Today is data privacy day…a lot more work to do beyond reminding people of the need to keep data private and secure

January 28, 2021

Thursday 28 January 2021 is Data Privacy Day. It is also the 40th anniversary of Convention 108 and the 15th edition of the Data Protection Day.

The National CyberSecurity Alliance aptly describes what the day is about where it states:

Data Privacy Day is a global effort — taking place annually on January 28th — that generates awareness about the importance of privacy, highlights easy ways to protect personal information and reminds organizations that privacy is good for business. Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is observed annually on Jan. 28.

Data Privacy Day is the signature event in a greater privacy awareness and education effort. Year-round, NCSA educates consumers on how they can own their online presence and shows organizations how privacy is good for business.

In 2021, NCSA is encouraging individuals to “Own Your Privacy” by learning more about how to protect your valuable data online, and encouraging businesses to “Respect Privacy”, which advocates for holding organizations responsible for keeping individuals’ personal information safe from unauthorized access and ensuring fair, relevant and legitimate data collection and processing. These themes are encouraged through the below messaging and calls to action:

The Victorian Information Commissioner marked the day by Read the rest of this entry »

Significant data breach from Ambulance Tasmania through interception of its paging service with data of patients who contact ambulances published on line

January 8, 2021

Ambulance Tasmania has suffered a massive data breach. According to the ABC’s Tasmania Police called in after ambulance patient details published online personal information of every Tasmanian who called the Tasmanian Ambulance Service since November 2020 has been accessed and posted on line by a third party.  The specific nature of the breach is unknown but it was to the paging system.  What makes this breach so damaging is that the data accessed is sensitive information, relating to a person’s health status as well as that person/s age, gender and address.

What is both surprising and disturbing is that the data hacked from Ambulance Tasmania has been publicly visible since November last year.

What is less surprising is that it appears that previously deficiencies had been identified in the communications system and processes.  That is quite a common situation.  The problems are apparent but there is no incentive to attend to those problems because time and money can be spent elsewhere which provides more immediate benefit and the legal consequences of a data breach are small because the legislation is weak and the regulators are timid.

The Government response follows the dreary, obsolete path adopted by many Australian Government agencies of the responsible minister being concerned, referring Read the rest of this entry »

Hacked home cams being used to livestream police raids

The Internet of Things, with gadgets and devices previously stand alone now connected to the internet, has always been blighted by vulnerabilities to cyber attack.  The stories of baby monitors being hacked and taken over by criminals or just garden variety creeps are legion and have passed into cyber security folk lore.  Invariably the cause of the hack of a baby monitor is down to the usual problems with any form of security involving a device connected to the internet with some specific issues involving videos; poor security of wireless routers, no or a lousy password for the monitor (often factory settings are left in place), reusing stolen credentials, default log ins and easy to access settings and not updating or patching software as and when required. 

The BBC reports that the hackers have, disturbingly, gone further than standard interference with a device.  Hackers goes beyond accessing home cameras of a residence and now engage in swatting, where they contact or otherwise get police Read the rest of this entry »

Federal Trade Commission requires Zoom to enhance security practices

December 1, 2020

Zoom is now a verb.  The impact of video conferencing platform has made it ubiquitous and necessary to work from home and keep in touch with others during long weeks of shut downs. And it deserves its reputation as the go to platform; it is easy to use, it is free (for 40 minutes at a time), it allows for up to 100 people to join a meeting and it has many cool features such as separate rooms and messaging services.

It has also suffered from the growing pains that afflict technology that appear from nowhere and become massively popular overnight.  That included critical flaws in software for windows that allowed hackers to take over computers and flaws that lets an attacker to use a GIF to hack software and install malware and until recently not having end to end encryption. The list of flaws identified and fixed are set out in Zoom security issues: Here’s everything that’s gone wrong (so far).

As a result of the persistent flaws and inadequate privacy practices, now fixed, Zoom entered into a agreement with the New York Attorney General, on 7 May 2020, whereby Zoom would put into place and support new security measures and enhance privacy controls.

It was only a matter of time before Zoom’s privacy and security problems came to the attention of the US Federal Trade Commission.  It was investigated and earlier this month came to a settlement, again requiring it to provide better information security systems.  The jurisdictional basis for FTC bringing an action is that Zoom engaged in deceptive and unfair practices about it’s level of security, including representations about end to end encryption and the level of encryption.  The period of compliance with the Decision is 20 years.

The FTC issued a complaint  alleging that the misleading practices dated back to 2016.  The complaint highlights Read the rest of this entry »

Europe to take control of its own data

November 27, 2020

Europe is taking decisive steps to increase its data protection with proposed legislation to create an EU wide data market which will enable the sharing of industrial and government information under the European standards. This is reported in the Wall Street Journal’s article Europe Doubles Down on Data Protection to Ward Off Silicon Valley, Chinese Influence.  This will probably be critisised as data localisation, a practice that warrants scrutiny given it is much loved by authoritarian governments for less than savoury reasons.   The scheme will involve data not exclusively involving personal information.

This development highlights Read the rest of this entry »

Hackers attack Legal Services firm Law in Order with Ransonware

November 25, 2020

I have long posted on law firms being in the sights of cyber criminals.  I raised this as an increasing threat in September last year and attacks on Queensland law firms in 2017 and European law firms in 2016.

The Australian Financial Review reports, in Hackers threaten to publish data from attack on legal services firm, report on a cyber attack on 22 November 2020 by hacker legal services firm Law In Order suffering a Ransomware attack with the hackers threatening to publish data unless a payment is made. The story is also covered by itwire, insurance business mag, and itnews.  That list will grow.

Law In Order issued statements of what happens.  It is far from a best practice response.  General waffle.  Full candour is not always possible because investigations take time.  But that does not mean that writing excessive meaningless verbiage is the answer. That is particularly so when the Australian Financial Review has key information about the attack, for example that it was undertaken by Netwalker and is a ransomware attack.  That makes the statement look even sillier than Read the rest of this entry »

Attorney General announces a review of the Privacy Act 1988 with submissions due by 29 November 2020

October 30, 2020

Today the Attorney General announced a(nother) review of the Privacy Act 1988.  That was part of a response to the ACCC Digital Platform’s Inquiry.  In doing so he released a 89 page Issues Paper. 

The media release provides:

The Morrison Government has today released the terms of reference and issues paper for a wide-ranging review of the Privacy Act 1988 (the Privacy Act). 

The Government committed to a review following the Australian Competition and Consumer Commission’s Digital Platforms Inquiry in 2019. Several recommendations from that Inquiry – which the Government has already agreed to in principle – will be considered as part of the review.

These include expanding the scope of the Privacy Act to cover technical data and other online identifiers; and strengthening privacy notice and consent requirements

The review will be conducted by the Attorney-General’s Department and public submissions can be lodged up until 29 November 2020. A further opportunity to comment will also be available following the release of a discussion paper early next year.

“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Attorney-General Christian Porter said.

“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”

A report of the review will be released following government consideration. It is separate to the work already being undertaken to increase the maximum civil penalties under the Privacy Act, and to develop a binding privacy code for social media platforms and other online platforms that trade in personal information.

The issues paper and further information about the review and consultation are available on the Privacy Act review page on the Attorney-General’s Department website. Read the rest of this entry »

Victorian Privacy and Data Protection Deputy Commissioner commences examination of privacy/security in Victorian Universities

October 21, 2020

Universities are prime targets for cyber attack as well as just poor data handling.  In the former category the Australian National University suffered a massive and prolonged data breach over 2018/2019 caused by overseas actors, probably Chinese (my post here) while more recently the University of Tasmania had a significant data breach involving over 19,000 names through incompetent data protection (my post here).

Today the Victorian Privacy and Data Protection Deputy Commissioner commences an examination of how Victorian universities protect personal information.  The press release Read the rest of this entry »

New Zealand Privacy Commissioner launches a privacy breach reporting tool

New Zealand has come even later to mandatory data breach reporting.  Its legislation comes into effect on 1 December 2020. The New Zealand Privacy Act 2020 is, like Australia’s, far from the gold standard. But New Zealand does have a tort of interference with privacy which puts it well ahead of Australia.

Determining whether a data breach is notifiable can be a difficult weighing exercise under both the Australian and New Zealand legislation. Both Acts use serious harm as a threshold but provide no definition of what that is.  In the New Zealand Act the process involves consider quite general factors in section 113 which provides:

Assessment of likelihood of serious harm being caused by privacy breach

When an agency is assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is a notifiable privacy breach, the agency must consider the following:

(a) any action taken by the agency to reduce the risk of harm following the breach:

(b) whether the personal information is sensitive in nature:

(c) the nature of the harm that may be caused to affected individuals:

(d) the person or body that has obtained or may obtain personal information as a result of the breach (if known):

(e) whether the personal information is protected by a security measure:

(f) any other relevant matters.

Mandatory data breach notification is a complicated process . The Privacy Commissioner has Read the rest of this entry »

Smart devices being used for domestic abuse

The weaknesses of the internet of things to hacking has long been known.  That doesn’t mean it has been dealt with adequately.  The common problem is access to those devices through inadequate security or weak passwords from third parties.  A recent BBC article How smart devices are exploited for domestic abuse demonstrates how the internet of things can be used track and terrorise.

A machine or application is in and of itself neither evil or good.  It has no value.  It provides a service or performs a function.  As the article makes clear features designed to assist, such as a doorbell camera, can be used by partners or ex partners to surveil.  Family apps, which I find creepy, are designed to monitor children’s safety.  But the data can be relayed to Read the rest of this entry »