Over 4.3 million records breached worldwide in April 2023.

May 8, 2023

Itgovernance has published its list of reported or otherwise discovered data breaches in April 2023 and found that there were 120 publicly disclosed breaches, which resulted in 4,353,257 records being compromised. Fortunately, Australian entities did not feature in April’s tally. They made up a significant part of the tallies in late 2022 and earlier this year.

Itgovernance highlights the following prominent data breaches in April:

1. Shields Health Care Group

The largest data breach of April 2023 was at the Shields Health Care Group, a Massachusetts-based medical services provider. Reports emerged near the end of the month that a cyber criminal had gained unauthorised access to the organisation’s systems and had stolen the personal data of 2.3 million people.

Federal Trade Commission proposes a blanket ban on Facebook monetizing youth data and other restrictions.

Facebook has been the subject of action from the Federal Trade Commission (the “FTC”) on two occasions to date. The FTC announced on 3 May that it wants to amend its 2020 order against Facebook because it believes that Facebook has failed to comply with that order. Worse, it claims that Facebook has misled parents about their control through its Messenger Kids app and misrepresented how much access it provides app developers to private user data.

The use and misuse of children’s personal information is a very serious and topical issue. The FTC clearly believes that Facebook is incorrigible in its collection of this data and the use it puts it to. The orders it seeks are quite severe, including

Commonwealth Attorney General announces the (re) creation of the Privacy Commissioner.

May 3, 2023

Today the Attorney-General announced that the Government will create a standalone position of Privacy Commissioner. The statement provides:

The Albanese Government will appoint a standalone Privacy Commissioner to deal with the growing threats to data security and the increasing volume and complexity of privacy issues.

Australians rightly expect their privacy regulator to have the resources and powers to meet the ongoing challenges of the digital age and protect their personal information.

The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams.

This action is in significant contrast to that of the former Liberal Government, which left Australia disgracefully unprepared for this challenge by failing to strengthen privacy laws, and scrapping the position of a standalone Privacy Commissioner.

The Albanese Government takes privacy regulation seriously and has already acted to significantly increase penalties for companies which fail to take adequate care of customer data and give the Australian Information Commissioner improved and new powers.

The Australian people rightly expect greater protections, transparency and control over their personal information and the appointment of the standalone Privacy Commissioner restores the Office of the Australian Information Commissioner to the three-Commissioner model Parliament originally intended.

Currently, the Australian Information Commissioner, Ms Angelene Falk, holds a dual appointment as the Privacy Commissioner. I thank Ms Falk for her dedicated service in this role since 2018. Ms Falk will remain Information Commissioner and head of the OAIC.

A merit-based selection process to fill the role of Privacy Commissioner will commence today. Ms Falk will continue as the Privacy Commissioner until this process is finalised.

Freedom of Information Commissioner

In light of the recent resignation of Mr Leo Hardiman PSM KC as Freedom of Information Commissioner, I am also pleased to announce that we have appointed Ms Toni Pirani as acting Freedom of Information Commissioner, effective 20 May 2023. I thank Mr Hardiman for his significant contribution and wish him well in his future endeavours.

Appointing an acting FOI Commissioner will ensure that the OAIC can continue to undertake its FOI functions until a permanent appointment is made.

A merit-based selection process to select the ongoing FOI Commissioner vacancy will also commence today.


Privacy Act Review Report. Chapter 7: employee records exemption. A disappointingly non-committal proposal.

May 2, 2023

Chapter 7 of the Attorney-General’s Report into the Privacy Act 1988 considers the employee records exemption in the Privacy Act 1988. The employee records exemption was considered at length by the Australian Law Reform Commission in its 2008 Report on the Privacy Act 1988 (Report 108, For your information). The Australian Law Reform Commission unequivocally recommended that it be removed by the repeal of section 7B(3) of the Privacy Act. Unfortunately this Report has ummed and ahhed in the face of vociferous and largely spurious objections by employer bodies who wish to retain the exemption come what may. As a result the Proposal is far from unequivocal and seeks to find a halfway house of improving privacy protections for those records without entirely removing the exemption. It also wants further consultation, because years and years of consultation is apparently not enough. It is a very disappointing chapter. Not as poorly analysed as the small business exemption chapter, but not good nevertheless.

The exemption applies to an act or practice of an organisation that is or was an employer, where the act or practice is directly related to its employment relationship with an individual. In that circumstance an employee record it holds relating to the individual is exempt. As the exemption applies to acts or practices of ‘organisations’, it covers non-public sector entities in their capacity as employers or former employers. It does not extend to ‘agencies’.

As with the small business exemption, this exemption rests on flawed assumptions and poor public policy. Here the rationale was that the ‘handling of employee records is a matter better dealt with under workplace relations legislation.’

The exemption has led to anomalous outcomes. It applies even in relation to the National Data Breach Notification scheme. As such, any data breach involving personal information of employees held in an employee record is not subject to the scheme’s reporting requirements.

The Discussion Paper questioned

It is Privacy Awareness Week…. this year’s theme is “Back to Basics.”

May 1, 2023

Any opportunity to highlight the need to take privacy seriously and comply with the law should be embraced. Privacy Awareness Week has been a feature of the privacy calendar for many years now. It is low key but has been known to get some press from time to time. It provides little insight to lawyers or privacy practitioners.

The message from the Commonwealth Information Commission

European Data Protection Supervisor publishes its response to the European Commission’s initiative on GDPR enforcement

Enforcement of breaches of the GDPR should be of interest to Australian practitioners if the mooted reforms to the Privacy Act occur. If the Commissioner is properly funded and changes temperament, there could be real enforcement activity. The European Data Protection Supervisor recently responded to the European Commission’s initiative to further specify procedural rules for enforcement of the GDPR.

The amended rules highlight that the need for effective and efficient cooperation exists in cases where personal data moves from EU institutions, bodies, offices, and agencies (‘EUIs’) to public bodies or private entities, and vice versa. The focus is

Report by Attorney-General’s Department review into the Privacy Act: Chapter 6, Small business exemption. Analysis and comment. One of the most disappointing parts of the Report. A failure of public policy.

April 30, 2023

Chapter 6 of the Attorney-General’s Report into the Privacy Act 1988 considers the small business exemption in the Act. The small business exemption was considered at length by the Australian Law Reform Commission in its 2008 Report on the Privacy Act 1988 (Report 108, For your information). The Commission was quite explicit then that the small business exemption was neither necessary nor justifiable. The Information Commissioner and a majority of submitters called for the removal of the exemption.

The Report recommends against removing the small business exemption until after a long and convoluted process of analysis and consultation with small business, which has been adamantly resistant to any removal of the exemption. All of this would happen after the other proposed reforms are implemented. So there will be a second act to this ongoing drama, except that it has no end date. It is hard to come to any conclusion other than that this part of the Report is the product of poor analysis, which may result in a failure of public policy if it is implemented. How could the authors of this Report get it so wrong given the previous analysis by the Law Reform Commission, the overwhelming weight of submissions and cold hard logic? It may be that there is more politics than law in the drafting of this Chapter and its recommendations.

The Australian Law Reform Commission stated (footnotes omitted):

39.181 After carefully reviewing stakeholder views, international experience, and the commissioned research, the ALRC concludes that the exemption for small business is neither necessary nor justifiable.

39.182 Associate Professor Moira Paterson has offered a counter to the argument that the requirement to comply with the Privacy Act constitutes a substantial compliance burden. She noted that the costs of compliance on businesses are likely to be significant only where businesses have poor record-keeping practices—citing evidence from Quebec that implementing data protection measures may in fact result in cost reduction or increased productivity due to improved information-handling practices. Furthermore, Paterson observed that, in New Zealand,

the limited information available to date does not suggest that the cost of implementation has been a major problem. For example, the New Zealand Real Estate Institute commented in 1994 that, while the passing of the Privacy Act 1993 (NZ) would have a considerable impact on the manner in which the industry might deal with personal information, it did not expect that there would be any significant cost of compliance; what was required was common sense and fair dealing.

39.183 While cost of compliance with the Privacy Act is an important consideration, this factor alone does not provide a sufficient policy basis to support the small business exemption. The fact that no comparable overseas jurisdictions—including the United Kingdom, Canada and New Zealand—have an exemption for small businesses is indicative.

Medibank’s woes continue…a typical by-product of a major data breach

April 28, 2023

A data breach is just the start of an organisation’s problems. Regulators become involved, there is a need for a major organisational review, new hires of experts and a few firings of those who did not do their job properly. And then there is the litigation. In 2022 IBM released a very influential report titled Cost of a data breach 2022.

Some of the findings were:

  • 83% of organizations studied have had more than one data breach.
  • 60% of organizations’ breaches led to increases in prices passed on to customers.
  • 79% of critical infrastructure organizations didn’t deploy a zero trust architecture.
  • 19% of breaches occurred because of a compromise at a business partner.
  • The average total cost of a data breach was USD 4.35 million.
  • The average cost of a ransomware attack, not including the cost of the ransom itself, was USD 4.54 million.
  • The average difference in cost where remote work was a factor in causing the breach versus when it wasn’t a factor was USD 1 million.
  • Healthcare was the costliest industry for data breaches, with an average cost of USD 10.10 million. It was followed by the financial, pharmaceutical, technology and energy industries.
  • The average time to identify and contain a data breach was 277 days.
  • The average cost of a breach for organizations with high levels of compliance failures was USD 5.57 million.
  • The average total cost for breaches of 50 million to 60 million records was USD 387 million.
  • The average total cost for breaches of 20 million to 30 million records was USD 241 million.

Today Medibank issued a media release titled Cybercrime update – Deloitte incident review.

The release

Online Privacy Bill introduced to the US House of Representatives…Another attempt at providing Federal privacy protections

April 23, 2023

In the United States, statutory protections of privacy tend to be state based. There have been attempts to pass Federal privacy legislation. The latest attempt is the reintroduction of the Online Privacy Act by Californian Democratic Representatives Anna G Eshoo and Zoe Lofgren. Given that Republicans control the House of Representatives, it will be interesting to see whether it is passed in the House. Even if it is not successful, it is but the latest in a series of attempts to provide proper nationwide privacy coverage.

The Bill was introduced as part of House Resolution 2701 and described as the Online Privacy Act of 2023 (‘OPA’). The stated intention is to:

  • provide for individual rights relating to privacy of personal information,
  • establish privacy and security requirements for covered entities relating to personal information, and
  • establish an agency to be known as the Digital Privacy Agency to enforce such rights and requirements.

The Act would:

  • regulate any entity, including non-profits and common carriers, that intentionally collects, processes, or maintains personal information and transmits personal information over an electronic network.
  • provide several data subject rights, primarily:
    • the right of:
      • access,
      • rectification,
      • deletion,
      • portability,
      • impermanence, which would mandate that organisations may not maintain a category of personal information for longer than expressly consented to by the individual;
    • the right to:
      • human review of automated decisions,
      • be informed.
  • impose obligations on organisations to:
    • articulate the need for and minimise the user data they collect, process, disclose, and maintain;
    • minimise employee and contractor access to user data;
    • not disclose or sell personal information without explicit consent;
    • not use third-party data to re-identify individuals;
    • not use private communications (e.g. emails and web traffic) for ads or other invasive purposes;
    • not process data in a way that violates civil rights (e.g. employment discrimination);
    • use objectively understandable privacy policies and consent processes, and not use dark patterns to obtain consent; and
    • employ reasonable cybersecurity policies to protect user data.
  • create the Digital Privacy Agency (‘DPA’), a federal office. It would have the power to issue regulations and to impose fines of up to $443,792 for each violation.
  • also empower State Attorneys General to enforce violations and grant individuals a private right of action.


Slater and Gordon commence Optus Data Breach Class Action

April 21, 2023

It is hardly surprising that a class action against Optus would be issued. Yesterday Slater and Gordon made that announcement. This follows the Medibank Data Breach Class Action, which is being funded by Omni Bridgeway. Baker and McKenzie is acting for the claimants. Maurice Blackburn, Centennial Lawyers and Bannister Legal opted for the Privacy Act route, making a complaint to the Information Commissioner. The Commission has advised those firms that it won’t be investigating the complaints because the class action on foot would provide the appropriate remedies. It is not surprising that Andrew Watson of Maurice Blackburn is not best pleased, given the Commissioner is continuing to investigate the Optus breach. He was reported as saying “They’re proposing to conduct an investigation as to whether there’s a breach, but not deal with compensation. If they’re not going to do it on this one, what are they there for?” A fair point. At the moment, to seek remedies through the Privacy Act is to deal with incoherent processes, given to exercises of discretion by the Commissioner that could bring matters to a sudden stop. I could have said that because I practice in this area. Maurice Blackburn clearly does not. It was always better to go the class action route in the Federal Court. One can only hope that the review of the Review of the Privacy Act and the resulting legislation will provide clearer and more coherent enforcement and compensatory processes.

The Slater and Gordon statement