NIST releases guides to enterprise patch management

April 11, 2022

The National Institute of Standards and Technology (“NIST”) releases excellent guides on all manner of technology. It is particularly helpful in setting out processes to improve cyber security and to deal with data breaches.

Last week NIST, through its National Cybersecurity Center of Excellence (NCCoE), released

Both guides emphasise that timely and appropriate patching is essential if an organisation is to have an adequate cybersecurity program.

Patching is a form of preventive maintenance for computing technologies. It helps prevent compromises, data breaches, operational disruptions and criminal acts.

SP 800-40

SP 800-40 Revision 4 recommends that leadership at all levels of an organization, along with business/mission owners and security/technology management teams, should jointly create an enterprise strategy that simplifies and sets up processes for patching.

Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization.
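The cycle in that definition, as an added worked example in Python (this is not NIST's code and does not appear in SP 800-40): identify which assets run software below a patch's fixed version, prioritise the resulting work by severity, known exploitation and internet exposure, and verify installation by re-checking the post-deployment inventory. All asset names, software names, versions, severities and the scoring weights are constructed sample data and assumptions for illustration, not real products or advisories.

```python
"""Toy enterprise patch-management tracker (added example, not from NIST SP 800-40).

Models three steps of the cycle the text names: identify applicable patches for an
asset inventory, prioritise them, and verify installation after deployment.
Every asset, patch, version and severity below is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    software: str
    version: str
    internet_facing: bool  # exposure is one common prioritisation input (assumption)


@dataclass(frozen=True)
class Patch:
    software: str
    fixed_version: str
    severity: str    # one of "critical", "high", "medium", "low" (constructed scale)
    exploited: bool  # whether exploitation in the wild is reported (assumption)


# Scoring weights are an illustrative assumption, not a NIST-prescribed formula.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(version: str) -> tuple:
    """Dotted numeric versions only (e.g. "2.4.8"); a real scheme would be more complex."""
    return tuple(int(part) for part in version.split("."))


def identify(assets: list[Asset], patches: list[Patch]) -> list[tuple[Asset, Patch]]:
    """Step 1: pair each asset with every patch it is missing (same software, older version)."""
    return [
        (asset, patch)
        for asset in assets
        for patch in patches
        if asset.software == patch.software
        and parse_version(asset.version) < parse_version(patch.fixed_version)
    ]


def priority(asset: Asset, patch: Patch) -> int:
    """Step 2 helper: higher score means patch sooner."""
    score = SEVERITY_WEIGHT[patch.severity]
    if patch.exploited:
        score += 2
    if asset.internet_facing:
        score += 1
    return score


def prioritise(pairs: list[tuple[Asset, Patch]]) -> list[tuple[Asset, Patch]]:
    """Step 2: order the missing-patch list, most urgent first (stable for ties)."""
    return sorted(pairs, key=lambda ap: priority(*ap), reverse=True)


def verify(assets: list[Asset], patches: list[Patch],
           observed: dict[str, str]) -> list[tuple[str, str, str]]:
    """Step 3: after deployment, compare observed versions against each required fix.

    `observed` maps asset name -> version seen by a post-deployment scan (constructed).
    Assets not re-scanned keep their pre-deployment version and so stay outstanding.
    Returns (asset, software, fixed_version) for every patch still not installed.
    """
    outstanding = []
    for asset, patch in identify(assets, patches):
        seen = observed.get(asset.name, asset.version)
        if parse_version(seen) < parse_version(patch.fixed_version):
            outstanding.append((asset.name, patch.software, patch.fixed_version))
    return outstanding


# Constructed sample inventory and advisories (not real software or patches).
SAMPLE_ASSETS = [
    Asset("web-01", "examplehttpd", "2.4.1", internet_facing=True),
    Asset("db-01", "exampledb", "13.2", internet_facing=False),
    Asset("app-02", "examplehttpd", "2.4.9", internet_facing=False),  # already patched
]
SAMPLE_PATCHES = [
    Patch("examplehttpd", "2.4.8", severity="critical", exploited=True),
    Patch("exampledb", "13.5", severity="high", exploited=False),
]

if __name__ == "__main__":
    ranked = prioritise(identify(SAMPLE_ASSETS, SAMPLE_PATCHES))
    for asset, patch in ranked:
        print(f"{priority(asset, patch):>2}  {asset.name}: {patch.software} -> {patch.fixed_version}")
    # Simulated post-deployment scan: web-01 was patched, db-01 was not.
    print("outstanding:", verify(SAMPLE_ASSETS, SAMPLE_PATCHES, {"web-01": "2.4.8", "db-01": "13.2"}))
```

The point of the third step is the one NIST's definition ends on: a patch is not "done" when it is pushed, only when a fresh inventory confirms the fixed version is actually running; anything not re-scanned is treated as unverified rather than assumed installed.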

The publication refers to

Data Availability and Transparency Act 2022 passes and receives Royal Assent on 1 April 2022

April 10, 2022

On 31 March 2022 the Federal Parliament passed the Data Availability and Transparency Bill 2022. It became law on 1 April 2022. Its genesis is traced back to reforms proposed by the Productivity Commission’s Inquiry Report into Data Availability and Use (2017).

The Minister’s Second Reading Speech provides:

I am pleased to introduce this bill which will create the Data Availability and Transparency Act, appropriately abbreviated to DATA.

This bill establishes a new data sharing scheme for federal government data, underpinned by strong safeguards to mitigate risks and simplified processes to make it easier to manage data sharing requests.

2020 has shown us how critical this piece of legislation is.

We started the year in the middle of one of the most disastrous bushfire seasons in recent memory, with thousands of Australians needing access to government services to support them through this difficult time.

Australians continue to face the onslaught of the COVID-19 pandemic, which has cost them their jobs and their livelihoods, and they are turning to their government for help.

Government data and digital services have been fundamental to the government’s response to these events.

Data allowed Australians to receive timely and reliable services in a time of need.

Data allowed Australians to access government services online instead of queuing at Centrelink shopfronts.

It was data that informed the development of essential programs like the JobKeeper payment, so that we could provide relief to Australians who have lost their jobs during this pandemic.

The government’s vision is that Australians experience the same seamless approach to government services every day, not just in times of crisis.

Federal Trade Commission requires the successor to Weight Watchers to delete data and destroy algorithms

April 7, 2022

The Federal Trade Commission (the “FTC”) took action against WW International, the successor to Weight Watchers, and Kurbo Inc (the “Defendants”) by a complaint filed on 16 February 2022. Settlement was reached last month. The alleged breaches of the Federal Trade Commission Act and the Children’s Online Privacy Protection Act (COPPA) are quite egregious, including:

  • not providing any form of notice to parents that the Defendants were collecting personal information from children, or seeking to obtain parents’ consent for that collection, until November 2019;
  • the notice eventually given to parents that the Defendants’ app was collecting a child’s personal information was incomplete, as it did not specify all of the categories of personal information collected from the child;
  • until August 2021, the Defendants retained personal information collected online from children indefinitely, deleting it only when specifically requested by a parent, even where the user’s account had been dormant for multiple years.

The terms of settlement follow the standard structure used by the FTC and, in this case, include:

  • restraining the Defendants from continuing the alleged breaches;
  • requiring the Defendants, within 30 days, to destroy all Personal Information Collected from accounts that have not by that date received direct notice and provided Verifiable Parental Consent;
  • requiring the Defendants to destroy any models or algorithms developed in whole or in part using Personal Information Collected from Children;
  • ordering the Defendants to pay the sum of $1,500,000 as a civil penalty;
  • requiring the Defendants to enter into a compliance program, including providing compliance notices for 10 years and creating specified records for inspection for 10 years.

What is particularly interesting about this settlement is the requirement that the Defendants destroy algorithms developed or created using personal information unlawfully obtained from children in breach of the legislation. This is a significant development in regulation. It underlines how intrinsic the collection and use of personal information is to the development and refinement of algorithms, and