Peter A Clarke

The Australian in Anxiety rising as law firms confirm cyber breaches reports on a survey conducted by the Australian Legal Practice Management Association and GlobalX that found almost 20 per cent of Australian law firms that responded had been victims of a cybersecurity breach. This figure is consistent with US findings, such as the Australian Bar Association 2017 Legal Technology Survey.

This is hardly news.  The American Bar released a report in January 2019 dealing with the threat to US law firms which also set out in a practical terms processes and systems which reduce a law firms exposure to a data security.  Australian law societies have come some way in doing something similar but not to the same extent. Unfortunately there seems to be a cultural problem with law firms resisting spending enough on IT security, spending what budgets they have badly and generally failing to develop and maintain decent privacy and data protection policies.  Training tends to be superficial and irregular.  Given the weakest part of any cyber defence is the humans manning the phones, responding to emails and operating the computers this is commonly a disaster waiting to happen.  Often the usual targets for phishing targets, junior administrative staff are ill prepared for an attack.

Law firms are particularly prone to phishing and hacking of email accounts.  Law firms, particularly those with a focus on commercial and property law, hold significant sums and bank details.  Law firms are also prone to ransomware.  In 2017 DLA Piper suffered a ransomware attack which forced it to shut down its world wide digital operations.

The other problem with law firms’ data security is the Read the rest of this entry »

Sometimes, in fact often times, reality provides better copy than fiction.  The Australian reports that the the office of Christian Porter, the Commonwealth Attorney General, has been involved in a privacy breach.  In sending an email regarding the religious discrimination bill the office revealed the email addresses of more than 100 recipients.  Many of the addressees are religious figures but the list also included a judge and lawyers.

While the Australian’s report Read the rest of this entry »

The Information Commissioner has released the latest report on reported, rather than actual data breaches, for the last quarter; April – June 2019.  The report highlights what has long been known, that human factors are a major cause of breaches.

The report reveals that:

• 34% of the breaches were caused by human error;
• 62% were motivated by malicious or criminal attacks
• the number of reported breaches, at 245 is statistically greater than the breaches in the January – March period of 215 but in line with the previous 2 quarters of 245 and 262.
• 1 breach affected over a million people, 21 breaches affected over a thousand but less than 5,000 people, 52 breaches affected between 100 and 1,000 and the largest category of 61 breaches affected a single person. The report does not identify which industries are affected by breaches impacting a large number of people.
• contact information was affecetd in 220 of the breaches while financial details were affected in 102 and health information on 67 occasions.
• as is commonly the case wrong email addresses were the cause of the most human errors. Most of those errors were in the health sector.
• phishing is by far and away the most common cause of cyber incidents
• the most notifications were from the health sector, 47, while finance had 42 notifications followed by lawyers and accountants, 24.

Read the rest of this entry »

It is now trite to say that data is a source of power and wealth.  The new oil to hear some commentators tell.  Data analytics is a rapidly expanding and developing field with Artificial Intelligence is driving that development.  Companies collect as much personal information as they can and use it for analysis and marketing just to name two uses.   Organisations often collect more information than is required and keep it for much longer than necessary.  Both are poor privacy practices which attracts no censure from the regulator. 

David Irvine, chief of the Foreign Investment Review Board highlighted in a speech last Monday 19 August 2019 the obvious point that in takeovers by foreign companies personal information of Australians will be part of what is taken over.  The FIRB will be Read the rest of this entry »

In a brilliant piece of analysis Dr Chris Culnane, Associate Professor Benjamin Rubinstein and Associate Professor Vanessa Teague of the University of Melbourne have demonstrated in their paper released today titled Stop the Open Data Bus, We Want to Get Off that de identification of unit record level data does not work without substantially altering the data to the point where its value is reduced.  The analysis was based on the data released by the Victorian Government in to a data science competition.  The authors have demonstrated that a combination of only needing a small number of points of information to make an individual unique and poor quality anonymisation and security techniques makes it quite easy to reidentify individuals. 

In the case of the myki data the authors found that “little to no de identification took place on the bulk of the data.”  They found it was a straightforward task to re identify two of the co authors cards.  They also established that is possible to identify a stranger from public information about their travel patterns, for example twitter to name just one source.  They identified Read the rest of this entry »

Western Australia and South Australia have been outliers in not having any statutory framework for the protection of personal information. That is likely to change, a little, with the Western Australian Government through its Attorney General releasing a discussion paper titled Privacy and Responsible Information Sharing for the Western Australian public sector. 

As the name suggests whatever structure is implemented will only apply to personal information collected, used and stored by the Government and its agencies, statutory authorities and other instrumentalities. Even though it is a discussion paper the Government is clearly envisaging following the legislative structure adopted in New South Wales, Victoria and Queensland. Each of those jurisdictions has a privacy and data protection act and has established Read the rest of this entry »

Paradoxically the one type of data that is regarded as most sensitive, health information, is often the most poorly protected.  The privacy protection culture is poor and insufficient resources are put into protecting personal information and staff training is often times rudimentary.  There is a constant stream of breaches reported including in the last fortnight thousands of pharmaceutical records leaked in the US, a data breach in Presbyterian Healthcare Services in Alberquerque resulted in unauthorised access to 183,000 patients, the all too regular instance of medical records in paper form being left on the street, this time in London Canada and a health Centre in Kentucky paying $70,000 ransom to unlock medical records of 20,000 patients. There are clear challenges in securing personal information in health centres and hospitals with many individuals having access to data at many terminals however the challenges are surmountable.  Most data breaches are a result of poor practices and insufficient time, money and effort going into setting up proper hardware and software, establishing proper processes and training and then more training.

The Nine/Fairfax press reports on a major data breach at Neoclinical, a company which matches individuals with active clinical trials.  The data is sensitive by definition but it is even more concerning given the data that Neoclinical heald was users responses to questions qualifying them for clinical trials.  Those sort of questions go to medical diagnoses illicit drug use and treatments received.  The breach involved its 37,170 users.  The breach was detected by UpGuard which sent an email to Neoclinical.  Neoclinical did not notify the Information Commissioner about the breach when notified or even shortly after.  It did nothing until Read the rest of this entry »

The newspaper the Australian has hardly been a standard bearer of privacy rights. Whenever there has been even a whiff of a suggestion that the Parliament would consider a statutory tort to give individuals a right to bring an action for an interference of their privacy the paper has gone into overdrive predicting the end of civilisation.  See my post in 2012, 2013 and again in 2013 and a less dismissive but no less hostile brief piece in 2018.    And there are others.  It has been a generally poorly argued, high octane almost Read the rest of this entry »

Last Friday, 26 July 2019, the Australian Competition & Consumer Commission released its long anticipated and comprehensive final report.  At 623 pages it is something of a tome, not surprisingly given the broad and comprehensive recommendations it makes. The executive summary is found here.

The scope of the recommendations cover issues of competition and protecting diversity in the media, issues of critical importance but beyond the usual coverage of this publication.

Relevantly, for this site, is the recommendations for more privacy protections. That includes Read the rest of this entry »

There has been widespread coverage of data breach at the NAB involving personal information of 13,000 customers being uploaded two data companies without permission. The data provided to the mysterious data companies is extensive; names, date of birth, contact details and sometimes government issued identifiers.  Close to enough to undertake some identity theft and get close to accessing accounts.  It is serious but mitigated by the fact that the breach was only to third party providers known to the NAB.  From the tenor of the story it is likely that the data providers knew of and have or had some form of relationship with the NAB. As such the disclosure is more containable than a disclosure to the world or a hack.  The difficulties with personal information being provided to third party providers is that Read the rest of this entry »