Peter A Clarke

The National Institute of Science and Technology (“NIST”) has released its initial draft of Cybersecurity of Genomic Data.

The media release provides:

Genomic data has enabled the rapid growth of the U.S. bioeconomy and is valuable to the individual, industry, and government due to intrinsic properties that, in combination, make it different from other types of high-value data which possess only a subset of these properties. The characteristics of genomic data compared to other high value datasets raises some correspondingly unique cybersecurity and privacy challenges that are inadequately addressed with current policies, guidance, and technical controls.

This report describes current practices in risk management, cybersecurity, and privacy management for protecting genomic data, as well as the associated challenges and concerns. It identifies gaps in protection practices across the genomic data lifecycle and proposes solutions to address real-life use cases occurring at various stages of the genomic data lifecycle. This report also is intended to provide areas for regulatory/policy enactment or further research.

Genomic data has multiple intrinsic properties that in combination make it different from other types of high value data which possess only a subset of these properties. The characteristics of genomic data compared to other high value datasets raises unique cybersecurity and privacy challenges.

The NIST  report proposes a set of solution ideas that address real-life use cases occurring at various stages of the genomic data lifecycle along with candidate mitigation strategies and the expected  benefits of the solutions. Additionally, areas needing regulatory/policy enactment or further research are highlighted.

Cyber attacks targeted at genomic data include attacks against:

• the confidentiality of the data,
• data  integrity and its availability.
• the confidentiality of the data can threaten the economy through theft of the intellectual property owned by the  biotechnology industry,
• the integrity of the data can disrupt:
  • biopharmaceutical output,
  • agricultural food production,
  • bio-manufacturing activity.
• the availability of the data include:
  • encrypting for ransom,
  • deletion of data, and
  • disabling critical automated equipment used in:
    • research,
    • development,
    • and manufacturing.
• the potential harms of cyber attacks on genomic data threaten national security including enabling the development of biological weapons and the surveillance, oppression, and extortion of our citizens, military, and intelligence personnel based on their genomic data.
• genomic data can also harm individuals by enabling blackmail, discrimination based on disease risk, and privacy loss from the revealing of hidden consanguinity or phenotypes including health, emotional stability, mental capacity, appearance, and physical abilities.

Read the rest of this entry »

The Australian Information Commissioner chose a tough nut to crack when it chose to use for the first time its civil penalty powers against Facebook arising out of the use of personal information by Cambridge Analytica.  The Information Commissioner was late in bringing enforcement action against Facebook, The Facebook disclosed personal information to Cambridge Analystica between March 2014 and May 2015.  The Commissioner opened an investigation in April 2018 and commenced proceedings on 9 March 2020.  By then the FTC, on 24 July 2019 imposed a $ 5 billion penalty on Facebook while the UK Information Commissioner imposed a £500,00 fine on Faceook on 30 October 2019. 

On 9 April 2020 the Information Commissioner sought under rule and rule 10.43(2) leave to serve documents on Facebook, Inc. and Facebook Ireland in accordance with art 5 of Hague  Convention by substituted service. On 22 April 2020 His Honour Justice Thawley  made orders  that the Commissioner be granted leave to serve the documents in the United States of America. On 6 May 2020 Facebook Inc by interlocutory application sought to set aside those orders. Thawley J dismissed the application on 14 September 2020 and Facebook appealed that decision on 28 September 2020 to the Full Court of the Federal Court. 

The Full Court dismissed the appeal on 7 February 2022. On 16 September 2022 the High Court granted Facebook leave to appeal. It has been a long road, almost 3 years since commencing proceeding. And the case has barely begun.

The issue before the High Court is whether under Rule 10.43 of Federal Court Rules 2011 whether the Information Commissioner was successful in establishing prima facie case on application to serve appellant out of jurisdiction and whether Facebook “carr[ied] on business in Australia” within meaning of 5B(3)(b) of Privacy Act and whether it “collected… personal information in Australia” within meaning of s 5B(3)(c) of Privacy Act.

The Appellants and First Respondent filed detailed and densely argued submissions which will not be recited at length here.  It is however worth noting a number of points raised.

Facebook submits that:

• the issues are:

(a) Can a foreign corporation “carry on business” in Australia (within the meaning of s 5B(3)(b) of the Privacy Act 1988 (Cth) (the Act)) if it has no commercial activities or other recognised indicia of carrying on business in this country? Appellant contents that hte answer is“no”.
(b) Does the requirement of a “prima facie case” in r 10.43(4)(c) of the Federal Court Rules 2011 (Cth) (Rules) require evidence that could itself Read the rest of this entry »

Today the Information Commissioner released the latest Notifiable Data Breach report.

It makes for grim reading. The key findings are:

• 497 breaches were notified compared with 393 in January to June 2022 – a 26% increase.
• There was a 41% increase in data breaches resulting from malicious or criminal attacks. Malicious or criminal attacks accounted for 350 notifications – 70% of all notifications.
• Human error was the cause of 123 notifications (25% of all notifications), down 5% in number from 129.
• Health reported the most breaches (71), followed by finance (68). That the health sector provides the greatest number of breaches is no surprise.
• Contact information remains the most common type of personal information involved in breaches.
• The majority (88%) of breaches affected 5,000 individuals or fewer.
• 71% of entities notified the OAIC within 30 days of becoming aware of an incident. This is quite an indictment on compliance. Almost 30% of entities did not notify the OAIC within the statutory maximum of 30 days. That bespeaks poor culture.

The Commissioner’s media release provides:

Several large-scale data breaches impacted millions of Australians’ personal information in the second half of 2022, as part of a 26% increase in breaches overall, according to the latest Notifiable data breaches report released today.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said cyber security incidents in particular can have significant impacts on individuals, and organisations need to be alert to the risks.

“We saw a significant increase in data breaches that impacted a larger number of Australians in the second half of 2022,” she said.

“Cyber security incidents continue to have a significant impact on the community and were the cause of the majority of large-scale breaches.”

Thirty-three of the 40 breaches that affected over 5,000 Australians were the result of cyber security incidents.

“Organisations should take appropriate and proactive steps to protect against and respond to a range of cyber threats,” Commissioner Falk said.

“This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed.”

Commissioner Falk said organisations need to be vigilant as large-scale compromises of personal information may lead to further attacks.

“As personal information becomes increasingly available to malicious actors through breaches, the likelihood of other attacks, such as targeted social engineering, impersonation fraud and scams, can increase.

“Organisations need to be on the front foot and have robust controls, such as fraud detection processes, in place to minimise the risk of further harm to individuals,” she said.

The Office of the Australian Information Commissioner has clear expectations of best practice with regard to data breach preparation and response, to ensure individuals are protected from harm.

“In response to a breach, organisations need to provide information to individuals that is timely and accurate.

“As well as setting out the kinds of information breached, the notification must include recommendations about clear steps people should take in response,” said Commissioner Falk.

The reporting period also saw the enactment of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. Among other things, the Act:

• • provides the Commissioner with new and greater powers to share information with other authorities about data breaches
  • provides the Commissioner with a new power to obtain information and documents relevant to an actual or suspected eligible data breach
  • enables the Commissioner to conduct an assessment of the ability of an entity to comply with the Notifiable Data Breaches scheme, including the extent to which the entity has processes and procedures in place to assess suspected eligible data breaches, and provide notice to the Commissioner and individuals at risk from such breaches
  • significantly increases penalties for serious or repeated privacy breaches, which includes non-compliance with the Notifiable Data Breaches scheme.

“While we will continue to work with organisations to facilitate voluntary compliance, we will use these regulatory powers where required to ensure compliance with the Notifiable Data Breaches scheme,” said Commissioner Falk.

“We also welcome the further proposals to strengthen the Notifiable Data Breaches scheme in the Attorney-General’s Department’s Privacy Act review report.”

The Report provides:

Notifications received July to December 2022 – All sectors

The OAIC received 497 notifications this reporting period – a 26% increase compared with January to June 2022. Read the rest of this entry »

The BBC in YouTube accused of collecting UK children’s data reports that YouTube has been accused of collecting the data of children aged under 13. This while the UK Information Office has developed a Children’s Code for on line services used by children.

The BBC article provides:

Read the rest of this entry »

For more than a decade I have been writing about the propensity for health data to be the subject of data breaches.  It has been a long standing problem which predates the digital age.  Health services and their practitioners have been notoriously prone to data breaches.

The Australian in Health data ‘most vulnerable’ to hack attack rehashes the obvious in breathless terms.  As if it is major discovery.  It is not.  Data Breach in Healthcare Most Hit by Ransomware Last Year, FBI Finds reports the FBI listed health care facilities as being the most attacked of critical infrastructure.

Health organisations have many and Read the rest of this entry »