Anthem Inc, America’s largest health insurance company, settles litigation over hack of 79 million people’s accounts for $115 million

June 24, 2017

Reuters reports, in Anthem to pay record $115 million to settle U.S. lawsuits over data breach, the resolution of a class action arising out of a massive data breach of 79 million individuals’ personal information.

The Plaintiffs’ website announced that the court will consider the settlement on …

Ponemon Institute releases 2017 Cost of Data Breach around the world

June 22, 2017

The cost of data breaches can be catastrophic. The BBC reports that a South Korean web hosting firm, Nayana, which had been the subject of a ransomware attack, has paid about $1 million. The hackers initially wanted $4.4 million, payable in Bitcoin. The orthodox advice is not to pay the ransom. The reality is more mixed.

Ponemon has released another very useful report, this time on the cost of data breaches. It is titled 2017 Cost of Data Breach Study: Global Overview.

Some interesting findings include …

The Australian Competition and Consumer Commission sends warning about phishing

June 20, 2017

The Australian Competition and Consumer Commission (ACCC) has issued an alert about phishing scams, stating that so far this year there have been 11,000 reports and losses of $260,000. Given that under-reporting is the norm, it is likely that the losses are much greater.

The media release provides:

The ACCC is warning people to stay alert to ‘phishing’ scammers pretending to be from well-known businesses and government departments trying to con unsuspecting victims out of their personal information and money. …

Personal information of nearly 200 million US citizens exposed online in massive data breach…courtesy of a third-party provider’s lax cyber security. Familiar story.

Data breaches by third-party providers, usually contractors, are becoming a chronic problem. Weaknesses in the cyber security of smaller contractors have allowed hackers to access large corporations’ systems, as with Target in late 2013, or to access large companies’ personal information and intellectual property, as with the theft of a season of Orange is the New Black. With the maturation of the data analytics industry and the increasing sophistication of algorithms, the processing of data is increasingly …

Australian Law Reform Commission releases long awaited report on elder abuse

June 15, 2017

The Australian Law Reform Commission has released a comprehensive report, Elder Abuse – A National Legal Response. For legal practitioners the relevant recommendations include …

UK Information Commissioner’s Office fines Gloucester City Council £100,000 for exposing personal information to cyber attack

June 14, 2017

It is a critical part of maintaining data security to address vulnerabilities in a website as and when they become known. That requirement appears in all guidance issued by privacy commissioners. Usually it is a fairly straightforward task: updating programs, installing patches when a vulnerability is identified and responding to notices about threats. Organisations should, but rarely do, organise penetration testing. In the United States there is a culture of engaging white hat hackers to test the cyber defences of government and organisations.

Protecting against well-known vulnerabilities is the necessary minimum. Gloucester City Council will now realise that, having been fined £100,000 for failing to repair a known vulnerability, the Heartbleed flaw in OpenSSL, on the council’s website. This failure …
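The Heartbleed flaw referred to above was a missing bounds check: the server trusted the length a client claimed for its heartbeat payload and echoed back that many bytes, so a client could read memory it had never sent. The following is an added example, not code from this post, from the council, or from OpenSSL. It models the bug on a simplified heartbeat record (type, two-byte length, payload, sixteen bytes of padding); the function names, the record layout and the in-memory "secret" are constructed for illustration, and the vulnerable and hardened handlers are placed side by side so that the one missing check is visible.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat message (assumed layout, modelled on TLS heartbeat):
 *   type(1) | payload_length(2, big-endian) | payload | padding(16)
 * The function names and memory layout below are constructed for this
 * example; they are not OpenSSL's. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Vulnerable handler: it trusts the peer-supplied payload_length and copies
 * that many bytes out of the record. A 16-bit length lets the peer ask for
 * up to 64 KiB, far more than was actually received, so the copy reads past
 * the record into adjacent memory and echoes it back. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)              /* guards the output buffer only */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* over-read when payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Hardened handler: the claimed payload, plus header and padding, must fit
 * inside the record that was actually received; otherwise the message is
 * silently discarded. This is the shape of the upstream fix. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)   /* the missing bounds check */
        return 0;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Constructed memory image: a 20-byte request carrying one real payload
 * byte ('A') but able to claim more, followed by a "secret" that should
 * never be sent to the peer. Everything stays inside `mem`, so the
 * over-read is observable without undefined behaviour. */
static const char SECRET[] = "SESSION-KEY-0xDEADBEEF";   /* constructed value */
static const size_t REC_LEN = 1 + 2 + 1 + HB_PADDING;    /* 20 bytes received */

static void build_memory(unsigned char *mem, size_t cap, unsigned char claimed)
{
    memset(mem, 0, cap);
    mem[0] = HB_REQUEST;
    mem[1] = 0x00;
    mem[2] = claimed;           /* peer-controlled payload_length (low byte) */
    mem[3] = 'A';               /* the only real payload byte; then 16 x 0 padding */
    memcpy(mem + REC_LEN, SECRET, sizeof SECRET - 1);   /* adjacent memory */
}

/* Returns 1 if the vulnerable handler's response contains the secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char mem[64], out[128];
    build_memory(mem, sizeof mem, 0x20);                 /* claims 32 bytes */
    size_t n = heartbeat_vulnerable(mem, REC_LEN, out, sizeof out);
    if (n == 0)
        return 0;
    /* mem[20..34] (the first 15 secret bytes) land at out[20..34] */
    return memcmp(out + REC_LEN, SECRET, 15) == 0;
}

/* Hardened handler's response length for the same oversized claim (0 = dropped). */
size_t fixed_rejects_oversized(void)
{
    unsigned char mem[64], out[128];
    build_memory(mem, sizeof mem, 0x20);
    return heartbeat_fixed(mem, REC_LEN, out, sizeof out);
}

/* Hardened handler's response length for an honest request (claims 1 byte). */
size_t fixed_echoes_valid(void)
{
    unsigned char mem[64], out[128];
    build_memory(mem, sizeof mem, 0x01);
    size_t n = heartbeat_fixed(mem, REC_LEN, out, sizeof out);
    return (n > 3 && out[0] == HB_RESPONSE && out[3] == 'A') ? n : 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler, oversized claim:  %zu bytes\n", fixed_rejects_oversized());
    printf("fixed handler, honest request:   %zu bytes\n", fixed_echoes_valid());
    return 0;
}
```

The point for a practitioner is in the comparison: the vulnerable handler already checks one length (that the response fits its output buffer) and still leaks, because the check that matters is whether the claimed length fits the input that was actually received. Patching, as the post says, is the straightforward remedy; this shows why the unpatched code was exploitable at all.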

‘LP’ v The Westin Sydney (Privacy) [2017] AICmr 53 (7 June 2017): APP 3.5 and 12, secret recording of telephone conversation by The Westin

The Privacy Commissioner handed down a decision finding that The Westin Sydney interfered with the complainant’s privacy in ‘LP’ and The Westin Sydney (Privacy) [2017] AICmr 53. The Westin was found to have interfered with the privacy of LP by recording his telephone conversation without advising him beforehand. It is a decision that has not been publicised. That is a shame, and quite different to the practice of the Information Commissioner in the United Kingdom and the Federal Trade Commission in the United States. It is a practice failing by the Australian Privacy Commissioner.


LP booked a room at The Westin. On the afternoon of 17 January 2016, he arrived and checked in. The Westin employee who handled his check-in informed him that there would be a 10 to 20 minute delay until his room became available. While LP was waiting in the hotel’s executive lounge he received a call on his mobile phone from a Westin employee, who advised that the preferred room would not be available until later that afternoon. LP was then asked whether he wanted to wait for a similar room on a different floor, or whether he would prefer an alternative smaller room on the same floor that was available immediately. LP agreed to accept the alternative room, but was unhappy [4].

LP subsequently complained to The Westin about his treatment, including the unavailability of his preferred room. While responding to this complaint, on 18 January 2016, the Executive Assistant Manager of The Westin referred to the recording of LP’s call with a Westin employee. LP had been unaware that The Westin had recorded the call [5].

On 19 January 2016, LP emailed …

Hong Kong Privacy Commissioner investigates loss of computer notebook containing names

June 12, 2017

The loss of computers containing personal information is an all too common event. I have previously written a post on the UK Information Commissioner’s Office taking action over the loss of a laptop. It is a serious problem because notebooks, the common if not preferred form of computer for many workers, are easily lost or stolen, and they can store large amounts of sensitive data. While theft and loss are a problem, the bigger problem for organisations is poor security of the data stored on the device. Poor training results in more data being kept than is required, data not being properly encrypted and computers not being properly password protected.

The Hong Kong Privacy Commissioner has conducted an investigation and today published a detailed report on the loss of notebook computers which contained personal data of Election Committee members and electors. The amount of data on the two lost computers is significant: 1,200 Election Committee members and 3.78 million electors. Some of the data was …

EU General Data Protection Regulation less than a year away. The Privacy Commissioner issues guidance

In slightly less than a year, from 25 May 2018 to be precise, the General Data Protection Regulation (“GDPR”) will take effect throughout the European Union. Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. It is more an evolution of the existing data protection laws than a new system. That said, it is a …

The United States Supreme Court to consider whether the police need warrants to obtain cellphone location data

June 11, 2017

The US Supreme Court has in recent times considered the use of new technologies, their privacy-intrusive consequences and whether they constitute a constitutional breach. In 2012 the Court in United States v Jones held that installing a GPS tracking device on a vehicle and using the device to monitor the vehicle’s movements constitutes a search under the Fourth Amendment. In Riley v California (2014) the Court unanimously held that the warrantless search and seizure of the digital contents of a mobile phone during an arrest was unconstitutional.

On 5 June 2017 the Supreme Court agreed to hear argument in the October Term in Carpenter v United States on whether police must obtain a warrant to obtain the cell-site location data of suspects.

The question presented to the Court is …