UK Information Commissioner’s Office reprimands UK law firm Levales Solicitors for poor protection of data which were affected by a data breach

October 16, 2024

Law firms are prime targets for data breaches. One need only look at the recent massive data breach at HWL Ebsworth. Attackers can gain entry to law firms through a range of third-party providers, such as IT services. The UK Information Commissioner has reprimanded a UK law firm, Levales, for breaching the General Data Protection Regulation. The incident affected 8,234 UK individuals, of whom 863 were deemed at high risk because of the nature of the data involved.

According to the reprimand:

  • The breach occurred after an unknown threat actor gained access to the secure cloud based server via legitimate credentials, later publishing the data on the dark web
  • 8,234 UK data subjects were affected, of which 863 were deemed to be at ‘high-risk’ of harm or detriment due to the special category of data including criminal data pertaining to ‘homicide, terrorism, sexual offences, offences involving children or particularly vulnerable adults’.
  • the data involved was:
    • Name
    • Date of Birth
    • Address
    • National Insurance Number
    • Prisoner Number
    • Health Status
    • Details of Criminal allegations not charged
    • Details of Criminal allegations prosecuted
    • Outcomes of investigations and prosecutions
    • Details of complainants and victims both adult and children
    • Previous Convictions
    • Legally privileged information and advice
  • Levales did not implement appropriate technical and organisational measures to ensure their systems were secure because, while outsourcing their IT management to a third party, they were unaware of the security measures in place, such as detection, prevention and monitoring.
  • Levales had not reviewed whether the technical measures associated with the contract were appropriate for the personal data they were processing since the contract was first signed in 2012.


Privacy and Other Legislation Amendment Bill 2024 beginning of second reading speeches

Three further second reading speeches have been published: from Paul Fletcher (Liberal) on 8 October 2024, Graham Perrett (Labor) and Max Chandler-Mather (Greens). None are particularly illuminating. All follow predictable paths. Perrett recounts what is in the bill and how that is for the good. Fletcher makes fair criticisms about the selective approach to reform, less fair criticisms about the delay in banning doxxing and a generally confused complaint about the statutory tort, as much about the process as the benefit or otherwise of having a tort. The problem with the process argument is that the statutory tort has been recommended by the Australian Law Reform Commission since 2008. Its 2014 report also recommended such a tort. The Attorney-General's Department's report also recommended the tort. There can be no serious complaint about ambush and lack of knowledge. The reality is that the Coalition has always been hostile to a statutory tort. At least they are reserving their position until the completion of the Senate Committee process, where there will be long and loud complaining by the business sector.

The crossbench has proposed amendments:

By Kylea Tink:

(1)  Schedule 2, item 10, page 67 (line 19), after “privacy was”, insert “expressly”.
[defences]
(2)  Schedule 2, item 10, page 71 (line 13), after “journalistic material”, insert “about matters of public interest”.
[public interest journalism]
(3) Schedule 2, item 10, page 72 (lines 6 to 8), omit all the words from and including “reasonably believes” to the end of clause 16, substitute:
(a) reasonably believes that the invasion of privacy is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; and
(b) is conducting a lawful investigation in respect of a serious crime.
[enforcement bodies]
(4) Schedule 2, item 10, page 72 (line 15), at the end of clause 17, add:
; to the extent that the intelligence agency is conducting a lawful national security operation.
[intelligence agencies]

By Zoe Daniel:

(1) Clause 2, page 2 (after table item 7), insert:
7A. Schedule 1, Part 16
The day after this Act receives the Royal Assent.
[commencement]
(2) Schedule 1, page 58 (after line 27), at the end of the Schedule, add:
Part 16—Miscellaneous amendments
Privacy Act 1988
90 Subsection 6(1) (definition of consent)
Repeal the definition, substitute:
consent means voluntary, informed, current, specific, and unambiguous indication through clear action, which has not since been withdrawn.
91 Subsection 6(1) (definition of personal information)
Repeal the definition, substitute:
personal information: see section 6AAA.
92 After section 6
Insert:
6AAA Meaning of personal information
(1) In this Act, personal information means information or an opinion that relates to an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act.
(2) For the purposes of this section, an individual is reasonably identifiable if they are capable of being distinguished from all other individuals, regardless of whether or not their identity is known.
93 Application of amendments
The amendments of section 6 of the Privacy Act 1988 made by this Part, and section 6AAA of the Privacy Act 1988 as inserted by this Part, apply in relation to acts done, or practices engaged in, after the commencement of this item.
[definitions]

Fletcher’s second reading speech provides:

I rise to speak on the Privacy and Other Legislation Amendment Bill 2024. This is a bill that’s been in the pipeline for some time, yet it is a very curious creation. It seems to have been cobbled together from a range of different parts. Each of these parts does something different. They have different objectives, and they respond to different stakeholders. They are all somehow related to privacy, but they each have their own merits and drawbacks. It just does not sit together well as a whole. All the indications are that this bill was hastily stitched together at the last minute.

Cyber Security Bill 2024 introduced into the House of Representatives yesterday

October 10, 2024

Yesterday the Government introduced into the House of Representatives the Cyber Security Bill 2024. The Minister’s Second Reading Speech set out the operation of the Bill.

Features of the Bill include:

  • provisions relating to victims of “ransomware” – malicious software cyber criminals use to block access to crucial files or data until a ransom has been paid. Victims of ransomware attacks who make payments must report the payment to authorities.
  • new obligations for the National Cyber Security Coordinator and Australian Signals Directorate on how they can use information provided to them by businesses and industry about cyber security incidents.
  • organisations in critical infrastructure – such as energy, transport, communications, health and finance – will be required to strengthen programs used to secure individuals’ private data.
  • increased investigative powers of the Cyber Incident Review Board. It will be able to conduct “no-fault” investigations after significant cyber attacks and share findings to promote improvements in cyber security practices.
  • new minimum cyber security standards for all smart devices, such as watches, televisions, speakers and doorbells. Those standards will include secure default settings, unique device passwords, regular security updates and encryption of sensitive data.

The Second Reading speech provides:

In introducing this legislation, I acknowledge the work done in its development from the former Minister for Home Affairs, now the Minister for Housing, and also acknowledge the work of the very large number of members of the Department of Home Affairs in the cybersecurity section, who have worked for some years in the development of the legislation in the national interest that I present to the House today.

This bill, alongside the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill, form the cybersecurity legislative reforms package. This package will collectively strengthen our national cyber defences and build cyber-resilience across the Australian economy.

Privacy and Other Legislation Amendment Bill 2024 – Government moves the Second Reading and publishes Second Reading speech

October 8, 2024

The Government has published the Second Reading Speech and adjourned debate on the Bill. The Second Reading Speech is dated 12 September 2024; however, the Daily Program lists the Speech as being moved today. It only recently appeared on the Bill’s homepage.

The Bill provides the Privacy Commissioner with more flexibility in enforcement, allowing for infringement notices and new civil penalties. The real issue there is getting the Commissioner to use those powers. The existing civil penalty provisions have only been used twice, and then only very recently, and neither case has reached resolution.

The statutory tort for serious invasions of privacy is welcome; however, the exemption carve-outs for journalism, law enforcement and security limit its effectiveness. There is no consideration of whether the actions of the journalist are excessive and irresponsible in breaching a person’s privacy. In the UK there is a balancing between Article 8, the right to privacy, and Article 10, freedom of expression, as it applies to the media.

There is specific provision for the development of a Children’s Privacy Code. According to the Attorney-General, that is designed to align the protections with those that exist overseas.

Doxxing will be criminalised.

There are other provisions which clarify the sharing of information when there are data breaches and during emergencies and regarding overseas data flows.

The amendments are conservative and modest but a move in the right direction. These changes will not make Australia’s Privacy Act the gold standard, but if the further reforms proposed by the Attorney-General’s Department are implemented then the level of protection will allow for more effective regulation and protection.

The Second Reading Speech provides:

Introduction

The digital economy has unleashed enormous benefits for Australians. But it has also increased the privacy risks we face through the collection and storage of enormous amounts of our personal data.

The Privacy Act 1988 represented the first time that a comprehensive, integrated set of legal rules protecting interests in privacy existed in Australia. On introducing it, Attorney-General Lionel Bowen told the parliament that ‘enormous developments in technology for the processing of information are providing new and, in some respects, undesirable opportunities for the greater use of personal information.’

In that respect, little has changed. Evolutions in technology and the way people use it continue to vex those who share information online, and those charged with regulating it. It is essential that Australians are protected by a legal framework that is flexible and agile enough to adapt to changes in the world around them.

The Privacy Act has not kept pace with the adoption of digital technologies. The vast data flows that underpin digital ecosystems have also created the conditions for significant harms—like major data breaches that have revealed the sensitive information of millions of Australians, exposing us to the risk of identity fraud and scams.

US Department fines Providence Medical Institute $240,000 after ransomware attacks

In the United States the fines for breaches of data security can be quite heavy, much heavier than in Australia. As in Australia, there is more than one regulator that can take action against organisations on various grounds for breaches of data security. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced, found here, the notice of final determination finalising a civil penalty of $240,000 against Providence Medical Institute for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rules, following a ransomware attack breach report investigation. The final determination is found here.

As can be the way, the background has quite a long history. In July 2016, Providence acquired the Center for Orthopedic Specialists and initiated a two-year transition plan linking the Center for Orthopedic Specialists IT system into Providence’s IT structure. In April 2018 Providence filed a breach report which resulted in an investigation. The breach report concerned the unauthorized access and encryption of the Center for Orthopedic Specialists’ systems on February 18, 2018, February 25, 2018, and March 4, 2018. The attacks compromised

Court of Justice of the European Union rules that Meta must minimise the amount of personal information for personalised advertising, in this case about sexual orientation

October 7, 2024

Max Schrems has struck again. He has been successful in his claim against Meta over the use of information about a user’s sexual orientation in personalised advertising, as reported by the BBC in Meta must limit data for personalised ads – EU court and by Breaking News in Activist wins privacy case against Meta over personal data on sexual orientation.

Meta and other social media platforms use data to drive the effectiveness of personalised ads. That means the collection of data, especially personal information, is a priority. In practice sensitive information, such as sexual orientation, may assist in refining the nature of ads directed at a person.

The final judgment has not been published as yet.

The BBC article provides:

Facebook-owner Meta must minimise the amount of people’s data it uses for personalised advertising, the EU’s highest court says.

The Court of Justice for the European Union (CJEU) ruled in favour of privacy campaigner Max Schrems, who complained that Facebook misused his personal data about his sexual orientation to target ads at him.

In complaints first heard by Austrian courts in 2020, Mr Schrems said he was targeted with adverts aimed at gay people despite never sharing information about his sexuality on the platform.

The CJEU said on Friday that data protection law does not unequivocally allow the company to use such data for personalised advertising.

“An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data,” it said.

Data relating to someone’s sexual orientation, race or ethnicity or health status is classed as sensitive and carries strict requirements for processing under EU data protection law.

Meta says it does not use so-called special category data to personalise adverts.

“We await the publication of the Court’s judgment and will have more to share in due course,” said a Meta spokesperson responding to a summary of the judgement on Friday.

They said the company takes privacy “very seriously” and it has invested more than five billion Euros “to embed privacy at the heart of all of our products”.

Facebook users can also access a wide range of tools and settings to manage how their information is used, they added.

“We are very pleased by the ruling, even though this result was very much expected,” said Mr Schrems’ lawyer Katharina Raabe-Stuppnig.

“Following this ruling only a small part of Meta’s data pool will be allowed to be used for advertising – even when users consent to ads,” they added.


Court of Justice of the European Union publishes judgment concerning the Registry Entries Agency of Bulgaria’s refusal to delete certain personal data concerning an individual contained in a partnership agreement

The Court of Justice of the European Union (CJEU) has published its judgment (found here) concerning the Registry Entries Agency of Bulgaria’s refusal to delete certain personal data concerning an individual contained in a partnership agreement published in the commercial register under the General Data Protection Regulation (GDPR).

The claimant was a partner of a limited liability company under Bulgarian law.

On July 8, 2021, the claimant asked the Agency to delete the personal data contained in the partnership agreement, specifying that consent was withdrawn. The Agency did not respond, which led to a claim before the Administrative Court of Dobrich, which annulled the Agency’s implied refusal to delete the data and referred the case back to the Agency for a new decision. The Agency then provided, by letter, a certified copy of the relevant partnership agreement with the individual’s personal data concealed, except for that required by law.

The individual claimant again brought an action before the Administrative Court seeking the annulment of the letter and an order against the Agency to compensate the claimant for the non-pecuniary damage caused by the letter, which infringed the rights conferred by the GDPR. The Administrative Court annulled the letter and ordered the Agency to compensate the individual for non-pecuniary damage, pursuant to Article 82 of the GDPR. The Agency appealed to the Supreme Administrative Court, which subsequently referred the case to the CJEU.

The CJEU found:

  • that Directive 2017/1132 does not impose on a Member State an obligation to authorize the publication, in the commercial register, of a partnership contract subject to the mandatory publication provided for by the Directive and containing personal data other than the minimum personal data required, the publication of which is not required by the law of that Member State.

The Court of Justice of the European Union has published a judgment on health related data

The CJEU has found that the General Data Protection Regulation (GDPR) does not preclude national legislation that confers on competitors of an alleged perpetrator of a GDPR infringement the right to bring civil proceedings against the alleged perpetrator on the grounds of such infringements and on the basis of the prohibition of unfair commercial practices. The Court also found that information that customers enter when ordering medicine online, such as names, delivery addresses, and elements necessary for the individualisation of medicines, constitutes data concerning health, even when the sale of such medicines is not subject to a medical prescription.

The Court found that:

  • those data are capable of revealing information about the health status of an identified or identifiable data subject by means of an intellectual operation involving comparison or deduction because a link is established between that person and a medicinal product, its therapeutic indications or its uses, irrespective of whether that information concerns the customer or any other person for whom the customer places the order.
  • in the absence of a prescription, it is immaterial whether it is only with a certain degree of probability and not with absolute certainty that those medicinal products are intended for the customers who ordered them.
  • to make a distinction according to the type of medicinal product and to whether or not the sale of those medicinal products requires a prescription would be contrary to the GDPR’s objective of ensuring a high level of protection.
  • the seller must inform those customers in an accurate, comprehensive and easily understandable manner of the specific characteristics and purposes of the processing of those data and request their explicit consent to that processing.

The case arose due to a dispute between two pharmacies on whether marketing pharmacy-only medicines on Amazon Marketplace constituted an unfair commercial act. The Regional Court of Dessau-Roßlau upheld this action whereas

T-Mobile ordered to pay $31.5 million for data breach

In the United States of America the regulators can impose very heavy penalties for data breaches. The Federal Trade Commission (“FTC”), the Securities and Exchange Commission (“SEC”) and the Federal Communications Commission (“FCC”) all have some jurisdiction relating to data security and bringing a complaint over data breaches. In the most recent instance of a regulator taking action, T-Mobile has settled a claim by the FCC over cyber security data breaches, as reported by Geekwire in T-Mobile to pay $31.5M in settlement with FCC over cybersecurity data breaches and US reaches $31.5 million settlement with T-Mobile over data breaches. This is on the back of a settlement in September between the FCC and AT&T relating to a data breach in January 2023 for the sum of US $13 million, as reported by Reuters.

The Geekwire article provides:

T-Mobile will pay $31.5 million in a data protection and cybersecurity settlement with the Federal Communications Commission, resolving investigations into data breaches that impacted millions of U.S. consumers, the agency announced Monday.

Information Commissioner registers new Privacy (Credit Reporting) Code (version 3.0)

October 2, 2024

Credit codes under the Privacy Act 1988 are very important, and a breach of them can result in serious difficulties for a credit provider. The Information Commissioner has registered the Privacy (Credit Reporting) Code 2024. The Commissioner’s media release provides a useful summary of the features of the new code, but that is an overview only. It is important for credit providers, and those who act for them in credit-related matters, to read the Code carefully. It is important that credit providers incorporate the new requirements into their documentation and processes. While that may sound trite, the failure to do so is quite common, particularly among non-bank credit providers.

The media release