Peter A Clarke

The DP World data breach caused major disruption at Australian ports around 13 November 2023 . There was no mention of personal information being accessed. Now the ABC reports in DP World Australia confirms employee data was stolen during cyber attack, warns of further freight delays ahead of Christmas rush that the personal information had been accessed.There is nothing on its website.  This knkowledge would have been in DP World’s possession for some time.  Often these late announcements immediately proceed an organisation finally notifying staff whose personal information was accessed.  It follows a poor practice play book.

The article Read the rest of this entry »

Australian privacy and cyber security operators, or anyone who follows the news found at the front of the paper, doesn’t need to be told of law firms being a prime target of cyber attacks. The HWL Ebsworth data breach was one of the big data breaches of 2023. Given the firm had a large Government practice it is not surprising that the data breach affected personal information it held in its work for 65 government agencies.  It is also a salient example of the cobblers children going shoeless.  Its response to the data breach has been quite poor.

A reminder that  this is a chronic threat is an article titled Cyberattack on IT provider CTS impacts dozens of UK law firms.  The mode of the attack is familiar, through a third party provider with authorisations and poor cyber security.  Here the Read the rest of this entry »

The Government today announced the appointment of Carly Kind as a stand alone Privacy Commissioner, effective on 26 February 2024. This is an appointment that was foreshadowed in May 2023. The Privacy Commissioner was never abolished, and is a statutory position. The Information Commissioner was created in 2010. The new Federal Government announced that it would abolish the Information Commissioner in the 2014 budget and for a time cut its funding drastically. The Information Commissioner also held the position of the Privacy Commissioner. The attempts to abolish the Privacy Commissioner ended in May 2016 and the Government increased its funding, Its funding situation has steadily improved since then. With data breaches being a high profile issue the Commissioner has received very significant funding increases. In this year’s May budget it received an extra $17.8 million for the 2023 – 24 financial year and $44.3 million to support privacy activities and another $9.2 million over two years to regulate privacy elements of Consumer Data Right, My Health Record and Digital Identity.

The timid enforcement and spotty regulation of the Privacy Act 1988 has been attributed to the inadequate  funding in the past, especially in the 2014 – 2016 period, and beyond.  That is partly true but far from the whole story.  The Privacy Commissioner then Information Commissioner was a less than optimal regulator in the period pre 2014 and after 2016.  Since it obtained civil penalty proceeding powers in 2014 it has only commenced two actions, one of which was earlier this month.  That is regrettable. 

The Attorney General’s announcement of the appointment is:

Carly Kind has been appointed as Privacy Commissioner, reinstating the standalone position abolished by the Coalition. Ms Kind brings to the Privacy Commissioner role expertise in data protection; AI policy, practice and governance; privacy; and technology law and policy.

Ms Kind has held the role of inaugural Director of the London-based Ada Lovelace Institute since 2019. Between 2015 and 2019 she was an independent consultant to a number of human rights organisations, trusts and foundations, international organisations and the private sector. She has provided advice on legal, ethical and practical issues at the intersection of technology and human rights.

Ms Kind will commence on 26 February 2024. Ms Angelene Falk, the Australian Information Commissioner, will continue as Privacy Commissioner until that time.

When the Government amends the Privacy Act, probably some time next year, the Privacy Commissioner is likely to have stronger powers. In addition to the enhanced powers given to her this year.  The test will be whether they are used and how effective such regulation is.

The UK Information Commissioner has released a media release regarding the successful prosecution of a secretary of the National Health Service for illegally accessing medial records of 150 people without authorisation. This ties in with my recent post of a pharmacist being terminated for accessing personal information. It is a fraught issue in the health industry.There is a chronic problem.  One of the many in the health industry when when it comes to privacy. 

The ICO’s media release provides:

A former NHS employee has been found guilty and fined for illegally accessing the medical records of over 150 people.

Loretta Alborghetti, from Redditch, worked as a medical secretary within the Ophthalmology department at Worcestershire Acute Hospitals NHS Trust when she illegally accessed the records.

In June 2019, a complaint was raised by a patient who was concerned that their medical records had been accessed by an employee.
An investigation revealed that Ms Alborghetti had accessed this individual’s records 33 times between March 2019 and June 2019, without consent or a business need to do so. Read the rest of this entry »

After coming off some serious questioning in Senate Estimates about poor enforcement practices the Commissioner announced on 3 November 2023 that the Office of the Information Commissioner has launched proceedings against Australian Clinical Labs on 2 November 2023 (file number NSD1287/2023). The Commissioner has filed a Concise Statement and Originating Application and Australian Clinical Labs Limited has filed a Notice of Address for service. The Commissioner is represented by DLA Piper, out of its Brisbane Office.  Previously the Commissioner has been represented by HWL Ebsworth.  Gilbert & Tobin, out of its Sydney Office, is representing Australian Clinical Labs.  GIlbert & Tobin represented RI Advice in the Federal Court case of  Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. That case has been heralded as a positive development in enforcing data security as an obligation of Financial Service Licensees under the Corporations Act 2001, being 912A.  While R I Advice was the subject of compliance orders and penalties it is fair to say that Gilbert & Tobin did a good job in keeping the stringency of the orders and penalty to a moderate level.  Compared to overseas penalties by the European regulators, the UK Information Commissioner’s Office and Read the rest of this entry »

The US Federal Trade Commission (“FTC”) is the most active Federal regulator in the United States of privacy and data breaches. It has its fair share of critics but is frenetic compared to Australian regulators. It has announced that it has taken action against Global Tel*Link Corp, a prison communications provider. It alleges that Global failed to secure sensitive personal information of hundreds of thousands of users by posting unencrypted personal information of 650,000 users in the cloud in August 2020 without firewall protection, encryption and monitoring software. It was only when a security researcher alerted the Global that it became aware of the problem. In the meantime hackers accessed billiions of bytes of this exposed data and put it on the dark web and was so advised in September 2020. Global waited 9 months to notify affected customers and in any event only notified 45,000. It has been reported in arstechnica with Prison phone company leaked 600K users’ data and didn’t notify them, FTC says.

The FTC Read the rest of this entry »

The Australian Securities and Investments Commission (ASIC) has had a reasonably long interest in corporates maintaining proper cyber security.  Last year it successfully prosecuted a claim in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) for RI Advice Group failing to maintain proper cyber security. The chair of ASIC today released Spotlight on cyber: Findings and insights from the cyber pulse survey 2023.  The warnings about weaknesses in cyber defences is not surprising to those who work in the privacy and cyber security space.  Some organisations take the problem seriously, many don’t.  It is yet another clarion call for proper regulation and then proper enforcement.

The statement provides:

The Australian Securities and Investments Commission (ASIC) has called for organisations to prioritise their cybersecurity after a recent survey shows 58 percent of Australian businesses have limited or no capability to protect confidential information adequately.

The inaugural Cyber Pulse Survey commissioned by ASIC, also highlighted that 44 percent of participants do not manage third-party or supply chain risk and 33 percent of participants do not have a cyber incident response plan.

ASIC noted the results of the voluntary self-assessment survey have exposed deficiencies in cybersecurity risk management of critical cyber capabilities, indicating that organisations are reactive rather than proactive when it comes to managing their cybersecurity.

Joe Longo, chair at ASIC said for all organisations, cybersecurity and cyber resilience must be a top priority.

“ASIC expects this to include oversight of cybersecurity risk throughout the organisation’s supply chain – it was alarming that 44 percent of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks,” he said.

Participating organisations indicated well-developed capabilities in identity and access management, governance and risk management, and information asset management, with large organisations consistently self-reporting more mature cyber capabilities.

Due to competing demands for limited human and financial resources, the survey showed that small organisations lagged behind in third-party risk management, data security, consequence management, and adoption of industry standards than larger entities.

“There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cybersecurity risks,” Longo said.

“An effective cybersecurity strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”

Air marshal Darren Goldie, national cybersecurity coordinator said cybersecurity must be a priority for everyone, including individuals and businesses large and small.

“Support is available – the national office of cybersecurity works closely with industry, to promote awareness and best practice, and support decision-making in response to cyber incidents,” he ended.

The Executive Summary of the Report Read the rest of this entry »

The Federal Government recently announced support for the International Counter Ransomware Initiative.  Today the Government announced that it will introduce a mandatory ransomware reporting scheme as part of its cyber security strategy. It has been reported by innovation Aus with Business face cyber ransom reporting scheme.  The legislation or even details of the proposal has not been released.

Banning ransomware is difficult.  The first problem is enforcement. Data breaches and ransomware attack are notoriously under reported.  Professional hackers are quite sophisticated and can make the payment of ransom a relatively quick operation.  For a desperate victim whose business is being affected and concerned about reputational damage this can be the least worst option.   Having a no fault no liability mandatory reporting scheme is more complicated than it would appear.  Commonly an organisation will suffer a data breach because of its own laxity; failing to proper patch anti virus software, inadequate privacy training, and poor culture. It is always a matter of the legislation works.  Will reporting a breach provide an organisation with protection from action by a regulator.  Will that protection only Read the rest of this entry »

Last Friday ( known trash day for those wanting to put out news that won’t get a run in the mainstream press) the Information Commissioner announced that she would not be seeking a third term. Her term ends in August 2024.  What is not clear from the statement was whether the Commissioner received an indication from the Government that  a third term was a reasonable prospect if she wanted it. 

Her statements is:

The Australian Information Commissioner Angelene Falk has advised the Attorney-General that after having the privilege of serving two terms she will not be seeking a third term.

The Australian Information Commissioner said: “I am greatly honoured to have led the Office of the Australian Information Commissioner (OAIC) through a time of exponential growth, technological development, heightened community expectations and great domestic and international change in the regulatory landscape. I remain focused on the protection and promotion of privacy and information access rights and ensuring the OAIC is well positioned for the challenges of the future.”

Commissioner Falk said the move to a three Commissioner model marked an exciting chapter for the OAIC.

“There is much I wish to do in the remainder of my term and a key priority is to support Commissioners in their roles and leverage our current strategic review so the OAIC can continue to serve the Australian community over the next decade,” she said.

The Attorney-General’s Department has advertised the position ahead of the conclusion of the Australian Information Commissioner’s term in August 2024.

Falk’s tenure has been more effective than her predecessors.  That is partly because she has had more resources of late and the pressures to do more given the increased number and size of data breaches have grown.  That said, previous Commissioners left a disappointing legacy.  Regulation has been weak and enforcement negligible.  As such Read the rest of this entry »

The 12 hour collapse of Optus’s services showed that it has learnt little on how to respond to a catastrophic event, at least in talking to its customers. Optus executives effectively made themselves into a ball and hoped 10 million customers were happy to have the day off. The by product of this major fail was the reports about how it has not learnt from its data breach fiasco where the information flow was slow and sparse. The Australian’s article Has Optus learned from the cyberattack playbook? is fairly typical. It is quite amusing to read columnists lately stumble upon this basic need to be transparent with customers.

The thing is that issuing statements of bad news following a data breach has become a sophisticated exercise in the United States and should be treated seriously in Australia. Unfortunately it isn’t. I have been writing on the importance of Read the rest of this entry »