Cyber attack at BlueScope Steel and MyBudget highlights a chronic problem facing businesses, particularly those with poor privacy protocols

May 16, 2020

This year has seen some major cyber attacks which have crippled businesses. On 31 January 2020 Toll Transport’s systems were infected with ransomware, a variant of the Mailto or Netwalker ransomware. It operates by encrypting all the common file types outside the operating system, rendering the files unusable. That meant Toll couldn’t perform its core service, delivery.

Mailto is usually spread through a compromised email attachment, but it can also be spread through user credential theft or a brute force attack on passwords in combination with usernames. Attacks by email involve Mailto activating an infected payload through what appears to be a legitimate file. Attacks are commonly sent from a domain with a high reputation. Sometimes they are sent from compromised email accounts. These forms of attack easily Read the rest of this entry »

Privacy Amendment (Public Health Contact Information) Bill 2020 passed the Federal Parliament

May 15, 2020

The Privacy Amendment (Public Health Contact Information) Bill 2020 passed the Senate yesterday without any amendment to the Bill passed by the House of Representatives.  The amendments proposed by Senator McKim and Senator Patrick were not accepted. 

The bill, soon to be an Act, can be found here. The explanatory memorandum can be found here.

The passage of the bill is covered by itnews in Read the rest of this entry »

Privacy Amendment (Public Health Contact Information) Bill 2020 passes the House of Representatives and the second reading in the Senate

May 14, 2020

With not much in the way of fanfare the House of Representatives passed the Privacy Amendment (Public Health Contact Information) Bill 2020 yesterday.  The Bill was introduced into the Senate yesterday and has passed the Second Reading.  It has been referred to a Committee.

The Bill passed in the House of Representatives relevantly provides Read the rest of this entry »

Age breathlessly reports that Victoria Police could be sued over leak of Laidley photo. Duh! The real story is that when it comes to protecting privacy and getting redress the law is woefully inadequate.

May 6, 2020

The angles newspapers take to kick a story along can be astonishing. In today’s Age the story Police could be sued over Laidley photo leak, lawyer warns reports that Victoria Police could be sued in relation to the leak of photographs of Dean Laidley. Really! That is the story? The “talking head” that is the hook for the story is Jeremy King, providing ex tempore observations that there was a breach of confidential information and misfeasance in public office. They were reasonable general comments overall. But hardly extraordinary and definitely not in the “breaking news” category.

All in all it is pretty thin gruel for a story in a large newspaper.  It does however provide an opportunity to have a (very) brief look at how inadequate the law is in this area.

Until all the facts are known it is impossible to properly assess and determine what causes of action are available.  But even at this preliminary stage there appear to be some available.  Unfortunately with no statutory tort of interference with privacy (recommended by the Australian Law Reform Commission twice, the Victorian and New South Wales Law Reform Commissions, the ACCC in its recent Digital Platforms Report, multiple Federal and State Parliamentary Committees and recommendations by learned academics over the last 40 years) when dealing with privacy breaches it is necessary to rely on a range of torts, claims in equity and, on occasion, common law to bring a case.

There are two distinct issues in a case of this nature, the Read the rest of this entry »

A second police officer suspended over leak of unauthorised photographs of Laidley

May 5, 2020

The extent to which the unauthorised photographs of Dean Laidley have spread through texts and via social media is not publicly known but the reporting suggests it has been, and probably continues to be, widespread. The immediate impact has been on the Victoria Police with a second policeman, a senior constable, stood down and under investigation and likely to be charged. The story is reported by the Age in Second police officer suspended over leaked images of Dean Laidley and by the ABC with Victoria Police suspends second police officer over unauthorised sharing of Dean Laidley photo. Both Senior Constables will be fortunate if the extent of their troubles is limited to damaging their careers within Victoria Police. If convicted of a criminal offence they face the real prospect of losing that career. In those circumstances officers more often than not resign before being removed from the Force.

To the extent that action has been taken, it is laudable, but the episode also highlights that in Australia it is for the authorities to take action. The law in this area is lamentably paternalistic. The ability of Australians to take action, or at least consider it, for breaches of their privacy is so circumscribed as to be near worthless. There is no Read the rest of this entry »

Government releases exposure draft of the Privacy Amendment (Public Health Contact Information) Bill 2020

The Commonwealth Attorney General’s Department has released an exposure draft of the Privacy Amendment (Public Health Contact Information) Bill 2020.

The Attorney General’s media release provides:

The COVIDSafe app is a critical tool in helping our nation fight the COVID-19 pandemic.

With more than 4 million COVIDSafe registrations many Australians are already doing their part to help protect and save lives.

Attorney-General, Christian Porter, today released draft legislation which will codify the existing protections for individuals’ data collected by the COVIDSafe app that have been established in the Health Minister’s Biosecurity Act Determination.

The Privacy Amendment (Public Health Contact Information) Bill 2020 will reinforce the protections set out in the Determination made by the Minister for Health under the Biosecurity Act 2015 on 25 April 2020, placing the protections into primary legislation through amendments to the Privacy Act 1988. Read the rest of this entry »

Proposal by Restaurant and Catering Australia to require those who don’t have the COVIDSafe tracking app to provide their personal details to staff at restaurants and cafes is silly, oppressive and downright dangerous.

May 4, 2020

In the 7 or so weeks of lockdowns of varying degrees of intensity there has sprung up a strain of virtue signalling where intrepid souls have come up with more and more intrusive and frankly ridiculous ways of demonstrating how they are doing the right thing to beat the demon virus. That has commonly meant tormenting fellow Australians with petty displays of Colonel Blimpery. In its milder forms it is hyper compliance with social distancing. A particularly frantic employee at Haighs in Hawthorn nipping in between customers ensuring they do not move from x’s on the floor, scolding them when they took a foot wrong, and doing quick 1.5 m checks with outstretched arms is a favourite memory. It is a good time for those who harbour a petty bureaucrat in their soul. In its more extreme forms it involves making up legislative prescriptions that just don’t exist.

But some proposals which try to be seen to do the right thing are not just petty and irritating, they are downright dangerous and oppressive. The proposal spruiked by Restaurant and Catering Australia CEO Wes Lambert to require Australians who don’t download the COVIDSafe tracking app and who want to use a restaurant or cafe to give their personal information to the staff fits that description to a tee. It may not constitute a technical breach of clause 8 of the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements – Public Health Contact Information) Determination 2020, which prohibits coercing the use of the COVIDSafe App, but it is in breach of the spirit of that law.

One can only hope that Wes Lambert was suffering temporary relevance deprivation syndrome which prompted him to advocate this breathtakingly stupid, utterly un-Australian and pernicious proposal.

The proposal is reported in the Australian article Coronavirus Australia: No app? Leave your name and number which Read the rest of this entry »

Victoria police suspends officer over leak of photographs of Laidley taken in police station. The response highlights the uneven and generally inadequate state of privacy protections even if the results head in the right direction.

It appears that occasionally the Victoria Police can respond quickly and appropriately to privacy breaches. The ABC reports that a senior constable who took the photographs of Dean Laidley while in custody and being processed has been suspended and is likely to be charged with an offence under the Victoria Police Act 2013. Deputy Commissioner Patton did not identify what provision of the Act the senior constable might be charged under but it may be under one of section 226, 227 or 228.

The ABC Report provides:

Victoria Police has suspended an officer over an “appalling” privacy breach after he allegedly shared unauthorised images of former AFL coach Dean Laidley in custody inside a police station. Read the rest of this entry »

Police photographs of Dean Laidley and photographs taken inside police station a significant data breach and invasion of his privacy.

The arrest and charging of Dean Laidley for what has been described as stalking is a matter of public record. He appeared before the Melbourne Magistrates Court and was remanded. As no suppression or pseudonymisation orders were made those details can be reported.

However photographs police take of those charged are not public documents.  They are taken for the purpose of properly recording the processing of a person into custody.  Their purpose does not extend to providing colour to a story.  Further, other photographs taken in a police station of a suspect or a person charged are not for public consumption. Frankly there is no good reason for taking other still photographs. 

It is then appalling to see that the Herald Sun has Read the rest of this entry »

Home affairs data breach exposes data of 700,000

Another depressingly familiar data breach involving the Federal Government’s handling of personal information. This time the Guardian reports the breach involving access to personal details of 774,000 migrants and applicants. In this case the breach involved the inadvertent display through the SkillSelect platform of those who expressed an interest in migrating to Australia. The defect in the platform’s operation permits someone to access details of a person’s age, qualifications and marital status as well as other information.

What is interesting is that the information dates back to 2014.  According to the Guardian story expressions of interest are stored for 2 years.  Yet the database includes information stretching back 6 years.  That in itself is a concern. 

It will be interesting to see if Read the rest of this entry »