Will forcing companies to delete data reduce cybercrime….

July 18, 2025

The desire, if not obsession, of government agencies, private organisations and companies to collect and store information has been a problem for as long as there has been the capacity to make records. It has been regularly satirised (eg in the film Brazil). It is no joke. Digitisation and the ability to store vast amounts of data economically have meant that governments, organisations and companies can collect far more personal information than was thought possible in the analog era. More importantly, advanced computing, especially the use of algorithms, has made that data particularly valuable. As a result many government bodies and companies hold an enormous amount of personal information. In cyber security language that is sometimes described as the honey pot.

The question often posed is how to reduce this honey pot and thereby minimise the exposure of individuals to losing their personal information. One of the solutions raised is to require agencies and companies to remove data. That is the product of wrong analysis. It implies that the regulation is lacking. That is not correct. The laws are adequate. It is the regulation and enforcement of those laws, especially the Privacy Act 1988, that has been inadequate over a very long time. As a result there is complacency in the market place.

Under the Privacy Act 1988 an entity should only collect personal information that is reasonably necessary for its functions or activities (APP 3). It should only retain that personal information for as long as it is needed for the purpose for which it was collected (APP 11.2). That companies, especially, collect as much information as possible on the most tenuous bases is a matter of their desire, not compliance with the law. The problem is that they have not been called on it. There have not been enough cases in the Federal Court in which those breaches have been prosecuted. None of this is to say that the Privacy Act 1988 does not need further reform. It does.

But the issue of data hoarding can be dealt with by a determined, effective and properly resourced regulator.

The ABC has published an interesting essay, Experts say forcing companies to delete data would remove cybercrime ‘honey pot’.

It provides, with my notations:

Giving Australians the right to force the removal of their personal details from company databases would help combat the growing impact of mass data theft, experts say.

Theoretically yes. But how much difference such a right would make is questionable. Already, under Australian Privacy Principle 12, an individual may request access to personal information held by an entity. APP 12.1 states:

If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.

There are exceptions to Read the rest of this entry »

Trumpet of Patriots and United Australia Party hit by ransomware cyber attack.

The cyber attack on Trumpet of Patriots and the United Australia Party highlights two issues with privacy. The first is that political parties harvest huge amounts of personal information. Some of it relates to membership. Some is obtained through enquiries, surveys and data provided from other political sources, such as parliamentarians. Political parties operate on data. It is a critical part of messaging and lobbying. The second is that this cyber attack highlights a flaw in the Privacy Act 1988. Registered political parties are excluded from the definition of “organisation” under section 6C, and section 7C exempts the political acts and practices of their representatives, contractors and volunteers, so the Privacy Act 1988 does not apply to them. The Privacy Commissioner has no power to investigate the breach. The question then is whether either or both of the United Australia Party and Trumpet of Patriots are “registered political parties.” According to the Australian Electoral Commission, Trumpet of Patriots is a registered political party. The United Australia Party is not. It has been deregistered and, despite its best efforts in Babet v Commonwealth of Australia; Palmer v Commonwealth of Australia [2025] HCA 21, could not be re-registered. Interestingly, Trumpet of Patriots notified the Privacy Commissioner of the data breach.

That does not mean Trumpet of Patriots is immune from suit even if it is exempt under the Privacy Act.

The story is covered in Read the rest of this entry »

Meta settles 8 billion dollar lawsuit regarding privacy breaches

The Cambridge Analytica scandal has a very long tail. Shareholders of Meta brought an action against Mark Zuckerberg and other Facebook directors over privacy violations. It is reported in the Times with Mark Zuckerberg settles $8bn lawsuit over Facebook privacy claims and the BBC with Meta investors settle $8bn lawsuit with Zuckerberg over Facebook privacy. The core of the case was a claim against the Facebook directors for failures which resulted in the fines and legal costs associated with the Cambridge Analytica scandal. The problem for the defendants was that Facebook had entered into a consent agreement with the US Federal Trade Commission in 2012 regarding compliance with privacy obligations. The other difficulty for the defendants was the scale of the data harvesting and the deceptive practices used to do it.

The timing of the settlement is ironic given Read the rest of this entry »

A representative complaint under the Privacy Act 1988 made against Qantas

The Australian reports in Maurice Blackburn launches compensation case against Qantas over cyber attack that a claim against Qantas is in the offing. It is a representative complaint under the Privacy Act 1988. It is also reported in Compensation sought for millions of Qantas customers hit in major cyber data breach. Representative complaints may be commenced under Division 1 of Part V of the Privacy Act. Under section 36 an individual may complain to the Commissioner about an act or practice that is an interference with the privacy of that individual. Under section 38 a representative complaint can be made on behalf of a class if all the members have complaints against the same entity and the complaints arise out of the same, similar or related circumstances, in this case the same data breach.

There should be no surprise in Read the rest of this entry »

Bunnings CEO now wants the Government to pass laws to make facial recognition legal after Bunnings was found to have breached the Privacy Act when using facial recognition

July 17, 2025

In November last year Bunnings was found to have breached the Privacy Act 1988 by using facial recognition technology without consent and by failing to take reasonable steps to notify individuals that their personal information was being collected. There was no meek apology from Bunnings. It came out saying it had every right to use facial recognition and that it was the most effective way to combat rising crime. It has appealed. Now the Managing Director of Bunnings has come out in an AFR article complaining about the privacy law and wanting new laws to allow facial recognition in stores. That is very curious. To call for a change to the law while appealing a decision under the extant law is not illegal. But it is quite arrogant. Changing the law to allow for such a carve out would significantly damage the operation of the Privacy Act.

Meanwhile, in CBA using facial recognition logins to verify disputed payment, the CBA is showing itself to be an enthusiastic user of facial recognition.

The AFR article Read the rest of this entry »

Qantas obtains interim injunction arising out of the data breach which affected 5.7 million customers

It is becoming common practice for companies affected by significant data breaches to seek injunctive relief. The Australian reports in Qantas goes to court over cyber attack in attempt to stop stolen data being released or used that Qantas has obtained an interim injunction in the New South Wales Supreme Court. A copy of the orders has not been released but the injunction is reported as intending “..to prevent the data being accessed, viewed, released, used, transmitted or published by anyone including by any third parties.” There is no identified respondent to the application. It is also covered by 9 News and Reuters. The process may well follow the approach taken by the court in the HWL Ebsworth application for injunctive relief.

Interestingly, the National Office of Cyber Security prepared a report on the HWL Ebsworth Cyber Security Incident titled “Lessons Learned Review”. Under the heading “What was interesting” the report says the following about the injunction HWL Ebsworth obtained from the Supreme Court of New South Wales:

The granting of an injunction from the Supreme Court of New South Wales to HWL Ebsworth was a key point of interest during the management of the incident. The injunction was sought by HWL Ebsworth to restrain further access to or publication of information exposed during the incident, in an attempt to protect client data, and minimise ‘online rubbernecking’. Overwhelmingly, government entities viewed this enabled better support to impacted clients (including individuals) through minimising the likelihood that other actors may access and act on the published data, and was overall viewed as a sensible step in the firm’s response.

HWL Ebsworth’s intention when seeking the injunction was never to stop its clients from accessing their own data, as several clients were granted exemptions to ensure access for this purpose could continue. However, the injunction also prevented accidental unauthorised access which would have been inevitable in the circumstances where clients of the firm were seeking their own information but would, in the process, further compromise the privacy of other matters unintentionally.

There is quite a bit of supposition in that assessment. It is not possible to know whether the injunction performed that role. There have been no reported contempt of court proceedings for breaching the injunction. It would also be quite difficult to determine how much ‘online rubbernecking’ there was to start with and whether it was reduced. How to monitor online rubbernecking is another issue. If the data is hosted on a particular dark web site, removing the data (highly improbable) would be a better solution than working out who viewed it (even more difficult). That said, injunctive relief is now part of the response in large scale data breaches.

It is clear from the assessment that the orders were almost certainly more involved and complicated than a blanket prohibition. There is reference to exemptions. That is an important issue when seeking such orders. It is important to avoid putting victims who discover their personal information in the leaked data, and view it, in a position where they may be in contempt of court. That is clearly not an intended consequence.

The Australian story Read the rest of this entry »

UK Government data breach led to risk of death to 100,000 Afghans and an extraordinary Government response (or cover up) potentially costing 7 billion pounds

July 16, 2025

That data breaches cause damage is trite. The damage may be economic or psychological. It can also be life threatening, as the Times story Revealed: Leak that risked lives of 100,000 Afghans — and £7bn cover-up makes clear. As does the BBC report Thousands of Afghans were moved to UK in secret scheme after data breach. A data breach by a British official at the Ministry of Defence in February 2022 resulted in the personal details of 19,000 people who had applied to move to the UK after the Taliban took over being leaked. That prompted a resettlement scheme which has resulted in 4,500 Afghans moving to the UK so far. So far, so bad.

What is very interesting to legal practitioners is that the Government sought and obtained a super injunction, which involved a gag order relating to the data breach and its contents. It was the first time the Government had sought a super injunction and it was the longest ever granted. That was lifted yesterday in Ministry of Defence v Global Media and Entertainment Ltd & ors [2025] EWHC 1806.

In reviewing and ultimately lifting the gag order the court made the following points regarding the grant and Read the rest of this entry »

64 million McDonald’s chatbot job applications exposed because the login was “123456” and the password was “123456”

July 14, 2025

Implementing proper password protection is one of the foundation blocks of proper cyber security. It has been since the internet was established. But it remains a real problem for many organisations. Bleeping Computer, with ‘123456’ password exposed chats for 64 million McDonald’s job chatbot applications, reports on a spectacular fail in which both the login and the password were 123456.

The Bleeping Computer article Read the rest of this entry »
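The credential at the centre of that story fails every basic check an application should make before accepting an account: it is on every common-password list, it is the same string as the username, and it is a trivial digit sequence. The script below, added here as an illustration and not taken from the Bleeping Computer article or from any vendor's code, applies those checks to a small constructed set of accounts and also shows the offline half of a breached-password lookup of the kind NIST SP 800-63B recommends: the password is hashed with SHA-1, the first five hex characters would be sent to a range-lookup service, and the returned list of suffixes is matched locally so the full hash never leaves the host. The denylist, the account list and the sample range response are all constructed for the example.

```python
"""Added example: auditing accounts for default and trivially guessable
credentials. Illustrative code written for this page; the denylist,
accounts and range response below are constructed, not real data."""
import hashlib
import hmac

# Constructed, deliberately tiny denylist; a real one is the full
# breached-password corpus, or at least the common top-N lists.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty", "admin", "letmein",
}

MIN_LENGTH = 12


def _is_sequence_or_repeat(s: str) -> bool:
    """True for runs like 123456, 654321, abcdef or aaaaaa."""
    if len(s) < 4:
        return False
    steps = [ord(b) - ord(a) for a, b in zip(s, s[1:])]
    return all(d == 1 for d in steps) or all(d == -1 for d in steps) or all(d == 0 for d in steps)


def check_password(username: str, password: str) -> list[str]:
    """Return the list of policy failures for a credential (empty means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password denylist")
    # constant-time compare is habit for anything touching secrets
    if username and hmac.compare_digest(username.lower().encode(), password.lower().encode()):
        problems.append("identical to username")
    if _is_sequence_or_repeat(password):
        problems.append("sequential or repeated characters")
    return problems


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each failing username to its policy failures; clean accounts are omitted."""
    findings = {}
    for user, pw in accounts.items():
        problems = check_password(user, pw)
        if problems:
            findings[user] = problems
    return findings


def hash_range_parts(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that a
    k-anonymity range lookup transmits and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Match the local suffix against a 'SUFFIX:COUNT' range response.
    `range_response` is whatever the range endpoint returned for the prefix;
    here the caller supplies it, so nothing is fetched."""
    _, suffix = hash_range_parts(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


# Constructed accounts resembling the failure described in the post.
SAMPLE_ACCOUNTS = {
    "123456": "123456",                         # username == password, on the denylist
    "svc_chatbot": "svc_chatbot",               # service account with default credential
    "alice": "correct horse battery staple",    # passes the local checks
}

# Constructed range response for prefix 7C4A8 (the SHA-1 prefix of "123456");
# the count is made up for the example.
SAMPLE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
    "D09CA3762AF61E59520943DC26494F8941B:42\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n"
)

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(problems)}")
    prefix, _ = hash_range_parts("123456")
    print(f"range prefix sent for lookup: {prefix}; breach count: {breach_count('123456', SAMPLE_RANGE_RESPONSE)}")
```

The local checks are cheap and catch the exact failure in the story; the range lookup is what catches a password that is long and not obviously patterned but has already been leaked. Neither replaces rate limiting and multi-factor authentication on the login itself, which is what would have stopped an attacker who simply guessed 123456.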

The Chief Justice of the Supreme Court of Victoria publishes a practice note of procedural changes to applications to set aside statutory demands.

July 13, 2025

The Chief Justice of the Victorian Supreme Court has published a notice to the profession regarding the conduct of applications to set aside statutory demands. The Notice sets down a very specific timetable which must be followed. There will be consequences for failing to comply. The second feature of the Notice is a requirement to keep affidavits concise and exhibits “..limited to those documents which are critical to the grounds relied upon by the plaintiff and the real issues in dispute.”

Some points that practitioners must consider:

  1. the court will fix a date for final hearing in the timetabling orders;
  2. first, the Notice to the Profession must be served on the defendant (Paragraph 4.1).  That is a new development;
  3. “as soon as practicable” after filing (Paragraph 5.2), the Court will make timetabling orders in the form of Annexure A to the Notice which requires:
    • seven days after filing of the Originating Process the plaintiff must file an affidavit of service of the Originating Process, the supporting affidavit, and a copy of the Notice to the Profession
    • 14 days after filing of the Originating Process the defendant must file and serve:
      • an affidavit of service of the statutory demand; and
      • any affidavit on which it intends to rely in opposition to the application; and
    • 14 days after filing of the Originating Process the defendant must advise chambers if the defendant disputes jurisdiction
    • 21 days after filing of the Originating Process the plaintiff must:
      • file and serve any affidavit on which it intends to rely upon in reply;
      • file and serve an outline of submissions not exceeding 6 pages and a list of authorities identifying pin-point references; and
      • email the Chambers of the judicial officer a bundle of authorities that the plaintiff relies upon in pdf text-searchable format, with cases arranged in alphabetical order and with an electronic bookmark for each case
    • 28 days after filing of the Originating Process the defendant will:
      • file and serve an outline of submissions not exceeding 6 pages and a list of authorities identifying pin-point references; and
      • email the Chambers a bundle of authorities that the defendant relies upon which are not already included in the plaintiff’s bundle.
  4. submissions must identify why or why not there is a genuine dispute/offsetting claim/some other matter with reference to the affidavit material;
  5. in advance of any non compliance with the timetable/exercise of liberty the parties have to confer regarding the amendments and email the Court to “explain the reason that a variation is sought and provide consent or competing draft minutes of order addressing a revised timetable which maintain the final hearing date and ensures that the last document is filed no later than 72 hours before the final hearing;”
  6. evidence or submissions filed out of time will not be considered at the final hearing without a summons for leave supported by an affidavit explaining non-compliance (Paragraph 8.3).
  7. in the event of non-compliance the Court may, of its own motion, make a self-executing or ‘unless’ order disposing of the proceeding;
  8. the Court will aim to schedule the final hearing to be held within 6 weeks of filing, listed for half a day (Paragraph 8.1); and
  9. within 3 days of the hearing the practitioners briefed to appear at the final hearing are to confer with a view to resolving the dispute or narrowing the issues.  The plaintiff must email the Court on behalf of the parties a “joint statement” of  the remaining issues in dispute.

The Notice Read the rest of this entry »

National Institute of Standards and Technology releases draft guidelines for a High-Performance Computing (HPC) Security Overlay and recommendations for Key Management

July 12, 2025

The National Institute of Standards and Technology (“NIST”) has published a guideline on a High-Performance Computing (HPC) Security Overlay, together with Recommendation for Key Management, Part 2: Best Practices for Key Management Organizations and Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance.

The announcement about the HPC provides:

High-performance computing (HPC) systems provide fundamental computing infrastructure for large-scale artificial intelligence (AI) and machine learning (ML) model training, big data analysis, and complex simulations at exceptional speeds. Securing HPC systems is essential for safeguarding AI models, protecting sensitive data, and realizing the full benefits of HPC capabilities.

This NIST Special Publication introduces an HPC security overlay that is designed to address the unique characteristics and requirements of HPC systems. Built upon the moderate baseline defined in SP 800-53B, the overlay tailors 60 security controls with supplemental guidance and/or discussions to enhance their applicability in HPC contexts. This overlay aims to provide practical, performance-conscious security guidance that can be readily adopted. For many organizations, it offers a robust foundation for securing HPC environments while also allowing for further customization to meet specific operational or mission needs.

The announcement for Recommendation for Key Management, Part 2: Best Practices for Key Management Organizations provides:

NIST Special Publication (SP) 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements. Finally, Part 3 provides guidance when using the cryptographic features of current systems. Part 2 (this document) 1) identifies the concepts, functions and elements common to effective systems for the management of symmetric and asymmetric keys; 2) identifies the security planning requirements and documentation necessary for effective institutional key management; 3) describes Key Management Specification requirements; 4) describes cryptographic Key Management Policy documentation that is needed by organizations that use cryptography; and 5) describes Key Management Practice Statement requirements. Appendices provide examples of some key management infrastructures and supplemental documentation and planning materials.

The announcement for Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance provides:

NIST Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.

Read the rest of this entry »