Peter A Clarke

The APRA will apply to businesses:

• subject to the authority of the Federal Trade Commission (“FTC”),
• common carriers, and
• nonprofits
• businesses that process covered data⁵ on behalf of or at the direction of Covered Entitie

APRA will:

• impose obligations to minimize processing of covered data and apply reasonable data security measures.
•  impose heightened obligations on high-impact social media companies and large data holders.
• create uniform data privacy rights including the right to:
  • opt out of targeted advertising
  • view, correct, export or delete their data.
  • increased transparency by mandating the inclusion of specific information on data processing, retention, transfers to third parties, security practices, and consumers’ rights in their public facing privacy policies.
• impose on Covered Entities and Service Providers, the APRA would impose additional obligations on high-impact social media companies and large data holders.
• impose heightened transparency obligations on “large data holders,” defined as Covered Entities or Service Providers that had a gross revenue of at least USD 250 million in the most recent calendar year and collected, processed, retained or transferred:
  • the covered data of over 5 million individuals; 15 million portable devices that identify, or are linked or reasonably linkable to one or more individuals; and 35 million connected devices that identify, or are linked or reasonably linkable to one or more individuals; or
  • the sensitive data of over 200 thousand individuals; 300 thousand portable devices that identify, or are linked or reasonably linkable to one or more individuals; and 700 thousand connected devices that identify, or are linked or reasonably linkable to one or more individuals.
• require large data holders to

Read the rest of this entry »

There are mandatory data breach notification laws in all 50 states of the United States of America. There has been occasional attempts to enact comprehensive privacy legislation at a Federal level. There is the 1974 Privacy Act which established a Code of Fair Information Practice on federal agencies. The result has been limited and generally sector specific legislation at the Federal level. There may be a change on the horizon with a bill being introduced for an American Privacy Rights Act 2024 (“APRA”) by House of Representatives members Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA)

The APRA will apply to businesses:

• subject to the authority of the Federal Trade Commission (“FTC”),
• common carriers, and
• nonprofits
• businesses that process covered data⁵ on behalf of or at the direction of Covered Entitie

APRA will:

• impose obligations to minimize processing of covered data and apply reasonable data security measures.
•  impose heightened obligations on high-impact social media companies and large data holders.
• create uniform data privacy rights including the right to:
  • opt out of targeted advertising
  • view, correct, export or delete their data.
  • increased transparency by mandating the inclusion of specific information on data processing, retention, transfers to third parties, security practices, and consumers’ rights in their public facing privacy policies.
• impose on Covered Entities and Service Providers, the APRA would impose additional obligations on high-impact social media companies and large data holders.
• impose heightened transparency obligations on “large data holders,” defined as Covered Entities or Service Providers that had a gross revenue of at least USD 250 million in the most recent calendar year and collected, processed, retained or transferred:
  • the covered data of over 5 million individuals; 15 million portable devices that identify, or are linked or reasonably linkable to one or more individuals; and 35 million connected devices that identify, or are linked or reasonably linkable to one or more individuals; or
  • the sensitive data of over 200 thousand individuals; 300 thousand portable devices that identify, or are linked or reasonably linkable to one or more individuals; and 700 thousand connected devices that identify, or are linked or reasonably linkable to one or more individuals.
• require large data holders to

Read the rest of this entry »

If there is any doubt about the value of health data and the importance of maintaining strict security look no further than the Federal Trade Commission’s (“FTC”) action against Monument Inc, a New York based alcohol addiction center for selling its users personal health data to, amongst others, Meta and Google without their consent. Under the agreed consent order Monument is banned from disclosing health data for advertising and must obtain consent before sharing for any other purpose. That however is only the tip of a very big administrative iceberg that Monument has to navigate around.  The FTC, as per its usual practice, has set down obligations for implementing procedures and taking action and being monitored by an assessor.  The enforceable undertakings are far better drafted and more encompassing that those, few, undertakings issued by the Information Commissioner.  They are useful to read because they contain clauses that could be incorporated into contracts, terms of settlement and, perhaps if the Information Commissioner became more active, the regulator could use.

The statement from the FTC provides:

The Federal Trade Commission has taken action against an alcohol addiction treatment service for allegedly disclosing users’ personal health data to third-party advertising platforms, including Meta and Google, for advertising without consumer consent, after promising to keep such information confidential.

As part of a proposed order settling the FTC allegations, New York-based Monument, Inc. will be banned from disclosing health information for advertising and must obtain users’ affirmative consent before sharing health information with third parties for any other purpose. Read the rest of this entry »

On 2 April 2024 Diabetes WA announced a data breach in a quite cryptic statement. It refers to “some of our contacts” which covered names, addresses and medical number and type of diabetes, amongst other information. Diabetes WA recommend getting replacement Medicare card numbers. It is reported by itnews with Diabetes WA reveals data breach. The breach occurred through a compromised account and Diabetes WA believe the breach involved those persons using the telehealth services.  Even with a limited attack the data available to the intruder was significant.

Data Breach today reports in Health Data Thefts Keep Coming; Millions Affected in 2024 that the US Department of Health and Human Services had 174 health data breaches in the USA involving 16.6 million individuals since the beginning of this year.

Health remains a key focus for attackers because health services collect and store vast troves of personal information.  That said, the level of complacency by hospitals and health services is quite high and the willingness to spend on proper data security, quite low.

The Diabetes WA notification provides:

Diabetes WA recently experienced a cyber incident, which resulted in a third-party gaining access to the personal information of some of our contacts.

This breach was quickly detected and fully contained. It is under investigation through Diabetes WA’s Cyber Security Response Plan.

We can confirm that no detailed medical records or detailed clinical information were accessed.

Diabetes WA has sent a communication to all affected individuals of this incident.  We have also notified the Office of the Australian Information Commissioner of this incident.

Based on our investigation, we understand that personal information may have been affected by the incident including the following details:

Name –  Address – DOB – Email – Telephone number – Marital Status – Aboriginal Status – Medicare Number – Referring doctor – Type of diabetes

We have taken decisive action to protect data we hold in this cyber incident and will further reinforce our technology security measures to protect us from potential future attacks.

The itnews report on the Diabetes WA data breaches Read the rest of this entry »

The ever expanding story of a senior Tory getting caught up in a sexting scandal and sharing private phone numbers highlights the dangers and impacts of spear phishing and the breach of privacy in passing on confidential phone numbers. The Times and others report that a Senior Tory MP in the UK, William Wragg, gave out personal phone numbers because he was compromised in a honeytrap. The result was that at least 12 people received unsolicited Whats App messages. The Times has run a series of stories on this leading off with Senior Tory admits leaking MPs phone numbers in honeytrap sext scandal. It seems that Wragg was compromised by someone he met on Grindr, a gay dating app. He appears to be a victim of spear phising which is helpfully described by the Times here.

Recent data breaches have focused on cyber attacks and malware.  But someone disclosing personal information belonging to other people without their consent or relevant to the purpose for which it was created is a data breach.  In this case it involved private contact details.  The circumstances surrounding why the information was Read the rest of this entry »

Mandatory data breach notification rules are becoming standard in most first world jurisdictions. Over time the obligations upon affected entities have tightened. That is good policy given the way that hackers operate. The US Federal Communications Commission (“FCC”) has updated Data Breach Notification Rules. These updated rules obviously do not apply in Australia.  That said they are very useful to consider because they are so much more detailed and analytical than the Australian equivalents.  It is a very useful resource when considering how to deal with data breaches and how to properly structure a notification.

The media release relevantly provides:

It has been sixteen years since the Federal Communications Commission last updated its policies to protect consumers from data breaches.  Sixteen years!  To be clear, that was before the iPhone was introduced.  There were no smart phones, there was no app store, there were no blue and green bubbles for text.  It was a long time ago.  In the intervening years a lot has changed about when, where, and how we use our phones, and what data our providers collect about us when we do.  But not the FCC’s data breach rules; they remain stuck in the analog age. 

Today we fix this problem.  We update our policies to protect consumers from digital age data breaches.  We make clear that under the Communications Act carriers have a duty to protect the privacy and security of consumer data. 

First, we modernize our data breach rules to make clear they include all personally identifiable information.  In the past, these rules have only prohibited the disclosure of information about who we call and when.  But consumers also deserve to know if their carrier has disclosed their social security number or financial data or other sensitive information that could put them in harm’s way.  We fix that today—and it is overdue.  Read the rest of this entry »

The Victorian Legal Services Board and Commissioner has set out the minimum cybersecurity expectations of practitioners. For those practising privacy law the expectations are well known and, if anything, a very bare minimum.  They are a good start.  Firms should use this standard as a base upon which they should implement further privacy and cyber security controls which suit the operations of the firm.  That means giving thought to what data is gathered, used and stored and the best way of protecting that data. 

The Commissioner’s expectations provide:

To help law practices protect their clients’ data and meet their legal and ethical obligations, the following tables set out minimum cybersecurity expectations. They also list examples of unacceptable cybersecurity practices that we consider capable of amounting to unsatisfactory professional conduct (UPC) or professional misconduct (PM).

Law practice principals should use the tables below as a guide to the basic system and behavioural controls you need to implement. This includes the critical system controls without which your practice is most vulnerable. If there are any critical controls that you are yet to implement, these should be your highest priority.

System controls and behavioural controls are two types of cybersecurity measures to protect information systems and data: Read the rest of this entry »

Legal practitioners hold enormous amounts of personal and other sensitive information. They are key targets of hackers. Just ask HWL Ebsworth. It is now the subject of an Information Commissioner investigation.

The Victorian Legal Services Board and Commissioner has set out the minimum cybersecurity expectations of practitioners. For those practising privacy law the expectations are well known and, if anything, a very bare minimum.  They are a good start.  Firms should use this standard as a base upon which they should implement further privacy and cyber security controls which suit the operations of the firm.  That means giving thought to what data is gathered, used and stored and the best way of protecting that data. 

The Commissioner’s expectations provide:

To help law practices protect their clients’ data and meet their legal and ethical obligations, the following tables set out minimum cybersecurity expectations. They also list examples of unacceptable cybersecurity practices that we consider capable of amounting to unsatisfactory professional conduct (UPC) or professional misconduct (PM).

Law practice principals should use the tables below as a guide to the basic system and behavioural controls you need to implement. This includes the critical system controls without which your practice is most vulnerable. If there are any critical controls that you are yet to implement, these should be your highest priority.

System controls and behavioural controls are two types of cybersecurity measures to protect information systems and data: Read the rest of this entry »

On March 20, 2024, the Australian Signals Directorate (ASD) announced that it had partnered with Microsoft to develop a Cyber Threat Intelligence Sharing (CTIS) plug-in for the Microsoft Sentinel platform. The CTIS is a two-way sharing platform enabling government and industry partners to receive and share information about malicious cyber activity.

Businesses using Sentinel can join and contribute to this CTIS platform as long as they become an ASD Cyber Security Network Partner.

Microsoft is no stranger to data breaches. Hackers breached its Exchange Online accounts in November 2023. In 2022 a misconfigured Microsoft server exposed some of its customers’ sensitive information. There have been other data breaches which is not surprising given Microsoft is a ubiquitous system used by many businesses in first world countries and there have been many vulnerabilities in its systems over the years. Similarly governments haven’t been Read the rest of this entry »

The Times reports that investigation into a data breach, involving the Princess of Wales’ medical records at the London Clinic has zoned in on 3 staff. And the Information Commission has received a breach report and is investigating as well. The story has been picked up by the Australian with Three hospital staff ‘tried to access Princess of Wales’s records’. Initially one person was suspected of creating a data breach.  That has expanded to three.  That is not unusual.  In cases where people seek out salacious information or photographs the desire to share seems to be difficult to resist.  That occurred when photos of Dani Laidley were inapopriately taken in a police station and then sent to other police officers.  

Data breaches involving snooping into medical records are a chronic problem in hospitals.  But they can be minimised if there are proper systems in place.  And top of the list is requiring anyone to access records to have authorisation and sign in before they can view records.  That creates a trail and may allow the system to alert IT when someone without authorisation has accessed those records or is trying to.  It is not foolproof as those determined can use other’s authorisation but even then there are ways of dealing with that.  It is no less a problem in my experience in Australia than in the UK.  Given the regulation is Read the rest of this entry »

Hospital staff checking out records of the rich and famous is a depressingly common occurrence. It is a serious data breach. I have been posting on, only some, of these instances such as Data breach at the Alfred by curious pharmacist is just another in a long line of data breaches in the health sector last year and Privacy concerns regarding data breaches in the health system, hospitals in particular in 2014. There are many others such as Perth Hospital staff snooped on 40 patients’ records in 2018. There are challenges in the hospital system keeping records secure and away from prying eyes. There is usually a large number of staff with significant churn.  Properly training new staff and providing refresher training requires good administration.  Health professionals are Read the rest of this entry »

Police breaching privacy is almost a cliche. The Victorian Police had a sub specialty for years in misusing the LEAP database.  In the UK the Information Commissioner’s Office (ICO) has issued reprimands to Dover Harbour Board and Kent Police for breaches of privacy.  Those breaches related to the use of the social media app, WhatsApp, and instant-messaging service, Telegram, on personal phones to share information. The personal information was being shared in the group without appropriate safeguards in place.

This is a widespread problem.  Encrypted social media messaging havw been used by politicians and officials doing government business to do communicate, and do business, away from official means of communications.  The problem with  social media messaging apps on personal devices is that it avoids the necessary oversight supervisors and managers should have.   For example while Prime Minister Malcolm Turnbull used Wickr adn Confide outside of the federal parliament’s system when communicating with colleagues and journalists. He claimed not to have used the systems to send classified government information. But, as Mandy Rice Davies said after hearing Lord Astor had denied having sex with her “He would, wouldn’t he.” 

Regarding Dover Board the reprimand relates to the use of  WhatsApp and then Telegram.  The reprimand relevantly Read the rest of this entry »