Victorian Information Commissioner release guidelines on dealing with data breaches

May 26, 2019

The Victorian Information Commissioner has released guidelines on managing the privacy impacts of privacy breaches.  While it relates to entities covered under the Privacy and Data Protection Act 2014, primarily government agencies and contractors engaged by them it does provide another useful point of reference to those wanting to develop a comprehensive understanding of what is the best way of dealing with a data breach.

It is a starting point only.  The structure and operation of a business will dictate Read the rest of this entry »

Mandatory notifiable data breaches in Australia 12 months on

May 20, 2019

Mandatory data breach notification has been law for over 12 months now.  The legislation is complex, convoluted and vague in parts but it does set out an obligation for organisations and agencies to notify the Information Commissioner of data breaches. As expected that has produced a volume of reported instances of data breaches in excess of those reported when reporting was voluntary there.  Based on overseas experience, where the obligations are more specific and the legislation less vague, the number of actual data breaches is far larger than those reported to the Information Commissioner. 

The Commissioner has released the Notifiable Data Breaches Scheme 12?month Insights Report.   

The Commissioner’s media statement Read the rest of this entry »

Information Commissioner finds that she has no jurisdiction regarding complaints of interference with privacy against Tim Wilson and ‘stoptheretirementtax.com’ website

April 10, 2019

The Information Commissioner announced, on 8 April 2019, that she does not the power to investigate a complaint about a breach of the Privacy Act by Tim Wilson or Wilson Asset Management (International) Pty Ltd in relation to the collection and use of personal information through the ‘stoptheretirementtax.com’ website.’  The website and the collection of data caused some controversy.  In Tim Wilson’s ‘retirement tax’ website doesn’t have a privacy policy. So how is he using the data? Andre Oboler in a traditional academic “on – the – one – hand – and – on – the – other” analysis raised the complications of determining whether a Parliamentarian operating a web site falls within the political exemption provisions of the Privacy Act of is covered by parliamentary privilege, by virtue of his work as a chair of the standing committee on Economics, either of which would deny the Commissioner jurisdiction. The other coverage, such as Liberal MP Tim Wilson faces ‘breach of privacy’ claims and Labor pushes to refer Tim Wilson to privileges committee is more red blooded political reporting.

Mr Oboler was prescient Read the rest of this entry »

Attorney General seeks to have Privacy Commissioner investigate the actions of Vegan protesters

April 9, 2019

Yesterday’s vegan protests in Melbourne and throughout various agricultural sites in Australia has infuriated the Federal Government.  With  an election about to be called and a big rural constituency in mind, a tendency to beat the law and order drum becomes an necessity.   To that end the Attorney General, Christian Porter announced last Friday that that it was going to bring the Aussie Farms website under the regulation of the Privacy Act 1988 on 6 April 2019, last Saturday. 

The media statement provides:

The Coalition Government will bring the Aussie Farms website under the Privacy Act, exposing it to potential penalties of up to $2.1 million if it breaches the Act.

Attorney-General, Christian Porter, said the activities of Aussie Farms Incorporated created an unacceptable risk to hardworking farming communities and producers.

“The company publishes information about Australian farmers and agricultural producers including their names and addresses, exposing them to potential trespass, biosecurity hazards, and reputational damage,” the Attorney-General said.

“Listing this activist group as an organisation under the Privacy Act, now means that the company will have to abide by the provisions of the Act.”

Minister for Agriculture, David Littleproud, said he had repeatedly asked Aussie Farms to take the website down before someone was hurt or worse, but the group behind the website flat refused.

“The farming families who grow our food deserve to be able to do so without fear of invasion on their property and harm to their children,” Minister Littleproud said.

“The Aussie Farms website is intended to be an attack map for activists and it is already working as one. The fact Aussie Farms refused to take the website down when invasions began happening on farms displayed on their map shows they intend for it to be used as an attack map for activists.

“Aussie Farms will now be required to comply with the Privacy Act, which includes laws against the misuse of personal information. I note the maximum penalty for an offence under the Privacy Act is $420,000 for individuals and up to $2.1 million for a body corporate.”

Minister Littleproud also called on state governments to beef up trespass laws to provide real penalties for trespass, and to make publicly state that they expect the police will uphold these laws.

Background:

  • The Australian Information and Privacy Commissioner previously found that Aussie Farms Incorporated was exempt from the Privacy Act because its annual turnover was less than $3 million.
  • This move means Aussie Farms Incorporated is prescribed as an ‘organisation’ under the Privacy Act, which requires Aussie Farms to act in accordance with the Privacy Act, regardless of its annual turnover
  • Prescribing Aussie Farms Incorporated allows the Information and Privacy Commissioner to investigate, either in response to a complaint or on her own initiative, if Aussie Farms Incorporated breaches the Privacy Act. The prescription comes into force as of tomorrow (Saturday, 6th April)

And the regulation was made, the day before the media release,  with the Privacy Amendment (Protection of Australian Farms) Regulations 2019  which Read the rest of this entry »

Facebook data breach affects 110,000 Australians personal information

April 1, 2019

Facebook has a tendency to advocate vague improvements to its privacy policies and call for improved and stronger regulation after some or other egregious privacy breach or oppressive monopolistic act is uncovered.  In the last year Facebook has been battered by the Cambridge Analytica scandal, clear evidence of its platform being used by foreign players to influence elections and a seemingly regular stream of less dramatic but no less worrying privacy breaches.  Facebook’s standard response to such problems has been a combination of virtue signalling and getting on board the reform wagon so as to moderate its outcomes. In early March Zuckerberg described the move to private messaging as being his “pivot to privacy” in communications.  After the briefest of analyses it was ridiculed and seen to be more about presentation than product according to the Wire’s Facebook’s Pivot to Privacy Is Missing Something Crucial and Forbes’ Facebook’s Fake Pivot To Privacy and Slate’s Facebook’s Awkward Pivot to Privacy.

Mark Zuckerberg’s reported very recent call for “more active” role for government regulation in internet privacy and election laws has a similar feel about a polished response to criticism. Except that the complaints are long lasting and the potential of real action by governments is real. The last edition of the Economist highlighted the steps being taken by the Europeans, a huge market, against Facebook and Google, amongst others, for their privacy unfriendly practices.   And those steps are not confined to Europe.  American legislators are, for the fourth time, considering more comprehensive privacy laws or trust busting action.

So while there is reason to be sceptical about Facebook’s motives the pressure on Facebook and Google is such that there may be actual improvement.

And there should be given the impact of the privacy breaches in Australia with Read the rest of this entry »

Frank v Gaos 586 US (2019) the US Supreme Court remands settlement in privacy case to lower court, issue of damage again causes concern

March 25, 2019

The issue of measuring damages and establishing the threshold loss  in the United States jurisprudence has retarded the development of the tort of privacy.  It is a common basis for applications to strike out claims.  In Australia, with breach of confidence actions, the threshold is emotional distress rather than psychiatric injury since the Victorian Court of Appeal decision of Giller v Procopets.  The awards in that and subsequent actions have been disappointing parsimonious relative to the intrusion but with time, if the United Kingdom jurisprudence is any guide, the courts should develop an appreciation of the loss associated with these types of breaches.

In Frank v Gaos the nub of the claim related to Google’s disclosure of search histories to third parties without consent, a practice that could violate privacy laws.  The court described Read the rest of this entry »

UK Finance Economic Crime Office’s report that 1.2 billion pounds stolen through cyber fraud

UK Finance has released its Annual Report Fraud the Facts 2019: the definitive overview of payment industry fraud. As if any more information was required, it highlights the impact of data breaches on the commission of acts of fraud.

The brief overview to this 53 page report provides grim reading:

Unauthorised financial fraud losses across payment cards, remote banking and cheques totalled £844.8 million in 2018, an increase of 16 per cent compared to 2017.

Banks and card companies prevented £1.66 billion in unauthorised fraud in 2018. This represents incidents that were detected and prevented by firms and is equivalent to £2 in every £3 of attempted fraud being stopped.

In addition to this, in 2018 UK Finance members reported 84,624 incidents of authorised push payment scams with gross losses of £354.3 million.

In summary the report noted:

  • Data breaches are a “major contributor” to fraud experienced in the UK;
  • The number of phishing websites targeted against UK banks and building societies fell with the focus switching to  impersonating other organisations such as online retailers, travel and leisure firms, HMRC and telecommunication companies instead.
  • Criminals using more low-tech methods such as distraction thefts and card entrapments to steal physical debit and credit cards, which are then used to commit fraud
  • £1.2 billion was successfully stolen “through fraud and scams” in 2018 with personal data stolen from businesses used to perpetrate much of that fraud.
  • “Information stolen through a data breach can be used for months or even years after the event,”
  • unauthorised financial fraud losses across payment cards, remote banking and cheques rose 16% in 2018 to total £844.8 million.
  • authorised push payment fraud accounted for a further £354.3m of losses.
  • on a more optimistic note banks and payment card providers helped prevent further fraud totalling £1.66bn in 2018 through  “advanced security systems and innovations”

The industry responses have been:

  • investing in advanced security systems to protect customers, including real-time transaction analysis, behavioural biometrics on devices and technology to identify the different sound tones that every phone has and the environment that they are in.
  • delivering the Banking Protocol – a rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds taking place.
  • sponsoring a specialist police unit, the Dedicated Card and Payment Crime Unit (DCPCU), which tackles the organised criminal groups responsible for financial fraud and scams.
  • working with consumer groups to develop a voluntary code to better protect customers and reduce the occurrence of APP fraud.
  • working with Pay.UK to implement Mule Insights Tactical Solution (MITS), a new technology that will help track suspicious payments and identify money mule accounts, and Confirmation of Payee, an account name checking service for when a payment is made, that will help to prevent authorised push payment scams.
  • hosting and part-funding the government-led programme to reform the system of economic crime information sharing, known in the industry as Suspicious Activity Reports (SARs), so that it meets the needs of crime agencies, regulators, consumers and businesses
  • working closely with mobile network operators and the messaging industry to trial a new anti-spoofing system to help root out scam text messages.
  • helping customers stay safe from fraud and spot the signs of a scam through the Take Five to Stop Fraud campaign, in collaboration with the Home Office

Some of those responses are present in one form or another in Australia but generally the response has been less sophisticated.

While data breaches are a constant threat there are established and generally quite  simple steps businesses  can take to avoid falling victim to scams such as multi-factor authentication and internal processes for change of bank details.  In addition proper and ongoing training to avoid social engineering, phishing and ransomware attacks should be part of any organisations operations.  Which unfortunately is commonly not the case.

Federal Government announces reforms to Privacy Act to increase penalties for data breaches

March 24, 2019

There is nothing quite like the combination of a Government under stress and high profile privacy breaches to channel the inner reform in what was otherwise a reluctant Attorney General on matters privacy.

The Attorney General has been widely reported as flagging increased fines for serious and repeated interferences with privacy, from $2.1 to 10 million.  Alternatively the fine will be calculated on turnover or value of the misuse.  The flagged amendments will also permit the Australian Information Commissioner to issue infringement notices for minor data breaches.  As importantly the Commissioner will get $25 million to ramp up investigations of data breaches.

The media release provides:

Attorney-General, Christian Porter and Minister for Communications and the Arts, Mitch Fifield, announced the new penalty regime under the Privacy Act and other measures to ensure Australians were protected online and that major social media companies took action to protect the personal information they collect about Australians, particularly children.

“Existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information over the past decade,” the Attorney-General said.

“What the Morrison Government is doing today is outlining a new regime of protections for Australians and penalties for those who misuse Australians’ personal information.  This regime will update our privacy laws without impeding the continued innovation and development of companies working in the online space.”

Minister for Communications and the Arts, Mitch Fifield, said it was clear the Australian community enjoyed using social media and technology platforms, but was increasingly concerned about how personal data is captured, analysed and shared. This was particularly the case for children and members of other vulnerable community segments, he said.

“The tech industry needs to do much more to protect Australians’ data and privacy,” Minister Fifield said.

“Today we are sending a clear message that this Government will act to ensure consumers have their privacy respected and we will punish those firms and platforms who defy our norms and our laws.”

The amendments to the Privacy Act will:

  • Increase penalties for all entities covered by the Act, which includes social media and online platforms operating in Australia, from the current maximum penalty of $2.1 million for serious or repeated breaches to $10 million or three times the value of any benefit obtained through the misuse of information or 10 per cent of a company’s annual domestic turnover – whichever is the greater
  • Provide the Office of the Australian Information Commissioner (OAIC) with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches
  • Expand other options available to the OAIC to ensure breaches are addressed through third-party reviews, and/or publish prominent notices about specific breaches and ensure those directly affected are advised
  • Require social media and online platforms to stop using or disclosing an individual’s personal information upon request
  • Introduce specific rules to protect the personal information of children and other vulnerable groups.

“This penalty and enforcement regime will be backed by legislative amendments which will result in a code for social media and online platforms which trade in personal information. The code will require these companies to be more transparent about any data sharing and requiring more specific consent of users when they collect, use and disclose personal information,” the Attorney-General said.

“We will also be requiring platforms to implement a mechanism to ensure they can take all reasonable action to stop using an individual’s personal information if a user requests them to do so and have even stronger regimes to address these issues when the user is a child or other vulnerable person.”

The OAIC will be provided with an additional $25 million over three years to give it the resources it needs to investigate and respond to breaches of individuals’ privacy and oversee the online privacy rules.

Legislation will be drafted for consultation in the second half of 2019.

“This new regime builds on other Government initiatives to improve online safety and provide Australians with greater control over their personal data, including the Online Safety Charter and Online Safety Research program, and the Consumer Data Right,” the Attorney-General said.

“The draft legislation will also incorporate any relevant findings of the current Digital Platforms inquiry by the Australian Competition and Consumer Commission which is due to issue its final reportin June 2019.  Whilst focused on the impact of large digital media platforms on competition in news media, it is also touching on privacy-related issues and, in its interim report late last year, recommended the tougher penalty regime being outlined today by the Morrison Government.”

The Australian has the best coverage to date in Read the rest of this entry »

A’la Carte Homes Pty Ltd v AAPD CO P/L [2019] VSC 108 (5 March 2019): application to set aside, section 459J Corporations Act

March 13, 2019

In A’la Carte Homes Pty Ltd v AAPD CO P/L [2019] VSC 108 the Supreme Court, per Randall AsJ, set aside a statutory demand. The key issue was the failure of the assignment of a debt being described in the statutory demand or accompanying affidavit.

FACTS

The application was made under ss 459G, 459H and 459J of the Corporations Act 2001 (Cth). The orders sought were Read the rest of this entry »

Linklaters LLP Linklaters Business Services Intended Claimants v Frank Mellish [2019] EWHC 177 (QB): breach of confidence, injunctions

March 4, 2019

Mr Justice Warby in Linklaters LLP Linklaters Business Services Intended Claimants v Frank Mellish [2019] EWHC 177 (QB) considered an application for injunctive relief regarding a breach of confidence action.  The information was sensitive but not commercially sensitive in the strict sense of the word. The decision does demonstrate the relative flexibility of the principles applied to more unusual fact situations.

FACTS

The claimants are:

  • the multi-national law firm Linklaters; and
  • the company through which Linklaters employed its UK-based employees (“LBS”).

Read the rest of this entry »