UK Government opts for sensible approach in permitting researchers to test anonymisation measures

January 14, 2018

The mantra by regulators that data which has been anonymised can be used for research and published has resulted in significant embarrassment when that anonymisation failed and the data was re-identified. It has spawned a busy subset of academic articles on how this happens, generally advising caution; see for example All or Nothing: The False Promise of Anonymity in the Data Science Journal.

Re-identification occurs where there has been insufficient de-identification, and the methods of re-identifying are generally one or both of pseudonym reversal or combining data sets.

In Australia the Government introduced the Privacy Amendment (Re-identification Offence) Bill 2016. If enacted it will prohibit the

NSW Government data security inadequate according to report

December 28, 2017

The Fairfax press, in Personal information held by NSW government exposed to cyber crime risk, reports that two-thirds of NSW Government agencies do not comply with their obligations to secure data.

The 82 page report provides insight, but the chronic and deep seated flaws in data handling and cyber security practices it describes are all too common. A lack of training in what limited access to data should mean, a lack of in depth protections which detect breaches from both outside and within, inadequate legislation with ineffective enforcement, and inadequate training which leads to a poor privacy culture are the foundations upon which these problems develop.

It is curious that the report was released on 20 December and only reported on 28 December 2017.  Given the issue is so serious it is almost certain to disappear into the ether over the Christmas break.  Maybe it wasn’t so curious after all.

The New South Wales Audit Office released a press release on

A refreshing and timely story on the Commonwealth Bank accused of misleading the Privacy Commissioner, and the Privacy Commissioner cops criticism for its handling of that deception

December 20, 2017

Tonight’s 7.30 program has a story, titled Commonwealth Bank accused of misleading the Privacy Commissioner about a privacy complaint, where the sting is the Commonwealth Bank failing to provide proper disclosure of documents. The determination is

Cybersecurity risks with the internet of things

Legislatures, and courts, being slow to fill gaps in the law is hardly a news story. And it is axiomatic that there is legislative inertia in the face of new technologies. The history of road rules for motor vehicles is a classic example. But the inertia and failure to respond to the threat of cyber attack has been a protracted and sad story of public policy failure. Hacking, phishing, spoofing and any number of other attacks on a network have existed as long as the internet has been publicly accessible. Protecting against that has been ad hoc and generally

Australian Information Commissioner releases Notifiable Data Breaches resources

December 18, 2017

It is always in the enforcement that regulators, and the effectiveness of legislation, are judged. In the privacy sphere that is no different. The Privacy Amendment (Notifiable Data Breaches) Act 2017 commences operation on 22 February 2018.

The Australian Information Commissioner has released the final resources (previously called guidelines) on the operation of the Act and what is expected of organisations and agencies. They are set out below.

Resources are one thing; the culture is just as important. The excellent article When cultures collide: the debate we’re not having on data privacy highlights

Health records re-identified in significant data breach

There is significant controversy about whether data can be scrubbed so that it cannot be re-identified. What is less controversial is that many organisations put insufficient effort into de-identifying data. The authors of a paper, Health Data in an Open World, have demonstrated how they re-identified patients in a supposedly de-identified open health data set. The authors, academics at the School of Computing and Information Systems at the University of Melbourne, summarised what they did

Queensland law firms attacked by hackers and lose millions

Law firms have long been a target for hackers. They hold vast troves of valuable information about clients and significant sums of money in trust. They generally constitute a soft target because they have a poor understanding of cyber security and what their obligations are under the Privacy Act 1988 and do not

The internet of things and hacking…

December 16, 2017

There has been a flurry of stories relating to the internet of things and the lack of data security, to wit businesses being hacked through access points that exist courtesy of connected devices. In the UK dozens of British heating systems have been found to be vulnerable to hacking. In that case

Risk assessments predict 2018 will be a significant year for cyber attacks

December 5, 2017

McAfee has released its 2018 Threats Predictions Report, and the European Banking Authority has released its risk assessment report. In that report the EBA found:

  • cyber risk and data security were identified as the “main drivers for increasing operational risk”
  • 55% of banks “foresee an increase in operational risk in their bank”. This is an increase from 43% last year and 35% in 2015.
  • most EU banks are still taking steps to address the weaknesses stemming from the technology-driven evolution of their industry.
  • because of the reliance on IT platforms, digitalised product channels for banking services and outsourcing to third-party providers, 42% of the respondents stated that cyber risk and data security is the main cause of increasing operational risk
  • cyber risk is “one of the key risks threatening data integrity and business continuity in the financial system”. It also said that banks are facing increasingly complex cyber attacks from “intruders trying to gain unauthorised access to critical systems and data”.
  • cyber risks pose operational, legal and reputational risks, including business interruptions, data and software loss, cyber extortion, fraud, breach of privacy, network failure liabilities and damage to physical assets, which can result in financial losses
  • the growing use of third party services by financial institutions may impact on the ability of those institutions to manage their risks, such as strategic, reputational, compliance and operational risk, and that is a cause of increased systemic risk. The EBA noted that these risks should be mitigated adequately by banks and embedded in a sound and efficient risk management policy. That means money and effort.

The EBA produced draft guidance designed to support the adoption of cloud-based solutions by banks earlier this year. Interestingly the EBA

US Supreme Court to review digital privacy through the prism of the 14th Amendment, warrantless searches

November 27, 2017

The US Supreme Court has been remarkably strong on recognising a right to privacy through various Amendments to the Constitution, mainly the