ANU releases report on Data Trust and data privacy: a brake on the data and digital dividend

October 25, 2022

The ANU Centre for Social Research and Methods has released Data trust and data privacy: a brake on the data and digital dividend?   The timing couldn’t be more appropriate given the latest large scale data breaches.

The description of the paper provides:

Data is increasingly available at scale and many of the fastest growing companies are built on data and data analytics. Governments are also increasingly using data for service delivery and to a lesser extent policy development and evaluation. Regulating and managing the increasing availability and use of data by the public, community and private sectors requires new approaches and laws.

In April 2022 the Australian Parliament passed the Data Availability and Transparency Act 2022 which allows Australian Commonwealth bodies to share data. While the legislation and associated regulation is important, so are the levels of community data trust and attitudes to data privacy.

This paper reports data on Australian’s attitudes to data trust and data privacy and how these have changed since October 2018 using data from the ANUpoll series of surveys collected in October 2018, October 2019, May 2020, August 2021 and August 2022. This provides information on how attitudes have changed during the COVID-19 period and during a period of rapid digitisation and increasing availability and use of data. The data shows that trust in key institutions with regards to data privacy increased during the early stages of COVID-19 period, and has stayed high through to mid-2022.

Australians also for the most part think governments should be sharing data with researchers (particularly in universities) and making use of data internally. However, support for such uses of data is slipping. Part of the response to these trends is to make sure that when data is used, it is done so in a way that maximises benefits to society. Collectively, the Australian research and policy community also needs to better understand who is reluctant for their data to be used, why they are reluctant, and what the possible responses and safeguards might be to make better use of such resources whilst still maintaining a social licence.

Interesting points made in the Report Read the rest of this entry »

Federal Trade Commission takes action against Drizly and its CEO for security failures that exposed the data of 2.5 million cosumers

The Federal Trade Commission (“the FTC”) is taking action against Drizly, an online alcohol supplier, and its CEO, James Rellas, regarding a data breach that exposed personal information of 2.5 million consumers in 2020.  The data breach, it is alleged, was caused by security failures on Drizly’s part.

The core of the complaint is that Drizly:

  • failed to implement basic security measures.  They included not requiring employees to use two-factor authentication for GitHub, not limiting employee access to personal data, not having adequate written security policies, or failing to train employees on those procedure;
  • stored information on an unsecured platform. Drizly stored login credentials on GitHub contrary to the platform’s own guidance and well-publicized security incidents involving GitHub;
  • failed to monitor its network for security threats. The FTC specifically claimed that the failure included not putting a senior executive in charge of ensuring that the data was secure.  It did it monitor its network for unauthorized attempts to access or remove personal data; and
  • exposed its customers to hackers and identity thieves. After the data breach personal information that Drizly had collected about consumers was offered for sale on two different publicly accessible sites on the dark web.

The action is by way of administrative complaint, a precursor to formal litigation.  This has resulted in a consent agreement. It is a more assertive process than the Own Motion Investigation that the Australian Information Commissioner uses, on a very sparing basis, in Australia.

An interesting feature of this consent agreement is that the Chief Executive, James Rellas, is accountable for information security under the consent agreement, even if he leaves Drizly and works for another entity.  That is a procedure that the Australian Government should consider in its reforms of the Privacy Act.  Having the power to make orders against directors to ensure proper data security by way of enforceable undertakings would focus their minds.  With this approach the cost is not only to the business.  It is to its officers as well.  Having an order attached to a director wherever he or she went over a period would be something they would dread.

While the Australian enforceable undertakings are a pale version of what the FTC imposes on companies who have had a data breach or otherwise breached privacy it is worth reviewing how the FTC drafts its complaints and agreements.  They are the gold standard in terms of imposing comprehensive orders which enforce proper privacy practices over a 10 or 20 year period.  It is only a matter of time before Australia will move in this direction.

The statement provides:

The Federal Trade Commission is taking action against the online alcohol marketplace Drizly and its CEO James Cory Rellas over allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers. Drizly and Rellas were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers. The FTC’s proposed order requires the company to destroy unnecessary data, restricts the data that the company can collect and retain, and binds Rellas to specific data security requirements for his role in presiding over unlawful business practices.

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “CEOs who take shortcuts on security should take note.”

Boston-based Drizly, a subsidiary of Uber, operates an online marketplace where consumers of legal drinking age can place orders with retailers to buy beer, wine, and alcohol for delivery. The company collects and stores on Amazon Web Services cloud computing service a wide range of personal information from consumers such as email, postal addresses, phone numbers, unique device identifiers, geolocation information and data purchased from third parties.

According to the FTC’s complaint, Drizly and Rellas were alerted to problems with the company’s data security procedures following an earlier security incident. In 2018, a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account. Drizly failed to take steps to adequately address its security problems while publicly claiming to have appropriate security protections in place. Two years later, a hacker breached an employee account, got access to Drizly’s corporate GitHub login information, hacked into the company’s database, and then stole customers’ information.

In its complaint, the FTC alleges that Drizly and Rellas:

    • Failed to implement basic security measures: The FTC alleged that despite statements claiming the company used appropriate security practices to protect consumer data, Drizly and Rellas failed to put in place reasonable safeguards to secure the personal information it collected and stored. It did not require employees to use two-factor authentication for GitHub, limit employee access to personal data, develop adequate written security policies, or train employees on those procedures.
    • Stored critical database information on an unsecured platform: According to the FTC’s complaint, Drizly stored login credentials on GitHub contrary to the platform’s own guidance and well-publicized security incidents involving GitHub. For example, in its 2018 complaint against Uber, the FTC specifically publicized and described poor security practices involving the use of Uber’s GitHub account that contributed to a data breach involving the ridesharing app.
    • Neglected to monitor network for security threats: The FTC alleged that Drizly did not put a senior executive in charge of ensuring that the company was keeping its data secure, nor did it monitor its network for unauthorized attempts to access or remove personal data.
    • Exposed customers to hackers and identity thieves: Following the company’s data breach, personal information that Drizly had collected about consumers was offered for sale on two different publicly accessible sites on the dark web, where criminals post and sell data stolen by hackers. Identity thieves and other malicious actors can use such data to open fraudulent lines of credit or commit other fraud. When unauthorized accounts are opened in their name, consumers can suffer financial harm by incurring debt and damaging their credit, the FTC alleged.

Enforcement Action

The proposed order against Drizly and Rellas includes several requirements aimed at ensuring they take steps to address the problems outlined in the FTC’s complaint. Under the proposed FTC order, Drizly and Rellas are required to:

    • Destroy unnecessary data: Drizly is required to destroy any personal data it collected that is not necessary for it to provide products or services to consumers. It must also document and report to the Commission what data it destroyed.
    • Limit future data collection: Going forward, Drizly must refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule. It must also must publicly detail on its website the information it collects and why such data collection is necessary.
    • Implement an information security program: Drizly is required to implement a comprehensive information security program and establish security safeguards to protect against the security incidents outlined in the complaint. This includes measures such as providing security training for its employees; designating a high-level employee to oversee the information security program; implementing controls on who can access personal data; and requiring employees to use multi-factor authentication to access databases and other assets containing consumer data.

Notably, the order applies personally to Rellas, who presided over Drizly’s lax data security practices as CEO. In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.

This action is part of the FTC’s aggressive efforts to ensure that companies are protecting consumers’ data and that careless CEOs learn from their data security failures. Last year, the Commission secured its first order requiring a firm to minimize data collection and has worked in subsequent orders to ensure companies only collect what they need to conduct their business. The Commission is also taking steps to bolster security market-wide, including by finalizing updates to the Safeguards Rule, issuing a policy statement on the Health Breach Notification Rule, and initiating an advance notice of proposed rulemaking on commercial surveillance and lax data security practices.

The FTC voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with Drizly and Rellas. Commissioner Christine Wilson voted yes but dissented in part as to the inclusion of Rellas as an individual defendant and issued a separate statement. Chair Lina M. Khan and Commissioner Alvaro Bedoya issued a joint concurring statement and Commissioner Rebecca Kelly Slaughter issued a separate concurring statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.

Read the rest of this entry »

European Data Protection Board releases guidelines on personal data breach notification under the GDPR… excellent timing given the spate of data breaches in Australia

October 24, 2022

The timing couldn’t be better.  The European Data Protection Board (“EDPB”)  released Guidelines 09/2022 on personal data breach notification under GDPR on 18 October 2022. Given the issue of notification of data breaches is a significant issue currently in Australia it is a very relevant document.  More importantly the guidelines on privacy and data breach issues are much more comprehensive in the EU and the UK.  That makes for better and more effective systems and protections, if followed.

The announcement provides:

The European Data Protection Board welcomes comments on the Guidelines 09/2022 on personal data breach notification under GDPR. The targeted update and this public consultation concern paragraph 73 of the Guidelines (marked in yellow in the document). Such comments should be sent 29th November 2022 at the latest using the provided form.

Please note that, by submitting your comments, you acknowledge that your comments might be published on the EDPB website.

The EDPB Secretariat staff screens all replies provided before publication (only for the purpose of blocking unauthorised submissions, such as spam), after which the replies are made available to the public directly on the EDPB public consultations’ page. Unauthorised submissions are immediately deleted. The attached files are not altered in any way by the EDPB.

Please, note that regardless the option chosen, your contribution may be subject to a request for access to documents under Regulation 1049/2001 on public access to European Parliament, Council and Commission documents. In this case the request will be assessed against the conditions set out in the Regulation and in accordance with applicable data protection rules.

All legal details can be found in our Specific Privacy Statement (SPS).

The guidelines are referable to obligations under the GDPR.  That said they contain best practice processes when dealing with the data breaches.  To that extent they are a very valuable resources in the Australian context in providing structure in anticipating and responding to a data breach.  Some points worth noting are:

  • the benefits of notification include the controllers obtaining advice on whether the affected individuals need to be informed. The supervisory authority may order the controller to inform those individuals about the breach.
  • communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences.
  • the focus of any breach response plan should be on protecting individuals and their personal data. Breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data.
  • controllers and processors are encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan
  • GDPR requires:
    • both controllers and processors to have in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed to the personal data being processed which should take into account:
      • the state of the art,
      • the costs of implementation
      • the nature,
      • the scope,
      • context and
      • purposes of

Read the rest of this entry »

Data breach hits Advocate Aurora Health exposing personal information of 3 million patients

October 23, 2022

While the media in Australia is in hyperdrive over the Optus data, My Deal and Medibank Private data breaches it is relevant to put them into perspective. Data breaches are a worldwide phenomenon.

The Advocate Aurora Health network, with 26 hospitals in Wisconsin and Illinois are in the process of sending out notifications of a data breach involving 3 million patients.   To put it even more into perspective itGovernance has undertaken an analysis of data breaches in the 3rd quarter of 2022.  On its calculations, between July and September 2022 there were 285 publicly disclosed security incidents involving 232,266,148 compromised records.  The numbers are eye watering but the greater concern is that there has been a rise in both the number of incidents, of over 20%, and a massive increase, of 134%, in the number of compromised records. By a wide margin cyber attacks are the most prevalent form of data breach.  The public sector was the most vulnerable followed by the health sector.

The itGovernance article provides:

Welcome to our third quarterly review of security incidents for 2022, in which we take a closer look at the information gathered in our monthly list of data breaches and cyber attacks.

In this article, you’ll find an overview of the cyber security landscape from the past three months, including the latest statistics and our observations.

This includes year-on-year comparisons in the number of publicly disclosed data breaches, a review of the most breached sectors and a running total of incidents for the year.

Overview

Read the rest of this entry »

Medibank data breach…threats to expose personal information and demands for ransom….Why is this news? It happens on a weekly if not daily basis. That is what criminal hackers do. The key is to get companies to properly protect their data

October 21, 2022

What do criminals do?  They act for profit.  Cyber criminals are still just criminals.  They steal for monetary gain.  Ransomware and just plain demanding ransoms is part of their weaponary.  Exposing health and other personal information happens if the crooks think that will get the money they are after.

As the Guardian reports in Medibank says sample of stolen customer data includes details of medical procedures, the data stolen from Medibank includes details of medical procedures.  The Australian has an article in a similar vein with Medibank hackers stole data on medical conditions customers and treatment.  This shouldn’t be surprising.  What is less understandable is how the sensitive health data was commingled with other records?  Why was it not properly encrypted?  Why wasn’t it siloed?

I have been writing on cyber security and data breaches for so long that I find the breathless quality of Australian media reporting of the Medibank data breach curious.  It is as if this is the only and worst data breach involving health records.  It isn’t by a long chalk.  The Sydney Morning Herald writes of ‘Immense harm’: Federal police investigating threat to sell Australians’ health data.  While the Australian enters into policy speculation with Medibank hack sparks call to end companies creating data ‘honeypots’ for hackers. Where the Australian gets it wrong is that under the current Privacy Act collection of personal information should only be for a specific purpose and used for that purpose.  The legislation is deeply flawed but if properly enforced action should have been taken against companies who collect and hold onto data because it suits them.  The enforcement was weak.  It has always been weak.  Until now no Government has not much cared.

The key is for companies to take their responsibilities seriously.  That means proper regulation and enforcement whereby the cost of non compliance is high.  The next issue is to make sure that when there is a data breach it is dealt with methodically and thoroughly and not turned into a cause celebre.  It helps not at all if it becomes a political battleground.  The company affected has to respond appropriately and quickly and the regulator may need to get involved.  There will always be media coverage but it shouldn’t develop a life of its own as seems to be the case with the latest spate of data breaches in Australia.  It is always worth remembering that it is a legal issue, complying with the law.

The Australian Financial Review undertakes an analysis and critique of Medibank’s responses so far with Medibank’s ransomware response is a lesson in what not to do. It is replete with talking heads  wanting to get their name out as experts prognosticating on this,  that or other things relating to the Medibank data breach.  Much of it is speculation over analysis.  That said  the Medibank response has been dreadful, as bad as Optus but in a different way.  Going through its media releases has been the privacy equivalent of a slow motion car crash involving a crash test dummy. Whatever data breach response plan it had was sub standard.  The first 24 hours should be regarded as the Golden Hours.  Getting as much information about the breach, starting on remediation and crafting a notice to the market, the clients, to government and the media is critical. Information to hand will always be incomplete but being as forthcoming

It’s latest update, Medibank cyber incident response,  provides:

As we have worked through this cyber incident, Medibank has committed to transparency about what we know, and how that could impact our customers, our people, and the broader community.

This cyber incident is now the subject of an investigation by the Australian Federal Police.

We know that our customers, people, and the community want to know what data has been stolen, and how that may affect them. Read the rest of this entry »

Commonwealth Attorney General describes the Privacy Act as outdated….hardly news but good that an Attorney General is interested in privacy reform

October 18, 2022

The Attorney General is critical of the operation of the Privacy Act according to ‘A very outdated piece of legislation’: Optus hack highlights Privacy Act loophole.  This is hardly news.  What is good news is that reform of the Privacy Act is a priority.  How quickly that happens is less certain.  The the interminable Attorney General Department’s review will be wrapped up by years end and sometime Read the rest of this entry »

A process to anonmize facial images to improve patients privacy

Anonymisation is an important process in protecting privacy and securing data.  The UK information Commissioner’s Office has recently released a draft guidance on anonymisation and pseudonymisation.  Anonymisation and pseudonymisation are both quite contentious issues because it is often ineffective.   Some researchers believe that it cannot work as there is no way to fully protect real identities in datasets.  The development and increasing access to quantum computers pose challenges to anonymisation other data sets can be analysed and compared to the anonymised data to reveal tell tale identifiers.  At this stage it does have utility and the regulators acknowledge it as a means to protect privacy.  

Nature has published a fascinating article, Anonymizing facial images to improve patient privacy, on anonymising facial images in the health industry context through the use of a digital mask.   

The article Read the rest of this entry »

UK Information Commissioner’s Office publishes guidance on privacy enhancing technologies

October 17, 2022

The Information Commissioner’s Office (“ICO”) published its long awaited and very welcome guidance on the use of privacy enhancing technologies (“PETs”).  Properly used PETs are an invaluable part of proper data protection.  The media release provides:

The Information Commissioner’s Office (ICO) has published draft guidance on privacy-enhancing technologies (PETs) to help organisations unlock the potential of data by putting a data protection by design approach into practice. 

PETs are technologies that can help organisations share and use people’s data responsibly, lawfully, and securely, including by minimising the amount of data used and by encrypting or anonymising personal information. They are already used by financial organisations when investigating money laundering, for example, and by the healthcare sector to provide better health outcomes and services to the public. 

The draft PETs guidance explains the benefits and different types of PETs currently available, as well as how they can help organisations comply with data protection law. It is part of the ICO’s draft guidance on anonymisation and pseudonymisation, and the ICO is seeking feedback to help refine and improve the final guidance

By enabling organisations to share and collaboratively analyse sensitive data in a privacy-preserving manner, PETs open up unprecedented opportunities to harness the power of data through innovative and trustworthy applications. The UK and US governments have launched a set of prize challenges to unleash the potential of PETs to tackle combat global societal challenges, supported by the ICO.

John Edwards, UK Information Commissioner, said:  

“Although the use of PETs is in its early stages, it can unlock safe and lawful data sharing where people can enjoy better services and products without trading their privacy rights. In the UK, one example is the NHS building a system for linking patient data across different organisational domains. 

“Today’s draft guidance is part of my office’s strategy for the next three years, where we will be supporting the responsible use and sharing of personal information to drive innovation and economic growth. PETs have the potential to do that, so we look forward to hearing from industry and other stakeholders on how our guidance can help them achieve this.”  

The PETs draft guidance has been published ahead of the 2022 roundtable of G7 data protection and privacy authorities taking place in Bonn, Germany on 7-8 September, where the ICO will present its work on PETs to its G7 counterparts and encourage international agreement for the support of responsible and innovative use of PETs.

As part of this, the ICO will call for the development of industry-led governance, such as codes of conduct and certification schemes, to help organisations use PETs responsibly and to help PETs developers and providers to build the technology with data protection and privacy at the forefront. 

Mr Edwards said:

“It’s not just regulators that need to take action – we need the industry to step up, too. We want organisations to come to us with codes of conduct and certification schemes, for example, to show their commitment to building services or products that are designed in a privacy-friendly way and that protect people’s data.”

At 40 pages the guidance is very comprehensive.

Some key issues that should be considered are:

  • the definition of a PET is:

Read the rest of this entry »

Medibank Private suffers a cyber security breach

October 13, 2022

As if to underscore the need for better cyber security and privacy reform Medibank has reportedly suffered a cyber attack yesterday according to itnews Medibank takes systems offline after ‘cyber incident’ .  In response Medibank shut down two customer facing systems.  According to the ABC the insurer says that no evidence that sensitive data had been accessed.

Interestingly the ABC reports on a surge of interest in cyber security professionals with Since the Optus data breach, Australia is desperate for cybersecurity professionals. You could become one without a university degree which is quite general.  The awareness of the need for cyber experts, actually privacy experts, has been growing for Read the rest of this entry »

The Australian Information Commissioner opens an investigation into Optus regarding its data breach

October 11, 2022

Today the Australian Information Commissioner initiated an investigation.  In other jurisdiction this step by a regulator is quite common.  It is far less so in Australia.  It is clearly required given the size of the data breach, the likely cause and the consequential events as Optus has struggled to remediate the damage. 

The Commissioner’s statement Read the rest of this entry »