DP World confirms that employee data was stolen during cyber attack

November 29, 2023

The DP World data breach caused major disruption at Australian ports around 13 November 2023. There was no mention of personal information being accessed. Now the ABC reports, in “DP World Australia confirms employee data was stolen during cyber attack, warns of further freight delays ahead of Christmas rush”, that personal information had been accessed. There is nothing on its website. This knowledge would have been in DP World’s possession for some time. Often these late announcements immediately precede an organisation finally notifying staff whose personal information was accessed. It follows a poor practice playbook.

The article

Major cyber attack on IT provider affects dozens of UK law firms. Another salient warning that law firms

Australian privacy and cyber security operators, or anyone who follows the news found at the front of the paper, don’t need to be told that law firms are a prime target of cyber attacks. The HWL Ebsworth data breach was one of the big data breaches of 2023. Given the firm had a large Government practice, it is not surprising that the data breach affected personal information it held in its work for 65 government agencies. It is also a salient example of the cobbler’s children going shoeless. Its response to the data breach has been quite poor.

A reminder that this is a chronic threat is an article titled “Cyberattack on IT provider CTS impacts dozens of UK law firms”. The mode of the attack is familiar: through a third party provider with authorisations and poor cyber security. Here the

Optus and its system crash highlights the need for a plan to explain, empathise and explain some more when things go wrong. A basic part of a response when there is a data breach which is usually ignored or messed up

November 9, 2023

The 12-hour collapse of Optus’s services showed that it has learnt little about how to respond to a catastrophic event, at least in talking to its customers. Optus executives effectively made themselves into a ball and hoped 10 million customers were happy to have the day off. The by-product of this major fail was the reports about how it has not learnt from its data breach fiasco, where the information flow was slow and sparse. The Australian’s article “Has Optus learned from the cyberattack playbook?” is fairly typical. It is quite amusing to read columnists lately stumble upon this basic need to be transparent with customers.

The thing is that issuing statements of bad news following a data breach has become a sophisticated exercise in the United States and should be treated seriously in Australia. Unfortunately it isn’t. I have been writing on the importance of

The UK Information Commissioner issues preliminary enforcement notice against Snap for failing to properly assess the privacy risk posed by its generative AI chatbot ‘My AI’

October 19, 2023

The privacy concerns regarding the use of AI have always been present. As usual, they have been pushed into the background as the potential and use of AI has dominated the debate. That does not mean that AI developers and users are exempt under the law, as Snap has discovered in the United Kingdom. The UK Information Commissioner has issued a preliminary enforcement notice against Snap regarding its failure to properly assess privacy risks when using its generative AI chatbot “My AI”. The UK Information Commissioner found that Snap’s risk assessment was defective, particularly as it related to children.

The media release provides:

    • Snap issued with preliminary enforcement notice over potential failure to properly assess the privacy risks posed by its generative AI chatbot ‘My AI’
    • Investigation provisionally finds Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK including children aged 13 to 17.

The Information Commissioner’s Office (ICO) has issued Snap, Inc and Snap Group Limited (Snap) with a preliminary enforcement notice over potential failure to properly assess the privacy risks posed by Snap’s generative AI chatbot ‘My AI’.

The preliminary notice sets out the steps which the Commissioner may require, subject to Snap’s representations on the preliminary notice. If a final enforcement notice were to be adopted, Snap may be required to stop processing data in connection with ‘My AI’. This means not offering the ‘My AI’ product to UK users pending Snap carrying out an adequate risk assessment.

Federal Government releases its long awaited response to the Privacy Act Review Report. A cautious yes to reform. The major caveat is when the reforms will be enacted and whether they will be enacted as proposed.

September 28, 2023

On the long and winding road that is privacy reform another turn has been reached. The Federal Government today released its response to the Privacy Act Review Report.

The Attorney General’s media release sounds a triumphalist tone, committing the Government to stronger protection after a landmark review. It provides:

The Albanese Government has committed to stronger privacy protections for Australians in its response today to the landmark review of the Privacy Act.

Australians increasingly rely on digital technologies for work, education, health care and daily commercial transactions and to connect with loved ones. But when they are asked to hand over their personal data they rightly expect it will be protected.

The Government’s response to the review agrees, or agrees in-principle, with the majority of the review’s proposals, including:

    • giving individuals greater control over their privacy by requiring entities to seek informed consent about the handling of personal information;
    • establishing stronger protections for children, including the introduction of a Children’s Online Privacy Code;
    • making entities accountable for handling individuals’ information and enhancing requirements to keep information secure, including destroying data when it is no longer needed; and
    • providing entities with greater clarity on how to protect individuals’ privacy, and simplifying their obligations when handling personal information on behalf of another entity.

The Government will also work with the small business sector, as well as employer and employee representatives, on enhanced privacy protections for private sector employees and for small businesses.

These next steps build on legislation passed last year which significantly increased penalties for repeated or serious privacy breaches, and provided the Australian Information Commissioner with greater powers to address privacy breaches.

The Attorney-General’s Department will conduct an impact analysis and continue to work with the community, business, media organisations and government agencies to inform the development of legislation and guidance material in this term of Parliament. The Government will also consider appropriate transition periods as part of the development of any legislation.

Privacy reform will complement other critical reforms being progressed by the Government, including Digital ID, the 2023-2030 Australian Cyber Security Strategy, the National Strategy for Identity Resilience, and Supporting Responsible AI in Australia.

The Albanese Government is committed to ensuring Australians can benefit from the latest technologies, while knowing that their personal information is safe and secure.

Why it is necessary to continue to consult is a mystery. The Australian Law Reform Commission underwent a comprehensive consultation, taking submissions and then providing a massive report in 2008. It did this again before its 2014 Report. The Victorian and New South Wales Law Reform Commissions have followed similar exercises. And then the Attorney General’s Department issued an Issues Paper, then a Discussion Paper and finally a Report. There is ample empirical data on how privacy legislation operates overseas. Supporters of reform will remain supporters, opponents will remain opponents. Another round of consultations and impact analysis will only delay reforms that should have been implemented 15 years ago. It will give opponents another chance to water down reforms. And they will take it if history is any guide.

The Australian covers the release with “Labor targets small business privacy hit” and “Major privacy overhaul will thrust TikTok into legal spotlight”. The Guardian covers the release with “New laws will give Australians the right to sue for ‘serious’ breaches of privacy”. The Sydney Morning Herald covers the story with “Personal data to get greater protection, but targeted ads will keep coming”. The ABC provides an overview with “Government to overhaul privacy laws, including opting out of advertising, a right to be forgotten, and new rules for small businesses”.

Most of the coverage is of sweeping reforms in the offing. But not all. In “Govt kicks Privacy Act can down the road”, Information Age, the publication of the Australian Computer Society, highlights that the Government has agreed to immediate implementation of relatively few proposals, 38 of the 116 recommendations. The Government agreed in principle with 68 of the recommendations. The most significant proposals are only agreed in principle and with some, such as the small business exemption and employment records exemption, the time frame is open ended. Similarly, iTnews interprets the response as stalling on some privacy reforms in “Gov stalls on some privacy reforms with conditional support”.

Some context is required to gauge how significant the response is. In 2008 the Australian Law Reform Commission published its landmark report on the Privacy Act, Report 108. It contained a root and branch review of the Privacy Act and provided a full suite of reform proposals. The Government of the day tentatively selected a few of the recommendations and amended the Privacy Act. It was a missed opportunity. Those recommendations are generally the gold standard in reform. The 2014 ALRC report was quite good but not as comprehensive as its 2008 Report. It was the basis of the Attorney General’s Privacy Review Report to which the Government responded today. That said, the Attorney General’s Review was quite tentative and cautious. It is a pale imitation of the 2008 ALRC suite of recommendations.

If the Government implements all the recommendations it has agreed to or agreed in principle, then the Privacy Act will be much improved and people will have greater privacy protections. That said, it will be an incomplete reform because the Attorney General’s Department Report is incomplete. The reforms will be significant but the concern remains as to when the reforms will be enacted and whether they will be watered down in the next round of consultations on the agreed in principle proposals.

Not surprisingly the Information Commissioner welcomes the proposed reforms. The regulator is a big winner in the suite of reforms. Its media release provides:

The Office of the Australian Information Commissioner (OAIC) today welcomed the Australian Government’s response to the Attorney-General’s Department’s (AGD) review of the Privacy Act 1988 as a crucial step in ensuring Australia’s privacy framework is strengthened for the future.

“This is a vital set of proposals that will deliver significant gains for the Australian community,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“With increasing use of high impact technologies, it is critical that these reforms proceed as a priority alongside other key initiatives that rely on a strong privacy foundation such as the Australian Cyber Security Strategy and Digital ID framework.”

The OAIC’s Australian Community Attitudes to Privacy Survey makes clear the high priority Australians place on having the right legislative framework in place to hold regulated entities to account for the way they handle personal information. The survey found 89% of Australians would like to see government pass more legislation that protects their personal information.

“As the privacy regulator, it is pleasing to see support for the positive obligation that personal information handling is fair and reasonable, as a new keystone of the Australian privacy framework,” Commissioner Falk said.

“This is the most significant change to the Privacy Act in decades, and will require organisations to ensure that their practices are fair and reasonable in the first place.

“This will provide confidence to the Australian community that like a safety standard, privacy must be built into products and services from start.

“Key developments include enabling individuals to exercise new privacy rights and take direct action in the courts if their privacy is breached. These initiatives reflect the baseline privacy rights expected by our community.”

Reforms will also provide a greater range of enforcement powers to the OAIC, establish stronger privacy protections for children and enhance requirements in relation to the security of personal information and its destruction when it is no longer needed.

“As privacy regulator, the provision of tools and support will increase the OAIC’s ability to take regulatory action on behalf of the Australian people in a flexible and proportionate way, and to identify systemic privacy issues,” Commissioner Falk said.

There are a number of proposals that are subject to consultation and developing sufficient impact strategies before legislation is finalised, including changes to the small business exemption and the employee records exemption.

“We support the removal of these exemptions and acknowledge that it is important to engage with the business community so that we can fully understand and assist with their transition. The OAIC stands ready to support small businesses to make their compliance with privacy requirements easy,” Commissioner Falk said.

The Australian Government will consult with stakeholder groups before drafting further legislation to go before Parliament in 2024. The OAIC is well prepared and committed to lending its expertise to the next phase of this ambitious reform.

The proposed privacy reforms follow the passing in November 2022 of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which introduced significantly increased penalties for serious and repeated privacy breaches and greater powers for the OAIC to resolve breaches.

Part of the reason there is a poor privacy culture in Australia goes beyond the poor legislation. It is the dreadful history of regulation by the Privacy Commissioner and now the Information Commissioner. The regulator has been tentative and ineffective. A quick example: the Commissioner has had civil penalty actions possible since 2014. How many civil penalty proceedings were commenced? Answer, one. Against Facebook, arising out of the Cambridge Analytica scandal. And that has not even got to trial yet. Have Australian companies been such paragons of virtue that there was no scope to bring any actions against them? There have been many breaches where the Commissioner could have taken action. To be fair, the current incumbent is much better than her predecessors.

The Report provides:

Introduction

The digital economy has led to innovation, advances in productivity and efficiency and a range of other benefits for Australians. However, the vast data flows underpinning digital ecosystems have also created the conditions for recent major data breaches affecting millions of Australians, with their sensitive personal information being exposed to the risk of identity fraud and scams. Strong privacy protections are critical to building the security, confidence and trust necessary to drive innovation and economic growth.

Australians are seeking greater protection in the handling of their personal information. The 2023 Office of the Australian Information Commissioner (OAIC) Australian Community Attitudes to Privacy Survey (2023 ACAP survey) makes clear the high priority Australians place on the security of their personal information. Three in five (62%) of Australians surveyed see the protection of their personal information as a major concern in their life, and 75% consider that data breaches are one of the biggest privacy risks they face today (increasing by 13% since 2020). Only 32% feel in control of their data privacy, and 84% want more control and choice over the collection and use of their personal information. 89% would like the Government to provide more legislation in this area.

Dymocks suffers data breach, data placed on the dark web

September 11, 2023

Dymocks became aware of a data breach on 6 September 2023. It became aware via someone telling it that customer data had been put on the dark web. Dymocks notified customers on 8 September 2023. That is quite a quick notification, inspired more by stolen customer data being posted on the dark web than by best practice. Dymocks’ notification on its website is quite good, brilliant by the dismal standards usually displayed by Australian companies. The content of the notice makes it clear that Dymocks is a long way from completing its damage assessment. It put out the notice to get ahead of the story. That is generally a good idea. To see how bad things can get when an affected organisation doesn’t advise its customers, look at the way Optus and Medibank handled their respective data breaches.

Dymocks doesn’t know how much data has been exfiltrated (but it is reported elsewhere that up to 836,000 unique email addresses were stolen), it doesn’t know when the breach occurred, and it doesn’t know what data was taken, but suggests it is probably personal information but is definitely not financial information. That Dymocks discovered the data breach from a party finding customer data on the dark web highlights a weakness in its data security. It is passé to merely rely on a perimeter defence and have no other means of monitoring hostile activity within the site. Organisations should use programs to test their cyber defences, such as Nessus and Metasploit. Perimeter defences get breached, often by use of purloined authentications, as was the case with HWL Ebsworth. Threat intelligence tools should be part of any organisation that collects and uses significant amounts of personal information. Companies should be using intrusion detection systems such as SolarWinds Event Manager, to name one of many.

The notice provides:

We recently became aware of a data breach of customer information. We have a strong commitment to customer privacy and data security and while the magnitude of the breach has not been confirmed or determined at this stage, we are taking immediate action to investigate the incident and protect customers’ information.

Below is a summary of what we know, what we’re doing, and how we’ll continue to communicate further updates.

We apologise for any inconvenience or concern this situation causes customers. We are committed to providing updates as our investigation progresses. All necessary steps will be taken to safeguard customer data.

How we will communicate

Customers will be notified via email as we know more. We will also update this webpage with the latest updates.

Australian Community Attitudes to Privacy Survey released and results are consistent with overseas findings…that privacy is seen as important, there is unease about how personal information is collected and used, there is a distrust of government and business in their attitude to privacy and data breaches are a major concern. These are hardly new findings. It is just that not much is done to fix the problems

August 13, 2023

The Office of the Information Commissioner has released the Australian Community Attitudes to Privacy Survey (ACAPS) 2023, which provides a comprehensive view of Australians’ privacy attitudes and experiences and how recent events have impacted them. The survey finds that Australians care about their privacy, they feel they have little control over it and are concerned how their information is handled. They want more to be done to protect their privacy. These findings reinforce findings of previous surveys in Australia. They are also consistent with the Pew Research Center’s 2019 survey of Americans, “Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information”.

The problem has never been discerning Australians’ attitude to privacy. Repeated surveys show they value it and want it protected. The problems are well known as well: ineffective legislation and timid enforcement of what there is, chronic under investment in cyber security and privacy training, and a lack of any right to take action for breaches. Report after report into privacy legislation has made this clear. What has been lacking is the will. Governments of both persuasions have alternated between hostility and tentativeness towards privacy reform. The result has been minimum protection.

The Government is considering the Privacy Act Review Report prepared by the Attorney General’s Department. The recommendations do not go far enough in legislating best practice privacy protections. If the Government accepts all of the recommendations, the legislative structure will provide robust protections. Then it is a question of properly funding the regulator and staffing it with people who will be much more assertive in taking action against breaches. Even with greater powers provided in 2014, the Commissioner’s Office has been a timid regulator and poor litigator in the Federal Court.

The media release sets out a reasonable summary of the findings.  It provides:

There has been a sharp increase in the number of Australians who feel data breaches are the biggest privacy risk they face today, according to a major survey released today by the Office of the Australian Information Commissioner (OAIC).

The Australian Community Attitudes to Privacy Survey (ACAPS) 2023 provides a comprehensive view of Australians’ privacy attitudes and experiences and how recent events have impacted them.

The survey tested attitudes on topics such as data practices, privacy legislation, data breaches, biometrics, artificial intelligence and children’s privacy.

“Our survey shows privacy is a significant concern for Australians, especially in areas that have seen recent developments like artificial intelligence and biometrics,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk.

Meta companies ordered to pay $20 million for misleading consumers on the use of their personal information (and other data). Australian Competition and Consumer Commission v Meta Platforms Inc [2023] FCA 842

July 27, 2023

It seems now that the Australian Competition and Consumer Commission (ACCC) has taken a real interest, and the lead, in responding to egregious data collection practices. Its Data Platform Inquiry has been influential, it has made submissions to the review of the Privacy Act, and it has now successfully brought a claim in Australian Competition and Consumer Commission v Meta Platforms Inc [2023] FCA 842. Meta subsidiaries were found to have misused personal information. At paragraph 2 his Honour summarised the issue thus:

Onavo and Facebook Israel admit contraventions of ss 18 and 33 of the Australian Consumer Law, contained in Schedule 2 of the Competition and Consumer Act 2010 (Cth) (CCA). The contraventions occurred during the period from 1 February 2016 to 31 October 2017 (Available Period), when Onavo and Facebook Israel advertised and promoted Onavo Protect on the Play Store and App Store in Australia (in the form set out in Schedule A to the orders) (the Listings), without making disclosures to Australian consumers that were sufficiently prominent and proximate to those Listings that data collected from users of Onavo Protect would be used for purposes other than providing Onavo Protect. While Onavo Protect was advertised and promoted as protecting users’ personal information and keeping their data safe, in fact, Facebook Israel and Onavo used the app to collect an extensive variety of data about users’ mobile device usage. An anonymised and aggregated form of that data was provided to their parent company, Meta Platforms Inc (Meta), and used by Meta for a range of commercial purposes.

The ACCC media release, $20m penalty for Meta companies for conduct liable to mislead consumers about use of their data, provides:

The Federal Court has ordered two subsidiaries of social media giant Meta, Facebook Israel and Onavo Inc, to each pay $10 million for engaging in conduct liable to mislead in breach of the Australian Consumer Law, in an action brought by the ACCC.

The Court declared that the two companies engaged in conduct liable to mislead the public in promotions for the Onavo Protect app, by failing to adequately disclose that users’ data would be used for purposes other than providing Onavo Protect, including Meta’s commercial purposes.

Another instalment in the HWL Ebsworth data breach…this time highly sensitive Victorian government files leaked. The firm has finally provided an update and will provide updates every Thursday at noon.

July 17, 2023

HWL Ebsworth’s woes continue with another announcement of what documents were stolen. This time it is Victorian Government files, according to ‘Highly sensitive’ Victorian government files leaked online by HWL Ebsworth law firm hackers. Not to be outdone, Queensland also says its files were taken in the data breach. Meanwhile the Fair Work Ombudsman has released a statement.

The statement provides:

On 8 May 2023, national law firm HWL Ebsworth reported a cyber incident involving a data breach and possible unauthorised disclosure of personal information to the dark web.

Documents relating to a limited number of our (the Fair Work Ombudsman’s) files were included in the breach experienced by HWL Ebsworth.

Importantly, none of our systems have been compromised by the cyber incident.

We’re working with HWL Ebsworth to ensure individuals affected by the data breach are notified as a priority. Support and assistance will be provided to these individuals.

The Department of Home Affairs is investigating the extent of the breach, including exposure of the Australian Government’s information including personal information.

We’re also working with HWL Ebsworth to understand what information of ours may have been disclosed. We take our obligations under the Privacy Act 1988 seriously and we’re committed to ensuring appropriate systems are in place to maintain the privacy and the protection of personal information.

HWL Ebsworth released a statement on Friday. It has finally adopted a sensible approach when dealing with the public, especially those affected or just concerned. To date the firm has been secretive and inward looking. That is entirely the wrong approach. But then again, having a cyber security system that fails to detect wholesale theft of data by a hacker using one person’s authorisation shows that Ebsworth has a long way to go in getting its cyber house in order.

The statement is clearly curated by a cyber

Legislative Council of New South Wales Parliament commences inquiry into Artificial Intelligence

June 30, 2023

Along with the Federal Government, the New South Wales Parliament has commenced an inquiry into Artificial Intelligence.

The terms of reference