Ireland’s Data Protection Commission imposes a fine of 265 million Euros on Meta Platforms Ireland following its enquiry into allegations of data scraping

November 30, 2022

The Irish Data Protection Commission commenced an inquiry on 14 April 2021 arising from the discovery of a collated dataset of Facebook personal data available on the internet.

The media release provides as follows:

The Data Protection Commission (DPC) has today announced the conclusion to an inquiry into Meta Platforms Ireland Limited (MPIL), data controller of the “Facebook” social media network, imposing a fine of €265 million and a range of corrective measures.

The DPC commenced this inquiry on 14 April 2021, on foot of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited (‘MPIL’) during the period between 25 May 2018 and September 2019. The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default.  The DPC examined the implementation of technical and organisational measures pursuant to Article 25 GDPR (which deals with this concept).

There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC.

The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed administrative fines totalling €265 million on MPIL.

Information Commissioner welcomes amendments to Privacy Act giving her new powers…now the test is whether they will be used

The Privacy Act 1988 remains a very flawed piece of legislation. Until 2014 there were no serious enforcement provisions available to the Commissioner. The insertion of section 13G permitted the Commissioner to commence civil penalty proceedings for serious or repeated interferences with privacy. Since 2014 no civil penalty proceeding has been commenced and brought to resolution. Not one in 8 years. The Information Commissioner commenced a proceeding under section 13G against Facebook in 2020 arising out of the alleged misuse of data by Cambridge Analytica, which is slowly working its way through the Federal Court system. The US and UK have long finished litigation against Facebook in relation to the same issue and similar facts.

Not surprisingly the Commissioner has welcomed the passage of the amendments. They will provide the Commissioner with significantly more powers and more effective and efficient enforcement options. She can now issue infringement notices, and the court can impose far larger civil penalties. That is more in line with the Monetary Penalty Notices that the UK Information Commissioner has been issuing for years. A safe assumption is that the Commissioner will be more assertive and high profile in using these powers. There is a long overdue need for a change of culture by those who collect personal information. The Commissioner states that she hopes that the increased penalties will help incentivise compliance. Without some high profile cases occurring that is unlikely to be the case. The market has factored in a Commissioner who is timid and more interested in talking compliance than in taking enforcement action.

The Commissioner’s media release provides:

The Office of the Australian Information Commissioner (OAIC) welcomes the passing of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which enhances the OAIC’s ability to regulate in line with community expectations and protect Australians’ privacy in the digital environment.

The Bill introduces significantly increased penalties for serious and/or repeated privacy breaches and greater powers for the OAIC to resolve breaches.

“The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passes the Senate. An improvement but more legislative work is required.

November 29, 2022

Yesterday the Australian Senate passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. The Bill was introduced and read for the first time on 26 October 2022. The second reading debate occurred on 8 November 2022 and the Bill passed the House of Representatives on 9 November 2022.

This Act has always been described as an interim measure: an immediate response to the Optus and Medibank data breaches, which highlighted the inadequacy of the data breach notification regime. More significant reforms are promised for next year. It does not address the flaws in the Privacy Act.

Key aspects of the Act are:

  • an increase in the maximum penalty for serious or repeated interferences with privacy for bodies corporate from $2.2 million to the greater of:
    • $50 million,
    • three times the value of the benefit obtained attributable to the breach or,
    • if the court cannot determine the value of the benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

These penalties mirror the recent increased penalties introduced for breaches of the Australian Consumer Law (“ACL”). The definition of ‘adjusted turnover’ is similar to that introduced into the ACL and takes into account the sum of the values of all the supplies that the body corporate and any related body corporate have made or are likely to make during the period. How long the ‘breach turnover period’ might be could be a very significant issue. It could be lengthy where a breach goes undetected for a long time before it is discovered.

  • greater information gathering powers by the Information Commissioner regarding data breaches including:
    • a power to share information with a broader range of entities, and to disclose information publicly if it is in the public interest to do so. Those bodies include enforcement bodies (both in Australia and overseas), alternative complaint bodies and state and territory authorities.
    • a broader power to make declarations following the conclusion of an investigation including  requiring the organisation to:
      • prepare and publish or otherwise communicate a statement about the conduct; and
      • engage with a suitably qualified independent advisor to review practices, steps taken to remediate the breach and any other matter relevant to the investigation. 

This is a step towards the process the Federal Trade Commission has had in place for many years.

    • conducting an assessment of an organisation’s  compliance with the NDB Scheme, including the extent to which it has processes and procedures in place to assess suspected eligible data breaches and provide notice of eligible data breaches.  This is a worthwhile amendment.
    • issuing an infringement notice for failures to provide information as required by the Act.
  • organisations that carry on business in Australia are now regulated under the Privacy Act even if they do not collect or hold information in Australia. The aim is to regulate organisations which carry on business in Australia but do not themselves collect or hold personal information here. The Act will now apply to all acts done or practices engaged in by overseas entities which carry on business in Australia, irrespective of whether the acts or practices relate to individuals located in Australia. For organisations with a global operation, compliance will apply to the entire global operation.

What constitutes either a ‘serious’ or ‘repeated’ interference still remains vague and unsatisfactory.

The Greens successfully proposed an amendment which will now become section 13GA which provides:

An entity contravenes this subsection if the entity does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.

Civil penalty: 2,000 penalty units

This provision makes it easier to take action than under section 13G, which refers to either a serious interference with privacy, whatever that means, or repeated interferences with privacy. Hopefully these provisions will be consolidated in the broader revision of the Act.

The amendments do not affect the operation of the Data Breach Notification Regime. Not all data breaches are covered. It remains the case that an organisation which suffers a data breach may not need to provide notification of it. The issue remains whether it has or has not taken reasonable steps in the circumstances to secure personal information. To that extent the amendments may not change much.

All of these amendments mean nothing if the Information Commissioner does nothing with them. The Commissioner has been a timid regulator. Whether that continues in light of the focus on privacy is the question.

The Bill

Apple under pressure to address privacy gaps in third party apps found on its App store

November 24, 2022

App developers are notorious for pushing out apps as quickly as possible without focusing on privacy and data security. As a result apps are a focus for hackers. While Apple currently has good privacy protections built into its products, the same cannot be said for apps sold or otherwise downloadable from its App Store. The immediate trigger for this action is concern about reproductive health data following the US Supreme Court decision in Dobbs. This has led the Attorneys General of New Jersey, California, Connecticut, the District of Columbia, Illinois, Oregon, Massachusetts, Vermont, North Carolina and Washington to write to Apple on 21 November 2022 raising concerns about this problem.

While the move is political, coming from states with governments of a more progressive bent, the issue is not political and has been chronic for years. The focus of the letter is on reproductive information, but the problem is broader. Personal information taken from a wide range of apps is a continuing problem. It is as much a problem in Australia as it is in the United States of America. Many app developers in Australia fall within the small business exception of the Privacy Act 1988 and so are not subject to regulation. Even when they are, there is no overt regulatory oversight, so compliance with the legislation is poor.

The key points the Attorneys General make about apps are valid:

  • data not essential for the use of the app should be deleted;
  • there should be clear and conspicuous notices regarding the potential disclosure of user data to third parties; and
  • App Store apps should have the same privacy and security standards as Apple regarding the holding and disclosure of data.

Each Attorney General made an announcement.  In the case of New Jersey, the Attorney General released a media release providing:

TRENTON –Attorney General Matthew J. Platkin today led a multistate coalition expressing concerns regarding reproductive health privacy on Apple’s App Store (the “App Store”) following the U.S. Supreme Court’s Dobbs decision overturning Roe v. Wade and urging Apple to take commonsense steps to protect consumers’ private reproductive health information.

In a letter sent today to Apple CEO Tim Cook, Attorney General Platkin led a group of 10 Attorneys General calling for privacy-enhancing measures.

As the letter explains, Apple has long promoted privacy as one of its “core values” on both the iOS platform and the App Store and has adopted a number of privacy and security measures that are consistent with its stated goals of protecting consumers’ privacy. But apps that collect private reproductive health data from consumers frequently fail to meet these same standards or to implement appropriate protections for this sensitive data, exposing consumers that seek or provide reproductive health care to potential action and harassment by law enforcement, private entities, or individuals.

Xavier College data breach…how not to handle notification

Xavier College’s notice of a data breach has resulted in some no doubt unwanted publicity. Data breach stories are low hanging fruit for journalists. Often the story is the notice with a brief quote from the organisation and sometimes another quote from an “expert” keen for the publicity. It is hard not to be cynical about the way these stories are covered. That is the landscape, but there are ways to keep the damage to a minimum in many cases.

The best starting point is to provide notice promptly and be as open and transparent as possible without drowning the reader in undigestible technical data. By the same token the notice should not be evasive and vague. Xavier’s notice of a data breach, which I posted on 2 days ago, was quite inadequate, and the handling of the data breach was also far from effective. Xavier chose not to notify affected individuals until it became aware that the hacker might disclose the information, months after it was stolen. How it could have proceeded on the basis that a hacker would not do something with the data is difficult to understand. It is beyond naive.

Under the Data Breach Notification Regime an organisation can effectively self assess, determining if there is a risk of serious harm. It is a wholly unsatisfactory system. The downside of erring on the side of non disclosure kicks in when circumstances change and disclosure becomes necessary. As occurred here with Xavier.

Xavier College suffers data breach in June, finds out in October that someone was trying to do something with the data and sends out notification today…Not best practice.

November 22, 2022

Xavier College in Melbourne has suffered a data breach. A notice went out today to Old Xaverians (past students of Xavier who have kept a connection with the school).

It appears that entry occurred through the email account of an employee, a fairly standard entry point. Given that this led to access to other details, it is possible that the hacker used the mailbox to obtain further credentials and move laterally within the system, or alternatively that the system was wide open and permitted unimpeded movement throughout. When the intrusion happened is not made clear; it was discovered some time in June. Then in late October Xavier found that an unauthorised third party “may disclose details of these mailbox contents.”

Notifications in the United States have become something of an art form, balancing being as transparent as possible, giving as much information as practical but not overwhelming the reader.  Often the complete picture of what happened is not fully known at the time a notification needs to be sent out.  I have read many such notices and getting it right is important. 

The notice from Xavier College is not very good. Putting aside the awful prose, it raises more questions than it answers. The events in October are described in terms that leave the impression that the author is being evasive. The letter tries to cover the necessary issues but is vague and woolly when it should be specific and precise, particularly about what happened to the data. Apparently some members were previously contacted by the College, which raises the question of why this letter, drafted as a notification of a data breach, was sent only now. As the Optus and Medibank data breaches show, the initial notice can at least partially smooth the difficult path ahead or throw more boulders onto the roadway.

At best this Notice is a not terribly good first draft. 

The letter provides:

In June this year, Xavier College became aware that the email account of one of its employees had been subject to unauthorised access by an unknown third party.
The College immediately notified any members of our community directly affected by the unauthorised access.
In late October it came to our attention that an unauthorised third party may disclose details of these mailbox contents.
On each occasion, the College undertook the following steps in response:
• Engaged cyber security experts to provide an in-depth investigation
• Took steps to ensure the incident was contained and that our network and data systems had not been adversely impacted and were secure
• Conducted a review of the individual’s Mailbox contents to identify any individuals who may have been at-risk
• Notified any members of our community potentially affected by the data breach
• Consolidated ongoing training for staff and students around cyber vigilance and online safety
We also notified the Office of the Australian Information Commissioner and Australian Cyber Security Centre of the incident.
The College has now taken steps to re-assess the original data and consider whether any further individuals may have been affected.
As in June, immediate notification to specific individuals is occurring.
As you will be aware, there has been a proliferation of cyber attacks and data security issues (including a number of other schools) reported over recent months.
As a general reminder, we attach recommendations for steps you can take to protect your personal information (see “Steps you can take to protect against potential data misuse”).

Federal Trade Commission takes action against Chegg, an Ed Tech provider, for exposing personal data of millions of customers due to careless security

The Federal Trade Commission (the “FTC”) has been quite an assertive regulator on privacy issues in the United States. It has its fair share of detractors, however it has been successful in developing a body of law relating to businesses not complying with their representations as to privacy and data security. It has been so successful in that respect that Daniel Solove, a prominent privacy academic in the United States, has suggested that the FTC has developed the common law of privacy. The FTC has developed very effective consent agreements (enforceable undertakings in Australian parlance), which should provide a very useful template when drafting obligations on entities in Australia which interfere with Australians’ privacy. The enforceable undertakings imposed by the Australian Information Commissioner to date are anemic by comparison. They may also be useful inspiration when, hopefully and eventually, individuals have a right to bring action against companies and government agencies and terms of settlement are required.

The FTC has brought an action against Chegg for careless security which led to four separate data breaches in the space of 3 years, being:

  • in September 2017, Chegg employees fell for a phishing attack, giving the threat actors access to employees’ direct deposit information;
  • in April 2018, a former contractor accessed one of Chegg’s S3 databases using an AWS root credential (the account-level credential that grants unrestricted access to everything in an AWS account) and exfiltrated a database containing personal information of approximately 40 million users of the Chegg platform. Chegg only discovered this data breach when informed by a threat intelligence vendor;
  • in April 2019, a senior Chegg executive fell victim to a phishing attack, giving the threat actor access to the executive’s credentials to Chegg’s email platform and exposing personal information about consumers and employees of Chegg. The email system was in a default configuration that allowed a bypass of Chegg’s multifactor authentication requirement;
  • in April 2020, Chegg’s senior employee responsible for payroll fell victim to a phishing attack, giving the threat actor access to the employee’s credentials to Chegg’s payroll system. W-2 information, including the birthdates and Social Security numbers of approximately 700 current and former employees, was exfiltrated.

Needless to say the failure of Chegg to improve data security after the first and second data breaches is a focus of the FTC complaint.

The above data breaches are regular enough occurrences in Australia.  The failure to properly remediate and improve data security after a data breach is also all too common with Australian organisations.

The FTC statement

UK Police data breach involving sex abuse victims’ data made available on the web

There is a recognised genre of data breaches involving government agencies making sensitive data available online. It is almost always due to poor data handling practices and flaws in IT controls and website design, and it often bespeaks poor access control. The latest reported data breach of this nature, covered by the BBC in Suffolk Police apology over sex abuse victims’ data on website, involved personal details of sex abuse victims appearing on a police website.

Australia has had more than its fair share of similar data breaches. In March 2020 the Federal Court published the names and personal details of hundreds of asylum seekers online. The Federal Court commissioned a review by Professor John McMillan, which resulted in a report in August 2020. The report was comprehensive, but its focus was on findings that the Federal Court’s response was generally satisfactory. That is not an untypical outcome of an inquiry into an agency’s handling of a data breach: individual reviews in Australia are remarkably forgiving and not particularly in depth. On how the breach occurred, or more particularly how matters reached the point where it could happen, the report was relatively quiet. In the United Kingdom a similar review would have attracted much less comforting findings, and possibly a Monetary Penalty. Given that the Department of Immigration experienced a similar breach in 2014, involving the personal details of almost 10,000 individuals and attracting considerable media coverage, it is surprising that the Federal Court was not more alert to the sensitivity of such data and the potential consequences of a leak.

The article

Re J Build Developments Pty Ltd [2022] VSC 434 (4 August 2022): s 459G Corporations Act, whether genuine dispute where the invoice is also a payment claim under the Building and Construction Industry Security of Payment Act

November 20, 2022

In Re J Build Developments Pty Ltd [2022] VSC 434 Hetyey AsJ set aside a statutory demand on the basis that there was a genuine dispute in the context of a notice being issued under the Building and Construction Industry Security of Payment Act 2002.

FACTS

The facts in applications to set aside statutory demand relating to construction contracts and building works invariably have complicated and involved factual issues.  This case is no exception.

On 26 June 2020, J Build entered into a $2.9 million building contract with Abboud Corporates Pty Ltd to construct three double-storey residential dwellings at 10 Glyndon Road, Camberwell, Victoria (‘the head contract’ and ‘the property’, respectively) [2].

AES is a mechanical and electrical services provider specialising in heating, ventilation, air conditioning and associated electrical work [2].

On or about 24 February 2020, Jamiel Daou (“Daou”), a director of J Build, texted Wright, the sole director of AES, asking for a quotation for the supply and installation of ducted heating and cooling air-conditioning systems in each of the units at the property (‘the sub-contracting works’). There was a subsequent telephone conversation between the two, the contents of which are in contention.

On 5 March 2020, AES provided J Build with a quotation of $88,002.64 inclusive of GST.

Prior to 22 October 2020, J Build requested that revisions be made to the quotation. On 22 October 2020, AES issued a second quotation for $101,507.09 (inclusive of GST) [6].

On or around 27 October 2020, the parties discussed a further variation which would provide a cost saving to the plaintiff of between $5,000 and $6,000 and reduce the contract price contained in the second quotation [7]. On 28 October 2020, Wright emailed Daou requesting confirmation of the revised second quotation, with Daou responding via email with the word ‘[a]pproved’ [8].

On 31 October 2020, AES issued an invoice for $16,874.55 (inclusive of GST) regarding work performed between 28 October 2020 and 31 October 2020, payable by 14 November 2020 but paid on 7 December 2020 [10].

Wright and Daou had a site meeting at the property on or around 5 February 2021 where they discussed the need for further variations to AES’ scope of work [11]. AES issued J Build with a further revised quotation on 14 May 2021, documenting additional proposed revisions to the scope of work and increasing the contract price to $109,047.31 (inclusive of GST) (‘the third quotation’). A signed acceptance of the third quotation was returned to AES via email later that day [12]. AES rendered an invoice in the sum of $81,504.61 (inclusive of GST) (‘the second invoice’) to J Build by email on 31 May 2021. AES required payment by 30 June 2021. J Build did not pay by this date and in or around July 2021 AES stopped work [13]. J Build paid AES $41,504.61 on 22 July 2021 and $5,000 on 20 September 2021 [15], leaving $35,000 owing in respect of the second invoice.

On 4 October 2021, AES served a notice under s 18(2) of the Building and Construction Industry Security of Payment Act 2002 (Vic) (‘the SOP Act’) on J Build. J Build responded the next day by sending AES a payment schedule informing AES that it proposed paying nil in respect of the second invoice on the basis that the works had not been completed. No adjudication application was ultimately pursued by AES [16].

On 14 October 2021 AES instructed its solicitors to issue and serve the statutory demand claiming the  $35,000 as ‘monies due and owing pursuant to [AES’] tax invoice no 6394 dated 31 May 2021,’ which refers to the second invoice. The statutory demand did not annex a copy of the second invoice [17].

J Build commenced this application  on 3 November 2021 [18].

The defendant contended that:

  • the second invoice referred to in the statutory demand constitutes a ‘payment claim’ within the meaning of s 14 of the SOP Act which was not effectively challenged by way of a ‘payment schedule’ served within time and is therefore due and payable by force of statute and beyond challenge.
  • J Build was precluded from contending the existence of any genuine dispute about the subject of the statutory demand in this proceeding.

DECISION

The court, at [21], defined the issues for determination as:

(a) is there a genuine dispute under s 459H(1)(a) of the Act that the defendant’s invoice the subject of the demand (ie the second invoice) is a ‘payment claim’ which satisfies the requirements of s 14 of the SOP Act? In particular, is there a genuine dispute whether:

The continuing release of Medibank data, distressing for those affected, is not extraordinary behaviour by hackers. It is all too common.

The news that Medibank data continues to be released onto the dark web is hardly unexpected.  Hackers do it if they are frustrated that a ransom has not been paid, sometimes if they are acting on behalf of state players and the object is not money but humiliation and sometimes for the hell of it, even if the ransom has been paid.

The REvil group is clearly intent on causing maximum pain, given that the data, relating to nearly 1,500 individuals, covers a range of conditions including:

  • heart disease,
  • diabetes,
  • asthma,
  • cancer,
  • dementia,
  • mental health conditions,
  • infections, and
  • delirium.

For a change Medibank has got in front of the story with an announcement. Medibank’s media statements are still quite rudimentary compared to responses in the United States, where there is much more experience in responding to big data breaches. It is difficult to improve the media landscape after such a disastrous initial response and given the nature of the data being leaked. The hackers will continue to leak data and the reputational damage to Medibank will continue to grow.

To restate the obvious, this data breach highlights the need for organisations to have a comprehensive privacy and cyber security strategy, including a plan to deal with a data breach if it occurs.  Medibank has shown what happens when that doesn’t happen.

The Medibank statement