Information Commissioner finds that she has no jurisdiction regarding complaints of interference with privacy against Tim Wilson and ‘stoptheretirementtax.com’ website

April 10, 2019

The Information Commissioner announced, on 8 April 2019, that she does not the power to investigate a complaint about a breach of the Privacy Act by Tim Wilson or Wilson Asset Management (International) Pty Ltd in relation to the collection and use of personal information through the ‘stoptheretirementtax.com’ website.’  The website and the collection of data caused some controversy.  In Tim Wilson’s ‘retirement tax’ website doesn’t have a privacy policy. So how is he using the data? Andre Oboler in a traditional academic “on – the – one – hand – and – on – the – other” analysis raised the complications of determining whether a Parliamentarian operating a web site falls within the political exemption provisions of the Privacy Act of is covered by parliamentary privilege, by virtue of his work as a chair of the standing committee on Economics, either of which would deny the Commissioner jurisdiction. The other coverage, such as Liberal MP Tim Wilson faces ‘breach of privacy’ claims and Labor pushes to refer Tim Wilson to privileges committee is more red blooded political reporting.

Mr Oboler was prescient Read the rest of this entry »

Attorney General seeks to have Privacy Commissioner investigate the actions of Vegan protesters

April 9, 2019

Yesterday’s vegan protests in Melbourne and throughout various agricultural sites in Australia has infuriated the Federal Government.  With  an election about to be called and a big rural constituency in mind, a tendency to beat the law and order drum becomes an necessity.   To that end the Attorney General, Christian Porter announced last Friday that that it was going to bring the Aussie Farms website under the regulation of the Privacy Act 1988 on 6 April 2019, last Saturday. 

The media statement provides:

The Coalition Government will bring the Aussie Farms website under the Privacy Act, exposing it to potential penalties of up to $2.1 million if it breaches the Act.

Attorney-General, Christian Porter, said the activities of Aussie Farms Incorporated created an unacceptable risk to hardworking farming communities and producers.

“The company publishes information about Australian farmers and agricultural producers including their names and addresses, exposing them to potential trespass, biosecurity hazards, and reputational damage,” the Attorney-General said.

“Listing this activist group as an organisation under the Privacy Act, now means that the company will have to abide by the provisions of the Act.”

Minister for Agriculture, David Littleproud, said he had repeatedly asked Aussie Farms to take the website down before someone was hurt or worse, but the group behind the website flat refused.

“The farming families who grow our food deserve to be able to do so without fear of invasion on their property and harm to their children,” Minister Littleproud said.

“The Aussie Farms website is intended to be an attack map for activists and it is already working as one. The fact Aussie Farms refused to take the website down when invasions began happening on farms displayed on their map shows they intend for it to be used as an attack map for activists.

“Aussie Farms will now be required to comply with the Privacy Act, which includes laws against the misuse of personal information. I note the maximum penalty for an offence under the Privacy Act is $420,000 for individuals and up to $2.1 million for a body corporate.”

Minister Littleproud also called on state governments to beef up trespass laws to provide real penalties for trespass, and to make publicly state that they expect the police will uphold these laws.

Background:

  • The Australian Information and Privacy Commissioner previously found that Aussie Farms Incorporated was exempt from the Privacy Act because its annual turnover was less than $3 million.
  • This move means Aussie Farms Incorporated is prescribed as an ‘organisation’ under the Privacy Act, which requires Aussie Farms to act in accordance with the Privacy Act, regardless of its annual turnover
  • Prescribing Aussie Farms Incorporated allows the Information and Privacy Commissioner to investigate, either in response to a complaint or on her own initiative, if Aussie Farms Incorporated breaches the Privacy Act. The prescription comes into force as of tomorrow (Saturday, 6th April)

And the regulation was made, the day before the media release,  with the Privacy Amendment (Protection of Australian Farms) Regulations 2019  which Read the rest of this entry »

Facebook data breach affects 110,000 Australians personal information

April 1, 2019

Facebook has a tendency to advocate vague improvements to its privacy policies and call for improved and stronger regulation after some or other egregious privacy breach or oppressive monopolistic act is uncovered.  In the last year Facebook has been battered by the Cambridge Analytica scandal, clear evidence of its platform being used by foreign players to influence elections and a seemingly regular stream of less dramatic but no less worrying privacy breaches.  Facebook’s standard response to such problems has been a combination of virtue signalling and getting on board the reform wagon so as to moderate its outcomes. In early March Zuckerberg described the move to private messaging as being his “pivot to privacy” in communications.  After the briefest of analyses it was ridiculed and seen to be more about presentation than product according to the Wire’s Facebook’s Pivot to Privacy Is Missing Something Crucial and Forbes’ Facebook’s Fake Pivot To Privacy and Slate’s Facebook’s Awkward Pivot to Privacy.

Mark Zuckerberg’s reported very recent call for “more active” role for government regulation in internet privacy and election laws has a similar feel about a polished response to criticism. Except that the complaints are long lasting and the potential of real action by governments is real. The last edition of the Economist highlighted the steps being taken by the Europeans, a huge market, against Facebook and Google, amongst others, for their privacy unfriendly practices.   And those steps are not confined to Europe.  American legislators are, for the fourth time, considering more comprehensive privacy laws or trust busting action.

So while there is reason to be sceptical about Facebook’s motives the pressure on Facebook and Google is such that there may be actual improvement.

And there should be given the impact of the privacy breaches in Australia with Read the rest of this entry »

Frank v Gaos 586 US (2019) the US Supreme Court remands settlement in privacy case to lower court, issue of damage again causes concern

March 25, 2019

The issue of measuring damages and establishing the threshold loss  in the United States jurisprudence has retarded the development of the tort of privacy.  It is a common basis for applications to strike out claims.  In Australia, with breach of confidence actions, the threshold is emotional distress rather than psychiatric injury since the Victorian Court of Appeal decision of Giller v Procopets.  The awards in that and subsequent actions have been disappointing parsimonious relative to the intrusion but with time, if the United Kingdom jurisprudence is any guide, the courts should develop an appreciation of the loss associated with these types of breaches.

In Frank v Gaos the nub of the claim related to Google’s disclosure of search histories to third parties without consent, a practice that could violate privacy laws.  The court described Read the rest of this entry »

UK Finance Economic Crime Office’s report that 1.2 billion pounds stolen through cyber fraud

UK Finance has released its Annual Report Fraud the Facts 2019: the definitive overview of payment industry fraud. As if any more information was required, it highlights the impact of data breaches on the commission of acts of fraud.

The brief overview to this 53 page report provides grim reading:

Unauthorised financial fraud losses across payment cards, remote banking and cheques totalled £844.8 million in 2018, an increase of 16 per cent compared to 2017.

Banks and card companies prevented £1.66 billion in unauthorised fraud in 2018. This represents incidents that were detected and prevented by firms and is equivalent to £2 in every £3 of attempted fraud being stopped.

In addition to this, in 2018 UK Finance members reported 84,624 incidents of authorised push payment scams with gross losses of £354.3 million.

In summary the report noted:

  • Data breaches are a “major contributor” to fraud experienced in the UK;
  • The number of phishing websites targeted against UK banks and building societies fell with the focus switching to  impersonating other organisations such as online retailers, travel and leisure firms, HMRC and telecommunication companies instead.
  • Criminals using more low-tech methods such as distraction thefts and card entrapments to steal physical debit and credit cards, which are then used to commit fraud
  • £1.2 billion was successfully stolen “through fraud and scams” in 2018 with personal data stolen from businesses used to perpetrate much of that fraud.
  • “Information stolen through a data breach can be used for months or even years after the event,”
  • unauthorised financial fraud losses across payment cards, remote banking and cheques rose 16% in 2018 to total £844.8 million.
  • authorised push payment fraud accounted for a further £354.3m of losses.
  • on a more optimistic note banks and payment card providers helped prevent further fraud totalling £1.66bn in 2018 through  “advanced security systems and innovations”

The industry responses have been:

  • investing in advanced security systems to protect customers, including real-time transaction analysis, behavioural biometrics on devices and technology to identify the different sound tones that every phone has and the environment that they are in.
  • delivering the Banking Protocol – a rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds taking place.
  • sponsoring a specialist police unit, the Dedicated Card and Payment Crime Unit (DCPCU), which tackles the organised criminal groups responsible for financial fraud and scams.
  • working with consumer groups to develop a voluntary code to better protect customers and reduce the occurrence of APP fraud.
  • working with Pay.UK to implement Mule Insights Tactical Solution (MITS), a new technology that will help track suspicious payments and identify money mule accounts, and Confirmation of Payee, an account name checking service for when a payment is made, that will help to prevent authorised push payment scams.
  • hosting and part-funding the government-led programme to reform the system of economic crime information sharing, known in the industry as Suspicious Activity Reports (SARs), so that it meets the needs of crime agencies, regulators, consumers and businesses
  • working closely with mobile network operators and the messaging industry to trial a new anti-spoofing system to help root out scam text messages.
  • helping customers stay safe from fraud and spot the signs of a scam through the Take Five to Stop Fraud campaign, in collaboration with the Home Office

Some of those responses are present in one form or another in Australia but generally the response has been less sophisticated.

While data breaches are a constant threat there are established and generally quite  simple steps businesses  can take to avoid falling victim to scams such as multi-factor authentication and internal processes for change of bank details.  In addition proper and ongoing training to avoid social engineering, phishing and ransomware attacks should be part of any organisations operations.  Which unfortunately is commonly not the case.

Federal Government announces reforms to Privacy Act to increase penalties for data breaches

March 24, 2019

There is nothing quite like the combination of a Government under stress and high profile privacy breaches to channel the inner reform in what was otherwise a reluctant Attorney General on matters privacy.

The Attorney General has been widely reported as flagging increased fines for serious and repeated interferences with privacy, from $2.1 to 10 million.  Alternatively the fine will be calculated on turnover or value of the misuse.  The flagged amendments will also permit the Australian Information Commissioner to issue infringement notices for minor data breaches.  As importantly the Commissioner will get $25 million to ramp up investigations of data breaches.

The media release provides:

Attorney-General, Christian Porter and Minister for Communications and the Arts, Mitch Fifield, announced the new penalty regime under the Privacy Act and other measures to ensure Australians were protected online and that major social media companies took action to protect the personal information they collect about Australians, particularly children.

“Existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information over the past decade,” the Attorney-General said.

“What the Morrison Government is doing today is outlining a new regime of protections for Australians and penalties for those who misuse Australians’ personal information.  This regime will update our privacy laws without impeding the continued innovation and development of companies working in the online space.”

Minister for Communications and the Arts, Mitch Fifield, said it was clear the Australian community enjoyed using social media and technology platforms, but was increasingly concerned about how personal data is captured, analysed and shared. This was particularly the case for children and members of other vulnerable community segments, he said.

“The tech industry needs to do much more to protect Australians’ data and privacy,” Minister Fifield said.

“Today we are sending a clear message that this Government will act to ensure consumers have their privacy respected and we will punish those firms and platforms who defy our norms and our laws.”

The amendments to the Privacy Act will:

  • Increase penalties for all entities covered by the Act, which includes social media and online platforms operating in Australia, from the current maximum penalty of $2.1 million for serious or repeated breaches to $10 million or three times the value of any benefit obtained through the misuse of information or 10 per cent of a company’s annual domestic turnover – whichever is the greater
  • Provide the Office of the Australian Information Commissioner (OAIC) with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches
  • Expand other options available to the OAIC to ensure breaches are addressed through third-party reviews, and/or publish prominent notices about specific breaches and ensure those directly affected are advised
  • Require social media and online platforms to stop using or disclosing an individual’s personal information upon request
  • Introduce specific rules to protect the personal information of children and other vulnerable groups.

“This penalty and enforcement regime will be backed by legislative amendments which will result in a code for social media and online platforms which trade in personal information. The code will require these companies to be more transparent about any data sharing and requiring more specific consent of users when they collect, use and disclose personal information,” the Attorney-General said.

“We will also be requiring platforms to implement a mechanism to ensure they can take all reasonable action to stop using an individual’s personal information if a user requests them to do so and have even stronger regimes to address these issues when the user is a child or other vulnerable person.”

The OAIC will be provided with an additional $25 million over three years to give it the resources it needs to investigate and respond to breaches of individuals’ privacy and oversee the online privacy rules.

Legislation will be drafted for consultation in the second half of 2019.

“This new regime builds on other Government initiatives to improve online safety and provide Australians with greater control over their personal data, including the Online Safety Charter and Online Safety Research program, and the Consumer Data Right,” the Attorney-General said.

“The draft legislation will also incorporate any relevant findings of the current Digital Platforms inquiry by the Australian Competition and Consumer Commission which is due to issue its final reportin June 2019.  Whilst focused on the impact of large digital media platforms on competition in news media, it is also touching on privacy-related issues and, in its interim report late last year, recommended the tougher penalty regime being outlined today by the Morrison Government.”

The Australian has the best coverage to date in Read the rest of this entry »

Linklaters LLP Linklaters Business Services Intended Claimants v Frank Mellish [2019] EWHC 177 (QB): breach of confidence, injunctions

March 4, 2019

Mr Justice Warby in Linklaters LLP Linklaters Business Services Intended Claimants v Frank Mellish [2019] EWHC 177 (QB) considered an application for injunctive relief regarding a breach of confidence action.  The information was sensitive but not commercially sensitive in the strict sense of the word. The decision does demonstrate the relative flexibility of the principles applied to more unusual fact situations.

FACTS

The claimants are:

  • the multi-national law firm Linklaters; and
  • the company through which Linklaters employed its UK-based employees (“LBS”).

Read the rest of this entry »

Likely ransomware attack at Melbourne Heart Group located at Cabrini Hospital affects 15,000 medical files

February 21, 2019

The Fairfax press reports in Crime syndicate hacks 15,000 medical files at Cabrini Hospital, demands ransom that the Melbourne Heart Group, specialists who lease rooms at the Cabrini Hospital has suffered what is almost certainly a ransomware attack. 

Ransomware attacks are particularly prevalent in the health care industry.  The impact of an attack is immediate and serious if not catastrophic and the need to remedy it, by paying the ransom, urgent.  Health data is particularly sensitive.  In early February an optometry clinic in Connecticut was hit impacting 23,578 patient records, In Jacksonvill Florida a Obstetrics and Gynecology practice suffered a data breach involving ransomware in early January while a health center in Rhode Island was hit by a ransomware attack in early December last year.   In November hospitals in Ohio and Ireland were hit by ransomware attacks.  And the list goes on and on and on.

Ransomware attacks are maturing and becoming more, not less effective.  The average ransom in the US has increased by 13% in the last quarter of last year over the previous quarter from $5,973 to $6,733. 

That a specialist cardiology unit at Cabrini could be so compromised by the attack indicates that there was either no or inadequate back up of the health records  in that unit.  If the records were Read the rest of this entry »

Out of a lot of nonsense about cyber attacks by foreign governments there comes a good article dealing with the key issue… poor privacy practices by individuals

February 20, 2019


There has been no shortage of breathless and generally meaningless articles about the Government’s statement that political parties and the Australian Parliament have been the subject of state sponsored cyber attacks.  The Government boffins have come out with statements both  highlighting the risk and claiming everything is under control.  It has given rise to ponderous commentary about attacks on democracy and then spins out to truly odd dystopian pieces as Peter Hartcher did with Farewell tech utopia: how governments are readying the web for war which swallows the  twaddle about the internet being balkanised and ruined. 

The reality is that cyber attacks by state players, mainly Russia, China and North Korea have been a regular occurrence for a decade.  Then there are the plethora of non state hackers in India, the various Stans and Africa who sometimes are engaged by instruments of state to create mischief.  It is a feature of life in the age of the internet. 

Rather than reading the Henny Penny the sky is falling reportage and the end of innocence blather the best article to get an understanding of what is going on and why is the ABC piece Cyber attacks by foreign governments, malicious companies and enterprising hackers are on the rise. And the biggest problem is you. It sets out in plain undramatic terms that most cyber attacks succeed because someone in an organisation or government agency is fooled by an email containing malware.  And, as the article makes clear, that problem is one of Read the rest of this entry »

Nearly one in ten adults admit to taking nude images without consent

February 19, 2019

The Guardian with Revenge porn: nearly one in 10 adults admit to taking nude images without consent and the Canberra Times in One in 10 Australians have perpetrated ‘image-based abuse’ have reported on research by RMIT and Monash University in Image-based sexual abuse: The extent, nature, and predictors of perpetration in a community sample of Australian residents which found that 10% of adults have engaged in this problematical (and in many jurisdictions is criminal) conduct.  

The stories are not a product of detailed analysis but a pick up of the media release by the RMIT on Monday, 18 February 2019 which Read the rest of this entry »