Federal Trade Commission requires Zoom to enhance security practices

December 1, 2020

Zoom is now a verb. The impact of the video conferencing platform has made it ubiquitous and necessary for working from home and keeping in touch with others during long weeks of shutdowns. And it deserves its reputation as the go-to platform: it is easy to use, it is free (for 40 minutes at a time), it allows up to 100 people to join a meeting and it has many useful features such as separate rooms and messaging services.

It has also suffered from the growing pains that afflict technology that appears from nowhere and becomes massively popular overnight. That included critical flaws in its Windows software that allowed hackers to take over computers, flaws that let an attacker use a GIF to hack the software and install malware, and, until recently, the absence of end-to-end encryption. The list of flaws identified and fixed is set out in Zoom security issues: Here’s everything that’s gone wrong (so far).

As a result of the persistent flaws and inadequate privacy practices, now fixed, Zoom entered into an agreement with the New York Attorney General on 7 May 2020, whereby Zoom would put in place and support new security measures and enhance privacy controls.

It was only a matter of time before Zoom’s privacy and security problems came to the attention of the US Federal Trade Commission. Zoom was investigated and earlier this month came to a settlement, again requiring it to provide better information security systems. The jurisdictional basis for the FTC bringing an action is that Zoom engaged in deceptive and unfair practices about its level of security, including representations about end-to-end encryption and the level of encryption. The period of compliance with the Decision is 20 years.

The FTC issued a complaint alleging that the misleading practices dated back to 2016. The complaint highlights Read the rest of this entry »

Europe to take control of its own data

November 27, 2020

Europe is taking decisive steps to increase its data protection with proposed legislation to create an EU-wide data market which will enable the sharing of industrial and government information under European standards. This is reported in the Wall Street Journal’s article Europe Doubles Down on Data Protection to Ward Off Silicon Valley, Chinese Influence. This will probably be criticised as data localisation, a practice that warrants scrutiny given it is much loved by authoritarian governments for less than savoury reasons. The scheme will cover data that is not exclusively personal information.

This development highlights Read the rest of this entry »

Hackers attack Legal Services firm Law In Order with Ransomware

November 25, 2020

I have long posted on law firms being in the sights of cyber criminals. I raised this as an increasing threat in September last year, and posted on attacks on Queensland law firms in 2017 and European law firms in 2016.

The Australian Financial Review reports, in Hackers threaten to publish data from attack on legal services firm, on a cyber attack on 22 November 2020 in which legal services firm Law In Order suffered a ransomware attack, with the hackers threatening to publish data unless a payment is made. The story is also covered by itwire, Insurance Business Mag and itnews. That list will grow.

Law In Order issued statements about what happened. It is far from a best practice response. General waffle. Full candour is not always possible because investigations take time. But that does not mean that writing excessive, meaningless verbiage is the answer. That is particularly so when the Australian Financial Review has key information about the attack, for example that it was undertaken by Netwalker and is a ransomware attack. That makes the statement look even sillier than Read the rest of this entry »

Attorney General announces a review of the Privacy Act 1988 with submissions due by 29 November 2020

October 30, 2020

Today the Attorney General announced a(nother) review of the Privacy Act 1988. That was part of a response to the ACCC Digital Platforms Inquiry. In doing so he released an 89-page Issues Paper.

The media release provides:

The Morrison Government has today released the terms of reference and issues paper for a wide-ranging review of the Privacy Act 1988 (the Privacy Act).

The Government committed to a review following the Australian Competition and Consumer Commission’s Digital Platforms Inquiry in 2019. Several recommendations from that Inquiry – which the Government has already agreed to in principle – will be considered as part of the review.

These include expanding the scope of the Privacy Act to cover technical data and other online identifiers; and strengthening privacy notice and consent requirements.

The review will be conducted by the Attorney-General’s Department and public submissions can be lodged up until 29 November 2020. A further opportunity to comment will also be available following the release of a discussion paper early next year.

“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Attorney-General Christian Porter said.

“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”

A report of the review will be released following government consideration. It is separate to the work already being undertaken to increase the maximum civil penalties under the Privacy Act, and to develop a binding privacy code for social media platforms and other online platforms that trade in personal information.

The issues paper and further information about the review and consultation are available on the Privacy Act review page on the Attorney-General’s Department website. Read the rest of this entry »

Victorian Privacy and Data Protection Deputy Commissioner commences examination of privacy/security in Victorian Universities

October 21, 2020

Universities are prime targets for cyber attack, and are also prone to simply poor data handling. In the former category the Australian National University suffered a massive and prolonged data breach over 2018/2019 caused by overseas actors, probably Chinese (my post here), while more recently the University of Tasmania had a significant data breach involving over 19,000 names through incompetent data protection (my post here).

Today the Victorian Privacy and Data Protection Deputy Commissioner commences an examination of how Victorian universities protect personal information. The press release Read the rest of this entry »

New Zealand Privacy Commissioner launches a privacy breach reporting tool

New Zealand has come even later to mandatory data breach reporting.  Its legislation comes into effect on 1 December 2020. The New Zealand Privacy Act 2020 is, like Australia’s, far from the gold standard. But New Zealand does have a tort of interference with privacy which puts it well ahead of Australia.

Determining whether a data breach is notifiable can be a difficult weighing exercise under both the Australian and New Zealand legislation. Both Acts use serious harm as a threshold but provide no definition of what that is. In the New Zealand Act the process involves considering the quite general factors in section 113, which provides:

Assessment of likelihood of serious harm being caused by privacy breach

When an agency is assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is a notifiable privacy breach, the agency must consider the following:

(a) any action taken by the agency to reduce the risk of harm following the breach:

(b) whether the personal information is sensitive in nature:

(c) the nature of the harm that may be caused to affected individuals:

(d) the person or body that has obtained or may obtain personal information as a result of the breach (if known):

(e) whether the personal information is protected by a security measure:

(f) any other relevant matters.

Mandatory data breach notification is a complicated process. The Privacy Commissioner has Read the rest of this entry »

National Security Agency puts out a security advisory about Chinese hackers exploiting vulnerabilities

The US National Security Agency prefers staying in the shadows. It is therefore notable that it has issued a very public cybersecurity advisory highlighting vulnerabilities Chinese hackers are using as part of their cyber attacks.

The advisory Read the rest of this entry »

Smart devices being used for domestic abuse

The vulnerability of the internet of things to hacking has long been known. That doesn’t mean it has been dealt with adequately. The common problem is third parties gaining access to those devices through inadequate security or weak passwords. A recent BBC article, How smart devices are exploited for domestic abuse, demonstrates how the internet of things can be used to track and terrorise.

A machine or application is in and of itself neither evil nor good. It has no value. It provides a service or performs a function. As the article makes clear, features designed to assist, such as a doorbell camera, can be used by partners or ex-partners to surveil. Family apps, which I find creepy, are designed to monitor children’s safety. But the data can be relayed to Read the rest of this entry »

Yuanda Vic Pty Ltd v Facade Designs International Pty Ltd [2020] VSCA 269 (16 October 2020): application for stay pending appeal, special or exceptional circumstances

October 20, 2020

In Yuanda Vic Pty Ltd v Facade Designs International Pty Ltd [2020] VSCA 269 the Court of Appeal granted a stay of payment pending hearing of an appeal. It is an interesting and valuable decision because it is a comprehensive analysis of the principles associated with making a stay application. It is also notable because the application was successful, normally a difficult result to achieve.

FACTS

Under a supply and installation agreement dated 13 April 2018 (‘the Contract’), the respondent (‘Facade Designs’) agreed to install façade elements manufactured and supplied by the applicant (‘Yuanda’) as part of the construction of commercial and residential towers at 447 Collins Street, known as ‘the Arch on Collins’ (‘the Project’), for the price of $14.5 million [5]. Facade Designs provided works from September 2018 until November 2019, when the Contract was terminated [6].

On 30 September 2019, Facade Designs provided a payment claim under s 14 of the Building and Construction Industry Security of Payment Act 2002 (‘the Act’) for $4,584,820.68 (inclusive of GST) (‘the Payment Claim’) [7]. Yuanda paid Facade Designs $1,115,455 (inclusive of GST) on 2 October 2019, reducing the amount claimed to $3,469,365.58 [8].

Yuanda failed to provide a payment schedule to the respondent within 10 business days of receiving the Payment Claim, as contemplated by s 15 of the Act [9]. Pursuant to s 15(4) Yuanda became liable to pay Facade Designs the amount claimed on 30 October 2019 [10]. The applicant failed to pay the amount claimed [11]. Facade Designs conceded some reductions and sought judgment pursuant to s 16(2)(a) of the Act [12].

The Court rejected Yuanda’s contention that:

(a) the Payment Claim was invalid because it did not sufficiently identify the construction work or related goods and services to which the progress payments related within the meaning of s 14(2)(c) of the Act and as a consequence it was not liable to pay the amount under s 15(4) of the Act (‘the Adequacy of the Payment Claim’); and

(b) the Payment Claim included excluded amounts within the meaning of s 14(3)(b) and pursuant to s 16(4)(a)(ii) of the Act.

In relation to the excluded amounts issue the court held that, in determining Read the rest of this entry »

UK Information Commissioner’s office fines British Airways 20 million pounds for data breach affecting 400,000 customers

October 17, 2020

The UK Information Commissioner’s Office (‘ICO’) has fined British Airways (BA) £20 million for a data breach in 2018. I did a post on it in September 2018. The ICO initially intended to fine BA nearly £184 million and made a statement in July 2019 to that effect in response to BA’s statement to the London Stock Exchange. The Commissioner decided to reduce the sum in light of the impact COVID-19 has had on BA’s business and finances.

As often happens, the regulator’s investigation into the cyber attack turned up multiple failings by BA, both in protecting its network and in detecting the attack. And that attack was both wide and deep in its penetration. Through the attack, the addresses of 244,000 customers were accessed, along with the credit card details with CVV numbers of 77,000 customers and credit card numbers Read the rest of this entry »