it is poorly understood and even more poorly implemented. The National Institute of Standards and Technology (“NIST”) has released a report on multi-factor authentication for Criminal Justice Information Systems. The subject is specific, but the contents of the report have broader application.

The abstract provides:

Most recent cybersecurity breaches have involved compromised credentials. Migrating from single-factor to multi-factor authentication (MFA) reduces the risk of compromised credentials and unauthorized access. Both criminal and noncriminal justice agencies need to access criminal justice information (CJI); to reduce the risk of unauthorized access, the Criminal Justice Information Services (CJIS) Security Policy now requires the use of MFA when accessing CJI. This document provides practical information to agencies that are implementing MFA, reflecting on lessons learned from agencies around the country and from CJI-related technology vendors.

The report is worth reading. Some interesting