August 3, 2014
In the new world of privacy regulation and enforcement in Australia the issue of cyber security (APP 11 under the Privacy Act 1988) goes further than maintaining adequate firewalls, passwords and anti-virus software. How data is stored, and how personal information is secured behind the outer defences of an organisation's internet-facing systems, can be as important as those defences themselves. The law of averages suggests that at some stage an organisation which is a tempting target for cyber criminals will find its defences breached, whether by a hack or by social engineering. The issue then is whether data is encrypted, whether personal information is stored in such a way that an opportunistic thief finds it difficult to match records to individuals, and whether there are systems in place to detect unauthorised access. In many organisations those issues are rarely considered, let alone properly implemented. In Australia there is no mandatory data breach notification regime. That lets organisations avoid making potentially embarrassing disclosures and gives a false sense of a problem which, if overseas experience is any judge, is quite significant. It also contributes to laxity by organisations in properly protecting themselves and, more particularly, the personal information of the clients they hold. Read the rest of this entry »
Posted in Privacy | 1 Comment »
Ad hocracy is the watchword when it comes to regulation of drones. The LA Times story LAPD seeks to limit civilian drone flights over police stations bears this out. An operator guides a drone over a police station, takes video of police cars coming and going and posts what must be interminably boring footage on YouTube. Not surprisingly the Read the rest of this entry »
Posted in Privacy | 1 Comment »
The roll-out of Multipath TCP (MPTCP) highlights the dilemma with new technology: the benefits of a new and far more effective means of keeping internet sessions alive come with security and privacy weaknesses. According to Multipath TCP Introduces Security Blind Spot there are real dangers of MPTCP outpacing security programs and protocols: a firewall or intrusion detection system that inspects one path sees only a fragment of a session spread across several. That poses significant problems for organisations using MPTCP and for those purporting to provide security for them.
The article provides:
If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream.
MPTCP is an extension to the Internet’s primary communication protocol. It allows a TCP session to move over multiple connections and network providers to the same destination. Should one drop, the session seamlessly moves to its second, backup connection, keeping phone calls or Internet sessions alive. Read the rest of this entry »
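The blind spot described above starts with whether you can even tell that a session is multipath. MPTCP signals itself in TCP option kind 30 (RFC 6824): MP_CAPABLE on the first SYN, MP_JOIN on later SYNs that add a subflow. The following is an added example, not code from the original post or from the article it quotes: a small Go parser that walks a TCP header's options area and reports any MPTCP options, so a monitoring tool knows it must correlate subflows rather than inspect one stream in isolation. The two sample headers are constructed by hand for the example (dummy ports, sequence numbers and sender key); they are not captured traffic.

```go
package main

import (
	"errors"
	"fmt"
)

// optKindMPTCP is the TCP option kind assigned to Multipath TCP (RFC 6824).
const optKindMPTCP = 30

// Subtype names from RFC 6824, carried in the high nibble of the first
// byte after the option length.
var mptcpSubtypes = map[byte]string{
	0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
	4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE",
}

// MPTCPOption is one kind-30 option found in a TCP header.
type MPTCPOption struct {
	Subtype byte
	Name    string
	Payload []byte // option bytes after the subtype/version byte
}

// FindMPTCPOptions walks the options area of a TCP header (bytes 20 up to
// data offset*4) and returns every MPTCP option it carries. MP_CAPABLE on a
// SYN means the sender is willing to spread the session over several paths;
// MP_JOIN on a later SYN is a subflow attaching to an existing session.
func FindMPTCPOptions(tcpHeader []byte) ([]MPTCPOption, error) {
	if len(tcpHeader) < 20 {
		return nil, errors.New("short TCP header")
	}
	dataOff := int(tcpHeader[12]>>4) * 4
	if dataOff < 20 || dataOff > len(tcpHeader) {
		return nil, errors.New("bad data offset")
	}
	opts := tcpHeader[20:dataOff]
	var found []MPTCPOption
	for i := 0; i < len(opts); {
		kind := opts[i]
		if kind == 0 { // end of option list
			break
		}
		if kind == 1 { // no-op padding
			i++
			continue
		}
		if i+1 >= len(opts) {
			return found, errors.New("truncated option")
		}
		length := int(opts[i+1])
		if length < 2 || i+length > len(opts) {
			return found, errors.New("bad option length")
		}
		if kind == optKindMPTCP && length >= 3 {
			sub := opts[i+2] >> 4
			name, ok := mptcpSubtypes[sub]
			if !ok {
				name = fmt.Sprintf("unknown(%d)", sub)
			}
			found = append(found, MPTCPOption{Subtype: sub, Name: name, Payload: opts[i+3 : i+length]})
		}
		i += length
	}
	return found, nil
}

// SampleMPTCPSyn is a constructed 40-byte TCP SYN header (not a capture):
// 20 fixed bytes, then MSS, two NOPs, a 12-byte MP_CAPABLE option with a
// dummy sender key, and two NOPs of padding. Data offset = 10 words.
func SampleMPTCPSyn() []byte {
	return []byte{
		0xc3, 0x50, 0x01, 0xbb, // src port 50000, dst port 443
		0x00, 0x00, 0x00, 0x01, // sequence number
		0x00, 0x00, 0x00, 0x00, // acknowledgement number
		0xa0, 0x02, 0xff, 0xff, // data offset 10, flags SYN, window
		0x00, 0x00, 0x00, 0x00, // checksum, urgent pointer
		0x02, 0x04, 0x05, 0xb4, // MSS 1460
		0x01, 0x01, // NOP NOP
		0x1e, 0x0c, 0x00, 0x81, // kind 30, len 12, subtype 0 / version 0, flags A+H
		0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, // dummy sender key
		0x01, 0x01, // NOP NOP padding
	}
}

// SamplePlainSyn is the same constructed SYN without any MPTCP option (data offset 6).
func SamplePlainSyn() []byte {
	return []byte{
		0xc3, 0x50, 0x01, 0xbb,
		0x00, 0x00, 0x00, 0x01,
		0x00, 0x00, 0x00, 0x00,
		0x60, 0x02, 0xff, 0xff,
		0x00, 0x00, 0x00, 0x00,
		0x02, 0x04, 0x05, 0xb4,
	}
}

func main() {
	for _, hdr := range [][]byte{SampleMPTCPSyn(), SamplePlainSyn()} {
		opts, err := FindMPTCPOptions(hdr)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		if len(opts) == 0 {
			fmt.Println("plain TCP: single-path inspection sees the whole stream")
			continue
		}
		for _, o := range opts {
			fmt.Printf("MPTCP %s (%d payload bytes): inspect every subflow or miss data\n", o.Name, len(o.Payload))
		}
	}
}
```

Flagging MP_CAPABLE and MP_JOIN is only the first step; a tool that wants to see the whole conversation still has to reassemble data across subflows using the DSS mapping, which is precisely the work the article says most security products do not yet do.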
Posted in Privacy | 1 Comment »
August 1, 2014
Many organisations believe that good data security begins and ends with the firewall and anti-malware software. That is a rather brittle defence. The reality is that data breaches come from a range of sources; hacking through digital defences is but one way. Social engineering, and phishing especially, is a common means of entry. Organisations need protections within their systems to deal with those who have breached the outer security infrastructure. One effective means of thwarting a hacker is encrypting personal information, so that a copy of the data is worthless without keys that are held elsewhere. It is both practical and affordable to do. But very few organisations bother, as Read the rest of this entry »
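To show what "practical and affordable" looks like in code, here is an added example (not code from the original post): field-level encryption of one sensitive column with AES-GCM from Go's standard library. The key is assumed to live outside the database (a KMS, HSM or separate secrets store), and the row ID is bound in as associated data so a ciphertext lifted from one record cannot be replayed into another. The key, record and date of birth are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// CustomerRow is what gets written to the database. Operational fields stay
// in clear; the sensitive field is stored as base64(nonce || ciphertext || tag).
type CustomerRow struct {
	ID        int
	Name      string
	DOBSealed string
}

// FieldCipher wraps AES-GCM with a key that is held outside the database,
// so a dump of the table alone does not yield the plaintext.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher accepts a 16-, 24- or 32-byte AES key.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// aad binds the ciphertext to its row so a value copied from one record
// into another fails authentication instead of decrypting cleanly.
func aad(recordID int) []byte {
	return []byte(fmt.Sprintf("customer:%d", recordID))
}

// Seal encrypts one field under a fresh random nonce.
func (f *FieldCipher) Seal(recordID int, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := f.aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open decrypts a stored field; tampering, a wrong key or a wrong row
// returns an error rather than garbage.
func (f *FieldCipher) Open(recordID int, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := f.aead.NonceSize()
	if len(raw) < n+f.aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := f.aead.Open(nil, raw[:n], raw[n:], aad(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key; in a real deployment fetch it from the key store.
	key := []byte("0123456789abcdef0123456789abcdef")
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	sealed, err := fc.Seal(42, "1970-01-01")
	if err != nil {
		panic(err)
	}
	row := CustomerRow{ID: 42, Name: "Example Customer", DOBSealed: sealed}
	fmt.Printf("stored row: %+v\n", row)
	dob, err := fc.Open(row.ID, row.DOBSealed)
	fmt.Println("decrypted with key and correct row:", dob, err)
	_, err = fc.Open(43, row.DOBSealed) // value moved to another row
	fmt.Println("moved to another row:", err)
}
```

The point the passage makes is visible in the stored row: an attacker who has walked past the firewall and dumped the table gets a base64 blob for the sensitive column, and without the key held elsewhere (and the matching row ID) every attempt to open it fails authentication.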
Posted in Privacy | 1 Comment »
That malware can find its way into a computer via a USB stick is not news. Anti-virus scans and reformatting can and do address those problems. A more significant problem has been highlighted by Wired in Why the Security of USB Is Fundamentally Broken: malware implanted in the firmware of USB devices, where it remains hidden from scans of the storage and survives reformatting. That is a real concern both for those designing anti-virus defences and for organisations who have a responsibility to maintain data security. Some organisations have very strict controls on the use of USB sticks and other portable devices, with some removing USB ports from most computers or restricting their use. But many organisations don't have adequate policies on the use of portable devices and put their faith in anti-virus software. The question now is Read the rest of this entry »
Posted in Privacy | 1 Comment »
July 31, 2014
It would seem that the FAA is on a collision course with academia over the use of drones, specifically journalistic drones. The Chronicle of Higher Education in Feds’ Drone Regs Draw Profs’ Fire reports on 30 professors doing what they do best, writing stiff letters of protest, against the FAA’s decision to ground the use of drones for Read the rest of this entry »
Posted in Privacy | 1 Comment »
Privacy protection in the USA is fragmented and sectoral. There is no single overarching data protection or privacy Act. Where there is protection it tends to be quite strong, as in the health and finance sectors. It's just that there are many gaps, including for students. That may be changing soon.
Senators Markey and Hatch have introduced a new student privacy bill, the Protecting Student Privacy Act. The press release provides:
Focuses on need to protect students, provide tools to parents when information is shared with third parties
Washington (July 30, 2014) – Senators Edward J. Markey (D-Mass.) and Orrin Hatch (R-Utah) today introduced the “Protecting Student Privacy Act”, legislation that would help safeguard the educational records of students. The PreK-12 educational software and digital content market currently is worth $7.9 billion, with nearly all school districts relying on cloud services for a diverse range of functions that include data collection and analysis related to student performance and data hosting. However, one survey found only 25 percent of districts inform parents of their use of cloud services and 20 percent of districts fail to have policies governing the use of online services. Recent changes to the Family Educational Rights and Privacy Act (FERPA) have allowed for this increased sharing and use of student data in the private sector. The new legislation from Senators Markey and Hatch takes steps to ensure that students are better protected in an interconnected world. The legislation is co-sponsored by Senators Mark Kirk (R-Ill.) and John Walsh (D-Mont.).
“With the business of storing and sifting through records of students growing as fast as students are, Congress must act to ensure that safeguards are in place for data that is shared with outside companies,” said Senator Markey, a member of the Commerce, Science and Transportation Committee. “This legislation ensures the parents, not private companies, control personal information about their children and that it won’t be sold as a product on the open market. I thank Senator Hatch for his bipartisanship and attention to this issue, and I look forward to working with all of my colleagues to pass this important legislation.” Read the rest of this entry »
Posted in Privacy | 1 Comment »
The UK Information Commissioner has published a review of the impact of the Civil Monetary Penalties.
Under the Data Protection Act 1998 the ICO can issue Civil Monetary Penalties (CMPs) of up to £500,000 for serious breaches of the Data Protection Act (the DPA) and serious breaches of the Privacy and Electronic Communications Regulations (PECR). The criteria for serving a CMP under section 55A(1) of the DPA are:
- there has been a serious contravention of a data protection principle, and
- “the contravention was of a kind likely to cause substantial damage or substantial distress”, and
- the data controller:
(a) knew or ought to have known
(i) that there was a risk that the contravention would occur, and
(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
(b) failed to take reasonable steps to prevent the contravention.
The listed key findings are:
- The research findings indicate that CMPs are effective at improving data protection compliance. This was particularly clear for organisations that had been issued with a CMP; the research showed a clear impact on how those organisations managed their data protection responsibilities:
- Organisations took their data protection obligations seriously, with revised practices and policies, and increased staff training.
- Data protection was given a higher profile, with greater senior management buy-in.
- Staff awareness was raised through targeted campaigns, with the importance of handling data properly made more prominent.
Read the rest of this entry »
Posted in Privacy, UK Information Commissioner's Office | 1 Comment »
July 30, 2014
Max Mosley has commenced an action in the High Court of Justice, Queen's Bench Division, in Mosley v. Google Inc & Anr, HQ14X02964. The relief he is apparently seeking is an order compelling Google to stop gathering and publishing the images, on the basis that Google breached the rules on misuse of private information (a claim in equity) and data protection (presumably grounded in statute). This has the potential to expand the operation of misuse of private information claims in the UK. Mosley has been successful in his action against Google in France (see here also); however, privacy protection in civil code jurisdictions, in particular France, is greater and the principles to be applied are not analogous.
The coverage is quite significant, not surprising given Mosley’s history of privacy litigation and the nature of the images he wants removed. It is covered by Bloomberg here, the Guardian here and Bayou Buzz (for that Louisiana focus) here.
The Sydney Morning Herald covered the story in Ex-formula one boss Max Mosley sues Google over sex party images which provides:
London: Max Mosley, the former formula one chief, is suing Google for continuing to publish images of him at a sex party.
Mr Mosley, whose father Sir Oswald Mosley was the wartime British fascist leader, won £60,000 damages from the now-defunct Murdoch-owned News of the World tabloid in 2008 after an earlier High Court action. Read the rest of this entry »
Posted in Privacy | 1 Comment »