Peter A Clarke

The Office of the Information Commissioner has released the latest Data Breach Report for the first half of 2023. It was a reduction over the previous 6 months.  It should be noted that there are usually more data breaches in the second half of a year. 

Some of the interesting points made in the report was:

• Health services continued to be the most affected by data breaches, with 63 notifications of the total of 409.
• 42% of the data breaches resulted from cyber security incidents
• 288 of of the attacks were malicious or criminal attack
• human error breaches were the fastest to be identified in 30 days or fewer. 

• 21 of the 23 breaches that affected over 5,000 Australians were caused by cyber incidents. Of these,

  • 7 were caused by ransomware,

  • 7 by compromised or stolen credentials ,

  • 4 by hacking and 1 each by brute-force attack, malware and phishing (compromised credentials).

  • 2 breaches that affected over 5,000 Australians in this period were caused by a rogue employee or insider threat and theft of paperwork or a data storage device.

• 87% of information affected was contact information, such as an individual’s name, home address, phone number or email address.
• in 78% of cases the breaches were identified in 30 days or less.

The media release provides:

The need for organisations to strengthen data security and promptly respond to suspected breaches is highlighted in the latest Notifiable data breaches report, released today.

The Office of the Australian Information Commissioner (OAIC) expects organisations to have robust and proactive procedures in place to protect the personal information they hold, Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” Commissioner Falk said.

“In the event of an incident such as a cyber-attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected.”

The Notifiable Data Breaches scheme aims to protect individuals by requiring that they are notified when they are at likely risk of serious harm from a data breach. Read the rest of this entry »

As they say, “you couldn’t make this up.” The Office of the Australian Information Commissioner has suffered a data breach according to the Australian’s Peak privacy agency the latest to fall victim to Russia-linked cybercrime gang through the hacking of of HWL Ebsworth’s website. The regulator has regularly engaged HWL Ebsworth to provide legal services. That entails providing information for use by the law firm. And it is at least some of the information that has been compromised. While the Commissioner cannot be blamed for providing information to its trusted legal advisor it might be interesting to know whether the Commissioner enquired of HWL Ebsworth the privacy training it did of its staff and the state of security of documents it held under its control. Normally a victim’s answers to such questions are unsatisfactory. The Commissioner is being tight lipped in its initial response. The concession was made that if personal information collected was compromised then those persons would be notified.

This must be mortifying for the Commissioner. 

At some point the Commissioner would need to provide more than guarded comments. There is a question of making the public trust the integrity Read the rest of this entry »

In late April Russian hackers successfully launched a ransomware attack against HWL Ebsworth, a national Australian law firm. On 30 April it made demand for a ransom. The ALPHV/Blackcat ransomware group posted on its website that 4 tera bytes of data had been hacked. The contents included employee CVs, IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map. As has become usual the firm responded to enquiries by stating that it had contacted the Australian Cyber Security Centre and will work with them. Further details were scarce. Nothing unusual in that. It has become a standard deflector shield against further enquiry.

That was in early May. But ransomware hackers don’t really care about what their victims say. Particularly hackers as effective as BlackCat. On 11 May the Australian Financial Review reported that the Ebsworth data was posted on BlackCat’s site on the dark web. The AFR also reported that clients, including the Commonwealth Bank, La Trobe Financial and ING Bank, had removed their files from the firm. Given the likely entry point for the hackers was via an email received on a staff member’s personal device this is a massive loss of billings and reputation for what was likely a preventable data breach. Human error is the cause of a vast majority of data breaches. And that human error is often caused by poor training and supervision. The fact that the firm only became aware of the hack when the hackers advised of the theft of data points to poor internal security. That 4 terabytes of data could be exfiltrated from various data banks of the firm points to no or inadequate programs to monitor and respond to unusual movements of data. Given that HWL Ebsworth is the largest firm by partner size that is quite extraordinary.

On 9 June the ABC reported that BlackCat had published published 1.45 terabytes of data on the dark web with a statement “ENJOY”. That happened after the demand for ransom payment within 10 days expired without any payment being forthcoming. As the ABC article makes clear the impact of the data breach goes beyond impact of personal information of staff and financial records.  It goes to personal information and other sensitive material belonging to clients such as government agencies and commercial institutions.  That leads to them having to take proactive measures to determine the extent of the loss of their data and what steps they need to take to advise their clients or other persons.  Law firms such as HWL Ebsworth hold masses of sensitive and personal information belonging to clients. The Tasmanian Government has reported suffering a possible data breach linked to the attack on HWL Ebsworth.

Given the nature of the data breach HWL Ebsworth’s focus is on dealing with clients whose clients or employees may have been affected rather than a broad notice to a set group of people.  That has been the tenor of its response to enquiries.  While that is understandable HWL Ebsworth has maintained a very restrained response.  As overseas experience and the Optus and Medibank data breaches attest that is not generally a good strategy.  Clearly given constraints on confidentiality apply however a broader explanation is often better than bromides, which is the nub of the response to date.  Given BlackCat has not finished with HWL Ebsworth it Read the rest of this entry »

Chapter 5 of the Report is devoted to amending the powers in the Privacy Act relating to developing APP Codes and Emergency Declarations. The focus is quite narrow and technical. The amendments should not be controversial given the nature of the changes are build on what is already in the Privacy Act. There are relatively few APP Codes and the Emergency Declarations thankfully do not commonly arise.

The Act sets out a process for making APP codes in which the Commissioner identifies code developers and registers codes developed by them.  An ‘APP code developer’ is any of an APP entity, a group of APP entities, or an association or body representing one or more APP entities.  Currently the Commissioner is only permitted to make an APP code if a code developer has been requested to make a code by the Commissioner and has not complied with the request/  the Commissioner does not to register a proposed code.

The Report proposes to give the Commissioner more power and flexibility in developing Codes.  To that end the Report recommends that the Commissioner be given  additional power to make an APP code on the direction or approval of the Attorney?General:

• where it is in the public interest for a code to be developed, and
• where there is unlikely to be an appropriate industry representative to develop the code.

An APP code could be made in the absence of a suitable industry code developer.

The process would not be unfettered. A code Read the rest of this entry »

The latest data breach notification report, covering the period July – December 2022, covers a period where both Optus and Medibank were the subject of cyber attacks resulting in millions of documents being compromised, almost 10 million for Optus and 9.7 million records for Medibank. In this period there were other significant data breaches which skewed the records. But these figures are still a significant under reporting of the actual number of data breaches that occurred in Australia in this period.  These figures in no way correlate to overseas experience in similar environments. significant under reporting. For example in January 2023 alone there were estimated to be 277,618,767 records compromised in 104 publicly disclosed security incidents.

Some interesting facts from the Report include:

• there were 497 notifications, a 26% increase;
• health again leads the number of notifications with 71 out of hte 497 notifications;
• malicious or criminal attacks were responsible for 70% of the breaches;
• there were 5 breaches affecting 1 – 10 million individuals;
• there was one breach involving more than 10 million;
• in terms of cyber attacks the leading type of attack was ransomware, at 29%
• in January – June 2022 there were 24 data breaches affecting more than 5,000 Australians.  In the July – December half year there were 40 breaches affecting more than 5,000; 
• while 77% of breaches were identified within 30 days 6% took between 4 – 12 months and 5% took more than a year;
• the top cause of human error breaches was personal information sent to a wrong recipient, at 42%.

The report provides:

Executive summary

The NDB scheme was established in February 2018 to drive better security standards and accountability for protecting personal information and improve consumer protection. Under the scheme, any organisation or government agency covered by the Privacy Act 1988 that experiences an eligible data breach must notify affected individuals and the OAIC. Read the rest of this entry »

The Marriot Hotel entered into an enforceable undertaking with the Australian Privacy Commissioner for a data breach arising out of breaches between 2015 – 2018. I have posted on those breaches and the regulatory action taken by the UK Information Commissioner here, here, here and here. Worldwide the breaches affected the personal information of 339 million individuals. In Australia the records of 2.2 million were compromised. The Marriot Breach highlighted poor data security practices, with the breach occurring over a 3 year period, and the challenges of legacy IT issues. All too often IT systems are cobbled together and not properly maintained.

The enforceable undertaking is operable for 5 years.  Compared to agreements in the United States between the Federal Trade Commission and organisations for similar transgressions, that is a short time frame.  It is not uncommon for the FTC to enter into 20 year agreements.  This enforceable undertaking is more robust than the previous few enforceable undertakings the Commissioner has entered into however it is not as stringent as those imposed in the United States. In the United States such agreements usually incorporate a very significant fine.  Given the legislation in Australia that was not possible.

Some of the relevant matters of note from the enforceable undertaking Read the rest of this entry »

The High Court today revoked Facebook’s special leave application. The transcript is not available yet and reasons have not been published but the key argument for this volte face was a change to the Federal Court Rules on overseas service.

The Information Commissioner released a media release providing:

The Office of the Australian Information Commissioner (OAIC) today welcomed the Full Court of the High Court of Australia’s decision to revoke Facebook Inc’s special leave to appeal to the High Court.

The High Court granted the Commissioner’s application to revoke special leave due to a change in the Federal Court Rules in relation to overseas service.

This clears the way for proceedings to return to the Federal Court. The substantive proceeding seeking civil penalties against Facebook Ireland and Facebook Inc over the Cambridge Analytica matter will now progress.

“Today’s decision is an important step in ensuring that global digital platforms can be held to account when handling the personal information of Australians,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“Entities operating in Australia are accountable for breaches of Australian privacy law, and must ensure that their operations in Australia comply with that law,” Commissioner Falk said.

Background

On 9 March 2020, the Commissioner lodged proceedings against US-based Facebook Inc and Facebook Ireland (collectively, Facebook) in the Federal Court, alleging the social media platform had committed serious and/or repeated interferences with privacy in contravention of Australian privacy law.

The Commissioner alleges that from 12 March 2014 to 1 May 2015: Read the rest of this entry »

The Australian Information Commissioner chose a tough nut to crack when it chose to use for the first time its civil penalty powers against Facebook arising out of the use of personal information by Cambridge Analytica.  The Information Commissioner was late in bringing enforcement action against Facebook, The Facebook disclosed personal information to Cambridge Analystica between March 2014 and May 2015.  The Commissioner opened an investigation in April 2018 and commenced proceedings on 9 March 2020.  By then the FTC, on 24 July 2019 imposed a $ 5 billion penalty on Facebook while the UK Information Commissioner imposed a £500,00 fine on Faceook on 30 October 2019. 

On 9 April 2020 the Information Commissioner sought under rule and rule 10.43(2) leave to serve documents on Facebook, Inc. and Facebook Ireland in accordance with art 5 of Hague  Convention by substituted service. On 22 April 2020 His Honour Justice Thawley  made orders  that the Commissioner be granted leave to serve the documents in the United States of America. On 6 May 2020 Facebook Inc by interlocutory application sought to set aside those orders. Thawley J dismissed the application on 14 September 2020 and Facebook appealed that decision on 28 September 2020 to the Full Court of the Federal Court. 

The Full Court dismissed the appeal on 7 February 2022. On 16 September 2022 the High Court granted Facebook leave to appeal. It has been a long road, almost 3 years since commencing proceeding. And the case has barely begun.

The issue before the High Court is whether under Rule 10.43 of Federal Court Rules 2011 whether the Information Commissioner was successful in establishing prima facie case on application to serve appellant out of jurisdiction and whether Facebook “carr[ied] on business in Australia” within meaning of 5B(3)(b) of Privacy Act and whether it “collected… personal information in Australia” within meaning of s 5B(3)(c) of Privacy Act.

The Appellants and First Respondent filed detailed and densely argued submissions which will not be recited at length here.  It is however worth noting a number of points raised.

Facebook submits that:

• the issues are:

(a) Can a foreign corporation “carry on business” in Australia (within the meaning of s 5B(3)(b) of the Privacy Act 1988 (Cth) (the Act)) if it has no commercial activities or other recognised indicia of carrying on business in this country? Appellant contents that hte answer is“no”.
(b) Does the requirement of a “prima facie case” in r 10.43(4)(c) of the Federal Court Rules 2011 (Cth) (Rules) require evidence that could itself Read the rest of this entry »

Today the Information Commissioner released the latest Notifiable Data Breach report.

It makes for grim reading. The key findings are:

• 497 breaches were notified compared with 393 in January to June 2022 – a 26% increase.
• There was a 41% increase in data breaches resulting from malicious or criminal attacks. Malicious or criminal attacks accounted for 350 notifications – 70% of all notifications.
• Human error was the cause of 123 notifications (25% of all notifications), down 5% in number from 129.
• Health reported the most breaches (71), followed by finance (68). That the health sector provides the greatest number of breaches is no surprise.
• Contact information remains the most common type of personal information involved in breaches.
• The majority (88%) of breaches affected 5,000 individuals or fewer.
• 71% of entities notified the OAIC within 30 days of becoming aware of an incident. This is quite an indictment on compliance. Almost 30% of entities did not notify the OAIC within the statutory maximum of 30 days. That bespeaks poor culture.

The Commissioner’s media release provides:

Several large-scale data breaches impacted millions of Australians’ personal information in the second half of 2022, as part of a 26% increase in breaches overall, according to the latest Notifiable data breaches report released today.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said cyber security incidents in particular can have significant impacts on individuals, and organisations need to be alert to the risks.

“We saw a significant increase in data breaches that impacted a larger number of Australians in the second half of 2022,” she said.

“Cyber security incidents continue to have a significant impact on the community and were the cause of the majority of large-scale breaches.”

Thirty-three of the 40 breaches that affected over 5,000 Australians were the result of cyber security incidents.

“Organisations should take appropriate and proactive steps to protect against and respond to a range of cyber threats,” Commissioner Falk said.

“This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed.”

Commissioner Falk said organisations need to be vigilant as large-scale compromises of personal information may lead to further attacks.

“As personal information becomes increasingly available to malicious actors through breaches, the likelihood of other attacks, such as targeted social engineering, impersonation fraud and scams, can increase.

“Organisations need to be on the front foot and have robust controls, such as fraud detection processes, in place to minimise the risk of further harm to individuals,” she said.

The Office of the Australian Information Commissioner has clear expectations of best practice with regard to data breach preparation and response, to ensure individuals are protected from harm.

“In response to a breach, organisations need to provide information to individuals that is timely and accurate.

“As well as setting out the kinds of information breached, the notification must include recommendations about clear steps people should take in response,” said Commissioner Falk.

The reporting period also saw the enactment of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. Among other things, the Act:

• • provides the Commissioner with new and greater powers to share information with other authorities about data breaches
  • provides the Commissioner with a new power to obtain information and documents relevant to an actual or suspected eligible data breach
  • enables the Commissioner to conduct an assessment of the ability of an entity to comply with the Notifiable Data Breaches scheme, including the extent to which the entity has processes and procedures in place to assess suspected eligible data breaches, and provide notice to the Commissioner and individuals at risk from such breaches
  • significantly increases penalties for serious or repeated privacy breaches, which includes non-compliance with the Notifiable Data Breaches scheme.

“While we will continue to work with organisations to facilitate voluntary compliance, we will use these regulatory powers where required to ensure compliance with the Notifiable Data Breaches scheme,” said Commissioner Falk.

“We also welcome the further proposals to strengthen the Notifiable Data Breaches scheme in the Attorney-General’s Department’s Privacy Act review report.”

The Report provides:

Notifications received July to December 2022 – All sectors

The OAIC received 497 notifications this reporting period – a 26% increase compared with January to June 2022. Read the rest of this entry »

The Privacy Act 1988 remains a very flawed piece of legislation.  Until 2014 there was no serious enforcement provisions available to the Commissioner.  The insertion of section 13G permitted the Commissioner to commence civil penalty proceedings for serious or repeated inferences with privacy.  Since 2014 there has been no civil proceeding prosecution commenced and brought to resolution.  Not one in 8 years. The Information Commissioner commenced a proceeding under section 13G against Facebook in 2020 arising out of the alleged misuse of data by Cambridge Analytica which is slowly working its way through the Federal court system .The US and UK have long finished litigation against Facebook in relation to the same issue and similar facts.

Not surprisingly the Commissioner has welcomed the passage of the amendments.  It will provide the Commissione with significantly more powers and more effective and efficient enforcement options. She can issue penalties.  That is more in line with the Monetary Penalty Notices that the UK Information Commissioner has been issuing for years.   A safe assumption is that the Commissioner will be more assertive and high profile in using these powers.  There is a long overdue need for a change of culture by those who collect personal information.  The Commissioner states that she hopes that the increased penalties will help incentivise compliance.  Without some high profile cases occurring that is unlikely to be the case.  The market has factored in the Commissioner being timid and more interested in talking compliance rather than taking enforcement action.

The Commissioner’s media release provides:

The Office of the Australian Information Commissioner (OAIC) welcomes the passing of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which enhances the OAIC’s ability to regulate in line with community expectations and protect Australians’ privacy in the digital environment.

The Bill introduces significantly increased penalties for serious and or repeated privacy breaches and greater powers for the OAIC to resolve breaches.

“The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said. Read the rest of this entry »