Security Legislation Amendment (Critical Infrastructure) Bill 2021 passed by both Houses of Parliament.

November 24, 2021

The Security Legislation Amendment (Critical Infrastructure) Bill passed both houses of the Commonwealth Parliament on Monday 22 November 2021. 

Key elements of the legislation are:

  • Section 8D defines the critical infrastructure sectors as being:

    Each of the following sectors of the Australian economy is a critical infrastructure sector:

      (a) the communications sector;
      (b) the data storage or processing sector;
      (c) the financial services and markets sector;
      (d) the water and sewerage sector;
      (e) the energy sector;
      (f) the health care and medical sector;
      (g) the higher education and research sector;
      (h) the food and grocery sector;
      (i) the transport sector;
      (j) the space technology sector;
      (k) the defence industry sector.

  • Section 8E defines a critical infrastructure asset as being an asset that relates to a critical infrastructure sector. There are also definitions of specific types of critical infrastructure assets.
  • There are very broad definitions of when an asset relates to a sector.
  • The definition of a relevant impact is broad and general.
  • Part 2B sets out the mandatory reporting obligations. Section 30BC, regarding a critical cyber security incident, provides, in part:

Read the rest of this entry »

US Federal Trade Commission strengthens security safeguard rules to deal with widespread data breaches

November 2, 2021

Another sign, if more were needed, that data breaches are a chronic and increasingly damaging phenomenon is that the US Federal Trade Commission (the “FTC”) has issued amendments to the Standards for Safeguarding Customer Information.

The Final Rule is a very substantial document. It is a useful document for those interested in privacy and cybersecurity generally. Given the dearth of clear and precise definitions, practices and protocols in Australia, it is quite useful here.  Like NIST publications, it is a much more substantial and useful document than the vague and opaque guidelines issued by regulators in Australia.

Those who are responsible for maintaining cyber security and establishing procedures and protocols to protect personal information could do worse than read these rules.  It is only a matter of time before the Information Commissioner prepares detailed guidelines which are more consistent with the voluminous GDPR documents or the direct and also comprehensive FTC rules Read the rest of this entry »

Attorney General’s Department releases discussion paper on reform to the Privacy Act 1988

October 27, 2021

On 25 October the Attorney General’s Department released its long awaited Privacy Act Review Discussion Paper (the “Paper”).  It is something of a behemoth, being 217 pages long, or about half a lever arch folder.  That said, as a veteran of reading many reform papers on privacy over the years, it is not the longest or most comprehensive.  That honour falls upon the Australian Law Reform Commission’s 2008 Report, For Your Information: Australian Privacy Law and Practice (ALRC Report 108), which filled more than 3 lever arch folders over 3 volumes.  The ALRC’s 2014 Report, Serious Invasions of Privacy in the Digital Era (ALRC Report 123), at 332 pages, was modest by comparison and built slightly on the earlier ALRC report.  The ACCC Digital Platforms Inquiry, coming in at 623 pages, considered privacy related matters, in particular endorsing and recommending a statutory tort of interference with privacy.  And there are reports from the Victorian Law Reform Commission and the New South Wales Law Reform Commission on privacy. The point being made is not that I have read a lot of reports. I have.  It is also not that the size of the reports matters.  It doesn’t.  It is that this Paper is just another in a long line of reports on the need for reform of privacy legislation.  And those previous reports were prepared by much more learned authors and were more thorough than this Paper.

The Paper is a constrained work, making many generally uncontroversial recommendations to make interpretation clearer, to make the operation of the APPs more relevant and to give some increased powers to the Information Commissioner.  It is far from comprehensive.  It avoids making recommendations about a statutory tort of privacy. Rather it continues the continual policy loop as governments of every persuasion push this issue into further review, then consultation, then bury it in a report and then hope it goes away until it is recommended again or otherwise finds itself before the Government.  It has been a hugely expensive, time intensive waste of time.  Any body outside of a Government that looks into the issue recognises the need for a statutory tort of privacy.

The Paper discusses the small business exemption from the operation of the Privacy Act in broad, on-the-one-hand-then-on-the-other terms, as well as the Employment Records, Political Parties and Journalist carve outs, but goes no further.  Each exception is anomalous to a greater or lesser degree, and the restricted coverage of the Act, covering only 5% of businesses, is a matter that should have been addressed with a firm proposal. Those carve outs make it regulation that is quite limited in scope.

The Paper did not consider the many exceptions to and limitations upon the APPs.  There are too many exceptions which permit agencies in particular to avoid proper scrutiny.

It is interesting that the Paper quotes the GDPR definitions and practices quite liberally and endorses aspects of the GDPR, but refrains from adopting, by way of amendment to the Privacy Act 1988, those parts of the regulation which make the GDPR a much more effective privacy regulation regime.

The Paper does not consider the role of the Guidelines, which are prepared by the Office of the Australian Information Commissioner, in proceedings.  The Guidelines are important in giving context and detail to the broadly drawn Australian Privacy Principles (APPs).  But they are not regulations.  As such the Administrative Appeals Tribunal and the Federal Court are quite able to have no regard to them, which has happened in cases.  This has made submissions on the interpretation of the Principles a fraught affair before the AAT and the Federal Court, where applicants have had a poor record of success.  And not because they had weak cases.

Where major revision was warranted the Paper recommends modest improvements.  An improvement is just that, so that is to be welcomed.  But only to that degree. What the Paper does not Read the rest of this entry »

US Consumer Financial Protection Bureau orders tech giants to hand over payment system details to determine how they use personal information and manage consumers’ data

October 25, 2021

As with the Federal Trade Commission, the US Consumer Financial Protection Bureau (CFPB) is concerned about tech giants’ untrammelled use of vast amounts of consumers’ personal information.  To that end the CFPB issued orders to tech giants requiring each to provide information about data harvesting, monetisation and access restriction.

The Director of the CFPB set out the rationale for this significant fact finding exercise in a formal statement.  It provides Read the rest of this entry »

Zuckerberg to be joined to a Facebook Privacy Suit brought by the US District of Columbia

October 21, 2021

The Attorney General for the District of Columbia is planning to join Mark Zuckerberg, CEO of Facebook, to its consumer protection lawsuit, according to the New York Times in Zuckerberg to Be Added to Facebook Privacy Suit.

Claims of this nature which are brought by bodies politic are not unusual in the United States.  They are far less common in Australia where Read the rest of this entry »

Threat report from Australian Cyber Security Centre, Data Breach notification report by Information Commissioner and report of 61 million records breached worldwide in August 2021 point to cyber attacks being a growing problem

September 16, 2021

A confluence of reports highlights the dismal state of security preparedness in Australia in particular and throughout the developed world generally.

IT Governance calculates that in August there were 84 cyber attacks, resulting in 60,865,828 records being breached.  Of that number, T-Mobile suffered a hack which affected 53 million records.

Yesterday the Australian Cyber Security Centre (ACSC) released its Annual Threat Report for 2020–2021, which reports that over 67,500 cyber crime reports were made in the last 12 months. And the ACSC acknowledges that the figure could be, and probably is, higher.  Probably Read the rest of this entry »

Ben Stokes privacy action results in an apology by the UK Sun

August 30, 2021

On 17 September 2019 the Sun published a story about the murder suicide of Ben Stokes’ mother’s ex-husband 31 years previously in New Zealand.  The story is no longer available online.  The murder was of his mother’s two children. This tragic event occurred before Ben Stokes, a prominent English cricketer, was born.  At the time Ben Stokes reacted furiously to the story, describing it as disgusting and immoral.  The Guardian ran a detailed piece, Ben Stokes attacks ‘despicable’ Sun story about family tragedy.  The next month Ben Stokes and his mother, Deborah, issued proceedings in the UK Court of Chancery.  The Particulars of Claim were served on 22 January 2020, with the Defence filed on 16 April 2020.

The nub of the defence was that, first, the story about the murders had been covered by the New Zealand media and, secondly, the Sun had obtained an on-the-record interview with the family and had approached Ben Stokes for comment.

At the time, and subsequently, there was a lively debate about whether the report was a matter of free expression and/or a legitimate story to report versus privacy.  On 18 September 2019 The Independent came out in support of the Sun.  At the time The Conversation, in Ben Stokes v The Sun: gross intrusion or simple reportage? How media privacy law works, highlighted some of the issues, such as whether a privacy claim can be brought when the information is in the public domain, and whether a claim can be made by a person when it relates to interrelated parties.

There was no trial on the merits.  The Sun and Stokes settled on favourable terms to Stokes. The Stokes’ solicitors released a statement confirming Read the rest of this entry »

Biggest cryptocurrency hack involves $600 million stolen from Poly Network

August 12, 2021

Poly Network, a finance platform based in China which specialises in cryptocurrency transfers on the Binance, Ethereum and Polygon blockchains, has lost $600 million worth of cryptocurrency to a data breach.  The hacker exploited a vulnerability in the _executeCrossChainTx function between contract calls and was able to pass in data to modify the keeper of the EthCrossChainData contract.  That let the intruder declare themselves the owner of any funds processed through the platform. Clever.  It also shows that coding errors can be fatal, and that part of cyber security should be taking steps to test and review code.

Using repeated calls to the attacked contract, the hacker was able to exfiltrate funds from the Poly Network and then transfer them Read the rest of this entry »

Class action settlements over privacy claims against Zoom and others show that taking privacy seriously makes good business and legal sense

Zoom has reached an $85 million settlement arising out of a lawsuit, IN RE: ZOOM VIDEO COMMUNICATIONS, INC. PRIVACY LITIGATION (5:20-cv-02155), which claimed it violated its clients’ privacy rights by sharing personal data with Facebook, Google and LinkedIn.  The claim also alleged that Zoom’s security practices were unsatisfactory as they let hackers into Zoom meetings.  That practice has become so notorious that it has a term, zoom bombing. There has been extensive coverage, with reports in itnews, ABC and the BBC.   The Reuters coverage provides Read the rest of this entry »

Red Canary releases 2021 Threat Detection Report while Thales releases its Data threat report for 2021

July 29, 2021

Red Canary has released its 122-page 2021 Threat Detection Report.  It is useful in identifying the most prevalent techniques and threats, and considers the best ways to detect and mitigate specific threats and techniques. It is a highly technical document.

The top techniques are:

  • T1059 Command and Scripting Interpreter (24%)
  • T1218 Signed Binary Process Execution (19%)
  • T1543 Create and Modify System Process (16%)
  • T1053 Scheduled Task / Job (16%)
  • T1003 OS Credential Dumping (7%)
  • T1055 Process Injection (7%)
  • T1027 Obfuscated Files or Information (6%)
  • T1105 Ingress Tool Transfer (5%)
  • T1569 System Services (4%)
  • T1036 Masquerading (4%)

The report also noted:

  • Command-line parameters are by far the most efficacious for detecting potentially malicious PowerShell behavior.
  • Attackers use the Windows Command Shell, one way being the use of cmd to call native commands and redirect the output of those commands to a file on the local admin share.
  • To detect adversaries it is necessary to focus on uncommon patterns of execution and on patterns of execution commonly associated with malice.
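The two detection points above (suspicious PowerShell command-line parameters, and cmd.exe redirecting command output to an administrative share) can be expressed as simple rules over process-creation telemetry. The following is an added example written for this page; it is not code from the Red Canary report. It assumes a hypothetical event schema (pid, image path, command line) and a constructed set of sample events, and the parameter-alias table and administrative-share pattern are the editor's assumptions about what is worth flagging, not a list taken from the report.

```python
import re

# Constructed sample process-creation events (hypothetical schema; not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c whoami /all > \\WS01\ADMIN$\temp\out.txt'},
    {"pid": 102, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ipconfig /all >> \\WS01\C$\Windows\Temp\o.txt'},
    {"pid": 103, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c dir C:\Users > C:\Temp\dir.txt'},          # local file: benign
    {"pid": 104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "
                "-EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"pid": 105, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},          # ordinary script run
    {"pid": 106, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Canonical PowerShell parameters and the abbreviations commonly seen for them
# (assumed table; PowerShell accepts unambiguous prefixes, so abbreviations matter).
PS_PARAMS = {
    "EncodedCommand": {"encodedcommand", "encoded", "enc", "ec", "e"},
    "ExecutionPolicy": {"executionpolicy", "ex", "ep"},
    "NoProfile": {"noprofile", "nop"},
    "NonInteractive": {"noninteractive", "noni"},
    "WindowStyle": {"windowstyle", "w"},
}
PS_ALIASES = {alias: canon for canon, aliases in PS_PARAMS.items() for alias in aliases}

# Output redirection (> or >>) to a UNC path whose share is ADMIN$ or a drive share (C$, D$ ...).
ADMIN_SHARE_REDIRECT = re.compile(
    r'>>?\s*"?\\\\[^\\\s"]+\\(?:admin\$|[a-z]\$)(?:\\|"|\s|$)', re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace while keeping double-quoted spans intact."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def powershell_findings(cmdline):
    """Return the suspicious PowerShell parameters present on the command line."""
    toks = tokenize(cmdline)
    findings = []
    for i, tok in enumerate(toks):
        if not tok.startswith(("-", "/")):
            continue
        canon = PS_ALIASES.get(tok[1:].lower())
        if canon is None:
            continue
        value = toks[i + 1].strip('"').lower() if i + 1 < len(toks) else ""
        if canon == "EncodedCommand":
            findings.append("encoded command")
        elif canon == "ExecutionPolicy" and value in {"bypass", "unrestricted"}:
            findings.append(f"execution policy {value}")
        elif canon == "WindowStyle" and value == "hidden":
            findings.append("hidden window")
        elif canon in ("NoProfile", "NonInteractive"):
            findings.append(canon.lower())
    return findings


def cmd_findings(cmdline):
    """Flag cmd.exe command lines that redirect output onto an administrative share."""
    if ADMIN_SHARE_REDIRECT.search(cmdline):
        return ["output redirected to an administrative share"]
    return []


def analyze(events):
    """Apply the image-specific rules to each event; return (pid, reasons) for hits only."""
    results = []
    for ev in events:
        image = ev["image"].lower()
        reasons = []
        if image.endswith("\\cmd.exe"):
            reasons += cmd_findings(ev["cmdline"])
        elif image.endswith(("\\powershell.exe", "\\pwsh.exe")):
            reasons += powershell_findings(ev["cmdline"])
        if reasons:
            results.append((ev["pid"], reasons))
    return results


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

On the constructed events this flags pids 101 and 102 (admin-share redirection) and 104 (four PowerShell indicators), and leaves the local redirect, the plain script invocation and notepad alone. The alias table is the important design point: matching only on the spelled-out parameter names would miss the abbreviated forms that appear in practice.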

It is a comprehensive report and worthy of a close read not only by technical operators but also by those who get involved with cyber security issues.

The Thales report is more a strategic overview Read the rest of this entry »