In the new world of mandatory data breach notification the starting point is having cyber security awareness.

February 26, 2018

The BBC reports, in Young Brits ‘lack cyber-security awareness’, that the problem with cyber security is more than an organisation not having proper cyber security infrastructure, policies and protocols, as well as plans to deal with data breaches. When 18 – 25 year olds, probably the most tech savvy and dependent generation, embrace practices almost guaranteed to invite a successful hack of their accounts, organisations hiring them have a real internal problem.

It will be interesting to see the impact of the now enacted Mandatory National Data Breach notification law. In the Netherlands there were 1,000 data breach notifications within the first 100 days of the Netherlands scheme coming into effect. Care should be taken in drawing too many comparisons. European privacy regulators have been far more assertive, and the laws are of longer standing. There is also the cultural dimension, the public spirit regarding compliance, which is difficult to gauge and sometimes, on some things, defies the stereotype. In Australia, the culture has been poor for a long time, with the legislation weakly enforced and the courts having had little exposure to privacy regulation. Where they have considered such legislation, all too often they have been caught up in the morass of administrative law. The VCAT jurisprudence is particularly affected by this approach. That has been a retrograde step.

The last outing, by the Full Bench of the Federal Court in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4, was a significant setback for the Privacy Commissioner and potentially a significant setback for the definition of personal information. Fortunately the appeal was considered on very limited and technical grounds. It was a poorly run appeal by the Privacy Commissioner. I was part of the amicus applicant legal team. The Grounds of Appeal were rudimentary and the Privacy Commissioner paid for the error. It is difficult to agree with the Privacy Commissioner’s assessment welcoming the decision and claiming it provided important guidance about what is personal information. The guidance is limited.

The BBC article provides:

More than 52% of Britons aged 18-25 are using the same password for lots of online services, suggests a survey.

By doing so they make it easy for hackers to hijack accounts, warned the UK government’s Cyber Aware campaign.

The danger was acute because of the sensitive data people typically send via email and other accounts, it found.

About 79% of the 2,261 respondents of all ages said they had sent bank details or copies of passports and driving licences via messaging systems.

“Your email account is really a treasure trove of information that hackers won’t hesitate to exploit,” said Det Insp Mick Dodge, national cyber-protect co-ordinator with the City of London police, in a statement.

The danger of identity theft was significant, he said, because many people who sent personal information via email rarely deleted it.

Bank statements, electronic copies of signatures and other important documents could all be sitting in lists of sent emails, said Det Insp Dodge.

“You wouldn’t leave your door open for a burglar, so why give criminals an open invitation to your personal information?”

Reusing a password helps cyber-thieves because they try to use login names and password combinations released in data breaches on many different online accounts to see if they get a hit.

While operators of large online email services try hard to protect login credentials, smaller firms are less prepared for hack attacks, which can mean reused passwords go astray.

On average, the survey found, people regularly used at least six other online accounts covering everything from social media to online shopping. Some said they had as many as 21 other accounts they logged into frequently.

The survey suggested that younger people were most likely to use their email password on other accounts. Across the whole sample of respondents 27% reported that they reused the key identifier that unlocked their email.

In response to the findings, the UK’s Cyber Aware campaign recommended that people use a strong and separate password for their email accounts.

It also suggested that people should not use the names of children, pets or a favourite sports team for their password.

Such details can be easy to gain from social media accounts, it said.

Wherever possible, said the awareness campaign, people should use two-factor authentication which added another layer of security to online accounts.

Dr Hazel Wallace, a GP and an ambassador for the Cyber Aware campaign, said the start of a new year was often a time that people tried to “reset” their lives by dieting or getting fit.

“When you’re making a lifestyle reset it’s also important to make a reset to your online health as well,” she said. “Hackers can use your email to access all of your personal information by asking for a reset to your passwords for other accounts.”
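The BBC passage above describes how leaked username and password pairs are replayed against many services. From the defender's side, that replay leaves a recognisable trace in authentication logs: one source trying many different accounts, each once or twice, with mostly failures. The following is an added illustration, not code from the original post or from the BBC; the log format and sample lines are constructed for the example.

```python
"""Flag credential-stuffing sources in a constructed authentication log.

Added example for this post; the log format '<timestamp> <source_ip> <user> <result>'
and every sample line are constructed, not taken from any real system.
"""
from collections import defaultdict

# Constructed sample: 203.0.113.7 sprays six accounts, one succeeds;
# 198.51.100.4 is a user retrying their own password (normal behaviour).
SAMPLE_LOG = """\
2018-02-26T09:00:01 203.0.113.7 alice FAIL
2018-02-26T09:00:02 203.0.113.7 bob FAIL
2018-02-26T09:00:02 203.0.113.7 carol FAIL
2018-02-26T09:00:03 203.0.113.7 dave OK
2018-02-26T09:00:03 203.0.113.7 erin FAIL
2018-02-26T09:00:04 203.0.113.7 frank FAIL
2018-02-26T09:01:10 198.51.100.4 alice FAIL
2018-02-26T09:01:15 198.51.100.4 alice FAIL
2018-02-26T09:01:20 198.51.100.4 alice OK
"""


def parse_log(text):
    """Split each non-empty line into (timestamp, ip, user, result)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def stuffing_sources(events, min_users=5, min_failure_ratio=0.6):
    """Return {ip: summary} for sources whose pattern matches credential stuffing:
    many distinct usernames, each tried about once, and mostly failing.
    A person who forgot a password hits one account repeatedly instead, so a
    source with few distinct users or many attempts per user is not flagged.
    Any account that succeeded inside such a burst is listed for forced reset."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "successes": set()})
    for _ts, ip, user, result in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "OK":
            s["successes"].add(user)
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        distinct = len(s["users"])
        if distinct < min_users or s["attempts"] / distinct > 2:
            continue
        if s["failures"] / s["attempts"] < min_failure_ratio:
            continue
        flagged[ip] = {"distinct_users": distinct, "attempts": s["attempts"],
                       "failures": s["failures"],
                       "reset_accounts": sorted(s["successes"])}
    return flagged
```

Running `stuffing_sources(parse_log(SAMPLE_LOG))` flags only 203.0.113.7 and names `dave` as the account to reset; the thresholds are starting points to tune against a site's own login volume.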
