Peter A Clarke

By far and away the most targeted sites for hackers are health organisations, hospitals and health insurers. Those bodies hold vast troves of personal information and traditionally have weak cyber protection.

Senate Bill 1851 is the Healthcare Cybersecurity Act of 2025. It directs the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate and work with healthcare to provide guidance and training on cybersecurity issues. It also directs the CISA to establish criteria to determine whether a covered asset may be designated as a high-risk covered asset.  This criteria is taken from the Critical Infrastructure Protection Act. Australia also has a critical infrastructure legislation.

The press release provides:

WASHINGTON – U.S. Senators Todd Young (R-Ind.) and Jacky Rosen (D-Nev.) introduced the Healthcare Cybersecurity Act to bolster the health care and public health sectors’ cybersecurity. The bill would direct the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on improving cybersecurity and make resources available to non-federal entities relating to cyber threat indicators and appropriate defense measures. It would also create a special liaison to HHS from CISA to support cybersecurity for health care and public health sector entities. Read the rest of this entry »

After many decades and multiple reports from the Australian Law Reform Commission, Victorian Law Reform Commission, the New South Wales Law Reform Commission, the Australian Competition and Consumer Commission, from the Federal and State Parliaments Australia now has a tort of serious invasion of privacy.

The tort was enacted by the Privacy and Other Legislation Amendment Act 2024 (Cth).

Under the  tort, a plaintiff will be able to establish a cause of action if:

1. there has been a serious invasion of the plaintiff’s privacy, either by:
   • an intrusion upon the plaintiff’s seclusion.  This includes  a defendant watching or eavesdropping on the plaintiff; or
   • a misuse of the plaintiff’s personal information;
2. the plaintiff had a reasonable expectation of privacy ;
3. the invasion of privacy was intentional or reckless;
4. the invasion of privacy was serious; and
5. the public interest in the plaintiff’s privacy outweighs any countervailing public interest. “Countervailing public interests” include freedom of expression, freedom of the press and public health and safety.

The tort is actionable per se. The plaintiff does not Read the rest of this entry »

Tomorrow the statutory tort of serious invasion of privacy will take effect across all jurisdictions in Australia.  The tort was passed throught the Privacy and Other Legislation Amendment Bill 2024.  The tort is inserted through Schedule 2 of the Privacy Act 1988 (Cth) and recognises two primary forms of invasion; intrusion upon seclusion and misuse of private information.  

It is hardly news anymore that health service providers, especially hospitals are key targets for cyber attacks. That is reinforced by an article titled Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai by removing Read the rest of this entry »

In December 2023 the Queensland Parliament passed the Information Privacy and Other Legislation Amendment Act 2023 (Qld).  Amendments to the Information Privacy Act 2009 (Qld) will come into effect on 1 July 2025.

The most notable reform is the introduction of new Queensland Privacy Principles (QPPs) that replace the existing Information Privacy Principles and the National Privacy Principles.

The most relevant QPPs are  QPP 11, QPP 12 and QPP 13.

• QPP 11 requires agencies to take reasonable steps to protect the personal information they hold from misuse, interference, and loss, and from unauthorised access, modification or disclosure.
• QPP 12 requires agencies to give an individual access to a document in their control, containing the individual’s personal information.
• QPP 13 requires agencies to take reasonable steps to correct the personal information they hold to ensure that, having regard to the purpose for which it is held, it is accurate, up to date, complete, relevant and not misleading.

QPP 11

QPP 11 requires:

• agencies to take reasonable steps to protect the personal information they hold from misuse, interference, and loss, and from unauthorised access, modification or disclosure; and
• agencies to  destroy or de-identify personal information once it is no longer needed for any purpose for which it could be used or disclosed under the QPPs.

The reasonable steps an agency must take to ensure the security of personal information will Read the rest of this entry »

In 7 days Australia will have a stautory tort of serious invasion of privacy.  It is found in Schedule 2 of the Privacy and Other Legislation Amendment Bill 2024.  

The scope of the tort is a matter of conjecture but it is certain to have an impact on corporate governance especially regarding data harvesting, data usage and consent.

In particular it will have Read the rest of this entry »

Today Part 3 of the Cyber Security Act 2024, which sets out the mandatory ransomware and cyber extortion reporting regime, commences. All reporting business entities are required to disclose ransomware and cyber extortion reporting using the form on ASD’s webpage found on cyber.gov.au..   lIt has been reported by the AFR where it describes how organisations, primarily companies, covered by the Privacy Act 1988 to disclose ransom payments resulting from a data breach. The payment is not an offence. It is also reviewed in cyberdaily’s article Pay up: Understanding Australia’s new ransomware reporting requirements. 

The Home Affairs Deparment has set up a comprehensive site explaining the operation of the Cyber Security Act.That includes the Ransom Rules regime.  Companies would do well to seek professional advice about how the regime operates. 

The AFR has an interesting piece on it which Read the rest of this entry »

Legal sites are regular targets of cyber attacks.  They contain considerable personal and financial information.  The Legal Practice Board of Western Australia has recently been subject of a data breach by the Dire Wolf ransomware gang involving the exfiltration of data, including personal information, which has been published on the darknet. The Dire Wolf Gang posted about the theft on 26 May 2025.  The Board published a statement on 27 May 2025. The gang claims to have stolen 300 gigabytes of data. It claims that it will post half the stolen data on 15 June and the balance on 30 June

The Board has apparently issued an ex parte injunction regarding the use of the material found on the dark net.  This form of injunctive relief has become a relatively common response to organisations that have suffered a data breach and discovered that the stolen data has been placed on the dark web for sale.  The limitations of the injunctions are obvious.  An injunction has no more of a deterrent effect than a criminal prosecution.  The second limitation is that thieves and those that buy the data are commonly located out of the jurisdiction and often based in a location which does not respond promptly, if at all, to orders of Australian courts.

These injunctions effectiveness have not been tested.  Irrespective, organisations can refer to the injunctions as part of a rapid and comprehensive response to the data breach.  That may be relevant for the regulators as well as the persons whose personal information has been stolen.  It does not address the why the breach occurred in the first place.  That is an entirely different issue.  It is particularly telling that the Board seemed to be Read the rest of this entry »

On 10 June 2025 Australia will have a statutory tort of serious invasion of privacy.  It fills a yawning gap in the law.

The impact of the law is an unknown but businesses who collect and use use data which includes personal information should evaluate their operations to prioritise data security and data minimisation.  Given that Privacy Commissioner has enhanced powers to issue infringement notices such an exercise would also minimise exposure to intrusions from the regulator. This could involve modifying ways to deliver personalised services without unnecessary Read the rest of this entry »

The Federal Trade Commission (the “FTC”) is the prime regulator of privacy related issues involving companies and agencies in the United States. It has been quite successful in obtaining settlements from large companies such as Facebook. The invariable way of attracting jurisdiction is a claim by a company that is misleading about what it does with information or its data security. And that is what happened with GoDaddy. GoDaddy claimed to have provided “award winning security”. But it didn’t. Didn’t to the point that it failed to implement standard security tools and practices. Worse, it suffered security breaches between 2019 and 2022 involving access to customer’s website and data. The FTC commenced proceedings in January this year and GoDaddy entered into an order with the FTC last week.

Features of the order are Read the rest of this entry »