Peter A Clarke

The repetition of tens of millions of records being breached each month can have a numbing effect and can lead the reader to be either blase or resigned (they are different) to each installment.  It can lead to the wrong attitude that data breaches are inevitable.  That old saw is relied on by organisations who don’t like regulation or being made to pay more attention to data security.

It governance has compiled its list of data breaches for August and calculated that 97, 456,345 records were breached in 112 publicly disclosed incidents. The reference to public disclosure is important.  There is significant under reporting.  Later disclosures by affected organisations and breaches being discovered by third parties (including hackers) provide ample evidence that some organisations try to avoid disclosing breaches when they think they can get away with it. Further, in many cases while the data breach can be established organisations are reluctant to provide information of how many records have been accessed.  That makes getting a complete figure a difficult proposition.

For August some of the data breaches:

• the University of Kashmir has suffered a data breach which has resulted in the personal information of a million current and former students being offered for sale online.
• according to a notification to the Maine Attorney General Nelnet Servicing has suffered a data breach affecting the personal information of 2,501.324 which was discovered on 17 August.  Nelnet Servicing  provides technology services to EdFinancial and OSLA, including portals that student loan borrowers use to create and access their student loan accounts.
• Practice Resources, LLC notified the California Attorney General’s Office that it had been the victim of a ransomware attack.  It also notified 942,138 patients affected by the breach.
• EmergOrtho has suffered a data breach which according to its filings with the Department of Health and Human Services affected 68,661 individuals.
• Hjedd, a Chinese adult content provider has leaked 14 million user accounts, 24G of files.

Read the rest of this entry »

Given the derth of detailed specialist guidelines from Australian regulators regarding the cyber risk it is useful to review what is being done overseas.  In July the Office of the Superintendent of Financial Institutions released guidelines for technology and cyber risk.

The media release provides:

Today, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13. This guideline sets out OSFI’s expectations for how federally regulated financial institutions (FRFIs) should manage technology and cyber risks such as data breaches, technology outages and more.

The widespread use of technology and the growing rate of cyber incidents has created an urgent need for enhanced regulatory guidance to FRFIs on technology and cyber risk management. OSFI’s final Guideline B-13 provides that guidance, while allowing FRFIs to compete effectively and take full advantage of digital innovation.

The Guideline is organized around three “domains,” each of which sets out key components for sound risk management: Governance and Risk Management, Technology Operations and Resilience, and Cyber Security. In turn, each of these domains includes a desired outcome aimed at helping FRFIs understand OSFI’s expectations, focusing on the “why” and “to what end” of technology and cyber risk management.

The final Guideline B-13 will be effective as of January 1, 2024, to provide financial institutions sufficient time to self-assess and ensure compliance with this new guideline.

Quote

“With today’s release of final Guideline B-13, OSFI has crafted a flexible, principles-based approach towards managing technology and cyber risk that takes into consideration the size, nature, scope and complexity of financial institutions.”

– Jamey Hubbs, Vice-Superintendent

Quick facts

• • Final Guideline B-13 is the product of extensive consultation with industry, starting with the September 2020 publication of a discussion paper and a consultation period from September to December 2020. Following the release of OSFI’s draft Guideline B-13 in November 2021, OSFI further consulted on its proposed guidance regarding technology and cyber risk from November 2021 to February 2022. The final Guideline B-13 published today is the result of that process.
  • Compared with the draft consultation version, the final Guideline B-13 is more streamlined and less prescriptive with clearer definitions and expectations.
  • Guideline B-13 is complemented by OSFI’s existing guidance and tools, including the Corporate Governance Guideline, Guideline E?21 (Operational Risk Management), the revised draft Guideline B?10 (Third-Party Risk Management), the Technology and Cyber Security Incident Reporting Advisory and the Cyber Security Self-Assessment tool.

The guideline relevantly Read the rest of this entry »

The US Federal Trade Commission (the “FTC”), as close as the US gets to a privacy regulator, has announced an inquiry into the use of surveillance in a commercial context.  It is wide ranging, covering cookies.

The FTC first announced the Proposed Rule Making on Commercial Surveillance on 11 August with FTC Explores Rules Cracking Down on Commercial Surveillance and Lax Data Security Practices which provides:

The Federal Trade Commission today announced it is exploring rules to crack down on harmful commercial surveillance and lax data security. Commercial surveillance is the business of collecting, analyzing, and profiting from information about people. Mass surveillance has heightened the risks and stakes of data breaches, deception, manipulation, and other abuses. The FTC’s Advance Notice of Proposed Rulemaking seeks public comment on the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.

“Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts,” said FTC Chair Lina M. Khan. “The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent. Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like.” Read the rest of this entry »

The US National Institute of Standards and Technology (the “NIST”) has released a guide to a secure Enterprise Network Landscape.

The Guide to a Secure Enterprise Network Landscape is designed to provide guidance for navigating the current enterprise network landscape. It examines the security limitations of current network access solutions and point security solutions through traditional appliances with enhanced security features. It also considers new appliances, emerging network configurations, frameworks that incorporate the configurations, and cloud-based wide area network (WAN) services with integrated security infrastructures. The guide considers the following security impacts:

• disappearance of the concept of a perimeter associated with the enterprise network;
• an increase in attack surface due to the sheer multiplicity of IT resource components; and
• sophistication of the attackers in their ability to escalate attacks across several network boundaries leveraging the connectivity features.

Specific areas addressed in the Guide include:

• Feature enhancements to traditional network security appliances
• Secure enterprise networking configurations fs
• Security frameworks that integrate individual network configurations
• Evolving wide area network (WAN) infrastructure that provides a comprehensive set of security services

The abstract Read the rest of this entry »

The impact of data breaches cannot be underestimated.  Many, if not most, businesses and organisations store their data on computers which are connected with the internet.  For the service industry that usually means personal information.  Masses of it.  And the health sector is a prime target for cyber attacks because health service providers collect a vast amount of personal information and types of information which may be used for identity theft and other forms of fraud.  Unfortunately the health sector is also prone to poor cyber security practices. This is highlighted in Cyber Incident Cost $100 Million, Tenet Healthcare Reports.  That is a significant cost but not a record by current standards. 

Tenet’s data breach is not an isolated incident by any stretch.  In June and July there have been the following breaches of health care providers:

• Avamere Health Services suffered intermittent unauthorized network access between January 19, 2022 and March 17, 2022. A total of 380,984 patient records were affected and notified. The personal information involved were names, addresses, dates of birth, driver’s license or state identification numbers, Social Security numbers, claims information, financial account numbers, medications information, lab results, and medical diagnosis/conditions information.
• The City of Newport suffered a data breach on June 8, 2022 and June 9, 2022 involving records of city employees.
• in the Canadian province of Newfoundland and Labrador Eastern Health suffered a data breach  resulting in a privacy breach notification sent to 37,800.  That equates to one out of every 13 people in the province.

• Feelyou a journaling and social mood tracking app had a flaw whereby anyone could obtain the personal email addresses of users and link them to anonymous posts by simply accessing the app’s GraphQL application programming interface (API), which did not require any authentication to do so. This affected 70,000 personal emails.

Read the rest of this entry »

Choice has formally complained to the Australian Information Commissioner about the use of Facial Recognition by Kmart, Bunnings and the Good Guys.  Itnews has covered the story in Australian retailers named in facial recognition complaint. 

Choice’s announced the complaint by media release which provides:

CHOICE has asked the Office of the Australian Information Commissioner to investigate Kmart, Bunnings and The Good Guys for potential breaches of the Privacy Act (1988). CHOICE is concerned that the retailers’ practices related to their use of facial recognition technology pose significant risks to individuals. The social and economic risks include invasion of privacy, misidentification, discrimination, profiling and exclusion, as well as vulnerability to cybercrime through data breaches and identity theft.

Key issues

CHOICE has concerns with the retailers’ practices for two main reasons:

1. 1. Lack of notice and consent in the collection of sensitive information. The retailers’ use of online privacy policies and small signage in store as the key mechanisms to provide notice and obtain consent from individuals about the collection of their sensitive information is insufficient and non-compliant.
   2. The stated business purpose is disproportionate to the privacy harms posed to individuals. The retailers’ large scale collection and use of their customers’ sensitive information significantly invades the privacy of its customers. It is a disproportionate response to the risk of theft and anti-social behaviour in stores.

Choice has also made public the 16 page formal complaint.  It is comprehensive and refers to the Determination by the Information Commission against Clearview AI (Commissioner initiated investigation into Clearview AI, Inc. [2021] AICmr 54).  It is quite an impressive document. 

Choice alleges that the Kmart, Bunnings and the Good Guys breach the following Australian Privacy Principles (APPs):

APP 1.3 – have a clearly expressed and up-to-date APP Privacy Policy about how the
entity manages personal information;
? APP 3.3(a)(ii) – only collect ‘sensitive information’ where it is reasonably necessary;
? APP 3.3(a) – only collect ‘sensitive information’ with consent;
? APP 3.5 – only collect personal information by lawful and fair means; and
? APP 5.1 – take reasonable steps to notify an individual of the APP 5 matters or to
ensure the individual is aware of those matters.

As a prelude to the publishing its findings Choice undertook a survey of 1000 Australians about their awareness of facial recognition technology and found:

• 76% of respondents didn’t know retailers were using facial recognition.
• 83% of respondents think retail stores should be required to inform customers about the
  use of facial recognition before they enter the store.
• 78% expressed concern about the secure storage of faceprint data.
• 65% are concerned about stores using the technology to create profiles of customers
  that could cause them harm.

That is a very clever move.

Regarding the potential breaches :

APP1

Choice argues

• retailers’ privacy policies (Appendix B) do not clearly express how the entities manage personal, including sensitive, information obtained through use of facial recognition technologies
• retailers were not forthcoming on how they manage sensitive information obtained through facial recognition technologies. There is a reluctance by the retailers to be clear, transparent and upfront about their privacy practices

Read the rest of this entry »

The National Institute of Standards Technology (“NIST”) has released a very interesting Discussion Easy titled Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity  and Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity as a prelude to a seminar, that took place on 22 June 2022.

The abstract provides:

Abstract

Some of the interesting issues Read the rest of this entry »

After Choice’s comprehensive report, the firestorm of media coverage and obstinate response by Bunnings it was always a strong possibility that the Information Commissioner would look at the material Choice collected.  Given the Commissioner’s findings against 7 Eleven’s use of facial recognition technology Bunnings et al may have some difficulties because they adopted wheezes to supposedly comply with the Privacy Act which were rejected by the Information Commissioner.  Such problematical Read the rest of this entry »

The Choice story regarding some of our biggest retailers using facial recognition in their stores continues to attract media coverage.  As well it should.  The ABC has undertaken a broad brush review, Renewed calls for national guidelines on using facial recognition technology after CHOICE investigation, regarding the science of facial recognition and the legal regulation, or more accurately the lack thereof. The Conversation weighs in for some analysis with Bunnings, Kmart and The Good Guys say they use facial recognition for ‘loss prevention’. An expert explains what it might mean for you.

The Oz with Faceprint technology: Kmart, Bunnings and The Good Guys are scanning customers’ faces in stores reports on the (usual) call for Federal Government action to ban facial recognition.  Bunnings has decided to join the fray and attack the Choice article stating:

We are disappointed by CHOICE’s inaccurate characterisation of Bunnings’ use of facial recognition technology in selected stores. This technology is used solely to keep team and customers safe and prevent unlawful activity in our stores, which is consistent with the Privacy Act.
In recent years, we’ve seen an increase in the number of challenging interactions our team have had to handle in our stores and this technology is an important tool in helping us to prevent repeat abuse and threatening behaviour towards our team and customers.
There are strict controls around the use of the technology which can only be accessed by specially trained team. This technology is not used for marketing, consumer behaviour tracking, and images of children are never enrolled.
We let customers know if the technology is in use through signage at our store entrances and also in our privacy policy, which is available via the homepage of our website.

It is a wholly unconvincing defence of the facial technology and proper notice of the use of the facial recognition technology. It is a weak defence because:

• What is the safety issue? It is not terrorism or armed robberty? It is challenging interactions which constitutes abuse and “threatening behaviour”.  What exactly does challenging interactions mean.  These terms have been misused on occasion by organisations and government to extend to dissent or disagreement of any form.  If it is arguments at the check out why is it necessary to obtain facial recognition data of all individuals.  With these interactions why isn’t it sufficient to take a picture of the malefactor using a camera or smartphone and then use that as a resource to enforce a banning order, if that is what is anticipated. 
• What is the threshold for the use of the facial recognition?  A prior argument or what?  It is all very vague.  
•  how is the technology being used to keep team and customers people safe? If a small proportion of individuals cause a problem how does that justify the hoovering up of thousands of images.  
• how long are the images kept for?  Are they being distributed throughout all Bunnings Stores?  Are they provided to Bunnings staff for delivery purposes?  It is possible for a customer who engages in “challenging interactions” to order on line and have products delivered.
• what are strict controls regarding the use of the technology.  It is a statement that means nothing.,  What is the special training that the team receive before they can access the technology. 
• how does the Bunnings screen out children?  What is the age cut off?  How is that determined?  By an algorithm or a specially trained staff. 
• the notice to the customers is a joke.  The signage at the store entrance is in small print.  Nothing is done to bring that to the customers attention.  Similarly burying reference to it in the privacy policy is unsatisfactory, as the Information Commissioner found with 7 Eleven’s notice on web site.  How Bunnings can rely on this argument given the Commissioner’s findings last year is quite extraordinary. 

Read the rest of this entry »

The Rand Corporation has produced an excellent paper America’s 5G Era Balancing Big Data and Privacy which highlights the threat to privacy with the introduction of 5G.

The brief summary provides:

Key Findings

Recommendation

It is a very thoughtful and quite complex report.  Some of the more detailed comments Read the rest of this entry »