May 25, 2026
The papers, standards and guidelines published by the National Institute of Science and Technology (“NIST”) are in many ways more practical and effective than the guidelines issued by privacy regulators, which must of necessity be more general. The NIST has published a very useful standard on methods to help manufacturers restore operations after a cyber attack.
The summary provides:
Industrial control systems (ICS) and devices that run manufacturing environments play a critical role in our nation’s economy. Manufacturers rely on ICS to monitor and control physical processes that produce goods for public consumption. These same systems face an increasing number of cyber attacks, presenting a real threat to manufacturing safety and production. Though defense-in-depth security architecture can help mitigate cyber risk, it may not entirely eliminate it. Organizations should have a plan to recover and restore manufacturing operations should a cyber event impact plant operations. The NCCoE, together with the NIST Communications Technology Laboratory and industry collaborators, will demonstrate an approach for responding to and recovering from an ICS attack within the manufacturing sector by leveraging the following cybersecurity capabilities: event reporting, log review, event analysis, and incident handling and response. The NCCoE will implement each of these capabilities in a discrete-based manufacturing work-cell that emulates a typical manufacturing process. The project will result in a freely available NIST Cybersecurity Practice Guide.
Posted in Privacy
May 23, 2026
It has taken a while, but the Government has finally released its response to the Senate Legal and Constitutional Affairs Legislation Committee report. Most of the recommendations related to machinery issues and were thus easily accepted.
The response provides:
The Australian Government welcomes the opportunity to respond to the Senate Legal and Constitutional Affairs Legislation Committee’s report, Privacy and Other Legislation Amendment Bill 2024 [Provisions] (the Report), tabled on 14 November 2024.
The Government thanks individuals and organisations that contributed to the Committee’s inquiry, including in preparing written submissions and appearing before the Committee.
The Government moved a number of amendments to the Privacy and Other Legislation Amendment Bill 2024 (the Bill) to implement recommendations of the Report.
The Bill passed the Parliament on 29 November 2024, and received Royal Assent on 10 December 2024.
The Privacy and Other Legislation Amendment Act 2024 makes a range of important amendments to strengthen privacy protections for Australians. The Act:
-
- requires the development of a Children’s Online Privacy Code which will apply to social media and other internet services which are likely to be accessed by children
- enables streamlined information sharing in the case of an emergency or an eligible data breach, while ensuring that information is appropriately protected
- supports the free flow of information with appropriate protections by providing for countries and binding schemes with substantially similar data privacy protections to Australia to be prescribed
- expands the suite of regulator powers and enforcement options available to the Australian Information Commissioner to effectively protect privacy
- provides individuals with transparency about the use of their personal information in automated decisions which significantly affect their rights and interests
- establishes a statutory tort for serious invasions of privacy, and
- creates new criminal offences targeting the release of personal data in a manner that is menacing or harassing – a practice known as ‘doxxing’.
The Australian Government’s response to the Report is set out below. The response addresses the recommendations contained in the Report and in the additional comments.
Committee’s Recommendations
Recommendation 1
The committee recommends that the minimum consultation period for the Children’s Online Privacy Code is extended to at least 60 days.
Posted in Privacy
May 20, 2026
Shiny Hunters is on a tear. They have been successful in hacking Canvas and reportedly (but not confirmed) scored a US$10 million payoff. That data breach affected Australian educational institutions. Now it has breached 7-Eleven’s data security. 7-Eleven suffered a data breach last month, resulting in over 600,000 records being stolen. When 7-Eleven refused to pay the ransom, documents were leaked onto the dark web.
The article regarding the breach provides:
Convenience store chain giant 7-Eleven confirmed that its systems were breached in a cyberattack claimed by the ShinyHunters extortion group last month.
Founded in 1927, 7-Eleven now operates, franchises, and licenses over 86,000 stores globally, including 13,000 stores in the U.S. and Canada, while its 7Rewards and Speedy Rewards loyalty programs have more than 100 million members.
Posted in Privacy
May 17, 2026
There have been some very significant data breaches in Australia in May. They include a data breach at Gregory Jewellers, with the loss of 574 gigabytes from the company; Champion Homes, which lost 44 gigabytes that was posted on the darknet; a data breach of a third party provider to Queensland Education; and a data breach at Scope Systems. The Canvas data breach by the cybercriminal group Shiny Hunters has been the biggest data breach story in May. The Information Commissioner published an almost pro forma statement on the data breach involving Canvas. Seven months ago Canva was hacked using encrypted password data, accessing 4 million Canva accounts. Canva published a reasonable statement of where things are at and the need to change passwords. The data breach had a huge impact on education providers in Australia. They were amongst the 9,000 institutions worldwide who were impacted. It also highlighted the poor response plans of many educational institutions. This led to a scam warning about those trying to make some quick money pretending to be from Education Departments. Canva ultimately paid a ransom. It is rumoured to be
Posted in Privacy
May 5, 2026
Location data is very valuable for a whole range of businesses and law enforcement. One of the first things police do when they have a suspect in a serious crime is to review the location data of that person’s mobile phone. That has sunk many alibis. At the commercial level location data is very valuable as well. It is also very sensitive information. At its most granular, tracking a person’s movements is a serious invasion of his or her privacy. And that is what the Federal Trade Commission alleged in its charges against Kochava, a data broker. The FTC sued Kochava in August 2022 for selling data that tracked people to reproductive health clinics, places of worship and other sensitive locations. To resolve the matter, Kochava has consented to orders injuncting it from selling sensitive information.
The sale of data in the United States is a big industry and there is no equivalent in Australia in the private sector because of the Privacy Act and general regulation against the commodification of data for commercial gain. But the technology is the same in Australia as in the United States. And in the recent past the controls on data exchange have loosened.
This case is relevant in highlighting the importance of securing and not misusing tracking data. Tracking data is not confined to mobile phones. Technology now allows for tracking of fitness devices and other wearable items. Modern cars have tracking
Posted in Federal Trade Commission, Privacy
April 20, 2026
Horsham Council has suffered an analogue-ish data breach, with cameras found in the change rooms of the Horsham Town Hall. The cameras were found on 1 April 2026. The Council brought in the Victoria Police. The analysis of the cameras resulted in two search warrants being executed, resulting in mobile phones, computers and storage devices being seized. It appears possible, if not likely, that the cameras were in place for 4 years.
Last Thursday the Council announced that a second inspection found no hidden cameras. Doing a sweep of rooms, including change rooms, would hardly rate as news normally. But this privacy breach has been hugely embarrassing for Horsham, particularly as the cameras were found in change rooms in the Town Hall, which was used to stage community functions and performances.
As the Guardian reports in “The terrifying rise of secret cameras”, the use of secret cameras is a growing problem but one that has a disturbingly long history. Spy cameras have been used in espionage as far back as 1885 and developed into more sophisticated devices during each of the World Wars and the Cold War. Miniaturisation and reduced cost of cameras put cameras that could be used secretly into the hands of individuals (or companies). Digital technology, with the ability to use and record remotely, made the use of video cameras more widespread.
While a member of the Board of the Australian Privacy Foundation and in my professional life, complaints of secret camera use were a fairly regular occurrence.
Victoria criminalised this behaviour where, under the Surveillance Devices Act 1999, there is a prohibition of recording “private activities” where participants reasonably expect privacy, such as in homes or bathrooms. The penalties include 240 penalty units or up to 2 years imprisonment. Until the passage of the Statutory Tort of Interference with Privacy the civil options were limited and complicated. In this case it is unlikely that there is a claim against Horsham Council for a breach of privacy. That said, it is very odd that
Posted in Privacy, Torts
April 15, 2026
Latitude Finance has either been very incompetent or very obstreperous. In March 2023 Latitude suffered a massive data breach. In 2022 it was fined $1.55 million for breaching the Australian Spam Laws. It entered into an enforceable undertaking. That resulted in further spam breaches between March 2024 and April 2025 where more than 2.3 million messages were sent, of which 344,416 messages did not have an unsubscribe function. As a result ACMA has fined Latitude $3.96 million, together with a new court enforceable undertaking.
The media release provides:
Latitude Finance Australia (Latitude) has paid a $3.96 million penalty after the Australian Communications and Media Authority (ACMA) found the company breached Australia’s spam laws more than 2.7 million times.
The ACMA investigation found that between March 2024 and April 2025, Latitude sent more than 2.3 million marketing messages without accurate contact information, of which 344,416 messages also lacked a working unsubscribe function.
This is the second time the ACMA has taken enforcement action against Latitude for spam breaches. In 2022, the company paid a $1.55 million penalty for similar contraventions.
Posted in Privacy
March 31, 2026
The Privacy Commissioner has issued a media release on the Global Privacy Network sweep report, which was published last week. The nub of it: risks to children’s privacy have increased. The figures are quite sobering, with more being collected to access a site now than in 2015.
The media release provides:
The results of the latest Global Privacy Enforcement Network sweep, published today, show risks to children’s privacy have increased over the last decade.
The OAIC participated in the global sweep, which involved 27 data protection and privacy authorities from around the world, and examined almost 900 websites and apps that are used by children. While some are designed for children’s use more specifically, others are used by the general population but are popular with children.
The sweep found that more than half (59%) of the websites and mobile applications required the collection of an email address to access the full functionality of the platforms, followed by 50% requiring usernames, and 46% requiring geolocation. Overall, participants noted an increase in the collection of certain types of information compared to 2015.
Posted in Commonwealth Privacy Commissioner, Privacy
The Privacy Commissioner has published an exposure draft of the Children’s Online Privacy Code. The consultation period is open until 5 June 2026. The legislature has mandated that the Code will be registered on 10 December 2026.
The documents the Commissioner has produced as part of the Code are:
The media release
Posted in Commonwealth Privacy Commissioner, Privacy
The US Federal Trade Commission (“FTC”) relies on breach of contract or representations in having jurisdiction to take action for misuse of personal information and data security. Its decision today to take action against Match and OK Cupid for sharing personal information with an undisclosed third party is quite typical in that regard. What is not typical here is that Match and OK Cupid breached their users’ privacy since 2014 and actively hid that misuse. The data of three million customers were involved and the data involved photos and location information.
This case is a cautionary tale for organisations making representations and being loose in their language about how information is being handled. In this case Match and OK Cupid adopted a very resistant and obstructive response to the FTC in its investigations. That is quite foolish and short-sighted. It is better to co-operate with the regulator where the breach is clear and the facts are not in dispute.
The settlement agreement will last for 10 years and involves considerable reporting requirements.
The Statement provides:
The Federal Trade Commission is taking action against OkCupid and its affiliate Match Group Americas over allegations OkCupid deceived users of its dating app by sharing their personal information, including photos and location information, with an unrelated third party, contrary to OkCupid’s privacy promises.
As part of a settlement, OkCupid, operated by Dallas-based Humor Rainbow, Inc., and Match Group Americas, which provides services for Humor Rainbow, will be prohibited from misrepresenting its privacy policies.
Posted in Federal Trade Commission, Privacy