Peter A Clarke

The California Consumer Privacy Act 2018 (“CCPA”) has the most comprehensive privacy protections of all state based privacy legislation in the USA. It took effect on 1 January 2020. Recently the Agency brought action against Honda for breaches of the CCPA. That has resulted in a settlement and a fine of $232,500.

The CCPA grants California consumers the right to:

• know that personal information is collected, used, shared or sold;
• delete personal information held by businesses
• opt out of sale of personal information
• non discrimination in terms of price of service.

Under the CCPA businesses must, inter alia:

• provide notice to consumers before data collection;
• create procedures to respond to requests from consumers to opt out, know and delete
• respond to requests to from consumers to know, delete and opt out
• disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information

According to the final order the breaches related to:

• Excessive Personal Information. “Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit.”
• Lack of Symmetrical Choices. “Using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way.”
• Difficult to Appoint Authorized Agents. “Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights.”
• Lack of Contracts. “Sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.”

Excessive Personal Information. Honda required matching more than two data points (sometimes requiring up to eight data points) provided by the Read the rest of this entry »

The Nine papers group has suffered a data breach involving exposure of its subscribers information, some 16,000 in all (so far). That is particularly embarrassing for a news outlet that usually enjoys breathless reporting of privacy fails of businesses. Here the reporting was by News.com with ‘Juicy customer data’ belonging to thousands of Aussies leaked from Nine, the ABC with Nine newspapers subscribers have data exposed online in breach and the Australian Financial Review with Nine audits external data security after breach exposes 16,000 readers. The Australian, a competitor in the market, gleefully reports on the breach with Sydney Morning Herald, The Age and Financial Review readers exposed in data breach.

The breach was the exposure of names, postal addresses and email addresses of 16,000 subscribers.  The information was held by a third party supplier.  The cyber attack was of the that supplier.  While Nine is keen to state that there was no breach of its (excellent) cyber security structure that does not alter the fact that a third party supplier’s cyber protection was not adequate.  This is a very common situation.  Large organisations using third party contractors or suppliers is seen as efficient and cost effective.  Part of that work usually involves the contractor or suplplier holding the organisations store of personal information or having authorisation to access to the organisation’s homepage.  Hackers recognise that many third party suppliers has less effective cyber protection and vulnerable.  To avoid this form of attack organisations should do what they can to require third party contractors and suppliers to have satisfactory and complementary cyber protection and systems in place. Unfortunately that is a conversation that is not had enough.

The ABC story Read the rest of this entry »

The Australian reports that Victorian Ambulance has suffered a data breach involving the personal and financial details of 3,000 employees. This data breach may have been caused by what has been described as a rogue employee. This is not a first for Ambulance Victoria. In 2023 it suffered a privacy breach, this time internal sharing of a personal information. In the 2023 privacy breach the “..documents have been accessed only a handful of times in the past six months.” An exercise in minimisation. On this occasion the breach was detected by systems by the employee on his or her last day of service. In 2019 I posted on a data breach involving NSW Ambulance Offices which resulted in a class action and settlement of $275,000.

Data breaches involving staff going rogue are a chronic problem and can be a difficult problem if there are not proper policies and systems in place.  Some staff or soon to be ex staff are motivated by malice, others by greed and some by curiosity.  It is important to have programs in place that detect suspicious activity, like massive copying or exfiltration.  It is also important to have a data breach response plan, involving roles for members of the organisation.  There also needs to be a plan to take court action if necessary.  It is common to seek injunctive relief against ex staff or consultants who make off with data.  That is not as an alternative to contacting police but complementing such action.

One question the regulators will no doubt ask is Read the rest of this entry »

The UK Information Commissioners Office (“ICO”) has fined Advanced Computer Software Group Ltd (“Advanced”) some £3.07 million for inadequate security which resulted in a a ransomware attack in August 2022 which  disrupted the operation of NHS services and impacted 79,404 people. The ICO found the Advanced’s security measures fell seriously short of what that  expect from an organisation processing  a large volume of sensitive information. 

While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk. Hackers were able to access Advanced’s systems via a customer account. Access to that account was not protected by multi-factor authentication. Once in the systems, the hackers were able to exfiltrate data belonging to 79,404 people.  That included, with respect to 890 people receiving home care, details of how to gain entry to their property. 

Last year, the ICO signalled its intention to fine Advanced £6.09m. After considering Advanced’s submissions it reduced the fine to  £3.07m. One but not the only reason for the reduction was Advanced’s “proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted”.  Other factors were Advanced’s notification to customers within 24 hours of discovery irrespective of whether they were affected, providing a team of 18 people to restore  infrastructure and engaging external experts to undertake a forensic investigation and analysis of the data impacted.  Advanced also undertook a comprehensive review of potentially impacted data.  There are lessons in the Australian context.  It is important for an organisation to react quickly, decisively and engage with all relevant authorities. That means having a plan.

The statement provides:

The Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk.?  Read the rest of this entry »

Courts have long been a target of cyber attacks. There was a data breach at the Australian Federal Court in 2020, revealing names of refugee applicants. In January 2024 the Victorian Court Services were hacked. That involved the recordings of hearings dating as far back as 2016. In January 2021 the United States Courts announced that it was putting in place extra safeguards to protect records in light of previous data breaches. In July 2022 the United States the House Judiciary Committee investigated data breaches involving the U.S. Fedeal Court dating back to early 2020. The latest data breach involves the New South Wales court website. The Government confirms about 9,000 court files, including domestic violence orders were accessed in a data breach.

As is usual in Australia the initial information provided is vague, to put it kindly. It appears that credentials were used, either by a hacker/other acquiring those credentials or a person within the Department misusing his or her credentials.  While the account holder gained unlawful access to the system the obvious question is the adequacy of the controls protecting the information.  Was there a separate password, available to only those with specific  clearance, required to access that information?  Why wasn’t there notification to IT of a person without authorisation accessing the information?  How the breach was detected is not clear.  The ABC reports that the breach was only detected later during a routine maintenance when technicians noticed some data had changed. News reports that the breach was identified during a “security check” after some data had changed.  Different backgrounding going on.  Even more curious is what happened to the data.  “Accessed” is a general term with a meaning ranging from have the ability to open documents to actually opening those documents to exfiltrating those files. It seems likely that the processes operating at the New South Wales Department of Justice were deficient.

The ABC report of the data breach Read the rest of this entry »

The Times reports that the first permanent facial recognition cameras have been installed in London.  It is a being touted as a pilot project but it may be precursor to the scheme being extended across London.  The Information Commissioner’s Office has released guidance on the use of the facial recognition, described as Biometric recognition.  It has also issued specific guidance for Live Facial Recognition Technology for police. There has been significant cases of misuse of facial recognition technology and its privacy implications. The misuse of facial recognition by police is well documented.  And it is misused by the private sector. In February 2024 the ICO ordered Serco Leisure to stop using facial recognition to monitor employee attendance.   The use of CCTV technology and facial recognition technology is more extensive in the United Kingdom than in Australia.  That said, the regulator is quite active in reviewing its operation and the legislation is more rigorous than in Australia. 

It is likely that the use of the facial recognition technology will quickly become more widespread, especially with the use of AI.  Doing so without propely adhering to the provision of the Privacy Act 1988 may attract the attention of the regulator.  On 19 November the Privacy Commissioner published a determination finding Bunnings use of facial recognition breached the Privacy Act.  On the same day the Privacy Commissioner published a guidance on the use of facial recognition technology. It is critical that organisations contemplating using this technology understand their obligations under the Privacy Act 1988.

The Times article provides:

Facial recognition cameras that scan for wanted criminals are being installed permanently on UK high streets for the first time.

The Metropolitan Police will permanently put up live facial recognition (LFR) cameras in Croydon, south London, as part of a pilot project that may see the scheme extended across the capital. Read the rest of this entry »

In one of those “one for the books” events the Chinese agencies of Cyberspace Administration of China, in collaboration with the Ministry of Public Security have published security measures for the use of facial recognition technology. The measures will take effect on 1 June 2025. Given how intrusive Chinese authorities have been in the past with surveillance and the use of facial recognition technology it will be interesting to see how much of a real change will result.

The measures apply to activities using facial recognition technology, which is individual biometric recognition technology that uses facial information to identify an individual’s identity, to process facial information within China.

Interestingly the do not cover the processing of facial information from their scope for research and development or algorithm training purposes.

Under the measures, facial recognition activities must comply with applicable laws and regulations and, inter alia:

• have a specific purpose;
• be necessary;
• minimizes the impact on personal rights and interests; and
• implement strict protection measures.

Personal information handlers must, inter alia:

• before processing, inform individuals in a prominent manner and clear and understandable language of certain information, such as contact information and purposes and method of processing;
• inform individuals of any changes to the information provided to them;
• when the processing is based on consent, obtain voluntary and explicit consent, including providing the right to withdraw consent;
• when processing minor’s information, obtain the consent of a parent or other guardians;
• stored information on facial recognition devices and not transmit it through the internet;
• conduct a Personal Information Protection Impact Assessment (PIPIA) and include the contents outlined in the measures; and
• if processing data of more than 100,000 individuals, notify the provincial-level or higher cybersecurity and informatization department within 30 working days, and provide the information outlined in the measures.

The measures require personal information handlers to Read the rest of this entry »

Most advanced countries now have comprehensive data protection legislation dealing with critical infrastructure. In Australia the most notable is the Security of Critical Infrastructure Act 2018 which covers 11 sectors. Most advanced countries now have comprehensive data protection legislation dealing with critical infrastructure.

There is also the

• Cyber Security Act 2024 
• Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024
• Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024. Schedules 1, 2, 3, 4 and 6 commenced by proclamation on 20 December 2024. Schedule 5 will commence by proclamation on 4 April 2025.

In that vein the US Federal Communications Commission is reviewing its submarine cable rules since 2001 to enhance the protection of the nation’s submarine cable infrastructure amid evolving national security concerns.   The FCC is following the now standard approach of requiring cable operators to confirm they take reasonable measures to protect the confidentiality, integrity, and availability of their systems and provide cybersecurity plans.

The FCC proposals are reported in FCC proposes new cybersecurity mandates for submarine cable operators in major rule review, seeks public input which Read the rest of this entry »

The Australian Securities and Investment Commission announced yesterday that it was suing FIIG Securities for “systemic and prolonged cyber security failures” from March 2019 until 8 June 2023. As a result hackers entered FIIG’s IT system and stole personal information which was released onto the dark web. ASIC specifically referred to the Federal Court decision of Australian Securities and Investments Commission v RI Advice Group Pty Ltd (No 3) [2022] FCA 84. This was the first case where the failure to manage cyber risk was found to be a breach of its financial services obligations. That case was settled with the proposed parties proposing consent orders containing declarations and consequential orders. Given the nature of the repeated breaches RI Advices legal representatives negotiated quite a favourable outcome notwithstanding orders were made against their client. In the United States or the UK the penalties would have been much more severe.

Helpfully ASIC has provided a concise statement of facts and the Orginating Process.  From that ASIC alleges that between 13 March 2019 and 8 June 2023, FIIG did not comply with its AFSL obligations under sections 912A(1) of the Corporations Act 2001 (Cth) to:

1. do all things necessary to ensure that financial services were provided efficiently, honestly and fairly (s 912A(1)(a)), by failing to have in place adequate measures to protect its clients from the risks and consequences of a cyber incident;
2. have available adequate resources (including financial, technological, and human resources) to, amongst other things, ensure that it had in place adequate cyber security measures required by its licence (s 912A(1)(d)); and
3. have in place a risk management system that adequately identified and evaluated the risks faced by FIIG and its clients; adopt controls adequate to manage or mitigate those risks to a reasonable level; and implement those controls (s 912A(1)(h)).

ASIC alleges that FIIG failed to have the following cybersecurity measures:

• Planning and training: here was no cyber incident plan communicated and accessible to employees which is tested at least annually, and mandatory cyber security training (at commencement of employment and annually);
• Access restrictions:
  • there were no proper management of privileged access to accounts, including non required access being revoked, and greater protections for privileged accounts; and
  • configuration of group policies to disable legacy and insecure authentication protocols;
• Technical monitoring, detection, patches and updates: there was a failure to have or inadequate
  
  • vulnerability scanning, involving tools deployed across networks and endpoints, and processes run at least quarterly with results reviewed and actions taken to address vulnerabilities;
  • next-generation firewalls (including rules preventing endpoints from accessing file transfer protocol services);
  • endpoint detection and response software on all endpoints and servers, with automatic updates and daily monitoring by a sufficiently skilled person;
  • patching and software update plans (with critical or high importance patches applied within 1 month of release, and 3 months for all others), and a practice of updating all operating systems, with compensating controls to systems incapable of patching or updates; and
  • security incident event management software configured to collect and consolidate security information across all of FIIG’s systems with appropriate analysis of the same (daily monitoring);
• Testing: there was a lack of
  • processes to review and evaluate efficacy of technical controls at least quarterly; and
  • penetration and vulnerability tests from internal and external points.

Read the rest of this entry »

Artificial Intelligence is becoming the great disrupter. And in privacy and cyber security its impact is especially acute. the National Institute of Science and Technology (“NIST”) has announced the process to develop a new cyber AI profile.

The NIST notes Read the rest of this entry »