Verizon issues its insecurity hall of fame…apt in light of the Sony experience

December 19, 2014

Verizon, in its The 2014 Data [In]Security Hall of Fame, provides a (slightly) more light-hearted look at the security issues of the last 12 months, or more to the point the breaches and their consequences.  Given the catastrophic end to the year for Sony …

Sydney Law Review article on privacy

As recently noted in Peter Timmons' excellent blog Open and Shut, the most recent Sydney Law Review has an excellent article titled Enhancing Press Freedom through Greater Privacy Law: A UK Perspective on an Australian Privacy Tort, which considers an actionable privacy right in the context of the need for freedom of expression.  It also …

The Privacy Commissioner and Information Commissioner provide privacy tips for the festive season

The Australian Privacy Commissioner, with Privacy tips for the festive season, and the UK Information Commissioner’s Office, with Is protecting data on your Christmas list?, have issued posts/statements on the need to maintain proper data security.  As far as they go, they are reasonable and easily understood suggestions.  Given the …

A significant flaw in Delta airlines' site allowed passengers to view others' boarding passes

In Delta site flaw lets passengers access others’ boarding passes, Itnews reports on a significant weakness in Delta’s website which enabled passengers to access the boarding passes of other passengers.  Clearly this is a significant privacy violation.  While the vulnerability has been fixed, it is indicative of a wider problem: organisations failing to review their web site interfaces for vulnerabilities.

US Securities and Exchange Commissioner highlights data security issue as a key problem

December 17, 2014

Under the Privacy Act there is an obligation to provide adequate data security, at Australian Privacy Principle 11.  The Privacy Commissioner’s guidelines attempt to set out what is expected of entities.  Those guidelines are drafted in the broad and suffer from being very generalised.  Absent determinations or enforceable undertakings, it is difficult to determine what the benchmarks are.  Clearly industry standards are relevant.  As posted previously (found here), the New York Department of Financial Services has issued a detailed letter regarding what is expected in the event of an IT/cybersecurity examination.  It is an area where the United States regulators are, albeit in a piecemeal and sectoral manner, taking more detailed and proactive steps than …

Cost of Data breach in Australia

Australia lacks mandatory data breach notification legislation in relation to breaches under the Privacy Act.  By comparison, most American states have such legislation and there is a serious effort to introduce it at a federal level, if for no other reason than to impose some uniformity on notification requirements.  It is good public policy to have such legislation.  Individuals are entitled to know if their personal information has been compromised.

With a lack of mandatory reporting there is a lack of …

Sony releases a data breach notification letter as the ramifications of the hack continue to wreak havoc

If ever there was an argument for proper cyber security, both at the firewall and within it, it is the cyber attack on Sony and the theft of up to 10 terabytes of data.  Sony issued a breach notification letter on 8 December 2014 which …

Dutch Data Protection Authority threatens Google with fine over privacy-intrusive behaviour

December 16, 2014

Itnews reports in Google faces fine for web privacy violations that the Dutch Data Protection Authority is looking closely at Google’s practice of using private information to customise ads.  The focus of the DPA’s concern is the lack of transparency and consent.  Such behaviour would not be constrained in the same way in the US. …

Businesses failing to keep up to date with cybersecurity

December 15, 2014

There has been no consideration of Australian Privacy Principle (“APP”) 11 by the Privacy Commissioner through a determination, an enforceable undertaking or civil penalty proceedings.  The APP guidelines are drafted in general terms.  The guidelines on enforcement actions are in draft form and part way through the consultation process.  The nature and extent of the actual implementation of measures to comply with APP 11 is a matter of some conjecture, often depending upon which expert has the microphone.  What is clear is that the risk of breaches is real, as set out in a report prepared by Trustwave titled The State of Risk 2014.

Some of the sobering findings are …

Hong Kong Privacy Commissioner announces imprisonment of person who made false statement

December 12, 2014

The Hong Kong Privacy Commissioner has announced that …