Peter A Clarke

The Information Commissioner has released the latest report on reported, rather than actual data breaches, for the last quarter; April – June 2019.  The report highlights what has long been known, that human factors are a major cause of breaches.

The report reveals that:

• 34% of the breaches were caused by human error;
• 62% were motivated by malicious or criminal attacks
• the number of reported breaches, at 245 is statistically greater than the breaches in the January – March period of 215 but in line with the previous 2 quarters of 245 and 262.
• 1 breach affected over a million people, 21 breaches affected over a thousand but less than 5,000 people, 52 breaches affected between 100 and 1,000 and the largest category of 61 breaches affected a single person. The report does not identify which industries are affected by breaches impacting a large number of people.
• contact information was affecetd in 220 of the breaches while financial details were affected in 102 and health information on 67 occasions.
• as is commonly the case wrong email addresses were the cause of the most human errors. Most of those errors were in the health sector.
• phishing is by far and away the most common cause of cyber incidents
• the most notifications were from the health sector, 47, while finance had 42 notifications followed by lawyers and accountants, 24.

Read the rest of this entry »

On 27 June the relatively new Information Commissioner signed off on an enforceable undertaking with the Commonwealth Australia Bank arising out of 2 data breaches, the first involving the loss of 2 magnetic data tape containing what the Information Commissioner customer statements relating to 20 million customers in 2016.  The CBA was not able to work out whether the records were destroyed or something else came of them.  The second breach arose in August 2018 with sensitive information being available to those who were not able to access that material. This enforceable undertaking was entered into with the CBA already the subject of a very critical APRA report on the CBA’s risk management and reactive approach to compliance.  The CBA entered into a enforceable undertaking from the CBA in early May 2018.  And yet the CBA was involved in a second data breach 3 months later, in August 2018.  What does that say about CBA’s commitment to risk management?

There is a contrast in styles between the Information Commissioner’s media release and that of the Bank.

The Commissioner’s media release reads Read the rest of this entry »

Mandatory data breach notification has been law for over 12 months now.  The legislation is complex, convoluted and vague in parts but it does set out an obligation for organisations and agencies to notify the Information Commissioner of data breaches. As expected that has produced a volume of reported instances of data breaches in excess of those reported when reporting was voluntary there.  Based on overseas experience, where the obligations are more specific and the legislation less vague, the number of actual data breaches is far larger than those reported to the Information Commissioner. 

The Commissioner has released the Notifiable Data Breaches Scheme 12?month Insights Report.   

The Commissioner’s media statement Read the rest of this entry »

The Information Commissioner announced, on 8 April 2019, that she does not the power to investigate a complaint about a breach of the Privacy Act by Tim Wilson or Wilson Asset Management (International) Pty Ltd in relation to the collection and use of personal information through the ‘stoptheretirementtax.com’ website.’  The website and the collection of data caused some controversy.  In Tim Wilson’s ‘retirement tax’ website doesn’t have a privacy policy. So how is he using the data? Andre Oboler in a traditional academic “on – the – one – hand – and – on – the – other” analysis raised the complications of determining whether a Parliamentarian operating a web site falls within the political exemption provisions of the Privacy Act of is covered by parliamentary privilege, by virtue of his work as a chair of the standing committee on Economics, either of which would deny the Commissioner jurisdiction. The other coverage, such as Liberal MP Tim Wilson faces ‘breach of privacy’ claims and Labor pushes to refer Tim Wilson to privileges committee is more red blooded political reporting.

Mr Oboler was prescient Read the rest of this entry »

Yesterday’s vegan protests in Melbourne and throughout various agricultural sites in Australia has infuriated the Federal Government.  With  an election about to be called and a big rural constituency in mind, a tendency to beat the law and order drum becomes an necessity.   To that end the Attorney General, Christian Porter announced last Friday that that it was going to bring the Aussie Farms website under the regulation of the Privacy Act 1988 on 6 April 2019, last Saturday. 

The media statement provides:

The Coalition Government will bring the Aussie Farms website under the Privacy Act, exposing it to potential penalties of up to $2.1 million if it breaches the Act.

Attorney-General, Christian Porter, said the activities of Aussie Farms Incorporated created an unacceptable risk to hardworking farming communities and producers.

“The company publishes information about Australian farmers and agricultural producers including their names and addresses, exposing them to potential trespass, biosecurity hazards, and reputational damage,” the Attorney-General said.

“Listing this activist group as an organisation under the Privacy Act, now means that the company will have to abide by the provisions of the Act.”

Minister for Agriculture, David Littleproud, said he had repeatedly asked Aussie Farms to take the website down before someone was hurt or worse, but the group behind the website flat refused.

“The farming families who grow our food deserve to be able to do so without fear of invasion on their property and harm to their children,” Minister Littleproud said.

“The Aussie Farms website is intended to be an attack map for activists and it is already working as one. The fact Aussie Farms refused to take the website down when invasions began happening on farms displayed on their map shows they intend for it to be used as an attack map for activists.

“Aussie Farms will now be required to comply with the Privacy Act, which includes laws against the misuse of personal information. I note the maximum penalty for an offence under the Privacy Act is $420,000 for individuals and up to $2.1 million for a body corporate.”

Minister Littleproud also called on state governments to beef up trespass laws to provide real penalties for trespass, and to make publicly state that they expect the police will uphold these laws.

Background:

• The Australian Information and Privacy Commissioner previously found that Aussie Farms Incorporated was exempt from the Privacy Act because its annual turnover was less than $3 million.
• This move means Aussie Farms Incorporated is prescribed as an ‘organisation’ under the Privacy Act, which requires Aussie Farms to act in accordance with the Privacy Act, regardless of its annual turnover
• Prescribing Aussie Farms Incorporated allows the Information and Privacy Commissioner to investigate, either in response to a complaint or on her own initiative, if Aussie Farms Incorporated breaches the Privacy Act. The prescription comes into force as of tomorrow (Saturday, 6th April)

And the regulation was made, the day before the media release,  with the Privacy Amendment (Protection of Australian Farms) Regulations 2019  which Read the rest of this entry »

There is nothing quite like the combination of a Government under stress and high profile privacy breaches to channel the inner reform in what was otherwise a reluctant Attorney General on matters privacy.

The Attorney General has been widely reported as flagging increased fines for serious and repeated interferences with privacy, from $2.1 to 10 million.  Alternatively the fine will be calculated on turnover or value of the misuse.  The flagged amendments will also permit the Australian Information Commissioner to issue infringement notices for minor data breaches.  As importantly the Commissioner will get $25 million to ramp up investigations of data breaches.

The media release provides:

Attorney-General, Christian Porter and Minister for Communications and the Arts, Mitch Fifield, announced the new penalty regime under the Privacy Act and other measures to ensure Australians were protected online and that major social media companies took action to protect the personal information they collect about Australians, particularly children.

“Existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information over the past decade,” the Attorney-General said.

“What the Morrison Government is doing today is outlining a new regime of protections for Australians and penalties for those who misuse Australians’ personal information.  This regime will update our privacy laws without impeding the continued innovation and development of companies working in the online space.”

Minister for Communications and the Arts, Mitch Fifield, said it was clear the Australian community enjoyed using social media and technology platforms, but was increasingly concerned about how personal data is captured, analysed and shared. This was particularly the case for children and members of other vulnerable community segments, he said.

“The tech industry needs to do much more to protect Australians’ data and privacy,” Minister Fifield said.

“Today we are sending a clear message that this Government will act to ensure consumers have their privacy respected and we will punish those firms and platforms who defy our norms and our laws.”

The amendments to the Privacy Act will:

• Increase penalties for all entities covered by the Act, which includes social media and online platforms operating in Australia, from the current maximum penalty of $2.1 million for serious or repeated breaches to $10 million or three times the value of any benefit obtained through the misuse of information or 10 per cent of a company’s annual domestic turnover – whichever is the greater
• Provide the Office of the Australian Information Commissioner (OAIC) with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches
• Expand other options available to the OAIC to ensure breaches are addressed through third-party reviews, and/or publish prominent notices about specific breaches and ensure those directly affected are advised
• Require social media and online platforms to stop using or disclosing an individual’s personal information upon request
• Introduce specific rules to protect the personal information of children and other vulnerable groups.

“This penalty and enforcement regime will be backed by legislative amendments which will result in a code for social media and online platforms which trade in personal information. The code will require these companies to be more transparent about any data sharing and requiring more specific consent of users when they collect, use and disclose personal information,” the Attorney-General said.

“We will also be requiring platforms to implement a mechanism to ensure they can take all reasonable action to stop using an individual’s personal information if a user requests them to do so and have even stronger regimes to address these issues when the user is a child or other vulnerable person.”

The OAIC will be provided with an additional $25 million over three years to give it the resources it needs to investigate and respond to breaches of individuals’ privacy and oversee the online privacy rules.

Legislation will be drafted for consultation in the second half of 2019.

“This new regime builds on other Government initiatives to improve online safety and provide Australians with greater control over their personal data, including the Online Safety Charter and Online Safety Research program, and the Consumer Data Right,” the Attorney-General said.

“The draft legislation will also incorporate any relevant findings of the current Digital Platforms inquiry by the Australian Competition and Consumer Commission which is due to issue its final reportin June 2019.  Whilst focused on the impact of large digital media platforms on competition in news media, it is also touching on privacy-related issues and, in its interim report late last year, recommended the tougher penalty regime being outlined today by the Morrison Government.”

The Australian has the best coverage to date in Read the rest of this entry »

The Information has published its Notifiable Data Breaches Quarterly Statistics Report for the last quarter of 2018.

The media release provides:

The latest quarterly report from the Office of the Australian Information Commissioner (OAIC) shows 262 data breaches involving personal information were notified between October and December 2018.

The work of the Information and Privacy Commissioner continues to not go on.  But the Government has appointed a permanent successor to the previous Commissioner, Timothy Pilgrim.  The Interim Information Commissioner and Privacy Commissioner, Angelene Falk, has been appointed Read the rest of this entry »

The Australian Information Commissioner has released another quarterly report of notified data breaches.  It has grown into a 33 page document from its humbler beginnings of a single page.  At the outset it is relevant to note that these figures are not the last word on actual data breaches.  There is a balancing act organisations go through before deciding to notify.  That is a weakness in the legislation.  There is also likely to be some non compliance with the legislation.  Finally many organisations are not subject to the operation of the Privacy Act and therefore will not notify because they do not have to.  That said it is a valuable report.

Putting the issue of data breaches in its broader context itgovernance has calculated that there were data breaches and cyber attacks in July 2018 which resulted in unauthorised access to 139,731,894 records.  And health records were a significant percentage of the records affected.

In the quarter there was 242 notifications, compared to 63 in the previous quarter, which were Read the rest of this entry »

Another case of compare and contrast between privacy regulators.  In the UK the Information Commissioner’s Office has announced the finding of investigations involving the use of personal information provided to Facebook by Cambridge Analytica.  The size of the breach of the Data Protection Act is enormous involving up to 87 million users worldwide.  The UK Information Commissioner commenced it investigation into Facebook in February.  It now announces its intention to fine Facebook a maximum of £500,000 as well as Read the rest of this entry »