Peter A Clarke

Mandatory data breach notification rules are becoming standard in most first world jurisdictions. Over time the obligations upon affected entities have tightened. That is good policy given the way that hackers operate. The US Federal Communications Commission (“FCC”) has updated Data Breach Notification Rules. These updated rules obviously do not apply in Australia.  That said they are very useful to consider because they are so much more detailed and analytical than the Australian equivalents.  It is a very useful resource when considering how to deal with data breaches and how to properly structure a notification.

The media release relevantly provides:

It has been sixteen years since the Federal Communications Commission last updated its policies to protect consumers from data breaches.  Sixteen years!  To be clear, that was before the iPhone was introduced.  There were no smart phones, there was no app store, there were no blue and green bubbles for text.  It was a long time ago.  In the intervening years a lot has changed about when, where, and how we use our phones, and what data our providers collect about us when we do.  But not the FCC’s data breach rules; they remain stuck in the analog age. 

Today we fix this problem.  We update our policies to protect consumers from digital age data breaches.  We make clear that under the Communications Act carriers have a duty to protect the privacy and security of consumer data. 

First, we modernize our data breach rules to make clear they include all personally identifiable information.  In the past, these rules have only prohibited the disclosure of information about who we call and when.  But consumers also deserve to know if their carrier has disclosed their social security number or financial data or other sensitive information that could put them in harm’s way.  We fix that today—and it is overdue.  Read the rest of this entry »

The Victorian Legal Services Board and Commissioner has set out the minimum cybersecurity expectations of practitioners. For those practising privacy law the expectations are well known and, if anything, a very bare minimum.  They are a good start.  Firms should use this standard as a base upon which they should implement further privacy and cyber security controls which suit the operations of the firm.  That means giving thought to what data is gathered, used and stored and the best way of protecting that data. 

The Commissioner’s expectations provide:

To help law practices protect their clients’ data and meet their legal and ethical obligations, the following tables set out minimum cybersecurity expectations. They also list examples of unacceptable cybersecurity practices that we consider capable of amounting to unsatisfactory professional conduct (UPC) or professional misconduct (PM).

Law practice principals should use the tables below as a guide to the basic system and behavioural controls you need to implement. This includes the critical system controls without which your practice is most vulnerable. If there are any critical controls that you are yet to implement, these should be your highest priority.

System controls and behavioural controls are two types of cybersecurity measures to protect information systems and data: Read the rest of this entry »

Legal practitioners hold enormous amounts of personal and other sensitive information. They are key targets of hackers. Just ask HWL Ebsworth. It is now the subject of an Information Commissioner investigation.

The Victorian Legal Services Board and Commissioner has set out the minimum cybersecurity expectations of practitioners. For those practising privacy law the expectations are well known and, if anything, a very bare minimum.  They are a good start.  Firms should use this standard as a base upon which they should implement further privacy and cyber security controls which suit the operations of the firm.  That means giving thought to what data is gathered, used and stored and the best way of protecting that data. 

The Commissioner’s expectations provide:

To help law practices protect their clients’ data and meet their legal and ethical obligations, the following tables set out minimum cybersecurity expectations. They also list examples of unacceptable cybersecurity practices that we consider capable of amounting to unsatisfactory professional conduct (UPC) or professional misconduct (PM).

Law practice principals should use the tables below as a guide to the basic system and behavioural controls you need to implement. This includes the critical system controls without which your practice is most vulnerable. If there are any critical controls that you are yet to implement, these should be your highest priority.

System controls and behavioural controls are two types of cybersecurity measures to protect information systems and data: Read the rest of this entry »

On March 20, 2024, the Australian Signals Directorate (ASD) announced that it had partnered with Microsoft to develop a Cyber Threat Intelligence Sharing (CTIS) plug-in for the Microsoft Sentinel platform. The CTIS is a two-way sharing platform enabling government and industry partners to receive and share information about malicious cyber activity.

Businesses using Sentinel can join and contribute to this CTIS platform as long as they become an ASD Cyber Security Network Partner.

Microsoft is no stranger to data breaches. Hackers breached its Exchange Online accounts in November 2023. In 2022 a misconfigured Microsoft server exposed some of its customers’ sensitive information. There have been other data breaches which is not surprising given Microsoft is a ubiquitous system used by many businesses in first world countries and there have been many vulnerabilities in its systems over the years. Similarly governments haven’t been Read the rest of this entry »

The Times reports that investigation into a data breach, involving the Princess of Wales’ medical records at the London Clinic has zoned in on 3 staff. And the Information Commission has received a breach report and is investigating as well. The story has been picked up by the Australian with Three hospital staff ‘tried to access Princess of Wales’s records’. Initially one person was suspected of creating a data breach.  That has expanded to three.  That is not unusual.  In cases where people seek out salacious information or photographs the desire to share seems to be difficult to resist.  That occurred when photos of Dani Laidley were inapopriately taken in a police station and then sent to other police officers.  

Data breaches involving snooping into medical records are a chronic problem in hospitals.  But they can be minimised if there are proper systems in place.  And top of the list is requiring anyone to access records to have authorisation and sign in before they can view records.  That creates a trail and may allow the system to alert IT when someone without authorisation has accessed those records or is trying to.  It is not foolproof as those determined can use other’s authorisation but even then there are ways of dealing with that.  It is no less a problem in my experience in Australia than in the UK.  Given the regulation is Read the rest of this entry »

Hospital staff checking out records of the rich and famous is a depressingly common occurrence. It is a serious data breach. I have been posting on, only some, of these instances such as Data breach at the Alfred by curious pharmacist is just another in a long line of data breaches in the health sector last year and Privacy concerns regarding data breaches in the health system, hospitals in particular in 2014. There are many others such as Perth Hospital staff snooped on 40 patients’ records in 2018. There are challenges in the hospital system keeping records secure and away from prying eyes. There is usually a large number of staff with significant churn.  Properly training new staff and providing refresher training requires good administration.  Health professionals are Read the rest of this entry »

Police breaching privacy is almost a cliche. The Victorian Police had a sub specialty for years in misusing the LEAP database.  In the UK the Information Commissioner’s Office (ICO) has issued reprimands to Dover Harbour Board and Kent Police for breaches of privacy.  Those breaches related to the use of the social media app, WhatsApp, and instant-messaging service, Telegram, on personal phones to share information. The personal information was being shared in the group without appropriate safeguards in place.

This is a widespread problem.  Encrypted social media messaging havw been used by politicians and officials doing government business to do communicate, and do business, away from official means of communications.  The problem with  social media messaging apps on personal devices is that it avoids the necessary oversight supervisors and managers should have.   For example while Prime Minister Malcolm Turnbull used Wickr adn Confide outside of the federal parliament’s system when communicating with colleagues and journalists. He claimed not to have used the systems to send classified government information. But, as Mandy Rice Davies said after hearing Lord Astor had denied having sex with her “He would, wouldn’t he.” 

Regarding Dover Board the reprimand relates to the use of  WhatsApp and then Telegram.  The reprimand relevantly Read the rest of this entry »

Kids Empire has suffered a data breach involving the public exposure of 2,363,222 documents in.PDF and.PNG formats with a total size of 92.3 GB. These included reservations, injury waivers, receipts with partial credit card numbers and transaction details, digital gift cards with no expiration date, source images for websites and templates. The database remained publicly accessible for at least three weeks before it was finally restricted. The data exposure is a privacy breach because it revealed personally identifiable information including names, physical and email addresses, phone numbers, and details about the reservations.

In March Australian companies have had two significant data breaches; GaP Solutions has been hit by a LockBit ransomware attack and the Black Basta gang has posted Australian passports and driver’s licences on dark web which it says it obtained from australiantextiles.com.au, ausweave.com.au, bartgroup.com.au, bruck.com.au, opt.net.au, wilsonfabrics.com, knoxbridge.com.au, novaemployment.com.au, primrose.co.uk, xenit.com.au, advancedcs.com.au, therose.pub, localbar.com.au.

The article about GaP Solutions Read the rest of this entry »

Kids Empire has suffered a data breach involving the public exposure of 2,363,222 documents in.PDF and.PNG formats with a total size of 92.3 GB. These included reservations, injury waivers, receipts with partial credit card numbers and transaction details, digital gift cards with no expiration date, source images for websites and templates. The database remained publicly accessible for at least three weeks before it was finally restricted. The data exposure is a privacy breach because it revealed personally identifiable information including names, physical and email addresses, phone numbers, and details about the reservations.

In March Australian companies have had two significant data breaches; GaP Solutions has been hit by a LockBit ransomware attack and the Black Basta gang has posted Australian passports and driver’s licences on dark web which it says it obtained from australiantextiles.com.au, ausweave.com.au, bartgroup.com.au, bruck.com.au, opt.net.au, wilsonfabrics.com, knoxbridge.com.au, novaemployment.com.au, primrose.co.uk, xenit.com.au, advancedcs.com.au, therose.pub, localbar.com.au.

The article about GaP Solutions Read the rest of this entry »

Kids Empire has suffered a data breach involving the public exposure of 2,363,222 documents in.PDF and.PNG formats with a total size of 92.3 GB. These included reservations, injury waivers, receipts with partial credit card numbers and transaction details, digital gift cards with no expiration date, source images for websites and templates. The database remained publicly accessible for at least three weeks before it was finally restricted. The data exposure is a privacy breach because it revealed personally identifiable information including names, physical and email addresses, phone numbers, and details about the reservations.

In March Australian companies have had two significant data breaches; GaP Solutions has been hit by a LockBit ransomware attack and the Black Basta gang has posted Australian passports and driver’s licences on dark web which it says it obtained from australiantextiles.com.au, ausweave.com.au, bartgroup.com.au, bruck.com.au, opt.net.au, wilsonfabrics.com, knoxbridge.com.au, novaemployment.com.au, primrose.co.uk, xenit.com.au, advancedcs.com.au, therose.pub, localbar.com.au.

The article about GaP Solutions Read the rest of this entry »

On 13 March 2024 the , the European Parliament voted to adopt the Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (the AI Act). This is a continuum of AI regulation. On 2 February 2024 the AI Act was signed by by the Committee of Permanent Representatives (Coreper). That was followed on 13 February 2, 2024 this was endorsed by the Internal Market (IMCO) and Civil Liberties, Justice, and Home Affairs (LIBE) Committees.

The press release, set out below, describes the operation of the AI Act, which has been foreshadowed for some time. 

The AI Act will fully come into operation 24 months after entry into force, except for:

• bans on prohibited practices, which will apply six months after the entry into force;
• codes of practice, which will apply nine months after the entry into force;
• general-purpose AI rules including governance which will apply 12 months after the entry into force; and
• obligations for high-risk systems which will apply 36 months after the entry into force.

Read the rest of this entry »

The Medibank breach was a seminal moment in Australian privacy and data security history. Together with the Optus breach it affected almost half the country’s population. It also highlighted the lax state of cyber security of large companies; minimal data security overall, a focus on perimeter defences over in depth defences, dreadful storage and security of data policies and retaining data long after they are required. But it is the knock on effect of . Itnews reports in Australian police link “over 11,000 cybercrime incidents” to Medibank breach . The knock on effect.  It is that consequential damage that regulators need to be constantly aware of when deciding how to enforce the legislation. Unfortunately in Australia a light touch enforcement has meant that the culture about data security at the board room level is still woefully lax, despite protestations to the contrary.  As a result data breaches are quite regular and escalating in frequency.

The article Read the rest of this entry »

The Government forshadowed that it would legislate against doxxing, Then there was quiet. Yesterday the Attorney General announced a consultation about proposed legislation against doxxing and released a consultation paper. The consultation paper is quite brief.

The consultation paper does not include an exposure draft because it proposes to incorporate the reforms into the mooted reform of the Privacy Act.  That reform would be included within the proposed amendments to the Privacy Act.  That is a sensible approach.

The announcement provides:

Today we are commencing public consultations on measures to address the practice of doxxing.

The Albanese Government takes the protection of Australians’ privacy and personal information very seriously.

The increasing use of online platforms to harm people through practices like doxxing, the malicious release of their personal information without their permission, is a deeply disturbing development.

Action to combat doxxing would complement other critical reforms being progressed by the Government to strengthen the Privacy Act, as well as laws against hate speech and to further protect online safety.

Australians should have trust and confidence that their personal information is kept safe and secure in the digital age.

The targeted and malicious release of personal information without permission is unacceptable and cannot be tolerated.

This consultation process will be complemented by a roundtable discussion with key stakeholders including individuals with lived experience and media organisations to advise on doxxing and privacy reforms, and how to appropriately balance competing rights.

The Government is separately progressing reform options to strengthen laws against hate speech.

The consultation paper provides:

Overview

We are consulting with members of the public to seek your views on how to most appropriately address doxxing through civil remedies.

Definition of doxxing

‘Doxxing’ is the intentional online exposure of an individual’s identity, private information or personal details without their consent.

Doxxing can refer to a number of different practices, including:

• • De-anonymising doxxing – revealing the identity of someone who was previously anonymous (for example, someone who uses a pseudonym).
  • Targeting doxxing – revealing specific information about someone that allows them to be contacted or located, or their online security to be breached (for example, their phone number or home address, or their account username and password).
  • De-legitimising doxxing – revealing sensitive or intimate information about someone that can damage their credibility or reputation (for example, their private medical, legal, or financial records, or personal messages and photos usually kept out of public view).

Harms of doxxing

The Australian Government understands doxxing can leave targets vulnerable to, and fearful of:

• • public embarrassment, humiliation or shaming
  • discrimination, if personal characteristics are disclosed
  • cyberstalking and physical stalking  
  • identity theft and financial fraud
  • damage to their personal and professional reputation, leading to social and financial disadvantage such as loss of employment
  • increased anxiety 
  • reduced confidence and self-esteem.

Read the rest of this entry »