The internet of things and hacking…

December 16, 2017

There has been a flurry of stories relating to the internet of things and the lack of data security, to wit, businesses being hacked through access points that exist courtesy of connected devices. In the UK dozens of British heating systems have been found to be vulnerable to hacking. In that case

Attorney General announces reference to the Australian Law Reform Commission into class actions and third party litigation funders

December 15, 2017

The Commonwealth Attorney General has announced a formal reference to the Australian Law Reform Commission, made on 11 December 2017, on class actions and litigation funders. The heading of the media release leaves little doubt about what is on the Government’s mind: Protecting Australians from exorbitant legal fees. It is hard to see class actions being abolished given

Risk assessments predict 2018 will be a significant year for cyber attacks

December 5, 2017

McAfee has released a 2018 Threats Predictions Report. Meanwhile the European Banking Authority has released its risk assessment report, in which the EBA found:

  • cyber risk and data security were identified as the “main drivers for increasing operational risk”
  • 55% of banks “foresee an increase in operational risk in their bank”. This is an increase from 43% last year and 35% in 2015.
  • most EU banks are still taking steps to address the weaknesses stemming from the technology-driven evolution of their industry.
  • because of the reliance on IT platforms, digitalised product channels for banking services and outsourcing to third-party providers, 42% of the respondents stated that cyber risk and data security is the main cause of increasing operational risk
  • that cyber risk is “one of the key risks threatening data integrity and business continuity in the financial system”. It also said that banks are facing increasingly complex cyber attacks from “intruders trying to gain unauthorised access to critical systems and data”.
  • cyber risks pose operational, legal and reputational risks including business interruptions, data and software loss, cyber extortion, fraud, breach of privacy, network failure liabilities and damage to physical assets, which can result in financial losses
  • the growing use of third party services by financial services may impact on the ability of institutions to manage their risks, such as strategic, reputational, compliance and operational risk, and that is a cause of increased systemic risk. The EBA noted that these risks should be mitigated adequately by banks and embedded in a sound and efficient risk management policy. That means money and effort.

Earlier this year the EBA produced draft guidance designed to support the adoption of cloud-based solutions by banks. Interestingly the EBA

US Supreme Court to review digital privacy through the prism of the 14th Amendment, warrantless searches

November 27, 2017

The US Supreme Court has been remarkably strong on recognising a right to privacy through various Amendments to the Constitution, mainly the

UK drone users are to sit safety tests under proposed new law

November 26, 2017

The response of governments to the phenomenal rise of unmanned aerial vehicles across the world has ranged from the tentative to the woeful. Admittedly it has presented significant challenges to regulators, as light, portable drones sold in their thousands are difficult to monitor and, where there is a breach of the regulations, difficult to prosecute. Governments are also wary of limiting the commercial utility of drones, which can transform transport and delivery, such as delivering blood to hospitals.

The regulation of drones in Australia is spotty at best. The nature of the regulation depends on whether drones are being used for recreational or for business and commercial purposes. The primary regulator is the Civil Aviation Safety Authority (the “CASA”). The focus of the regulation is air safety. As I have argued in posts on drones over the years, this sort of regulation is far from adequate. Drones have the potential to interfere with people’s privacy, and often do.

The regulation, such as it is, is poorly enforced. The complaints process is cumbersome and there are difficulties in identifying the drone and its owner after the fact. CASA could be doing a better job.

Another data breach by an Australian Government Agency…this time the Department of Social Services

It has been a bad year for data breaches in Australia. Perhaps not as bad as America, where the Equifax data breach, involving 145 million Americans, took matters to a whole new level in terms of the volume of data stolen, the impact of that credit reporting information on the individuals affected and the truly dreadful response. Similarly the recently announced Uber breach, involving 57 million individuals, has been a new low in terms of woeful data security and appalling subsequent management. But Australian agencies and organisations have shown through their own data breaches, most recently one involving 50,000 Australians from the Department of Finance, the Australian Electoral Commission and other agencies, that there remains a poor culture of privacy protection and data security. Lax regulation and little in the way of consequences for breaches of the legislation have largely contributed to this poor state of affairs.

The Guardian reports on a breach at the Department of Social Services, yet another caused by a third party contractor, which has required the department to write to 8,500 individuals: 2,000 current and 6,500 former employees of the Department. The compromise involved

Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2017 introduced into the New South Wales Parliament

November 24, 2017

Data breach notification laws seem to be in vogue in Australia at the moment. In 90 days, on 22 February 2018, the Commonwealth Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into effect for those organisations and agencies covered by the Privacy Act 1988. That has the potential to have a major impact on the way privacy and data security are regulated in Australia and to make the extent of data breaches more transparent. It will bring Australia into line with best practice, even if the Act is far from the gold standard. It is a complicated piece of legislation which requires careful analysis of the extent of a data breach, consideration of exemptions and an appreciation of which are the best options available to the affected entity to ensure compliance.

In New South Wales an opposition member, Paul Lynch, introduced the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2017 into the Legislative Assembly on 16 November 2017. If passed

Uber is hacked, covers it up for over a year, pays the hackers US$100,000 to delete the data and keep things quiet. What else could it have done wrong? Not much

November 22, 2017

Uber, like many modern disrupting businesses, relies on data, lots of it, to make its app effective. In October 2016 Uber suffered a disastrous data breach affecting the personal information of 57 million customers and drivers. The hackers stole names, email addresses and phone numbers, as well as the names and driver licences of 600,000 drivers in the US alone. That can make up a treasure trove of data for use in identity theft. Uber says that location data, credit card numbers, bank account details, social security numbers and birth dates were not compromised. Or at least that is what it says. Uber’s credibility has taken a hit.

The story has been picked up by

Privacy related class action to be issued in New South Wales tomorrow, alleging sale of paramedics’ medical records to personal injury solicitors

November 19, 2017

The development of privacy related actions in either common law or equity in Australian courts has been glacial at best. It has been marked by hesitation and wariness, heavily seasoned by a major case of conniptions among decision makers. Efforts to have the courts here do what is effortlessly done in other common law countries, recognising a tort of invasion of privacy, have come to nought. As for Tribunals’ decisions on privacy, the less said the better. The legislature, irrespective of which party occupies the treasury benches, has been equally languid, when not downright resistant, in legislating for a statutory tort of privacy. The need for an actionable tort of privacy has been consistently recommended by whichever law reform commission has looked at the issue. The main opponents these days are media lawyers for news outlets, governments who don’t want a fight with media outlets over such a reform, and some of the more conservative commentators who see any such right as a bill of rights by stealth or some such nonsense.

The weekend Sydney Morning Herald reports on a class action which may test privacy law, in Paramedics launch class action over the sale of their medical records to personal injury solicitors. The breaches are

Massive Data breach at the ABC

November 17, 2017

To those who think the cloud is the answer to their security prayers, think again. Vulnerabilities in cloud services occur often enough. Flaws in services provided by third party providers are a chronic problem. The onus still remains with the party that collects the data, but too many organisations assume that once it is stored via a third party provider, such as in the cloud, that responsibility disappears. Oftentimes data in the cloud is not encrypted or otherwise protected. The ABC has learned these and a few other lessons with a data breach in its cloud services, being a misconfigured storage bucket, according to the Australian article ABC caught in massive data leak. That data seems to