The Canadian Standing Committee on Access to Information, Privacy and Ethics publishes ‘Facial Recognition Technology and the Growing Power of Artificial Intelligence’

October 9, 2022

On 4 October 2022 the Canadian House of Commons Standing Committee on Access to Information, Privacy and Ethics published a report, ‘Facial Recognition Technology and the Growing Power of Artificial Intelligence’.

The report explores:

  • the benefits and concerns associated with facial recognition technology,
  • the use of facial recognition by police forces,
  • misidentification and algorithmic bias, and
  • regulations on facial recognition and artificial intelligence.

Read the rest of this entry »

Optus suffers massive data breach affecting up to 9 million customers. The largest data breach involving personal information of Australians in history

September 23, 2022

Optus suffered a massive data breach through a cyber attack two days ago, the biggest in Australian history involving Australian data.  Optus issued a media release about it yesterday.  The compromised data included names, dates of birth, driver's licence numbers and passport numbers: the sort of information that would allow an attacker to attempt identity theft, and very saleable data on the dark web.

A curious aspect of this incident is that some of that data related to former customers.  It will be interesting to see how far back that data goes.  Why is it necessary to hold onto the data of former customers from many years back?  That may be a breach of the Australian Privacy Principles.

With access to key data, including email addresses, the danger to affected customers is phishing attacks and attempts at identity theft rather than any immediate danger that Optus phone or email data will be used or that services will be disrupted.  Little wonder that the media is reporting a heightened risk of fraud against those affected.  The breach did not include payment details or account passwords.

Optus has notified the Information Commissioner.  One issue to resolve is what notification will be provided to affected Optus customers.  Australian notifications are rarely as open and expansive as those issued in the United States, where mandatory data breach notification has been part of the regulatory environment in most states.  Notices by affected organisations in the United States are more candid (though not providing all details, for obvious reasons) and contrite, and commonly more generous in offering support.  That is good business.

In its own review, and probably under the scrutiny of the Commissioner, there will be a careful analysis of the effectiveness of Optus’s Data Breach Response Plan.  In my experience Australian organisations put less than optimal effort into preparing for a data breach.  Similarly, the response to a data breach is too often marked by improvisation rather than by following a plan.

Optus issued a media release today at 2pm titled Optus notifies customers of cyberattack compromising customer information.  It Read the rest of this entry »

National Institute of Standards and Technology releases a draft regarding Engineering Trustworthy Secure Systems, SP 800-160

June 8, 2022

The National Institute of Standards and Technology (“NIST”) has released Engineering Trustworthy Secure Systems for public comment. It is a very useful document for those interested in privacy and cyber security, in that it provides a framework for analysis.

This guide has been produced pursuant to a Presidential Executive Order of 12 May 2021 titled Improving the Nation’s Cybersecurity, EO 14028.

The key elements of that executive order Read the rest of this entry »

National Institute of Standards and Technology issues Blockchain for Access Control Systems, NISTIR 8403

May 27, 2022

The National Institute of Standards and Technology (“NIST”) has issued a guideline, Blockchain for Access Control Systems (NISTIR 8403).

The abstract provides:

The rapid development and wide application of distributed network systems have made network security – especially access control and data privacy – ever more important. Blockchain technology offers features such as decentralization, high confidence, and tamper-resistance, which are advantages to solving auditability, resource consumption, scalability, central authority, and trust issues – all of which are challenges for network access control by traditional mechanisms. This document presents general information for blockchain access control systems from the views of blockchain system properties, components, functions, and supports for access control policy models. Considerations for implementing blockchain access control systems are also included.

Blockchain systems provide an alternative (or complementary) system for reliability, security, accountability, and scalability for AC systems. Blockchain characteristics – such as transparency, distributed computing/storage, and a tamper-evident/tamper-resistant design – help to prevent AC data from being accessed or modified by malicious users. Access logs are also recorded in blocks that allow for the detection of malicious activities. Blockchain system components and their advantages for AC systems are Read the rest of this entry »

Education Apps endorsed by the Australian Government found to be surveilling Australian children resulting in inquiries by New South Wales and Victorian Governments

May 26, 2022

As the saying goes, the road to hell is paved with good intentions.  That may be the sombre story of the education apps used during the pandemic.  Human Rights Watch has undertaken a detailed study, How Dare They Peep into My Private Life.  Of particular interest are some of the practices of the EdTech vendors.  The EdTech apps were used by students in Australia during the lockdowns.  The Victorian and New South Wales Governments have announced inquiries.  The Victorian Information Commissioner raised concerns about education apps as far back as August 2020, stating in a report that “..we consider that schools are at risk of breaching the [Information Privacy Principles] IPPs when using apps and web-based learning tools that handle student personal information.”

The report has been covered by iTnews (Edtech vendors invaded student privacy: Human Rights Watch), InnovationAus (‘Dystopian’: Govt-endorsed education apps surveilling Australian children) and the ABC (Investigation reveals tracking by EdTech of millions of Australian school students during COVID lockdowns).

Some interesting findings from the Report Read the rest of this entry »

Data breach at the California State Bar, with 322,000 confidential attorney discipline files exposed to the public, an excruciating experience ongoing from 27 February 2022

May 10, 2022

Lawyers are far from immune from data breaches.  In fact, law firms are attractive targets for ransomware attacks and malicious actors, sometimes state sponsored ones, who are interested in the sensitive information about clients held behind often poorly protected cyber defences. Nothing so nefarious has hit the State Bar of the US state of California, where over 322,000 confidential attorney discipline records were erroneously published on the public records aggregator Judyrecords from 15 October 2021 until 26 February 2022.  The Bar claimed that this error was due to a bug in its case management system. While a data breach caused by a flaw in the IT system rather than a malicious hack is a minor consolation, the mortification level remains high nevertheless.  And it remains a data breach.  The breach was discovered on 24 February 2022.  The Bar has been required to notify 1,300 complainants, witnesses or respondents.

The episode highlights the importance of checking the correct operation of IT systems as well as cyber security defences. Clearly the glitch which caused this data breach was due to a malfunction in the system.  That is an explanation, not an excuse.

The State Bar first issued a media release, State Bar of California Addresses Breach of Confidential Data, on 26 February 2022.  At that time Read the rest of this entry »

Commonwealth Parliament passes the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022

March 31, 2022

The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 passed through the Senate on 30 March 2022.  This comes hot on the heels of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (No. 124, 2021).  The genesis of the current legislation is the 99 page Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018, which was prepared by the Parliamentary Joint Committee on Intelligence and Security and tabled in September 2021.

The USA has critical infrastructure legislation.  Most recently, President Biden signed the Strengthening American Cybersecurity Act of 2022.  Under that legislation critical infrastructure entities must report cyber attacks within 72 hours and report ransom payments within 24 hours.

In short compass, what does each Act do?

The Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) amended the Security of Critical Infrastructure Act 2018 (Cth). It increased the number of critical infrastructure sectors from 4 to 11.  Communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage are now included. Read the rest of this entry »

Significant data breach at the Federal Court of Australia revealing names of protection visa applicants

March 31, 2020

It was serendipitous that last Wednesday I presented a paper, via Zoom, at a Legalwise Seminar on Data Breaches: How to Respond, Notify and Remedy, given today’s report that there has been a significant data breach by the Federal Court, an agency for the purposes of the Privacy Act 1988.  The “major systemic failure”, to use the Federal Court spokesman’s description, involved a searchable database that permitted the identities of 400 asylum seekers to be disclosed.

This breach would fall within Part IIIC of the Privacy Act 1988, the mandatory data breach notification regime. Going through the process would require an assessment of the breach, a determination as to whether the breach is likely to cause serious harm and, if so, a decision on the means of notifying the affected individuals.  Based on the ABC report of the breach, there would be legal and practical issues to address at each step.  As to the assessment process, it is concerning that Read the rest of this entry »

Victorian Information Commissioner releases guidelines on dealing with data breaches

May 26, 2019

The Victorian Information Commissioner has released guidelines on managing the privacy impacts of privacy breaches.  While they relate to entities covered by the Privacy and Data Protection Act 2014, primarily government agencies and the contractors engaged by them, they do provide another useful point of reference for those wanting to develop a comprehensive understanding of the best way of dealing with a data breach.

They are a starting point only.  The structure and operation of a business will dictate Read the rest of this entry »

Banks’ privacy policies reflect the flexibility of the Australian Privacy Principles and the Guidelines

March 17, 2014

ZDNet’s Playing by the rules: Australia’s banks and the privacy reforms shows how similarly sized organisations in the same sector approach drafting their respective privacy policies.  The differences are not massive, but they are enough to show that, in drafting, the APPs can be in the eye of the beholder.  How the Privacy Commissioner approaches Read the rest of this entry »
