Privacy Commissioner speech on Digital Media and Digital Advertising

April 17, 2018

The Acting Privacy Commissioner, Angelene Falk, recently gave a speech titled Privacy in Digital Media and Digital Advertising.

It is a speech very much in the vein of the previous Privacy Commissioner: completely unobjectionable, very reasonable, topical and accurate.  It hit the current affairs notes, commenting on Facebook/Cambridge Analytica and the topical regulatory change, the upcoming implementation of the GDPR in Europe.  It is also completely neutral about what the regulator expects in concrete terms and what it may do in “fostering a privacy culture…”  That does not bode all that well for a change in direction at one of the least effective regulators at the Commonwealth level.  Bromides and exhortations to comply with the law are fine, but they are never as effective as strategic and forceful enforcement, which sends a message to the market.

The speech relevantly Read the rest of this entry »

FTC revisits consent agreement with Uber after discovering Uber concealed other data breaches

In August 2017 Uber entered into a consent agreement with the US Federal Trade Commission (FTC) arising out of a data breach in May 2014 which revealed Uber’s unreasonable security practices.  I did a post on this settlement in August here. Settlements with the FTC can be onerous, unlike the limp enforceable undertakings in Australia, but they are better than being the subject of litigation.  Unfortunately, while the FTC was investigating the 2014 breach, Uber suffered a second data breach in 2016, arising from lax security associated with third party cloud services, knew of it, and did not disclose it to the FTC.  In fact it deliberately covered it up and attempted to pay off the hackers (see my post in November 2017). A classic case of the cover up causing more problems for the organisation than the breach itself.

The FTC described it Read the rest of this entry »

Early report on mandatory data breach notification laws – Australian Information Commissioner releases first quarterly report. Sixty-three notified breaches in the first 6 weeks of the law’s operation

April 12, 2018

The Office of the Australian Information Commissioner has published the first quarterly report on data breach notifications under the mandatory data breach notification legislation which came into effect on 22 February 2018. Not surprisingly, on a pro rata basis the number of notifications far exceeds the rate under the previously voluntary scheme: 63 breaches in 6 weeks, compared with 114 notifications in the last 52 weeks of the voluntary scheme.  If the rate of notifications remains consistent then 546 reports could be expected over a year, almost 5 times the rate under the voluntary scheme.  Because the legislation requires organisations and agencies to self-assess whether a breach requires notification, and some will take a less conservative approach and accept the risk in doing so, the figures are probably not a complete record of data breaches Read the rest of this entry »

Data breach notification laws spawn little fanfare... another case of underestimating obligations and poor privacy culture

March 15, 2018

The national data breach notification laws are marching towards the first month of operation.  It is not surprising that there have been no reported notifications under the law.  It is necessary to Read the rest of this entry »

Australia’s mandatory data breach notification laws a little over a week old... 2,234,633 records compromised in recorded data breaches worldwide for February 2018

March 3, 2018

IT Governance compiles monthly and annual records of reported data breaches.  For February 2018 it calculated that 2,234,633 records were compromised.  A significant number, but Read the rest of this entry »

Victorian Privacy and Data Protection Act and Health Records Act amended to remove “imminent” from the IPPs and HPPs.

March 2, 2018

Arising from the Royal Commission into Family Violence, the Victorian Government enacted the Family Violence Protection Amendment (Information Sharing) Act 2017.  Through it the word “imminent” has been removed from the Information Privacy Principles and Health Privacy Principles of the Privacy and Data Protection Act 2014 and the Health Records Act 2001.  The amendment lowers the threshold for the disclosure of information where there is a serious threat of harm. The change affects particular agencies within the Victorian Government service.  The focus will now Read the rest of this entry »

In the new world of mandatory data breach notification the starting point is having cyber security awareness.

February 26, 2018

The BBC reports in Young Brits ‘lack cyber-security awareness’ that the problem with cyber security is more than an organisation not having proper cyber security infrastructure, policies and protocols, as well as plans to deal with data breaches.  When 18 to 25 year olds, probably the most tech-savvy and tech-dependent generation, embrace practices almost guaranteed to invite a successful hack of their accounts, the organisations hiring them have a real internal problem.

It will be interesting to see Read the rest of this entry »

Mandatory data breach notification law comes into effect today. Now what? It all depends on proper regulation and enforcement

February 22, 2018

The Privacy Amendment (Notifiable Data Breaches) Act 2017 commences operation today.  There has been more than a ripple of reporting on what is a significant change to the regulatory landscape, ranging from the nerdy techy journals such as Computerworld, start up daily and InnovationAus, to the insurance publications such as insurance and risk, to the general media such as Mumbrella and SBS. The coverage has been general but hits the key points: in the event of a data breach involving unauthorised access to, or loss of, personal information, organisations and agencies must consider whether they are obliged to notify affected persons and the Information Commissioner of that breach. There is a hyperventilating report in the Canberra Times which, while good in parts, extrapolates from the law as it now exists to what might conceivably happen, without the burden of evidence.  That is little better than crystal ball gazing.  The article seems to be suggesting that the effect of the legislation will be a blizzard of emails to customers and the possibility of “data breach notification fatigue.”  This sort of argument is a riff familiar in parts of America, where 48 states have data breach notification laws, which has meant multiple notifications arising from a single breach.  Whether there is an identifiable fatigue, and what exactly it entails, is very much debatable.  Surveys of Americans have highlighted a high level of concern about the security of personal information (such as the Pew Research Center’s survey on privacy in September 2016).  Those who assert there is notification fatigue are commonly representing businesses or are defence lawyers, given that data breaches can attract class actions in the United States.  It is always a fraught exercise to look to another jurisdiction, with all its cultural and legal distinctions, and predict an identical outcome.

What is clear from the legislation is that organisations will need a step by step analysis of the breach and of whether the elements of the scheme have been met so as to trigger the notification obligation.  It is far from a straightforward exercise and can be quite complex, involving an assessment of whether the breach is likely to result in serious harm to the individuals affected. It is certainly more complex than the reportage to date suggests.

The legislation has the real potential to affect many organisations and make them take a more serious approach to their privacy protections.  It could have a very positive and long lasting impact on data security in Australia.  Or it could end up being a dead letter law, as happens with much privacy protection in Australia at the moment.  As with all regulation, effectiveness has more to do with the quality of the enforcement than with what the regulations say.  And that is the rub, given the legislation is structured such that the Commissioner must initiate most actions.  If he or she is disinclined to take an assertive role then there is little an individual can do under the Privacy Act.  There are other, more complicated options available for a data breach which causes damage, but they involve a much more difficult process.  The Commissioner’s office has Read the rest of this entry »

Privacy and Information Commissioner releases guide to managing data breaches…just in time for the commencement of the Notifiable Data Breach legislation

February 21, 2018

The draft guidelines relating to the impending Notifiable Data Breaches legislation have now been finalised and were released yesterday.  All 64 pages of them.

While the guidelines are not regulations, they will be very important when developing the processes and procedures necessary to deal with a data breach.  They will also be important when responding to an actual data breach.  What is notable about this Guideline is that, while it is comprehensive in one respect, addressing key issues in each category, and provides a very useful structure when dealing with a data breach, it is drafted in broad and sometimes opaque terms.  That means the relevant principles of law will need to be considered when dealing with particular provisions of the Privacy Act.  The absence of case law does not assist.  It is a starting point only for Read the rest of this entry »

The Australian Information and Privacy Commissioner, Timothy Pilgrim, to retire on 24 March 2018

February 20, 2018

According to a report in the Mandarin, Last man standing: information and privacy commissioner Timothy Pilgrim to retire, Timothy Pilgrim, the Privacy and Information Commissioner, is to retire on 24 March 2018. It is also reported in iTnews, Computerworld and ZDNet.

Timothy Pilgrim has been one of the better privacy commissioners.  That is a comparative measure only.  His predecessors ranged from ineffective to hopeless.  As a result the privacy and data security culture has been poor.  Pilgrim was far more active than his predecessors, both in terms of work rate and general profile.  But objectively measured he was a timid and tentative regulator.  Even allowing for a limited budget, from 2014 the Office of the Information Commissioner took a very low profile.  His determinations were excessively conservative and Read the rest of this entry »