Data breaches kept increasing in 2024, so badly in the health care sector that it prompted changes to regulation in the United States

January 6, 2025

With the end of 2024 the compilations of the year's data breaches have started to appear. They make for sombre reading. According to Proven Data the biggest data breaches in the United States were:

National Public Data breach.

  • Records compromised: 2.7-3 billion
  • Scope: Affected individuals in the United States, Canada, and the United Kingdom
  • Key details: Included social security numbers, names, addresses, and other personal information

Ticketmaster data breach

  • Records compromised: 560 million
  • Key details: Exposed personal and financial information, including names, email addresses, phone numbers, and payment details

Change Healthcare ransomware attack

  • Records compromised: Approximately 145 million
  • Scope: Potentially affecting one-third of Americans
  • Key details: Exposed personal, medical, and billing information through a ransomware attack

AT&T data breach

  • Records compromised: 73 million
  • Key details: Exposed customer data, including Social Security numbers, account numbers, and passcodes

Snowflake Cloud data breaches

  • Total records: Over 165 customer environments were compromised
  • Notable victims:
    • Ticketmaster: Up to 560 million customer records exposed
    • Santander Bank: 30 million customer records compromised
    • AT&T: Call and text records spanning multiple months
    • Advance Auto Parts: Over 2.3 million individuals were affected, with sensitive job application data exposed

In December alone the significant data breaches were:

1. SRP Federal Credit Union Breach

On December 19, SRP Federal Credit Union disclosed Read the rest of this entry »

Health services continue to be a prime target for hackers. In the US another hospital has been hit by a hack, with 1.4 million patients’ information leaked

December 18, 2024

Health organisations, including surgeries, clinics, hospitals and health insurers, are the number one target for cyber attacks. They collect vast amounts of personal information and linked financial information. They are commonly poorly protected for a range of reasons: ageing and incompatible operating systems bolted together, poor privacy training, multiple points of access, poor protocols leading to inadequately controlled authorisations and, generally, a poor security culture among those in the industry. So it is not surprising to read in Another major US hospital hacked, data on 1.4 million patients leaked that there has been yet another big cyber attack. And the Nebraska Attorney General is suing Change Healthcare and two other companies, reported in AG sues Change Healthcare, two other companies after data breach hits at least 575,000 Nebraskans.

The 1.4 million hack story Read the rest of this entry »

UK Information Commissioner’s Office prosecutes an employee for illegally accessing personal information

Employees accessing personal information for purposes other than those for which that information was collected is a chronic problem. Sometimes the interest is in the personal information of family or friends, a breach of confidentiality; sometimes it is police unlawfully accessing personal information; and sometimes it is hacking by organisations. There are endless ways personal information can be, and often is, illegally accessed. The key is proper training and proper computer systems.

The Information Commissioner’s Office has prosecuted an insurance worker in Manchester for unlawfully accessing personal information in relation to accident claims.

The ICO’s media release Read the rest of this entry »

Meta settles civil penalty proceeding with Office of Information Commissioner arising out of the Cambridge Analytica scandal for $50 million and an enforceable undertaking

December 17, 2024

In the dying days of 2024, when the focus is on presents, holidays and plum pudding (for some at least), Meta has settled the civil penalty proceeding in the Federal Court. Meta will also enter into an enforceable undertaking. The $50 million will not be distributed immediately. Eligibility will depend on whether a person was in Australia between November 2013 and mid December 2015 and installed the This is Your Digital Life app or was a friend of someone who had that app installed.

This is a very welcome development. The civil penalty proceedings power in the Privacy Act has until recently been underutilised.

The Commissioner’s media release provides:

The Australian Information Commissioner today agreed to a $50 million payment program as part of an enforceable undertaking (EU) received from Meta Platforms, Inc. (Meta) to settle civil penalty proceedings. The payment scheme will be open to eligible Australian Facebook users impacted by the Cambridge Analytica matter.

The Commissioner alleged that the personal information of some Australian Facebook users was disclosed to the This is Your Digital Life app in breach of the Privacy Act 1988 (Cth). The information was exposed to the risk of disclosure to Cambridge Analytica and other third parties, and risked being used for political profiling purposes.

The agreement announced today follows a court-ordered mediation, which has been ongoing since February 2024, as part of the Federal Court civil penalty proceedings the Commissioner commenced in March 2020.

“Today’s settlement represents the largest ever payment dedicated to addressing concerns about the privacy of individuals in Australia,” Australian Information Commissioner Elizabeth Tydd said.

“It represents a substantive resolution of privacy concerns raised by the Cambridge Analytica matter, gives potentially affected Australians an opportunity to seek redress through Meta’s payment program, and brings to an end a lengthy court process.”

As part of the resolution, the Commissioner has withdrawn the civil penalty proceedings in the Federal Court.

The EU requires Meta to set up a payment scheme, which will be run by an independent third-party administrator. Meta will appoint the third party to administer the payment scheme, who will be announced early next year. The scheme will be open to individuals who:

    • held a Facebook Account between 2 November 2013 and 17 December 2015;
    • were present in Australia for more than 30 days during that period; and
    • either installed the This is Your Digital Life app or were Facebook friends with an individual who installed the app.

The payment scheme will be structured into two tiers of payments. The first will permit individuals to apply for a base payment if they believe they experienced generalised concern or embarrassment because of the matter. The second category will provide for specific payment, likely to be higher than the base payment, to those who can demonstrate they have suffered loss or damage. The third-party administrator will also establish a timely internal review avenue for individuals in relation to the payment scheme. The Office of the Australian Information Commissioner anticipates individuals may be able to start applying to the payment program in the second quarter of 2025.

Any residual funds not exhausted in the payment scheme will be paid into the Commonwealth’s Consolidated Revenue Fund. Meta also paid a contribution to the Commissioner’s legal costs.

“The payment scheme is a significant amount that demonstrates that all entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law, and give users reasonable choice and control about how their personal information is used,” Commissioner Tydd said.

“This also applies to global corporations that operate here. Australians need assurance that whenever they provide their personal information to an organisation, they are protected by the Privacy Act wherever that information goes.”

“We remain committed to applying our powers under the Privacy Act to achieve proportionate outcomes to ensure that Australians’ privacy is protected, particularly with respect to technologies that have a high privacy impact. This groundbreaking outcome reflects the significant concerns of the Australian community,” Privacy Commissioner Carly Kind said.

Since then-Australian Information Commissioner Angelene Falk commenced the civil penalty proceedings against Meta in March 2020, the penalties for serious or repeated interferences with privacy (which can only be imposed following the commencement of civil penalty proceedings in the Federal Court) have increased from $1.7 million for each serious and/or repeated interference with privacy, to whichever is the greater of $50 million, three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period.

Read the enforceable undertaking.

Details of payment scheme

    • Funds of $50 million will be available.
    • Individuals who were present in Australia for more than 30 days between 2 November 2013 and 17 December 2015, and either installed the This is Your Digital Life app, or who were Facebook friends of an individual who installed the This is Your Digital Life app, can apply for a base payment based on generalised concern or embarrassment, or an alternative amount if they can demonstrate specific loss or damage.
    • The third-party administrator will take reasonable steps to publicise the payment scheme.
    • Meta is required to make reasonable best efforts to notify those who are potentially impacted.
    • The payment scheme will be administered by a third-party administrator to be appointed by Meta. Payment is required to be made in a timely manner.
    • Details for accessing the payment scheme will be made public by the administrator in the second quarter of 2025.

The Enforceable Undertaking Read the rest of this entry »

About 160,000 members join the Optus data breach class action

December 11, 2024

The Australian reports in Class action against Optus after 2022 data breach registers 160,000 members that about 160,000 members have joined the class action against Optus arising from the 2022 data breach. This report is based on submissions made at a case management hearing before Justice Beach today.

The class action is brought in proceeding PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS (number VID256/2023).

The article provides:

About 160,000 people whose passport and Medicare numbers were leaked online after Optus was hacked in 2022 have registered to partake in a class action against the telco.

Appearing for class action behemoth Slater & Gordon, barrister William Edwards, KC, told the Federal Court on Wednesday the estimated number of members to join the action, which alleges Optus failed to protect the personal information of 9.8 million of its current and former customers whose personal data was leaked online after a cyber attack.

The court was told Optus and Slater & Gordon were still trying to settle the case by mediation, with a hearing possible if that failed.

In court, the parties argued over how much security Slater & Gordon should give Optus since it insisted on a secretive regime to keep documents exchanged in the case away from the public. Read the rest of this entry »

Federal Trade Commission Report on product support for smart devices raises key issues for data security

December 10, 2024

A failure to update programs and install patches provided by suppliers is a common way hackers gain access to websites and smart devices. In those cases the breach is caused by the negligence of the owner of the website or smart device who fails to update. But what if the supplier stops providing support after a time? With time the program or smart device will become more and more vulnerable to cyber attacks, not to mention potentially losing functionality. It is a ubiquitous problem. The Federal Trade Commission has considered it in a report released under cover of a media release titled Smart Products Surveyed Fail to Provide Consumers with Information on How Long Companies will Provide Software Updates.

The FTC media release provides:

A new paper from Federal Trade Commission staff finds that nearly 89% of products surveyed failed to disclose on their websites how long the products would receive software updates, which help ensure the devices are protected against security threats and operate properly.

FTC staff from the agency’s East Central Regional Office looked for information about 184 different “smart” products—ranging from hearing aids to security cameras to door locks—about how long companies would provide updates for those products. If the manufacturer stops providing software updates, these products may lose their “smart” functionality, become insecure or stop working, according to the FTC Staff Perspective.

“Consumers stand to lose a lot of money if their smart products stop delivering the features they want,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Our study shows that nearly 89% of manufacturers of products we examined failed to post this information prominently or make it readily available. When shopping for smart devices, consumers should ask questions and consider how long their product will last.”

Staff reviewed the manufacturer’s product webpages, where consumers might look for detailed information about a connected device, and found 161 of the products surveyed failed to provide information about the support duration or end date. Staff also conducted basic internet searches to determine if consumers could track down support duration and end dates for the smart devices surveyed. Those searches did not uncover support information for two-thirds (124) of the devices surveyed.

The staff paper noted that manufacturers’ failure to inform prospective purchasers about the duration of software updates for products sold with written warranties may violate the Magnuson Moss Warranty Act, which requires that written warranties on consumer products costing more than $15 be made available to prospective buyers prior to sale and requires other disclosures. Failing to provide software update information to consumers could also violate the FTC Act if manufacturers make express or implied representations about how long the product is useable, according to the staff perspective.

This report comes after a Read the rest of this entry »

New Zealand Privacy Commissioner releases report showing that data breaches are on the increase, like in Australia

December 9, 2024

New Zealand has a Privacy Commissioner and a Privacy Act. The regulator has quite limited powers and the legislation is inadequate compared to other common law and European countries. The Commissioner has released the annual report (found here).

The Commissioner reported that the office:

  • received a total of 1,003 privacy complaints, up 15% from the previous year, with 279 of those complaints accepted for investigation;
  • handled 2,751 in-house privacy inquiries; and
  • received 864 privacy breach notifications, of which 414 were serious privacy breaches.

Read the rest of this entry »

Amendments to the Privacy Act commenced on 30 November 2024. No date proclaimed for commencement of Schedule 2, the statutory tort, so it will commence on 29 May 2025

December 3, 2024

Most of the amendments to the Privacy Act 1988 made by the Privacy and Other Legislation Amendment Bill 2024 commenced on 30 November 2024. No date has yet been proclaimed for Schedule 2. In the normal course it would be very surprising if the Government, having not specified a commencement date immediately, were to do so at some later stage.

Attorney-General gives insight into privacy at Law Council of Australia Gala Dinner

At a Law Council dinner on Sunday 1 December 2024 the Attorney-General waxed lyrical about matters pertaining to his portfolio. In the course of his speech he discussed the statutory tort and the anti-doxxing provisions. His defence of the journalist exemption is wrong-headed. He claims it is necessary to protect freedom of the press. That is nonsense. There is no such exemption in any jurisdiction where there is a tort of privacy, and somehow the press thrives in those places. It was a political, not a policy, decision. It is a terrible mistake. That said, having a tort, even in a weakened form, is better than no tort.

His speech provides:

Acknowledgements

Thank you to the Law Council of Australia for hosting yet another wonderful dinner, a dinner I’m delighted to be attending for my third consecutive year since returning as Attorney-General in 2022.

I acknowledge the traditional owners of the land on which we meet, the Ngunnawal people, and pay my respects to their Elders, past and present. I extend that respect to all Aboriginal and Torres Strait Islander people here today. 

I thank the President of the Law Council, Greg McIntyre SC, for inviting me to speak tonight. I congratulate and welcome the incoming President, Ms Juliana Warner.

I also acknowledge

    • Her Excellency the Honourable Sam Mostyn AC, Governor-General of the Commonwealth of Australia, and His Excellency Simeon Beckett SC;
    • My parliamentary colleagues;
    • Current and former members of the judiciary; and
    • Members of the legal profession.

Legal assistance services

On 6 September this year First Ministers reached a landmark agreement for a new five year National Access to Justice Partnership.

And I am very pleased to say that yesterday, 28 November, the final signature from an Attorney-General was obtained, and it has been published today.

This agreement provides $3.9 billion in support for legal assistance services over five years – the largest Commonwealth funding contribution to the legal assistance sector ever.

It is a vast improvement on the previous agreement, which expires on 30 June next year.

Every single part of the legal assistance sector will get more funding.

The agreement contains nearly $800 million in additional funding, including $500 million to support frontline legal assistance services delivered by Community Legal Centres, Women’s Legal Services, Aboriginal and Torres Strait Islander Legal Services, Legal Aid Commissions and Family Violence Prevention and Legal Services.

Critically, funding will be ongoing. This means an end to a rolling five-year funding cliff. Instead of fighting for its very existence, the sector will be able to plan for the future. It will be able to more easily attract and retain employees because there is job security. This change may be an underreported element of the new agreement but its significance cannot be underestimated.

The new agreement also addresses long-standing pay parity issues in the sector. For the first time, the Commonwealth is acting to lift rates of pay for the community legal assistance sector, bringing them closer to Legal Aid Commissions – again increasing the ability of services to attract and retain good lawyers.

Unlike the previous agreement, with its inadequate fixed rate of indexation, funding will be increased in line with the Wage Cost Index – meaning Commonwealth funding will not go backwards in real terms over the life of the agreement.

The previous agreement did not provide funding security for individual parts of the sector. States and territories could, if they wished, move money from one part to another, reducing the effective value of the Commonwealth contribution. The new agreement requires jurisdictions to maintain their investment for each part of the sector over the life of the agreement.

This both maintains the value of the Commonwealth contribution and provides funding certainty to each part of the legal assistance sector.

As some in this room may remember, the new agreement was announced at a meeting of First Ministers focused on gender-based violence, and appropriately so.

Access to justice is vital for women and children trying to escape gender-based violence. It can be the difference between leaving and staying in a violent situation. It can be the difference between life and death.

I’m proud that the largest relative funding increase for legal assistance in the new agreement was for Family Violence Prevention and Legal Services – a 112 per cent increase in Commonwealth funding compared to the preceding five years.

We know that First Nations women experience disproportionate rates of family violence.

Nationally, First Nations women are seven times more likely to be homicide victims than non-Indigenous women, and of those women, 75 per cent are killed by a current or former partner.

First Nations women are 33 times more likely to be hospitalised due to family and domestic violence than non-Indigenous women.

As my colleague Senator Malarndirri McCarthy, the Minister for Indigenous Australians, has said, this is a national shame.

Doubling the funding for legal assistance services which help First Nations women escape domestic violence will not solve this problem on its own, but it is an important step forward.

Let me be clear – I know there will always be unmet need in the sector.

But I believe the new National Access to Justice Partnership is a momentous step forward.

That’s why I have been disappointed to see some misrepresentation of what the new Agreement delivers.

I expect demands from the legal profession for government to do more for the legal assistance sector.

But misrepresenting facts helps no one, least of all those in the sector.

Further, it makes little sense to make demands of the Commonwealth only.

Legal assistance is a shared responsibility, and demands on government should not focus on the national government alone.

For those in the audience who work in the community legal sector, I would like to say thank you.

You are among the most talented, committed and hardworking lawyers in the country. The Australian Government values your work. I value your work.

Privacy

You may have noticed we passed a few bills last night and early this morning.

I will go to just two of those tonight.

The first enacts tranche one of our privacy reform agenda.

The legislation does a great deal. It:

    • Creates a new statutory tort for serious invasions of privacy;
    • Creates a new criminal offence for the malicious release of personal data online, known as doxxing; and
    • Establishes provisions to enable the development of a new Children’s Online Privacy Code.

A privacy tort is not a new idea. In fact, that is something of an understatement.

In his 1969 Boyer Lectures Sir Zelman Cowen endorsed legislation to create an actionable right to seek redress for breaches of privacy.

The bill provides for a new statutory cause of action for individuals who have suffered a serious invasion of their privacy, and applies it to both physical privacy and information privacy. Read the rest of this entry »

First the celebration about privacy reform, quickly followed by a more sober assessment of the Privacy Commissioner’s resources to exercise her newly granted powers. The reality is sobering

November 29, 2024

Following the passage of the Privacy and Other Legislation Amendment Bill 2024 this morning, it is not surprising that the Attorney-General has taken a victory lap with a press release titled Delivering stronger privacy protections for Australians. The sobering reality is that the Office of the Australian Information Commissioner is currently under-resourced. Innovation Aus reports in OAIC slashes staff to meet $11m budget crunch that the Office is sacking staff to comply with a 23% budget cut imposed by the government.

Not surprisingly the Privacy Commissioner took a moment to welcome her increased powers. She made the point of saying it was only the first step. Never a truer word was said.

It makes little sense to give the Commissioner enhanced powers, presumably expecting her to exercise them, while cutting the resources necessary to do so. Unfortunately it is a familiar story with the Privacy Commissioner’s, and then the Information Commissioner’s, office. That said, the Office has on occasion used this problem as an excuse to be a timid regulator when more action was called for.

The Attorney General’s media release provides:

The Albanese Government has delivered landmark legislation to strengthen privacy protections for all Australians and outlaw doxxing.

Australians want their privacy respected. When they are asked to hand over their personal data Australians expect it will be protected.

The Privacy and Other Legislation Amendment Bill 2024 implements a first tranche of recommendations from the Privacy Act Review, including:

    • a new statutory tort to address serious invasions of privacy
    • a Children’s Online Privacy Code to better protect children from a range of online harms, including $3 million over three years for the Office of the Australian Information Commissioner to support its development
    • greater transparency for individuals affected by automated decisions
    • streamlined information sharing in the case of an emergency data breach, while ensuring that information is appropriately protected
    • stronger enforcement powers for the Australian Information Commissioner

The legislation also introduces new criminal offences to outlaw doxxing with serious criminal penalties of up to 7 years imprisonment. Doxxing is a form of abuse that can affect all Australians but is often used against women in the context of domestic and family violence.

The Government is committed to ensuring the Privacy Act works for all Australians and is fit for purpose in the digital age.

The legislation builds on the significant steps already taken by the Albanese Government on privacy, including:

    • significantly increased penalties for repeated or serious privacy breaches
    • greater powers for the Australian Information Commissioner to resolve privacy breaches and quickly share information about data breaches
    • restoration of the standalone position of the Australian Privacy Commissioner

The legislation passed today is just the first stage of the Albanese Government’s commitment to provide individuals with greater control over their personal information.

The Albanese Government will continue to consult the Australian community on further privacy reforms.

The Privacy Commissioner’s media release provides:

The Office of the Australian Information Commissioner (OAIC) welcomes the passing of the Privacy and Other Legislation Amendment Bill 2024 as a significant step forward in advancing privacy protections for the Australian community.

The Bill contains significant measures including:

    • the introduction of a statutory tort for serious invasions of privacy, giving individuals a route to seek redress for privacy harms in the courts
    • the expansion of the OAIC’s enforcement and investigation powers, including new tiers of civil penalties and the ability to issue infringement notices
    • a mandate for the OAIC to develop a Children’s Online Privacy Code, which will cover not only social media platforms but any online services likely to be accessed by children
    • a new mechanism to prescribe a ‘white list’ of countries and binding schemes with adequate privacy protections to facilitate cross-border data transfers
    • a requirement that privacy policies contain information about substantially automated decisions which significantly affect individuals’ rights or interests, including the kinds of decisions and kinds of personal information used.

“These new powers and functions come at a critical time, as privacy harms increase and the Australian community demands more power over their personal information,” Australian Privacy Commissioner Carly Kind said.

“They have had a long gestation. Many have campaigned for reform – in some cases for more than a decade – so their efforts need to be recognised today.

“The reforms are an important first step. More needs to be done of course, and we appreciate the government’s commitment to further action.”

The Innovation article provides:

The privacy and information watchdog has slashed dozens of staff in response to a 23 per cent budget cut by government and a review by management consultants, sparking fears it will be ill equipped to deal with key policy changes like the social media ban.

Senior officials confirmed the cuts on Wednesday and said a new structure at the Office of the Australian Information Commissioner (OAIC) will be in place from early next month. Read the rest of this entry »