Federal Trade Commission finalises order against GMR Transcription Services for weak privacy protections

August 22, 2014

While those in the privacy sphere in Australia watch and wait to see how the Privacy Commissioner will exercise his newly acquired (since 12 March 2014) powers of enforcement under the Privacy Act 1988, the Federal Trade Commission (“FTC”) moves apace in taking to task those engaging in privacy-intrusive conduct (via claims that the miscreants misrepresented that they protected their customers' privacy). After announcing orders against Credit Karma and Fandango earlier this week (and posted here), the FTC has approved final orders against GMR Transcription Services, whose security practices were so deficient as to expose the personal information of thousands of consumers online, some of which were medical histories and examination notes. The settlement was first announced on 31 January 2014. The period of the settlement order is 20 years. That is onerous by any measure but, given the nature of the breach, reasonable, particularly as the FTC has no power to fine GMR. In the UK the Information Commissioner may have been able to impose a monetary penalty. In the last 3 – 4 years the FTC has proven to be quite a vigorous regulator, using the limited powers available to it in privacy regulation. It has also been active in calling for greater privacy controls through appearances before Congressional Committees.

In Australia the Privacy Commissioner may

Call for drone law after incident in British Columbia, Canada.

August 21, 2014

How the law deals with the development of drone technology is a good study in what not to do from a public policy and legislative point of view. At a Federal level in Australia and the United States the legislative response has been inertia. Not even incoherence. But not for want of notice or knowledge. There has been no shortage of reports, news stories and expert advice on what drones do, will do and the privacy and commercial impact of their operations.

As with many changes in the privacy sphere it

Data breaches by employees in the health industry…privacy problems

I have recently posted (here, here and here) about data breaches by insiders who are acting maliciously, typically disgruntled or ex-employees, or accidentally, often through phishing or poor password protocols or just negligent acts such as leaving data on BYODs which are lost or stolen. Data breaches are

Federal Trade Commission takes action against mobile apps regarding poor security protection of sensitive personal information

August 20, 2014

The Federal Trade Commission (FTC) has approved two orders with two app services, Credit Karma and Fandango, regarding very poor security protections against interception by third parties, known as “man in the middle” attacks. These orders highlight

Former employees and data security…. as in the lack of it.

I have recently posted on the problem of internal threats to data security (see here and here). Organisations that have strong cyber defences and office security may still be exposed to a significant risk of a data breach by the actions of ex-employees, whether of the disgruntled or gruntled variety. Poor practices in password management, closing access and accounts and generally preventing access to records by ex-employees can easily expose a business to financial and reputational loss. Similarly, checking the online and computer activities of employees soon to be former employees may prevent malware or other cyber bombs being placed within a business's computer system. These issues are illustrated in Why Former Employees Could Be Your Next Great Security Threat.

It provides, absent slides:

Hack of hospital chain and the loss of 4.5 million users’ data

CNET in Hack of hospital chain leads to theft of up to 4.5M users’ data reports on a very significant breach of security affecting a health group operating 206 hospitals. It is the largest breach of hospital patient information since 2009, when the Government started tracking breaches. The reported concern is that the suspected goal of the data breach is to facilitate future attacks using the data obtained, such as through personal information which can

Improving router security

August 19, 2014

ZDNet in Six ways to secure your vulnerable network router sets out some very sensible steps that any organisation

Data breach at Centrelink

The Canberra Times in Federal privacy authorities called in over Centrelink breach reports on personal information of Centrelink clients left in public. The Privacy Commissioner has been notified. So far there has been no reference to any investigation on the OAIC homepage. This will be

The web trying to improve data security

The quality and quantity of data security by organisations in Australia is, anecdotally, quite poor. The common law and statutory regulation remain inadequate in

Privacy Commissioner issues video on real estate agents taking photographs of property

In an ongoing series the Privacy Commissioner has released another video on matters privacy.  This addition to the collection is Is my real estate agent allowed to take photos in my house?

The YouTube video is found here:

Is real estate agent allowed to take photos of my house

The transcript