Victorian Privacy and Data Protection Deputy Commissioner commences examination of privacy/security in Victorian Universities

October 21, 2020

Universities are prime targets for cyber attack and are also prone to plain poor data handling. In the former category, the Australian National University suffered a massive and prolonged data breach over 2018/2019 caused by overseas actors, probably Chinese (my post here), while more recently the University of Tasmania had a significant data breach involving over 19,000 names through incompetent data protection (my post here).

Today the Victorian Privacy and Data Protection Deputy Commissioner commences an examination of how Victorian universities protect personal information. The press release Read the rest of this entry »

New Zealand Privacy Commissioner launches a privacy breach reporting tool

New Zealand has come even later to mandatory data breach reporting. Its legislation comes into effect on 1 December 2020. The New Zealand Privacy Act 2020 is, like Australia’s, far from the gold standard. But New Zealand does have a tort of interference with privacy, which puts it well ahead of Australia.

Determining whether a data breach is notifiable can be a difficult weighing exercise under both the Australian and New Zealand legislation. Both Acts use serious harm as a threshold but provide no definition of what that is. In the New Zealand Act the process involves considering the quite general factors set out in section 113, which provides:

Assessment of likelihood of serious harm being caused by privacy breach

When an agency is assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is a notifiable privacy breach, the agency must consider the following:

(a) any action taken by the agency to reduce the risk of harm following the breach:

(b) whether the personal information is sensitive in nature:

(c) the nature of the harm that may be caused to affected individuals:

(d) the person or body that has obtained or may obtain personal information as a result of the breach (if known):

(e) whether the personal information is protected by a security measure:

(f) any other relevant matters.

Mandatory data breach notification is a complicated process. The Privacy Commissioner has Read the rest of this entry »

National Security Agency puts out a security advisory about Chinese hackers exploiting vulnerabilities

The US National Security Agency prefers staying in the shadows. It is therefore notable that it has issued a very public cybersecurity advisory highlighting vulnerabilities Chinese hackers are using as part of their cyber attacks.

The advisory Read the rest of this entry »

Smart devices being used for domestic abuse

The vulnerability of the internet of things to hacking has long been known. That doesn’t mean it has been dealt with adequately. The common problem is third parties gaining access to those devices through inadequate security or weak passwords. A recent BBC article, How smart devices are exploited for domestic abuse, demonstrates how the internet of things can be used to track and terrorise.

A machine or application is in and of itself neither evil nor good. It has no value. It provides a service or performs a function. As the article makes clear, features designed to assist, such as a doorbell camera, can be used by partners or ex-partners to surveil. Family apps, which I find creepy, are designed to monitor children’s safety. But the data can be relayed to Read the rest of this entry »

Yuanda Vic Pty Ltd v Facade Designs International Pty Ltd [2020] VSCA 269 (16 October 2020): application for stay pending appeal, special or exceptional circumstances

October 20, 2020

In Yuanda Vic Pty Ltd v Facade Designs International Pty Ltd [2020] VSCA 269 the Court of Appeal granted a stay of payment pending the hearing of an appeal. It is an interesting and valuable decision because it is a comprehensive analysis of the principles associated with making a stay application. It is also notable because the application was successful, a result that is normally difficult to achieve.

FACTS

Under a supply and installation agreement dated 13 April 2018 (‘the Contract’), the respondent (“Facade Designs”) agreed to install façade elements manufactured and supplied by the applicant (“Yuanda”) as part of the construction of commercial and residential towers at 447 Collins Street, known as ‘the Arch on Collins’ (‘the Project’), for the price of $14.5 million [5]. Facade Designs provided works from September 2018 until November 2019, when the Contract was terminated [6].

On 30 September 2019, Facade Designs provided a payment claim under s 14 of the Building and Construction Industry Security of Payment Act 2002 (‘the Act’) for $4,584,820.68 (inclusive of GST) (‘the Payment Claim’) [7]. Yuanda paid Facade Designs $1,115,455 (inclusive of GST) on 2 October 2019, reducing the amount claimed to $3,469,365.58 [8].

Yuanda failed to provide a payment schedule to the respondent within 10 business days of receiving the Payment Claim, as contemplated by s 15 of the Act [9]. Pursuant to s 15(4), Yuanda became liable to pay Facade Designs the amount claimed on 30 October 2019 [10]. The applicant failed to pay the amount claimed [11]. Facade Designs conceded some reductions and sought judgment pursuant to s 16(2)(a) of the Act [12].

The Court rejected Yuanda’s contention that:

(a) the Payment Claim was invalid because it did not sufficiently identify the construction work or related goods and services to which the progress payments related within the meaning of s 14(2)(c) of the Act and as a consequence it was not liable to pay the amount under s 15(4) of the Act (‘the Adequacy of the Payment Claim’); and

(b) the Payment Claim included excluded amounts within the meaning of s 14(3)(b) and pursuant to s 16(4)(a)(ii) of the Act.

In relation to the excluded amounts issue, the court held that, in determining Read the rest of this entry »

UK Information Commissioner’s office fines British Airways 20 million pounds for data breach affecting 400,000 customers

October 17, 2020

The UK Information Commissioner’s Office (“ICO”) has fined British Airways (BA) £20 million for a data breach in 2018. I did a post on it in September 2018. The ICO initially intended to fine BA nearly £184 million and made a statement in July 2019 to that effect in response to BA’s statement to the London Stock Exchange. The Commissioner decided to reduce the sum in light of the impact COVID 19 has had on BA’s business and finances.

As often happens, the regulator’s investigation into the cyber attack turned up multiple failings by BA, both in protecting its network and in detecting the attack. And that attack was both wide and deep in its penetration. Through the attack, the addresses of 244,000 customers were accessed, as were the credit card details with CVV numbers of 77,000 customers and the credit card numbers Read the rest of this entry »

Surveillance of workers at home… a new (actually old) privacy issue that has been given a kick along

The cynical saying “don’t waste a good crisis” has found expression in plenty of examples of unimpeded and inadequately scrutinised change by governments and businesses. Here there has been a solid level of support for governments doing the right thing, and generally less fractious argument between workers and employers. The feeling is that we are all in this together, so the presumption is that the commonweal trumps all, including individual rights. That is a dangerous mindset and one that leads to abuse which can be difficult to undo when the crisis passes, as the technology is embedded into the workplace structure with little to no push back.

The phenomenon of employee monitoring is not a unique by-product of the COVID 19 lockdown and remote working. It has been a growing trend for some time. In 2018 Gartner produced a report, The Future of Employee Monitoring, where it found that in 2018 50% of companies surveyed used some form of non-traditional monitoring techniques. The figure was 30% in 2015. Gartner predicted that number would be 80% this year. That prediction was made without factoring in the change in workplace arrangements with COVID 19. There has been a discernible effort by employers to use the available technology to monitor their workers’ output while they work remotely, coupled with a growing list of increasingly sophisticated surveillance tools. The result is an ineffectively regulated and comprehensive means to surveil employees in their homes. This is well described Read the rest of this entry »

Contact tracing data collected from pubs and restaurants in the UK being sold to marketers

October 12, 2020

When the history of the COVID 19 pandemic is written, the chapter on how governments and organisations respected individuals’ privacy will be grim reading. The way in which data was collected by businesses at venues was at best sloppy and oftentimes almost criminally negligent. I gave up counting how many scraps of paper or, for some reason, children’s exercise books were left lying around with details of patrons in plain view. Some of the information sought went beyond names and contact details. Governments went overboard on tracking, to the point where Israel halted police phone tracking because the privacy intrusion was so great. The contact tracing app in Australia was oversold as an aid and seriously underperformed. It rarely features in any discussions by, well, pretty much anyone.

The Times reports, in Contact-tracing data harvested from pubs and restaurants being sold on, that data collected to assist contact tracing has been sold on by the establishments that collected it. That is a blatant breach of Read the rest of this entry »

The US Internal Revenue Service being investigated for using location data without a warrant… the great temptation for government agencies

October 8, 2020

Governments love data. All governments, for as long as there have been governments. The Assyrian empire as long ago as 2025 BC developed a bureaucracy and kept records about its subjects. The Romans took it to a new level with the census. And with every new age and development the collection has become more sophisticated. But there were always costs and inefficiencies in collecting, managing and using data. The East German authorities essentially drowned under the flood of information from informants and the obsessive surveillance of the Stasi. In the digital age the collection, aggregation and use of masses of data has been simplified. And data can be used more effectively with enhanced computer power and algorithms. And the temptation to interfere with privacy while using data is a constant one for government agencies, especially those chasing revenue. As can be seen in the report The IRS Is Being Investigated for Using Location Data Without a Warrant, which reports Read the rest of this entry »

US Senate Committee on Commerce, Science, and Transportation conducts hearings about the need for federal level privacy law

October 6, 2020

The United States does not have comprehensive data privacy legislation. Most states in the United States have some form of data protection legislation, including mandatory data breach notification laws. At the federal level, businesses, in particular those engaged in collecting and selling data, have resisted any attempt to provide some form of regulation on the collection, storage and use of personal information. The dynamics have changed somewhat in the last two years with the outrageous abuse of personal information by Facebook with Cambridge Analytica, Google’s continuous data avarice and significant data breaches involving millions of individuals’ personal information.

The US Senate Committee on Commerce, Science, and Transportation held hearings on 23 September 2020 in Washington DC. The hearing was titled Revisiting the Need for Federal Data Privacy Legislation. The purpose was described as Read the rest of this entry »