Commonwealth to establish an agency to fight cyber attacks: a cyber security office and national coordinator

February 27, 2023

When confronted with a difficult issue, either establish an inquiry or create a governmental office. The Government, confronting the reality of significant data breaches, has opted for the bureaucratic option: establishing a cyber tsar.  And of course, a discussion paper.

The rationale is set out in an interview with Clare O’Neil, the Minister for Home Affairs, on AM this morning.  It provides:

SPEAKER: First this half hour, months after millions of people had their personal data hacked during the Optus and Medibank cyber-attacks, the Federal Government is setting up a new agency to tackle the problem. There will be a new senior official called a Coordinator For Cyber Security, who will lead a National Office for Cyber Security, and that’s within the Federal Government’s Department of Home Affairs, and along with a round table of business, security and tech leaders the Prime Minister is releasing a discussion paper about a new cyber security strategy.

The Home Affairs Minister is Clare O’Neil, she’s spoken with the ABC this morning, saying the Government’s taking an important step forward.

CLARE O’NEIL: We arrived in Government confronting a real mess with cyber security, so what we saw was different parts of Government and the private sector doing important things, but kind of all rowing in different directions, and what was clearly needed here was political leadership, and we’ve got that from the personal investment of the PM, and he today has decided to appoint a coordinator to ensure that there is spine and strategy for the work being done throughout Government, and also an office within my department that will support the coordination work.

SABRA LANE: So practically what will that person do, and when will this office be in place? 

CLARE O’NEIL: So two really important tasks for this person. The first will be, as I said, to try to provide some strategy and structure and spine to the work being done across Government. So it will mean things like making sure that the billions of dollars that we are investing in cyber security each year are being spent in a way that’s strategic and appropriate, that we’ve got different parts of Government communicating with each other and working together on helping with cyber security protections across the country.

Minister for Home Affairs releases rules and Strategy for critical infrastructure assets

February 21, 2023

Australia has had legislative prescriptions relating to security and reporting obligations in particular defined critical infrastructure industries for some time. The legislative structure is similar to that adopted in other jurisdictions such as the United States.  The legislation is quite detailed, almost a code.  There is a need for this form of regulation.  Critical infrastructure is invariably networked and vulnerable to attack.  That vulnerability is caused by the development of systems servicing infrastructure over a long period when cyber security was unsophisticated.  Mergers and changes of strategy over the years often lead to information systems cobbled together with many weaknesses.  Many organisations put little effort and money into upgrading cyber security until relatively recently.

It is important for privacy practitioners to be familiar with this legislation.

Today the Minister for Home Affairs, Clare O’Neil, released the Risk Management Program rules and the Critical Infrastructure Strategy.

The media release provides:

Australia’s critical infrastructure assets will be better protected following commencement of the Risk Management Program (RMP) obligation – a set of rules designed to strengthen the resilience of critical infrastructure and essential services vital to the security, prosperity and sovereignty of Australia.

Minister for Home Affairs and Minister for Cyber Security Clare O’Neil said critical infrastructure assets are vulnerable to natural disasters and attractive targets for foreign interference, cyber criminals and other malicious actors who seek to do Australia harm.

Federal Attorney-General’s Department completes its review of the Privacy Act and recommends 116 changes. On to the next step

February 17, 2023

It has taken almost 4 years for the Attorney-General’s Department to complete its review of the Privacy Act, but it has done it.  The report was published yesterday.  That review is on top of Australian Law Reform Commission reports in 2008 and 2014 dealing with identical issues.  It has not been a stellar moment for public policy reform.

The report can be found here. The Report is open for submissions until 31 March 2023.  The usual process is then for the Government to provide its response. At some point there will be a draft Bill, probably before the Parliament rises for the winter recess.  If the Government is intent on pushing the reforms through promptly, a Bill will be introduced in the Spring session and referred to committees.  It will then be debated and voted upon later in the year, with a view to being passed before the end of 2023 and taking effect in 2024. Given the Government is on a 3 year cycle and the next House of Representatives election must be held by 27 September 2025, it is unlikely that the process will be lengthy.

There are 116 recommendations.  Some of the most important are:

  • proposal 4 recommends the definition of personal information be amended to change the word “about” to “relates to”.  This change would allow the definition to capture a broader range of information.  The change would also bring the definition in line with other Commonwealth legislation that uses ‘relating to’ when regulating information on privacy (for example, the Competition and Consumer Act 2010 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth)) and bring the Privacy Act definition in line with the language used in the GDPR definition of ‘personal data’.  The Report also proposes that any inferred or generated information will be deemed to have been ‘collected’ within the meaning of the Privacy Act.  This will have important consequences for the AI industry.
  • proposal 12 recommends a requirement for entities to act fairly and reasonably when collecting, using and disclosing personal information, which will be an objective test. It will apply regardless of any consent.
  • proposal 11 amends the definition of consent to make it clear that consent must be voluntary, informed, current, specific and unambiguous.
  • proposal 26 recommends a direct right of action for those who have suffered loss or damage as a result of an interference with their privacy. The claim can be made individually or as a representative action in the Federal Court or the Federal Circuit Court. Individuals will have to make a complaint to the OAIC prior to commencing court action.
  • under proposals 4.5 to 4.8 there will be additional obligations to de-identify information. Those amendments would extend APP 11.1 and APP 8 to apply to de-identified datasets. The Report also recommends prohibiting APP entities from re-identifying de-identified information received from a third party and introducing a new criminal offence for “malicious” re-identification intended to harm or cause illegitimate benefit.
  • under proposal 28 there will be stricter time frames for Notifiable Data Breaches.  The Report recommends falling into line with the GDPR time frame of 72 hours from when the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach.  The Report also recommends requiring more detailed statements of what steps the entity has taken or intends to take in response to the breach.
  • proposal 7 adds obligations when handling employee records. Some businesses may give a sigh of relief that the employee records exemption is to be retained, but on a more nuanced basis, i.e. certain Privacy Act obligations will be extended to private sector employees.  In particular, obligations relating to transparency of collection and use of employee information, protection against unauthorised access or interference, and eligible data breach reporting. The Report flags that further consultation is required to determine how this should be implemented in legislation and hints that it could use either the architecture of the Fair Work Act or the Privacy Act.  The nature of Australia’s current employee records exemption is speculated to be a major barrier to achieving GDPR adequacy status, so it may surprise some to see that the exemption will be mostly retained.
  • under proposal 22 the concepts of processors and controllers will be introduced.  That is consistent with other jurisdictions.  Under this proposal, where processors are acting on the instructions of a controller, they will have fewer compliance obligations under the Privacy Act.  Processors would only be responsible for complying with APP 1, APP 11 and the notifiable data breach scheme.
  • proposal 13 will require entities to conduct Privacy Impact Assessments for any ‘high privacy risk activity’.  Such activities are those ‘likely to have a significant impact on the privacy of individuals’.
  • under proposal 19 there will be regulation of the use of personal information in automated decision making.  The Report proposes more transparency around personal information used in “substantially” automated decisions which have a legal or similarly significant effect on an individual’s rights.
  • proposal 20 recommends regulation of targeted advertising.  There will be prohibitions on the use of information related to an individual for targeted advertising and content to children, and prohibitions on using sensitive information for targeted advertising and content to any individual. Individuals will have a right to opt out of receiving targeted advertising and content, and any permitted targeting must be ‘fair and reasonable’ and come with transparency requirements about the use of algorithms and profiling to recommend content to individuals.
  • under proposals 16 and 17 there will be additional protections for children and vulnerable persons.  For children the additional protections include codification of existing OAIC guidance on consent and capacity, requiring entities to make collection notices and privacy policies ‘clear and understandable’, requiring entities to have regard to the best interests of the child in their consideration of the fair and reasonable test, and developing a Children’s Online Privacy Code applicable to services that children are likely to access.  For vulnerable people, where an activity may have a significant impact on vulnerable persons, this must be considered in the fair and reasonable test (and a Privacy Impact Assessment must be performed).
  • proposal 27 recommends a statutory tort of privacy for serious invasions of privacy that are intentional or reckless. The invasion of privacy need not cause actual damage and individuals may claim damages for emotional distress.  The Report suggests that the OAIC should be able to appear as amicus curiae and intervene in proceedings with leave of the court for both the direct right of action under the Privacy Act and the tort for invasion of privacy.
  • under proposal 18 there will be a limited right of erasure.  It also proposes a right of de-indexation which will allow individuals to require search engines to de-index online search results where the results are excessive in volume, inaccurate, out of date, incomplete, irrelevant or misleading. Search engines will also be required to de-index sensitive information and information about minors. There will be exceptions where there are competing public interests, where indexing is required or authorised by law, where de-indexing is technically infeasible, or where the request is an abuse of process.
  • proposal 25 recommends giving the OAIC greater enforcement powers and penalties. They include new civil penalties and new powers of investigation, public inquiry and determination.  The threshold for a “serious interference” will be eased, and may include interferences that involve “sensitive information” or other information of a sensitive nature, interferences adversely affecting large groups of individuals, or serious failures to take proper steps to protect personal information.


A fourth class action launched against Medibank arising from its data breach

February 9, 2023

One certainty with data breaches is that the breach is just the start of an organisation’s problems.  The breach brings on the costs of determining the extent of the damage, then dealing with the regulator if it becomes involved, notifying clients/customers, dealing with the media and shareholders and rectifying any damage caused by the breach.  That usually involves engaging technical experts, public relations people, lawyers and hours of in-house work.  Then comes the class action, if the breach is big enough.

The Medibank breach is large by any measure and huge by Australian standards.  That resulted in 3 class actions being commenced last year.  And as of 7 February 2023 a fourth class action was filed

Federal Trade Commission commences enforcement action against GoodRx for extraordinary privacy breaches involving sharing consumer sensitive health information for advertising purposes

February 8, 2023

The Federal Trade Commission (the “FTC”) has announced enforcement action against GoodRx for a range of significant breaches involving customers’ information.  This is the first time it is using its powers under the Health Breach Notification Rule.

This case highlights the temptation to monetise personal information to generate sales even where that means disclosing personal health-related information.  It also demonstrates that large operations can and often do ignore privacy and data security obligations when using data for financial gain. When the regulator takes action the flaws become very apparent and often make a bad situation much worse.

While the law differs in Australia, it is very useful to consider these actions because of the methodology the FTC deploys in framing its cases.  The technology is the same in Australia and the United States.  The issues are the same.

According to the FTC:

  • GoodRx Holdings, Inc, operating since 2011, is a “consumer-focused digital healthcare platform” based in Santa Monica, California.
  • GoodRx advertises, distributes, and sells:
    • health-related products and services directly to consumers, including purported prescription medication discount products branded as “GoodRx” and “GoodRx Gold.”
    • telehealth services, branded as “GoodRx Care,” and previously as “HeyDoctor by GoodRx,” and “HeyDoctor,” through its subsidiary HeyDoctor, LLC (“HeyDoctor”) [2].
  • since at least 2017, GoodRx promised its users that it would share their personal information, including their personal health information, with limited third parties and only for limited purposes; that it would restrict third parties’ use of such information; and that it would never share personal health information with advertisers or other third parties [3].
  • GoodRx offers a platform, available through its website (www.GoodRx.com) or mobile application (“Mobile App”), to search for and compare prescription medication pricing at nearby pharmacies, and to obtain prescription discount cards (the “GoodRx Coupon”). Since January 2017, 55.4 million consumers have visited or used GoodRx’s website or Mobile App [16].
  • GoodRx collects:
    • users’ personal and health information, and prompts users to provide their email address or phone number, to access electronic coupons and refill reminders [19].
    • personal and health information when users register for an account, which is required for GoodRx Gold, the product charging a monthly subscription fee [20].
    • personal and health information from pharmacy benefit managers (PBMs). When users purchase medication using GoodRx Coupons, the PBM processes the transaction and sends a claims record to GoodRx (“Medication Purchase Data”), containing name, date of birth, and information about the prescription filled [21].

On February 25, 2020, Consumer Reports published

Queensland University of Technology suffers data breach involving 11,405 people

February 7, 2023

Educational institutions are prime targets for cyber attacks by state actors and criminals.  I have previously written on cyber attacks on tertiary institutions at UWA, the University of Tasmania, Deakin University, and the ANU in 2019 and 2022.  There have been many other data breaches of educational institutions in the United States and Europe.  Tertiary institutions are prime targets because they store so much personal information and intellectual property. They are especially tempting targets because tertiary institutions have poor cyber security.  The reasons are many and varied: systems cobbled together when institutions merge, too many authorisations, a failure to remove authorisations, differing protocols in different departments, a failure to encrypt data, a failure to properly silo data and, most importantly, indifferent training and inadequate funding.  Even though the attacks are regular and their impact severe, educational institutions remain poorly prepared.

Having proper data security means dealing with technical issues but also with cultural problems. For too long businesses have not properly factored in the risks.  Boards and management don’t address the issues and don’t properly consider what the cybersecurity risks are and what needs to be done to protect themselves from them.  That includes promoting and developing a culture of cyber resilience.

In practical terms that includes:

  • doing an inventory of every computer system that exists across the organisation to determine whether it is being properly patched, whether user access is properly controlled and whether multi-factor authentication is in place.
  • reviewing the type of data being held, determining where it is stored, how it is being protected and who has access to it. That exercise will expose vulnerabilities.
  • making sure there are backups of data which are stored in a way that a data breach cannot affect that storage.
  • checking whether the organisation is complying with the NIST framework.  It is not officially the standard but is as good as it gets.  It also adopts useful strategies when dealing with soft defence, passive defence and active defence.
  • undertaking audits and penetration testing by outside organisations. There is no substitute for testing.
  • having a data breach response plan and holding exercises to determine that it works.  That means knowing who to contact when there is a data breach.
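The first three items of that checklist (patching and MFA on every system, who can reach which data, backups a breach cannot touch) can be turned into a repeatable check rather than a one-off exercise. The script below is an added example written for this post, not QUT's tooling or anything from the original statement: it runs an audit over a constructed inventory of hosts, admin accounts, datasets and backups, and reports the gaps the checklist is looking for. The host and account names, the sensitive field names, the audit date and the thresholds (30 days without patching, 90 days of idle admin access, more than 10 readers of sensitive data) are all assumptions.

```python
"""Constructed example: a minimal security-posture audit over an asset, access
and backup inventory. Every record below is invented for illustration; the
thresholds are assumed policy values, not QUT's or anyone else's."""
from datetime import date

AS_OF = date(2023, 2, 7)            # audit date (assumed)
MAX_PATCH_AGE_DAYS = 30             # policy thresholds (assumed)
MAX_IDLE_ADMIN_DAYS = 90
MAX_SENSITIVE_READERS = 10
SENSITIVE_FIELDS = {"tfn", "bank_account", "date_of_birth"}

# Constructed inventory: one record per host, with patch state and whether
# administrative logins require multi-factor authentication.
HOSTS = [
    {"name": "hr-db-01", "last_patched": date(2022, 11, 2), "mfa_admin": True},
    {"name": "payroll-web", "last_patched": date(2023, 1, 28), "mfa_admin": False},
    {"name": "legacy-fs", "last_patched": date(2021, 6, 15), "mfa_admin": False},
]

# Constructed authorisations: who holds admin rights where, and when they last used them.
ACCOUNTS = [
    {"user": "j.smith", "host": "hr-db-01", "role": "admin", "last_login": date(2023, 2, 1)},
    {"user": "contractor7", "host": "hr-db-01", "role": "admin", "last_login": date(2022, 4, 3)},
    {"user": "svc-backup", "host": "legacy-fs", "role": "admin", "last_login": date(2023, 2, 6)},
]

# Constructed data holdings: fields stored, encryption at rest, breadth of read access.
DATASETS = [
    {"name": "employee_master", "host": "hr-db-01", "fields": {"name", "tfn", "bank_account"},
     "encrypted_at_rest": False, "readers": 41},
    {"name": "course_enrolments", "host": "payroll-web", "fields": {"name", "student_id"},
     "encrypted_at_rest": True, "readers": 12},
]

# Constructed backups: a copy on the production host itself is not a safe backup.
BACKUPS = [
    {"dataset": "employee_master", "location": "hr-db-01:/backup", "offline_or_immutable": False},
    {"dataset": "course_enrolments", "location": "s3-vault", "offline_or_immutable": True},
]


def audit(hosts, accounts, datasets, backups, as_of=AS_OF):
    """Return (severity, subject, detail) findings, highest severity first."""
    findings = []
    for h in hosts:
        age = (as_of - h["last_patched"]).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(("HIGH", h["name"], f"unpatched for {age} days"))
        if not h["mfa_admin"]:
            findings.append(("HIGH", h["name"], "admin access without MFA"))
    for a in accounts:
        idle = (as_of - a["last_login"]).days
        if a["role"] == "admin" and idle > MAX_IDLE_ADMIN_DAYS:
            findings.append(("MEDIUM", f"{a['user']}@{a['host']}",
                             f"stale admin authorisation, idle {idle} days"))
    backup_by_dataset = {b["dataset"]: b for b in backups}
    for d in datasets:
        sensitive = d["fields"] & SENSITIVE_FIELDS
        if sensitive and not d["encrypted_at_rest"]:
            findings.append(("HIGH", d["name"],
                             f"sensitive fields {sorted(sensitive)} stored unencrypted"))
        if sensitive and d["readers"] > MAX_SENSITIVE_READERS:
            findings.append(("MEDIUM", d["name"],
                             f"{d['readers']} readers of sensitive data; review least privilege"))
        b = backup_by_dataset.get(d["name"])
        if b is None:
            findings.append(("HIGH", d["name"], "no backup"))
        elif not b["offline_or_immutable"] or b["location"].startswith(d["host"] + ":"):
            # A backup a compromised production host can reach is one a ransomware
            # operator can encrypt or delete along with the primary copy.
            findings.append(("HIGH", d["name"],
                             f"backup at {b['location']} is reachable from the production host"))
    rank = {"HIGH": 0, "MEDIUM": 1}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


if __name__ == "__main__":
    for severity, subject, detail in audit(HOSTS, ACCOUNTS, DATASETS, BACKUPS):
        print(f"{severity:6} {subject:28} {detail}")
```

Run stand-alone it prints eight findings for the constructed inventory: three hosts either unpatched or without MFA on admin access, one contractor admin account unused for ten months, and an unencrypted employee dataset with tax file numbers and bank details whose only backup sits on the same host. The point of the example is the shape of the check, not the data: the same loop over a real asset register, identity provider export and backup catalogue gives a board a concrete list instead of a reassurance.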

The Queensland University of Technology is the latest institution to suffer a data breach.  It announced yesterday that the data breach affected 2,492 current employees, 17 current students, 8,846 former employees and 50 former students.  The data relating to individuals included tax file numbers and bank account details.  In January it had issued a vaguer report of the data breach, which it identified as a ransomware attack.

The statement provides:

QUT has identified that some data was stolen in a cybercrime attack on December 22, 2022.

Firstly, QUT is disappointed and sorry that this cybercrime has potentially impacted on our staff and former staff. It is important to note the security of our HR, student or financial systems was not compromised or accessed by the cyber criminals. We also have no evidence to date of any further illegal activity in relation to the data that may have been accessed by the cyber criminals.

Australian Medical Association calls for better protection of health information.

February 6, 2023

Perhaps there may be a significant improvement in privacy and data protection this year.  On Friday the Australian Medical Association called for major reform to protect patient data.  Its position paper supports applying the standards and controls of the GDPR for privacy protection and data handling.  Much of what the AMA says is quite consistent with the standards advocated by privacy practitioners and the standards that are becoming more common across the first world.  But it is significant because the AMA is quite conservative and the health industry has traditionally had a very poor privacy culture.  That has made the health industry a prime target for hackers.

The media release provides:

In a new position statement, the AMA says the use of data must be for the public good and not present harm to individuals, the healthcare providers or the healthcare system.

AMA President Professor Stephen Robson said appropriate use of health data can enhance the provision of care for patients, improve health outcomes, increase equitable and individualised care, while minimising duplication and gaps in care.

“Effective data governance will ensure the appropriate collection and use of data and protect patient data,” Professor Robson said.