35.6 million records breached in September 2022

October 9, 2022

IT Governance has listed 88 publicly disclosed security incidents involving 35,566,046 records in September.  That is a slight improvement on the September numbers, involving 97 million records, but remains grim reading.

Some notable incidents include:

  • Wolfe Eye Clinic in the United States suffered a data breach through a third party which has affected 542,776.
  • The US NFL franchise the 49ers suffered a data breach involving more than 20,000 social security numbers.
  • The Medical Associates of the Lehigh Valley suffered a data breach affecting the social security numbers and personal health information of 75,628.
  • The personal information of 16 million was compromised in a data breach of the Indian Swachhata Platform.
  • Eight hotels of the Shangri-La Group have been hacked, with personal information affecting 290,000 hotel guests.  Three of the Shangri-La hotels are located in Hong Kong.  The group waited 2 months to tell the Hong Kong Privacy Commissioner of the breaches to the Hong Kong hotels, something that raised the Commissioner’s ire. As a result the Privacy Commissioner commenced a compliance check.
  • Morgan Stanley paid a $35 million fine to the SEC for failing to dispose of hard drives and servers containing the personal information of 15 million customers.

National Institute of Standards and Technology releases Understanding Stablecoin Technology and Related Security Considerations

Regulation of cryptocurrency and other digital forms of exchange is coming, but in the meantime understanding and applying the technical details of the different types of cryptocurrency is vital.

The National Institute of Standards and Technology (“NIST”) has prepared an analysis of stablecoin technologies.  For lawyers, its relevance lies in what it says about security and stability.

Stablecoins are a type of cryptocurrency.  They aim to maintain a stable price relative to a specified asset (usually a fiat currency). Little has been written on the technical mechanisms and architectures used and the related security considerations. NIST IR 8408 addresses this by evaluating the technical design of different stablecoin architectures together with related security analyses.

The abstract provides:

Stablecoins are cryptocurrencies whose price is pegged to that of another asset (typically one with low price volatility). The market for stablecoins has grown tremendously – up to almost $200 billion USD in 2022. These coins are being used extensively in newly developing paradigms for digital money and commerce as well as for decentralized finance technology. This work provides a technical description of stablecoin technology to enable reader understanding of the variety of ways in which stablecoins are architected and implemented. This includes a descriptive definition, commonly found properties, and distinguishing characteristics, as well as an exploration of stablecoin taxonomies, descriptions of the most common types, and examples from a list of top stablecoins by market capitalization. This document also explores related security, safety, and trust issues with an analysis conducted from a computer science and information technology security perspective as opposed to the financial analysis and economics focus of much of the stablecoin literature.

NIST defines blockchains as:

Blockchains are distributed digital ledgers of cryptographically signed transactions that are grouped into blocks. Each block is cryptographically linked to the previous one (making it tamper evident) after validation and undergoing a consensus decision. As new blocks are added, older blocks become more difficult to modify (creating tamper resistance). New blocks are replicated across copies of the ledger within the network, and any conflicts are resolved automatically using established rules.

A cryptocurrency

US President signs Executive Order to implement EU – US Data Privacy Framework

October 8, 2022

EU data privacy laws require overseas recipients of data from the EU to provide basic minimum protections.  There is no US Federal Privacy Act which mandates a minimum level of privacy protection. To let the data flow, the US Government and the EU created a structure, previously known as Safe Harbour, whereby the US commits to maintain a minimum level of privacy protections.  In 2015 the European Court of Justice ruled that the Safe Harbour arrangement was invalid.  It later ruled that the subsequent Privacy Shield was also invalid.

That has given rise to other arrangements, the latest iteration of which was announced on 7 October 2022. President Joseph Biden signed two significant executive orders directing the steps that the US will take to implement its commitments under the European Union – U.S. Data Privacy Framework.

The Framework is designed to restore the legal basis for transatlantic data flows by addressing the Court of Justice of the European Union’s ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) invalidating the Privacy Shield framework as a data transfer mechanism.

The net effect is that the US and the EU may have a proper structure for the data flows, in particular one complying with minimum EU data protection requirements.

The Executive Order:

  • adds further safeguards for US signals intelligence activities;
  • mandates handling requirements for personal information collected through signals intelligence activities and extends officials’ responsibilities;
  • requires US Intelligence Community elements to update their policies and procedures;
  • creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organisations, as designated under the Executive Order, to obtain independent and binding review and redress;
  • calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures; and
  • provides the European Commission with the basis to adopt a new adequacy determination for companies using Standard Contractual Clauses and Binding Corporate Rules for EU-US data transfers.

Within 60 days the Attorney General and heads of elements of the Intelligence Community that collect or handle personal information collected through signals intelligence must establish a process for the submission of qualifying complaints transmitted by the appropriate public authority in a qualifying state.

The executive order provides the Civil Liberties Protection Officer of the Office of the Director of National Intelligence with powers to investigate, review, and, as necessary, order appropriate remediation for qualifying complaints.

The Attorney General is authorised to establish a process to review the determinations and promulgate regulations establishing a Data Protection Review Court.

Prior to adopting an adequacy decision the European Commission must obtain an opinion from the European Data Protection Board and receive approval from a committee composed of representatives of the EU Member States. The European Parliament has a right of scrutiny over adequacy decisions.

The Executive Order provides:

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1.  Purpose.  The United States collects signals intelligence so that its national security decisionmakers have access to the timely, accurate, and insightful information necessary to advance the national security interests of the United States and to protect its citizens and the citizens of its allies and partners from harm.  Signals intelligence capabilities are a major reason we have been able to adapt to a dynamic and challenging security environment, and the United States must preserve and continue to develop robust and technologically advanced signals intelligence capabilities to protect our security and that of our allies and partners.  At the same time, the United States recognizes that signals intelligence activities must take into account that all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and that all persons have legitimate privacy interests in the handling of their personal information.  Therefore, this order establishes safeguards for such signals intelligence activities.

Sec. 2.  Signals Intelligence Activities.

(a)  Principles.  Signals intelligence activities shall be authorized and conducted consistent with the following principles:

(i)  Signals intelligence activities shall be authorized by statute or by Executive Order, proclamation, or other Presidential directive and undertaken in accordance with the Constitution and with applicable statutes and Executive Orders, proclamations, and other Presidential directives.

(ii)  Signals intelligence activities shall be subject to appropriate safeguards, which shall ensure that privacy and civil liberties are integral considerations in the planning and implementation of such activities so that:

(A)  signals intelligence activities shall be conducted only following a determination, based on a reasonable assessment of all relevant factors, that the activities are necessary to advance a validated intelligence priority, although signals intelligence does not have to be the sole means available or used for advancing aspects of the validated intelligence priority; and

(B)  signals intelligence activities shall be conducted only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized, with the aim of achieving a proper balance between the importance of the validated intelligence priority being advanced and the impact on the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside.

(iii)  Signals intelligence activities shall be subjected to rigorous oversight in order to ensure that they comport with the principles identified above. 

(b)  Objectives.  Signals intelligence collection activities shall be conducted in pursuit of legitimate objectives.

(i)  Legitimate objectives.

(A)  Signals intelligence collection activities shall be conducted only in pursuit of one or more of the following objectives:

(1)  understanding or assessing the capabilities, intentions, or activities of a foreign government, a foreign military, a faction of a foreign nation, a foreign-based political organization, or an entity acting on behalf of or controlled by any such foreign government, military, faction, or political organization, in order to protect the national security of the United States and of its allies and partners;

(2)  understanding or assessing the capabilities, intentions, or activities of foreign organizations, including international terrorist organizations, that pose a current or potential threat to the national security of the United States or of its allies or partners;

(3)  understanding or assessing transnational threats that impact global security, including climate and other ecological change, public health risks, humanitarian threats, political instability, and geographic rivalry;

(4)  protecting against foreign military capabilities and activities;

(5)  protecting against terrorism, the taking of hostages, and the holding of individuals captive (including the identification, location, and rescue of hostages and captives) conducted by or on behalf of a foreign government, foreign organization, or foreign person;

(6)  protecting against espionage, sabotage, assassination, or other intelligence activities conducted by, on behalf of, or with the assistance of a foreign government, foreign organization, or foreign person;

(7)  protecting against threats from the development, possession, or proliferation of weapons of mass destruction or related technologies and threats conducted by, on behalf of, or with the assistance of a foreign government, foreign organization, or foreign person;

(8)  protecting against cybersecurity threats created or exploited by, or malicious cyber activities conducted by or on behalf of, a foreign government, foreign organization, or foreign person;

(9)  protecting against threats to the personnel of the United States or of its allies or partners;

(10)  protecting against transnational criminal threats, including illicit finance and sanctions evasion related to one or more of the other objectives identified in subsection (b)(i) of this section;

(11)  protecting the integrity of elections and political processes, government property, and United States infrastructure (both physical and electronic) from activities conducted by, on behalf of, or with the assistance of a foreign government, foreign organization, or foreign person; and

(12)  advancing collection or operational capabilities or activities in order to further a legitimate objective identified in subsection (b)(i) of this section.

(B)  The President may authorize updates to the list of objectives in light of new national security imperatives, such as new or heightened threats to the national security of the United States, for which the President determines that signals intelligence collection activities may be used.  The Director of National Intelligence (Director) shall publicly release any updates to the list of objectives authorized by the President, unless the President determines that doing so would pose a risk to the national security of the United States.

(ii)  Prohibited objectives.  

(A)  Signals intelligence collection activities shall not be conducted for the purpose of:

(1)  suppressing or burdening criticism, dissent, or the free expression of ideas or political opinions by individuals or the press;

(2)  suppressing or restricting legitimate privacy interests;

(3)  suppressing or restricting a right to legal counsel; or

(4)  disadvantaging persons based on their ethnicity, race, gender, gender identity, sexual orientation, or religion.

(B)  It is not a legitimate objective to collect foreign private commercial information or trade secrets to afford a competitive advantage to United States companies and United States business sectors commercially.  The collection of such information is authorized only to protect the national security of the United States or of its allies or partners.

(iii)  Validation of signals intelligence collection priorities.

(A)  Under section 102A of the National Security Act of 1947, as amended (50 U.S.C. 3024), the Director must establish priorities for the Intelligence Community to ensure the timely and effective collection of national intelligence, including national intelligence collected through signals intelligence.  The Director does this through the National Intelligence Priorities Framework (NIPF), which the Director maintains and presents to the President, through the Assistant to the President for National Security Affairs, on a regular basis.  In order to ensure that signals intelligence collection activities are undertaken to advance legitimate objectives, before presenting the NIPF or any successor framework that identifies intelligence priorities to the President, the Director shall obtain from the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO) an assessment as to whether, with regard to anticipated signals intelligence collection activities, each of the intelligence priorities identified in the NIPF or successor framework:

(1)  advances one or more of the legitimate objectives set forth in subsection (b)(i) of this section;

(2)  neither was designed nor is anticipated to result in signals intelligence collection in contravention of the prohibited objectives set forth in subsection (b)(ii) of this section; and

(3)  was established after appropriate consideration for the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside.

(B)  If the Director disagrees with any aspect of the CLPO’s assessment with respect to any of the intelligence priorities identified in the NIPF or successor framework, the Director shall include the CLPO’s assessment and the Director’s views when presenting the NIPF to the President.

(c)  Privacy and civil liberties safeguards.  The following safeguards shall fulfill the principles contained in subsections (a)(ii) and (a)(iii) of this section.

(i)  Collection of signals intelligence.

(A)  The United States shall conduct signals intelligence collection activities only following a determination that a specific signals intelligence collection activity, based on a reasonable assessment of all relevant factors, is necessary to advance a validated intelligence priority, although signals intelligence does not have to be the sole means available or used for advancing aspects of the validated intelligence priority; it could be used, for example, to ensure alternative pathways for validation or for maintaining reliable access to the same information.  In determining whether to collect signals intelligence consistent with this principle, the United States — through an element of the Intelligence Community or through an interagency committee consisting in whole or in part of the heads of elements of the Intelligence Community, the heads of departments containing such elements, or their designees — shall consider the availability, feasibility, and appropriateness of other less intrusive sources and methods for collecting the information necessary to advance a validated intelligence priority, including from diplomatic and public sources, and shall prioritize such available, feasible, and appropriate alternatives to signals intelligence.

(B)  Signals intelligence collection activities shall be as tailored as feasible to advance a validated intelligence priority and, taking due account of relevant factors, not disproportionately impact privacy and civil liberties.  Such factors may include, depending on the circumstances, the nature of the pursued objective; the feasible steps taken to limit the scope of the collection to the authorized purpose; the intrusiveness of the collection activity, including its duration; the probable contribution of the collection to the objective pursued; the reasonably foreseeable consequences to individuals, including unintended third parties; the nature and sensitivity of the data to be collected; and the safeguards afforded to the information collected.

(C)  For purposes of subsection (c)(i) of this section, the scope of a specific signals intelligence collection activity may include, for example, a specific line of effort or target, as appropriate.

(ii)  Bulk collection of signals intelligence.

(A)  Targeted collection shall be prioritized.  The bulk collection of signals intelligence shall be authorized only based on a determination — by an element of the Intelligence Community or through an interagency committee consisting in whole or in part of the heads of elements of the Intelligence Community, the heads of departments containing such elements, or their designees — that the information necessary to advance a validated intelligence priority cannot reasonably be obtained by targeted collection.  When it is determined to be necessary to engage in bulk collection in order to advance a validated intelligence priority, the element of the Intelligence Community shall apply reasonable methods and technical measures in order to limit the data collected to only what is necessary to advance a validated intelligence priority, while minimizing the collection of non-pertinent information.

(B)  Each element of the Intelligence Community that collects signals intelligence through bulk collection shall use such information only in pursuit of one or more of the following objectives:

(1)  protecting against terrorism, the taking of hostages, and the holding of individuals captive (including the identification, location, and rescue of hostages and captives) conducted by or on behalf of a foreign government, foreign organization, or foreign person;

(2)  protecting against espionage, sabotage, assassination, or other intelligence activities conducted by, on behalf of, or with the assistance of a foreign government, foreign organization, or foreign person;

(3)  protecting against threats from the development, possession, or proliferation of weapons of mass destruction or related technologies and threats conducted by, on behalf of, or with the assistance of a foreign government, foreign organization, or foreign person;

(4)  protecting against cybersecurity threats created or exploited by, or malicious cyber activities conducted by or on behalf of, a foreign government, foreign organization, or foreign person;

(5)  protecting against threats to the personnel of the United States or of its allies or partners; and

(6)  protecting against transnational criminal threats, including illicit finance and sanctions evasion related to one or more of the other objectives identified in subsection (c)(ii) of this section.

(C)  The President may authorize updates to the list of objectives in light of new national security imperatives, such as new or heightened threats to the national security of the United States, for which the President determines that bulk collection may be used.  The Director shall publicly release any updates to the list of objectives authorized by the President, unless the President determines that doing so would pose a risk to the national security of the United States.

(D)  In order to minimize any impact on privacy and civil liberties, a targeted signals intelligence collection activity that temporarily uses data acquired without discriminants (for example, without specific identifiers or selection terms) shall be subject to the safeguards described in this subsection, unless such data is:

(1)  used only to support the initial technical phase of the targeted signals intelligence collection activity;

(2)  retained for only the short period of time required to complete this phase; and

(3)  thereafter deleted.

(iii)  Handling of personal information collected through signals intelligence.

(A)  Minimization.  Each element of the Intelligence Community that handles personal information collected through signals intelligence shall establish and apply policies and procedures designed to minimize the dissemination and retention of personal information collected through signals intelligence.

(1)  Dissemination.  Each element of the Intelligence Community that handles personal information collected through signals intelligence:

(a)  shall disseminate non-United States persons’ personal information collected through signals intelligence only if it involves one or more of the comparable types of information that section 2.3 of Executive Order 12333 of December 4, 1981 (United States Intelligence Activities), as amended, states may be disseminated in the case of information concerning United States persons;

(b)  shall not disseminate personal information collected through signals intelligence solely because of a person’s nationality or country of residence;

(c)  shall disseminate within the United States Government personal information collected through signals intelligence only if an authorized and appropriately trained individual has a reasonable belief that the personal information will be appropriately protected and that the recipient has a need to know the information;

(d)  shall take due account of the purpose of the dissemination, the nature and extent of the personal information being disseminated, and the potential for harmful impact on the person or persons concerned before disseminating personal information collected through signals intelligence to recipients outside the United States Government, including to a foreign government or international organization; and

(e)  shall not disseminate personal information collected through signals intelligence for the purpose of circumventing the provisions of this order.

(2)  Retention.  Each element of the Intelligence Community that handles personal information collected through signals intelligence:

(a)  shall retain non-United States persons’ personal information collected through signals intelligence only if the retention of comparable information concerning United States persons would be permitted under applicable law and shall subject such information to the same retention periods that would apply to comparable information concerning United States persons;

(b)  shall subject non-United States persons’ personal information collected through signals intelligence for which no final retention determination has been made to the same temporary retention periods that would apply to comparable information concerning United States persons; and

(c)  shall delete non-United States persons’ personal information collected through signals intelligence that may no longer be retained in the same manner that comparable information concerning United States persons would be deleted.

(B)  Data security and access.  Each element of the Intelligence Community that handles personal information collected through signals intelligence:

(1)  shall process and store personal information collected through signals intelligence under conditions that provide appropriate protection and prevent access by unauthorized persons, consistent with the applicable safeguards for sensitive information contained in relevant Executive Orders, proclamations, other Presidential directives, Intelligence Community directives, and associated policies; 

(2)  shall limit access to such personal information to authorized personnel who have a need to know the information to perform their mission and have received appropriate training on the requirements of applicable United States law, as described in policies and procedures issued under subsection (c)(iv) of this section; and

(3)  shall ensure that personal information collected through signals intelligence for which no final retention determination has been made is accessed only in order to make or support such a determination or to conduct authorized administrative, testing, development, security, or oversight functions.

(C)  Data quality.  Each element of the Intelligence Community that handles personal information collected through signals intelligence shall include such personal information in intelligence products only as consistent with applicable Intelligence Community standards for accuracy and objectivity, with a focus on applying standards relating to the quality and reliability of the information, consideration of alternative sources of information and interpretations of data, and objectivity in performing analysis.

(D)  Queries of bulk collection.  Each element of the Intelligence Community that conducts queries of unminimized signals intelligence obtained by bulk collection shall do so consistent with the permissible uses of signals intelligence obtained by bulk collection identified in subsection (c)(ii)(B) of this section and according to policies and procedures issued under subsection (c)(iv) of this section, which shall appropriately take into account the impact on the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside.

(E)  Documentation.  In order to facilitate the oversight processes set forth in subsection (d) of this section and the redress mechanism set forth in section 3 of this order, each element of the Intelligence Community that engages in signals intelligence collection activities shall maintain documentation to the extent reasonable in light of the nature and type of collection at issue and the context in which it is collected.  The content of any such documentation may vary based on the circumstances but shall, to the extent reasonable, provide the factual basis pursuant to which the element of the Intelligence Community, based on a reasonable assessment of all relevant factors, assesses that the signals intelligence collection activity is necessary to advance a validated intelligence priority.

(iv)  Update and publication of policies and procedures.  The head of each element of the Intelligence Community:

(A)  shall continue to use the policies and procedures issued pursuant to Presidential Policy Directive 28 of January 17, 2014 (Signals Intelligence Activities) (PPD-28), until they are updated pursuant to subsection (c)(iv)(B) of this section;

(B)  shall, within 1 year of the date of this order, in consultation with the Attorney General, the CLPO, and the Privacy and Civil Liberties Oversight Board (PCLOB), update those policies and procedures as necessary to implement the privacy and civil liberties safeguards in this order; and

(C)  shall, within 1 year of the date of this order, release these policies and procedures publicly to the maximum extent possible, consistent with the protection of intelligence sources and methods, in order to enhance the public’s understanding of, and to promote public trust in, the safeguards pursuant to which the United States conducts signals intelligence activities.

(v)  Review by the PCLOB.

(A)  Nature of review.  Consistent with applicable law, the PCLOB is encouraged to conduct a review of the updated policies and procedures described in subsection (c)(iv)(B) of this section once they have been issued to ensure that they are consistent with the enhanced safeguards contained in this order.

(B)  Consideration of review.  Within 180 days of completion of any review by the PCLOB described in subsection (c)(v)(A) of this section, the head of each element of the Intelligence Community shall carefully consider and shall implement or otherwise address all recommendations contained in such review, consistent with applicable law.

(d)  Subjecting signals intelligence activities to rigorous oversight.  The actions directed in this subsection are designed to build on the oversight mechanisms that elements of the Intelligence Community already have in place, in order to further ensure that signals intelligence activities are subjected to rigorous oversight.

(i)  Legal, oversight, and compliance officials.  Each element of the Intelligence Community that collects signals intelligence:

(A)  shall have in place senior-level legal, oversight, and compliance officials who conduct periodic oversight of signals intelligence activities, including an Inspector General, a Privacy and Civil Liberties Officer, and an officer or officers in a designated compliance role with the authority to conduct oversight of and ensure compliance with applicable United States law;

(B)  shall provide such legal, oversight, and compliance officials access to all information pertinent to carrying out their oversight responsibilities under this subsection, consistent with the protection of intelligence sources or methods, including their oversight responsibilities to ensure that any appropriate actions are taken to remediate an incident of non-compliance with applicable United States law; and

(C)  shall not take any actions designed to impede or improperly influence such legal, oversight, and compliance officials in carrying out their oversight responsibilities under this subsection.

(ii)  Training.  Each element of the Intelligence Community shall maintain appropriate training requirements to ensure that all employees with access to signals intelligence know and understand the requirements of this order and the policies and procedures for reporting and remediating incidents of non-compliance with applicable United States law.

(iii)  Significant incidents of non-compliance.

(A)  Each element of the Intelligence Community shall ensure that, if a legal, oversight, or compliance official, as described in subsection (d)(i) of this section, or any other employee, identifies a significant incident of non-compliance with applicable United States law, the incident is reported promptly to the head of the element of the Intelligence Community, the head of the executive department or agency (agency) containing the element of the Intelligence Community (to the extent relevant), and the Director.

(B)  Upon receipt of such report, the head of the element of the Intelligence Community, the head of the agency containing the element of the Intelligence Community (to the extent relevant), and the Director shall ensure that any necessary actions are taken to remediate and prevent the recurrence of the significant incident of non-compliance.

     (e)  Savings clause.  Provided the signals intelligence collection is conducted consistent with and in the manner prescribed by this section of this order, this order does not limit any signals intelligence collection technique authorized under the National Security Act of 1947, as amended (50 U.S.C. 3001 et seq.), the Foreign Intelligence Surveillance Act of 1978, as amended (50 U.S.C. 1801 et seq.) (FISA), Executive Order 12333, or other applicable law or Presidential directive.

Sec. 3.  Signals Intelligence Redress Mechanism.

(a)  Purpose.  This section establishes a redress mechanism to review qualifying complaints transmitted by the appropriate public authority in a qualifying state concerning United States signals intelligence activities for any covered violation of United States law and, if necessary, appropriate remediation.

(b)  Process for submission of qualifying complaints.  Within 60 days of the date of this order, the Director, in consultation with the Attorney General and the heads of elements of the Intelligence Community that collect or handle personal information collected through signals intelligence, shall establish a process for the submission of qualifying complaints transmitted by the appropriate public authority in a qualifying state.   

(c)  Initial investigation of qualifying complaints by the CLPO.

(i)  Establishment.  The Director, in consultation with the Attorney General, shall establish a process that authorizes the CLPO to investigate, review, and, as necessary, order appropriate remediation for qualifying complaints.  This process shall govern how the CLPO will review qualifying complaints in a manner that protects classified or otherwise privileged or protected information and shall ensure, at a minimum, that for each qualifying complaint the CLPO shall:

(A)  review information necessary to investigate the qualifying complaint;

(B)  exercise its statutory and delegated authority to determine whether there was a covered violation by:

(i)  taking into account both relevant national security interests and applicable privacy protections;

(ii)  giving appropriate deference to any relevant determinations made by national security officials; and

(iii)  applying the law impartially;

(C)  determine the appropriate remediation for any covered violation; 

(D)  provide a classified report on information indicating a violation of any authority subject to the oversight of the Foreign Intelligence Surveillance Court (FISC) to the Assistant Attorney General for National Security, who shall report violations to the FISC in accordance with its rules of procedure;

(E)  after the review is completed, inform the complainant, through the appropriate public authority in a qualifying state and without confirming or denying that the complainant was subject to United States signals intelligence activities, that:

(1)  “the review either did not identify any covered violations or the Civil Liberties Protection Officer of the Office of the Director of National Intelligence issued a determination requiring appropriate remediation”;

(2)  the complainant or an element of the Intelligence Community may, as prescribed in the regulations issued by the Attorney General pursuant to section 3(d)(i) of this order, apply for review of the CLPO’s determinations by the Data Protection Review Court described in subsection (d) of this section; and

(3)  if either the complainant or an element of the Intelligence Community applies for review by the Data Protection Review Court, a special advocate will be selected by the Data Protection Review Court to advocate regarding the complainant’s interest in the matter;

(F)  maintain appropriate documentation of its review of the qualifying complaint and produce a classified decision explaining the basis for its factual findings, determination with respect to whether a covered violation occurred, and determination of the appropriate remediation in the event there was such a violation, consistent with its statutory and delegated authority;

(G)  prepare a classified ex parte record of review, which shall consist of the appropriate documentation of its review of the qualifying complaint and the classified decision described in subsection (c)(i)(F) of this section; and

(H)  provide any necessary support to the Data Protection Review Court.

(ii)  Binding effect.  Each element of the Intelligence Community, and each agency containing an element of the Intelligence Community, shall comply with any determination by the CLPO to undertake appropriate remediation pursuant to subsection (c)(i)(C) of this section, subject to any contrary determination by the Data Protection Review Court.

(iii)  Assistance.  Each element of the Intelligence Community shall provide the CLPO with access to information necessary to conduct the reviews described in subsection (c)(i) of this section, consistent with the protection of intelligence sources and methods, and shall not take any actions designed to impede or improperly influence the CLPO’s reviews.  Privacy and civil liberties officials within elements of the Intelligence Community shall also support the CLPO as it performs the reviews described in subsection (c)(i) of this section.

(iv)  Independence.  The Director shall not interfere with a review by the CLPO of a qualifying complaint under subsection (c)(i) of this section; nor shall the Director remove the CLPO for any actions taken pursuant to this order, except for instances of misconduct, malfeasance, breach of security, neglect of duty, or incapacity.

(d)  Data Protection Review Court.

(i)  Establishment.  The Attorney General is authorized to and shall establish a process to review determinations made by the CLPO under subsection (c)(i) of this section.  In exercising that authority, the Attorney General shall, within 60 days of the date of this order, promulgate regulations establishing a Data Protection Review Court to exercise the Attorney General’s authority to review such determinations.  These regulations shall, at a minimum, provide that:

(A)  The Attorney General, in consultation with the Secretary of Commerce, the Director, and the PCLOB, shall appoint individuals to serve as judges on the Data Protection Review Court, who shall be legal practitioners with appropriate experience in the fields of data privacy and national security law, giving weight to individuals with prior judicial experience, and who shall not be, at the time of their initial appointment, employees of the United States Government.  During their term of appointment on the Data Protection Review Court, such judges shall not have any official duties or employment within the United States Government other than their official duties and employment as judges on the Data Protection Review Court.

(B)  Upon receipt of an application for review filed by the complainant or an element of the Intelligence Community of a determination made by the CLPO under subsection (c) of this section, a three-judge panel of the Data Protection Review Court shall be convened to review the application.  Service on the Data Protection Review Court panel shall require that the judge hold the requisite security clearances to access classified national security information.

(C)  Upon being convened, the Data Protection Review Court panel shall select a special advocate through procedures prescribed in the Attorney General’s regulations.  The special advocate shall assist the panel in its consideration of the application for review, including by advocating regarding the complainant’s interest in the matter and ensuring that the Data Protection Review Court panel is well informed of the issues and the law with respect to the matter.  Service as a special advocate shall require that the special advocate hold the requisite security clearances to access classified national security information and to adhere to restrictions prescribed in the Attorney General’s regulations on communications with the complainant to ensure the protection of classified or otherwise privileged or protected information.

(D)  The Data Protection Review Court panel shall impartially review the determinations made by the CLPO with respect to whether a covered violation occurred and the appropriate remediation in the event there was such a violation.  The review shall be based at a minimum on the classified ex parte record of review described in subsection (c)(i)(F) of this section and information or submissions provided by the complainant, the special advocate, or an element of the Intelligence Community.  In reviewing determinations made by the CLPO, the Data Protection Review Court panel shall be guided by relevant decisions of the United States Supreme Court in the same way as are courts established under Article III of the United States Constitution, including those decisions regarding appropriate deference to relevant determinations of national security officials. 

(E)  In the event that the Data Protection Review Court panel disagrees with any of the CLPO’s determinations with respect to whether a covered violation occurred or the appropriate remediation in the event there was such a violation, the panel shall issue its own determinations.

(F)  The Data Protection Review Court panel shall provide a classified report on information indicating a violation of any authority subject to the oversight of the FISC to the Assistant Attorney General for National Security, who shall report violations to the FISC in accordance with its rules of procedure.

(G)  After the review is completed, the CLPO shall be informed of the Data Protection Review Court panel’s determinations through procedures prescribed by the Attorney General’s regulations.

(H)  After a review is completed in response to a complainant’s application for review, the Data Protection Review Court, through procedures prescribed by the Attorney General’s regulations, shall inform the complainant, through the appropriate public authority in a qualifying state and without confirming or denying that the complainant was subject to United States signals intelligence activities, that “the review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropriate remediation.”

(ii)  Binding effect.  Each element of the Intelligence Community, and each agency containing an element of the Intelligence Community, shall comply with any determination by a Data Protection Review Court panel to undertake appropriate remediation.

(iii)  Assistance.  Each element of the Intelligence Community shall provide the CLPO with access to information necessary to conduct the review described in subsection (d)(i) of this section, consistent with the protection of intelligence sources and methods, that a Data Protection Review Court panel requests from the CLPO and shall not take any actions for the purpose of impeding or improperly influencing a panel’s review.

(iv)  Independence.  The Attorney General shall not interfere with a review by a Data Protection Review Court panel of a determination the CLPO made regarding a qualifying complaint under subsection (c)(i) of this section; nor shall the Attorney General remove any judges appointed as provided in subsection (d)(i)(A) of this section, or remove any judge from service on a Data Protection Review Court panel, except for instances of misconduct, malfeasance, breach of security, neglect of duty, or incapacity, after taking due account of the standards in the Rules for Judicial-Conduct and Judicial-Disability Proceedings promulgated by the Judicial Conference of the United States pursuant to the Judicial Conduct and Disability Act (28 U.S.C. 351 et seq.).

(v)  Record of determinations.  For each qualifying complaint transmitted by the appropriate public authority in a qualifying state, the Secretary of Commerce shall:

(A)  maintain a record of the complainant who submitted such complaint;

(B)  not later than 5 years after the date of this order and no less than every 5 years thereafter, contact the relevant element or elements of the Intelligence Community regarding whether information pertaining to the review of such complaint by the CLPO has been declassified and whether information pertaining to the review of any application for review submitted to the Data Protection Review Court has been declassified, including whether an element of the Intelligence Community filed an application for review with the Data Protection Review Court; and

(C)  if informed that such information has been declassified, notify the complainant, through the appropriate public authority in a qualifying state, that information pertaining to the review of their complaint by the CLPO or to the review of any application for review submitted to the Data Protection Review Court may be available under applicable law.

(e)  Annual review by PCLOB of redress process.

(i)  Nature of review.  Consistent with applicable law, the PCLOB is encouraged to conduct an annual review of the processing of qualifying complaints by the redress mechanism established by section 3 of this order, including whether the CLPO and the Data Protection Review Court processed qualifying complaints in a timely manner; whether the CLPO and the Data Protection Review Court are obtaining full access to necessary information; whether the CLPO and the Data Protection Review Court are operating consistent with this order; whether the safeguards established by section 2 of this order are properly considered in the processes of the CLPO and the Data Protection Review Court; and whether the elements of the Intelligence Community have fully complied with determinations made by the CLPO and the Data Protection Review Court.

(ii)  Assistance.  The Attorney General, the CLPO, and the elements of the Intelligence Community shall provide the PCLOB with access to information necessary to conduct the review described in subsection (e)(i) of this section, consistent with the protection of intelligence sources and methods.

(iii)  Report and certification.  Within 30 days of completing any review described in subsection (e)(i) of this section, the PCLOB is encouraged to:

(A)  provide the President, the Attorney General, the Director, the heads of elements of the Intelligence Community, the CLPO, and the congressional intelligence committees with a classified report detailing the results of its review;

(B)  release to the public an unclassified version of the report; and

(C)  make an annual public certification as to whether the redress mechanism established pursuant to section 3 of this order is processing complaints consistent with this order.

(iv)  Consideration of review.  Within 180 days of receipt of any report by the PCLOB described in subsection (e)(iii)(A) of this section, the Attorney General, the Director, the heads of elements of the Intelligence Community, and the CLPO shall carefully consider and shall implement or otherwise address all recommendations contained in such report, consistent with applicable law.

     (f)  Designation of qualifying state.

(i)  To implement the redress mechanism established by section 3 of this order, the Attorney General is authorized to designate a country or regional economic integration organization as a qualifying state for purposes of the redress mechanism established pursuant to section 3 of this order, effective immediately or on a date specified by the Attorney General, if the Attorney General determines, in consultation with the Secretary of State, the Secretary of Commerce, and the Director, that:

(A)  the laws of the country, the regional economic integration organization, or the regional economic integration organization’s member countries require appropriate safeguards in the conduct of signals intelligence activities for United States persons’ personal information that is transferred from the United States to the territory of the country or a member country of the regional economic integration organization;

(B)  the country, the regional economic integration organization, or the regional economic integration organization’s member countries of the regional economic integration organization permit, or are anticipated to permit, the transfer of personal information for commercial purposes between the territory of that country or those member countries and the territory of the United States; and

(C)  such designation would advance the national interests of the United States.

(ii)  The Attorney General may revoke or amend such a designation, effective immediately or on a date specified by the Attorney General, if the Attorney General determines, in consultation with the Secretary of State, the Secretary of Commerce, and the Director, that:

(A)  the country, the regional economic integration organization, or the regional economic integration organization’s member countries do not provide appropriate safeguards in the conduct of signals intelligence activities for United States persons’ personal information that is transferred from the United States to the territory of the country or to a member country of the regional economic integration organization;

(B)  the country, the regional economic integration organization, or the regional economic integration organization’s member countries do not permit the transfer of personal information for commercial purposes between the territory of that country or those member countries and the territory of the United States; or

(C)  such designation is not in the national interests of the United States.

     Sec. 4.  Definitions.  For purposes of this order:

(a)  “Appropriate remediation” means lawful measures designed to fully redress an identified covered violation regarding a specific complainant and limited to measures designed to address that specific complainant’s complaint, taking into account the ways that a violation of the kind identified have customarily been addressed.  Such measures may include, depending on the specific covered violation at issue, curing through administrative measures violations found to have been procedural or technical errors relating to otherwise lawful access to or handling of data, terminating acquisition of data where collection is not lawfully authorized, deleting data that had been acquired without lawful authorization, deleting the results of inappropriately conducted queries of otherwise lawfully collected data, restricting access to lawfully collected data to those appropriately trained, or recalling intelligence reports containing data acquired without lawful authorization or that were otherwise disseminated in a manner inconsistent with United States law.  Appropriate remediation shall be narrowly tailored to redress the covered violation and to minimize adverse impacts on the operations of the Intelligence Community and the national security of the United States. 

(b)  “Bulk collection” means the authorized collection of large quantities of signals intelligence data that, due to technical or operational considerations, is acquired without the use of discriminants (for example, without the use of specific identifiers or selection terms).

(c)  “Counterintelligence” shall have the same meaning as it has in Executive Order 12333.

(d)  “Covered violation” means a violation that:

(i)    arises from signals intelligence activities conducted after the date of this order regarding data transferred to the United States from a qualifying state after the effective date of the Attorney General’s designation for such state, as provided in section 3(f)(i) of this order;

(ii)   adversely affects the complainant’s individual privacy and civil liberties interests; and

(iii)  violates one or more of the following:

(A)  the United States Constitution;

(B)  the applicable sections of FISA or any applicable FISC-approved procedures;

(C)  Executive Order 12333 or any applicable agency procedures pursuant to Executive Order 12333;

(D)  this order or any applicable agency policies and procedures issued or updated pursuant to this order (or the policies and procedures identified in section 2(c)(iv)(A) of this order before they are updated pursuant to section 2(c)(iv)(B) of this order);

(E)  any successor statute, order, policies, or procedures to those identified in section 4(d)(iii)(B)-(D) of this order; or

(F)  any other statute, order, policies, or procedures adopted after the date of this order that provides privacy and civil liberties safeguards with respect to United States signals intelligence activities within the scope of this order, as identified in a list published and updated by the Attorney General, in consultation with the Director of National Intelligence.

(e)  “Foreign intelligence” shall have the same meaning as it has in Executive Order 12333.

(f)  “Intelligence” shall have the same meaning as it has in Executive Order 12333.

(g)  “Intelligence Community” and “elements of the Intelligence Community” shall have the same meaning as they have in Executive Order 12333.

(h)  “National security” shall have the same meaning as it has in Executive Order 13526 of December 29, 2009 (Classified National Security Information).

(i)  “Non-United States person” means a person who is not a United States person.

(j)  “Personnel of the United States or of its allies or partners” means any current or former member of the Armed Forces of the United States, any current or former official of the United States Government, and any other person currently or formerly employed by or working on behalf of the United States Government, as well as any current or former member of the military, current or former official, or other person currently or formerly employed by or working on behalf of an ally or partner.

(k)  “Qualifying complaint” means a complaint, submitted in writing, that:

(i)    alleges a covered violation has occurred that pertains to personal information of or about the complainant, a natural person, reasonably believed to have been transferred to the United States from a qualifying state after the effective date of the Attorney General’s designation for such state, as provided in section 3(f)(i) of this order;

(ii)   includes the following basic information to enable a review:  information that forms the basis for alleging that a covered violation has occurred, which need not demonstrate that the complainant’s data has in fact been subject to United States signals intelligence activities; the nature of the relief sought; the specific means by which personal information of or about the complainant was believed to have been transmitted to the United States; the identities of the United States Government entities believed to be involved in the alleged violation (if known); and any other measures the complainant pursued to obtain the relief requested and the response received through those other measures;

(iii)  is not frivolous, vexatious, or made in bad faith;

(iv)   is brought on behalf of the complainant, acting on that person’s own behalf, and not as a representative of a governmental, nongovernmental, or intergovernmental organization; and

(v)    is transmitted by the appropriate public authority in a qualifying state, after it has verified the identity of the complainant and that the complaint satisfies the conditions of section 5(k)(i)-(iv) of this order.

(l)  “Significant incident of non-compliance” shall mean a systemic or intentional failure to comply with a principle, policy, or procedure of applicable United States law that could impugn the reputation or integrity of an element of the Intelligence Community or otherwise call into question the propriety of an Intelligence Community activity, including in light of any significant impact on the privacy and civil liberties interests of the person or persons concerned.

(m)  “United States person” shall have the same meaning as it has in Executive Order 12333.

(n)  “Validated intelligence priority” shall mean, for most United States signals intelligence collection activities, a priority validated under the process described in section 2(b)(iii) of this order; or, in narrow circumstances (for example, when such process cannot be carried out because of a need to address a new or evolving intelligence requirement), shall mean a priority set by the President or the head of an element of the Intelligence Community in accordance with the criteria described in section 2(b)(iii)(A)(1)-(3) of this order to the extent feasible.

(o)  “Weapons of mass destruction” shall have the same meaning as it has in Executive Order 13526.

     Sec. 5.  General Provisions.  (a)  Nothing in this order shall be construed to impair or otherwise affect:

(i)   the authority granted by law to an executive department, agency, or the head thereof; or

(ii)  the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.

(b)  This order shall be implemented consistent with applicable law, including orders of and procedures approved by the FISC, and subject to the availability of appropriations.

(c)  Nothing in this order precludes the application of more privacy-protective safeguards for United States signals intelligence activities that would apply in the absence of this order.  In the case of any conflict between this order and other applicable law, the more privacy-protective safeguards shall govern the conduct of signals intelligence activities, to the maximum extent allowed by law.

(d)  Nothing in this order prohibits elements of the Intelligence Community from disseminating information relating to a crime for law enforcement purposes; disseminating warnings of threats of killing, serious bodily injury, or kidnapping; disseminating cyber threat, incident, or intrusion response information; notifying victims or warning potential victims of crime; or complying with dissemination obligations required by statute, treaty, or court order, including orders of and procedures approved by the FISC or other court orders.

(e)  The collection, retention, and dissemination of information concerning United States persons is governed by multiple legal and policy requirements, such as those required by FISA and Executive Order 12333.  This order is not intended to alter the rules applicable to United States persons adopted pursuant to FISA, Executive Order 12333, or other applicable law.

(f)  This order shall apply to signals intelligence activities consistent with the scope of PPD-28’s application to such activities prior to PPD-28’s partial revocation by the national security memorandum issued concurrently with this order.  To implement this subsection, the head of each agency containing an element of the Intelligence Community, in consultation with the Attorney General and the Director, is hereby delegated the authority to issue guidance, which may be classified, as appropriate, as to the scope of application of this order with respect to the element or elements of the Intelligence Community within their agency.  The CLPO and the Data Protection Review Court, in carrying out the functions assigned to it under this order, shall treat such guidance as authoritative and binding.

(g)  Nothing in this order confers authority to declassify or disclose classified national security information except as authorized pursuant to Executive Order 13526 or any successor order.  Consistent with the requirements of Executive Order 13526, the CLPO, the Data Protection Review Court, and the special advocates shall not have authority to declassify classified national security information, nor shall they disclose any classified or otherwise privileged or protected information except to authorized and appropriately cleared individuals who have a need to know the information.     

(h)  This order creates an entitlement to submit qualifying complaints to the CLPO and to obtain review of the CLPO’s decisions by the Data Protection Review Court in accordance with the redress mechanism established in section 3 of this order.  This order is not intended to, and does not, create any other entitlement, right, or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.  This order is not intended to, and does not, modify the availability or scope of any judicial review of the decisions rendered through the redress mechanism, which is governed by existing law.


Survey finds 51% of respondents want stronger privacy laws. This tallies with overseas polls on privacy and data collection

October 4, 2022

The Guardian has published an Essential Poll finding that 51% of respondents support restrictions on the amount of personal information private companies can collect.  That tallies with a Pew Research Center finding in November 2019 that Americans were concerned about data collection.  The Australian Information Commissioner also published a survey of Australian Community Attitudes to Privacy in 2020.  EPIC also described a similar outcome from a poll by Morning Consult in 2021.

These findings are all consistent and hardly secret.  Similar polls have had similar findings for more than a decade.  It is governmental inertia that prevents anything from being done about the problem.

The Guardian article

Optus Data breach with Optus dragged to covering more costs and it becoming a mini political battle ground

October 2, 2022

Optus is very slowly applying the basic principles of a data breach response plan.  But grudgingly and so reluctantly that the benefits of having a plan are lost. It refused to provide any help initially to those affected, merely suggesting they get assistance from services it helpfully listed in its original letter.  That never works.  So it engaged Equifax to help “most affected customers.”  Still miserly.  It wasn’t candid about what personal information was compromised.  It failed to say that some Medicare numbers were part of the hacker’s haul.  That brought on a savage response from the Home Affairs Minister.

With Operation Guardian, the taskforce investigation by the Australian Federal Police to find the hacker, the focus has shifted ever so slightly away from the incredibly poor response to the data breach.  On 30 September Optus, the Australian Federal Police and other agencies and organisations issued a joint media release about the Optus data breach which states:

The AFP and state and territory police have set up Operation Guardian to supercharge the protection of more than 10,000 customers whose identification credentials have been unlawfully released online under the Optus data breach.

Customers affected by the breach will receive multi-jurisdictional and multi-layered protection from identity crime and financial fraud. The 10,000 individuals, who potentially had 100 points of identification released online, will be prioritised.

Optus data breach, the remediation and no shortage of continuing recrimination

September 28, 2022

Data breaches in other jurisdictions rarely have governments drawn into both the circumstances of the data breaches and the steps being taken to remedy them.  Usually regulators are the limit of governmental involvement.  There have been exceptions.  The Cambridge Analytica scandal involving Facebook attracted widespread condemnation from political parties across multiple jurisdictions.  But the Federal and now State Government’s involvement in the Optus Data Breach, both as critics and active participants, is unusual.  Probably because it is such a massive data breach and it involves a major telco.  Whether this is good practice remains to be seen.  The initial and ultimate responsibility for cyber security and remedying a data breach lies with the organisation itself.  The Federal Government has a critical role in ensuring there is the appropriate level of regulation and a regulator which is willing and able to enforce the laws.

The Australian reports in Scramble to save millions of Optus customers that Australians are in the dark about the security of their personal information and that governments and banks are working to protect them.  It reheats a story first run by the Guardian that Optus resisted any legislative change to the privacy laws.

The article

The cost of the Optus data breach being estimated. The bill will be large. IBM estimates that the average cost of remedying a data breach involving 1 – 10 million records is USD 49 million

September 26, 2022

Over the many years I have written about privacy and cyber security (as well as commercial and defamation law) I have never ceased to be amazed at how organisations blithely accept the risk of a data breach through poor privacy and cyber security practices, given the jaw-dropping costs of remediation after such a breach. Bringing in a range of experts to assess the damage, locate the cause of the breach, work with the regulators and then deal with litigation by those regulators or disgruntled customers can run up a cost of hundreds of thousands of dollars and often millions.

IBM’s Cost of a Data Breach Report for 2022 highlights the poor state of readiness of many companies with

The Optus data breach consequences. Reports of data being ransomed & Government’s first response

September 25, 2022

When hackers steal data they commonly do it for a reason.  The days of student hackers breaching cyber defences for the fun of it are long gone.  They were always more a product of Hollywood than reality, with some notable long-ago exceptions.  Similarly, white hat hackers don’t find vulnerabilities and then steal data.  They typically find the vulnerability and then notify the company.  The Optus breach is more in line with either criminals aiming to turn the product of their theft into money or state-based hackers whose aims and motivations are more complicated: disruption, obtaining intelligence on individuals, data to be used for identity theft and data to be combined with other data sets.  State-based actors take a much longer view than criminals. There is some evidence that the data, or at least some of it, is being offered for sale on the dark net.

The data breach story has now moved into its second phase, where interested parties use it to push their agendas.  The telcos are making it clear that their compliance obligations in retaining metadata are contributing to privacy breaches.  Doubtful.  Those obligations may add to compliance costs and they definitely make the consequences of a data breach more significant: so much more to steal (if not properly protected, that is).  But they do not weaken cyber security defences in and of themselves.  There is a real issue about excessive legal requirements to obtain and retain personal information.  The metadata retention laws require telcos to retain masses of data for longer than they need it, not to mention that these laws are a continuing pernicious blight on liberal democracy, giving agencies a right to access metadata without a warrant.  There is also the general preference of companies to collect and store more personal information than they need and for as long as they can, as the Age notes in an opinion piece, No, Optus doesn’t need to keep your sensitive information for so long.

But none of that is a cyber security issue, in the sense of protecting personal information from criminal actors. While there may be some regulatory overload on telcos, any sympathy must be tempered by the fact that cyber security is a separate issue. The protection of data (even data retained reluctantly) is possible with proper cyber security systems, proper protocols and adequate training.  None of which is in abundant supply.  Companies place too little emphasis on privacy and spend the bare minimum, often less. Unlike in the United States and the United Kingdom, data breaches in Australia do not bring a serious regulatory response by way of civil proceedings, fines or enforceable undertakings. If the worst case scenario from a data breach is a tepid and muted regulatory response and some reputational damage, what is the incentive for a company to seriously get its house in order?

According to the ABC the Government is going to legislate to require that financial institutions be notified of data breaches.  The Australian runs a similar story as well.  This is dealing with symptoms rather than problems and makes a complicated but ineffective privacy regime even more cumbersome.

The ABC story provides:

The Home Affairs Minister is soon expected to announce several new security measures following the massive Optus data breach that saw hackers steal the personal details of up to 9.8 million Australians.

On Saturday, Clare O’Neil and several of her federal ministerial colleagues met with the Australian Signals Directorate and the Cyber Security Centre to discuss the fallout from the devastating cyber-hack.

Under the changes to be announced in coming days, banks and other institutions would be informed much faster when a data breach occurs at a company like Optus, so personal data can’t be used to access accounts.

The ABC has been told the first step to occur will be directing Optus to hand over customer data to the banks so financial institutions can upgrade security and monitor customers who’ve had their personal details stolen.

The Optus breach, the consequences, the strong suggestion that human error contributed to Australia’s largest data breach and finally a letter to consumers!

September 24, 2022

Every data breach is different.  There are different types of attacks: through third-party vendors, stolen access credentials, zero-day vulnerabilities or a failure to patch cyber defences.  What has been released to the public is that there was a weakness in the firewall, a vague description that could mean almost anything.  What has not been made clear is what defences behind the firewall were in place and whether they were working.  Did Optus have programs running which detected unusual activity within the system?  What about defences protecting the data itself?  Was there any detection of exfiltration?  A sustained surge of requests pulling a large volume of customer records should be detected if monitoring is in place and proper procedures are followed.
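To make the last point concrete, here is an added example (not Optus’s code, and not a description of how the Optus breach was actually carried out) of the kind of exfiltration check the paragraph is asking about: a per-client rolling-window detector run over constructed API access log lines, flagging a client that exceeds a request budget, a byte budget, or a count of distinct customer records fetched in the window. The log format, the /api/customers/ endpoint, the client addresses and the thresholds are all assumptions made for the illustration.

```python
"""Added example: a simple exfiltration / bulk-enumeration detector run over
constructed API access log lines.  This is not Optus's code and does not
describe how the Optus breach happened; the log format, the /api/customers/
endpoint, the client addresses and the thresholds are all assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Assumed log line format (constructed for this example):
#   <ISO-8601 timestamp> <client ip> <method> <path> <status> <response bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


@dataclass
class Event:
    ts: datetime
    ip: str
    path: str
    status: int
    nbytes: int


@dataclass
class Alert:
    first_seen: datetime              # when the client first crossed a threshold
    reasons: set = field(default_factory=set)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["ip"], m["path"],
                 int(m["status"]), int(m["bytes"]))


def detect_exfiltration(lines, window=timedelta(minutes=5), max_requests=50,
                        max_bytes=200_000, max_distinct_records=40,
                        record_prefix="/api/customers/"):
    """Per-client rolling-window check over chronologically ordered log lines.

    A client is flagged when, inside any window, it exceeds the request budget,
    the byte budget, or the number of distinct customer records it has fetched
    (the signature of someone walking record IDs one after another).  Only
    successful responses count: failed requests move no data.
    """
    windows = defaultdict(deque)   # ip -> events still inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.status != 200:
            continue
        q = windows[ev.ip]
        q.append(ev)
        while ev.ts - q[0].ts > window:   # evict events that fell out of the window
            q.popleft()
        requests = len(q)
        total_bytes = sum(e.nbytes for e in q)
        distinct = len({e.path for e in q if e.path.startswith(record_prefix)})
        reasons = set()
        if requests > max_requests:
            reasons.add("requests")
        if total_bytes > max_bytes:
            reasons.add("bytes")
        if distinct > max_distinct_records:
            reasons.add("distinct_records")
        if reasons:
            alert = alerts.setdefault(ev.ip, Alert(first_seen=ev.ts))
            alert.reasons |= reasons
    return alerts


def sample_log_lines():
    """Constructed traffic: one client making a few ordinary lookups and one
    client walking sequential customer IDs every two seconds."""
    base = datetime(2022, 9, 21, 3, 0, 0)
    lines = []
    for i in range(5):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 GET /api/customers/{4200 + 37 * i} 200 3900")
    for i in range(60):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.9 GET /api/customers/{1000 + i} 200 4100")
    return sorted(lines)   # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    for ip, alert in detect_exfiltration(sample_log_lines()).items():
        print(f"{ip}: first crossed a threshold at {alert.first_seen.isoformat()}, "
              f"reasons={sorted(alert.reasons)}")
```

Two caveats a practitioner would add. First, the check is only as good as the logging that feeds it: if responses from the customer-record endpoint are not logged with a client identifier and a size, there is nothing to count. Second, the thresholds here are fixed for illustration; in production they would be baselined against observed normal traffic, and the enumeration signal (many distinct record paths from one client in a short window) is usually the earliest and least noisy of the three, which is why it fires first in the constructed sample.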

The breakdown of the breach, in broad terms, is:

  • passport numbers, driver’s licence numbers, phone numbers, email and home addresses and dates of birth of 2.8 million customers
  • dates of birth, email addresses and phone numbers of another 7 million customers.

Optus’s response to the data breach has been something of a curate’s egg; good in parts.

Optus has adopted a personal approach in response to the breach: a personal mea culpa by the Optus Chief Executive Kelly Bayer Rosmarin, as reported by the Australian in Optus chief Kelly Bayer Rosmarin apologises for massive hack that could date to 2017.  It provides:

Optus chief executive Kelly Bayer Rosmarin has delivered an emotional apology for the company’s data breach which has affected up to nine million of the telco’s customers.

Fronting the media on Friday Bayer Rosmarin was on the verge of tears when asked how she feels about the data breach occurring under her leadership.

It is understood personal details dating back to 2017, and with possible links to Europe, may have been accessed in the hacking attack.

“[I feel] terrible,” Ms Bayer Rosmarin told reporters.

“It’s a mix of emotions. Obviously, I’m angry, that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it. I’m disappointed that it undermines all the great work we’ve been doing to be a pioneer in this industry and really trying to create new and wonderful experiences for our customers.

The National Institute of Standards and Technology releases report on Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight: NIST IR 8286C

September 20, 2022

The National Institute of Standards and Technology (“NIST”) has released NIST Internal Report (IR) 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight.  It is a particularly useful and practical report.  In short compass it describes ways to combine risk information across an enterprise, so that cyber risk is integrated with other enterprise risks and can be properly weighed, decided upon and monitored.

The report describes how to build an enterprise risk profile (ERP) that supports the comparison and management of cyber risks alongside other risks.

The Abstract provides:

This document is the third in a series that supplements NIST Interagency/Internal Report (NISTIR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This series provides additional details regarding the enterprise application of cybersecurity risk information; the previous documents, NISTIRs 8286A and 8286B, provided details regarding stakeholder risk direction and methods for assessing and managing cybersecurity risk in light of enterprise objectives. NISTIR 8286C describes how information, as recorded in cybersecurity risk registers (CSRRs), may be integrated as part of a holistic approach to ensuring that risks to information and technology are properly considered for the enterprise risk portfolio. This cohesive understanding supports an enterprise risk register (ERR) and enterprise risk profile (ERP) that, in turn, support the achievement of enterprise objectives.

This guide is of particular use for privacy practitioners.  It discusses