Information Commissioner welcomes amendments to Privacy Act giving her new powers…now the test is whether they will be used

November 30, 2022

The Privacy Act 1988 remains a very flawed piece of legislation.  Until 2014 there were no serious enforcement provisions available to the Commissioner.  The insertion of section 13G permitted the Commissioner to commence civil penalty proceedings for serious or repeated interferences with privacy.  Since 2014 no civil penalty proceeding has been commenced and brought to resolution.  Not one in 8 years. The Information Commissioner commenced a proceeding under section 13G against Facebook in 2020 arising out of the alleged misuse of data by Cambridge Analytica, which is slowly working its way through the Federal Court system. The US and UK have long finished litigation against Facebook in relation to the same issue and similar facts.

Not surprisingly the Commissioner has welcomed the passage of the amendments.  They will provide the Commissioner with significantly more powers and more effective and efficient enforcement options. She can issue penalties.  That is more in line with the Monetary Penalty Notices that the UK Information Commissioner has been issuing for years.   A safe assumption is that the Commissioner will be more assertive and high profile in using these powers.  There is a long overdue need for a change of culture by those who collect personal information.  The Commissioner states that she hopes that the increased penalties will help incentivise compliance.  Without some high profile cases occurring that is unlikely to be the case.  The market has factored in the Commissioner being timid and more interested in talking compliance than in taking enforcement action.

The Commissioner’s media release provides:

The Office of the Australian Information Commissioner (OAIC) welcomes the passing of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which enhances the OAIC’s ability to regulate in line with community expectations and protect Australians’ privacy in the digital environment.

The Bill introduces significantly increased penalties for serious and or repeated privacy breaches and greater powers for the OAIC to resolve breaches.

“The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passes the Senate. An improvement but more legislative work is required.

November 29, 2022

Yesterday the Australian Senate passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.  The Bill was introduced and read for the first time on 26 October 2022. The second reading debate occurred on 8 November 2022 and the Bill passed the House of Representatives on 9 November 2022.

This Act has always been described as an interim measure.  It is an immediate response to the Optus and Medibank data breaches, which highlighted the inadequacy of the data breach notification regime.  More significant reforms are promised for next year.  It does not address the flaws in the Privacy Act.

Key aspects of the Act are:

  • an increase of the maximum penalty for serious or repeated interferences with privacy for body corporates from $2.2 million to the greater of:
    • $50 million,
    • three times the value of the benefit obtained attributable to the breach, or
    • if the court cannot determine the value of the benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

These penalties mirror the recent increased penalties introduced for breaches of the Australian Consumer Law (“ACL”). The definition of ‘adjusted turnover’ is similar to that introduced into the ACL and takes into account the sum of the values of all the supplies that the body corporate and any related body corporate have made or are likely to make during the period. How long the ‘breach turnover period’ might be could be a very significant issue.  It could be some time where an issue is unknown and there is late detection.

  • greater information gathering powers for the Information Commissioner regarding data breaches, including:
    • a power to share information publicly if it is in the public interest to do so, and with a broader range of entities.  Those bodies include enforcement bodies (both in Australia and overseas), alternative complaint bodies and state and territory authorities.
    • a broader power to make declarations following the conclusion of an investigation, including requiring the organisation to:
      • prepare and publish or otherwise communicate a statement about the conduct; and
      • engage with a suitably qualified independent advisor to review practices, steps taken to remediate the breach and any other matter relevant to the investigation.

This is a step towards the process the Federal Trade Commission has had in place for many years.

    • conducting an assessment of an organisation’s compliance with the NDB Scheme, including the extent to which it has processes and procedures in place to assess suspected eligible data breaches and provide notice of eligible data breaches.  This is a worthwhile amendment.
    • issuing an infringement notice for failures to provide information as required by the Act.
  • organisations that carry on business in Australia are now regulated under the Privacy Act, even if they do not collect or hold information in Australia. The aim is to regulate organisations which carry on business in Australia but do not themselves collect or hold personal information in Australia. The Act will now apply to all acts done or practices engaged in by overseas entities which carry on business in Australia, irrespective of whether the acts or practices relate to individuals located in Australia. For organisations with a global operation, compliance will apply to the entire global operation.

What constitutes either a ‘serious’ or ‘repeated’ interference still remains vague and unsatisfactory.

The Greens successfully proposed an amendment which will now become section 13GA which provides:

An entity contravenes this subsection if the entity does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.

Civil penalty:          2,000 penalty units

This provision makes it easier to take action than under section 13G, which refers to either a serious interference with privacy, whatever that means, or repeated interferences with privacy.  Hopefully these provisions will be consolidated in the broader revision of the Act.

The amendments do not affect the operation of the Data Breach Notification Regime.  Not all data breaches are covered. It remains the case that if an organisation suffers a data breach it may not need to provide notification of that data breach.  The issue remains whether it has or has not taken reasonable steps in the circumstances to secure personal information.  To that extent the amendments may not change much.

All of these amendments mean nothing if the Information Commissioner does nothing with them. The Commissioner has been a timid regulator.  Whether that continues in light of the focus on privacy is the question.

The Bill

Apple under pressure to address privacy gaps in third party apps found on its App store

November 24, 2022

App developers are notorious for pushing out apps as quickly as possible without focusing on privacy and data security.  As a result apps are a focus for hackers.  While Apple currently has good privacy protections built into its products, the same can’t be said for apps sold or otherwise downloadable from its App Store.  The reason for this action now is concern about reproductive health information as a result of the US Supreme Court decision in Dobbs.  This has led the Attorneys General of New Jersey, California, Connecticut, the District of Columbia, Illinois, Oregon, Massachusetts, Vermont, North Carolina and Washington to write to Apple on 21 November 2022, raising concerns about this problem.

While the move is political, coming from states with governments of a more progressive bent, the issue is non-political and has been chronic for years.  The focus of the letter is on reproductive health information, but the problem is broader. Personal information taken from a wide range of apps is a continuing problem. It is as much a problem in Australia as it is in the United States of America.  Many app developers in Australia fall within the small business exception of the Privacy Act 1988 and so are not subject to regulation.  Even when they are, there is no overt regulatory oversight, so compliance with the legislation is poor.

The key points the Attorneys General make regarding apps are valid:

  • data not essential for the use of the app should be deleted;
  • there should be clear and conspicuous notices regarding the potential disclosure of user data to third parties; and
  • App Store apps should have the same privacy and security standards as Apple regarding the holding and disclosure of data.

Each Attorney General made an announcement.  In the case of New Jersey, the Attorney General released a media release providing:

TRENTON – Attorney General Matthew J. Platkin today led a multistate coalition expressing concerns regarding reproductive health privacy on Apple’s App Store (the “App Store”) following the U.S. Supreme Court’s Dobbs decision overturning Roe v. Wade and urging Apple to take commonsense steps to protect consumers’ private reproductive health information.

In a letter sent today to Apple CEO Tim Cook, Attorney General Platkin led a group of 10 Attorneys General calling for privacy-enhancing measures.

As the letter explains, Apple has long promoted privacy as one of its “core values” on both the iOS platform and the App Store and has adopted a number of privacy and security measures that are consistent with its stated goals of protecting consumers’ privacy. But apps that collect private reproductive health data from consumers frequently fail to meet these same standards or to implement appropriate protections for this sensitive data, exposing consumers that seek or provide reproductive health care to potential action and harassment by law enforcement, private entities, or individuals.

Xavier College data breach…how not to handle notification

Xavier College’s notice of a data breach has resulted in some no doubt unwanted publicity.  Data breach stories are low hanging fruit for journalists.  Often the story is the notice with a brief quote from the organisation and sometimes another quote from an “expert” keen for the publicity.  It is hard not to be cynical about the way these stories are covered.  That is the landscape, but there are ways to keep the damage to a minimum in many cases.

The best starting point is to provide notice promptly and be as open and transparent as possible without drowning the reader in undigestible technical data.  By the same token the notice should not be evasive and vague.  Xavier’s notice of a data breach, which I posted on 2 days ago, was quite inadequate, and the handling of the data breach was also far from effective.  Xavier chose not to notify affected individuals until it became aware that the hacker might disclose the information, months after it was stolen.  How it could have worked on the basis that a hacker would not do something with the data is difficult to understand. It is beyond naive.

Under the Data Breach Notification Regime an organisation can effectively self assess, determining if there is a risk of serious harm.  It is a wholly unsatisfactory system.  The downside of erring on the side of non disclosure kicks in when circumstances change and disclosure becomes necessary.  As occurred here with Xavier.

Xavier college suffers data breach in June, finds out in October that someone was trying to do something with the data and sends out notification today…Not best practice.

November 22, 2022

Xavier College in Melbourne has suffered a data breach. A notice went out today to Old Xaverians (past students of Xavier who have kept a connection with the school).

It appears that entry occurred through an email account of an employee.  A fairly standard entrepôt.  Given that this led to access to other details, it is possible that the hacker obtained credentials to move within the system. Alternatively the system was wide open and permitted unimpeded movement throughout it.  When that happened is not made clear.  It was discovered some time in June. Then in late October Xavier found that an unauthorised third party “may disclose details of these mailbox contents.”

Notifications in the United States have become something of an art form, balancing being as transparent as possible and giving as much information as practical against not overwhelming the reader.  Often the complete picture of what happened is not fully known at the time a notification needs to be sent out.  I have read many such notices and getting it right is important.

The notice from Xavier College is not very good.  Putting aside the awful prose, it raises more questions than it answers.  The events in October are described in terms that leave the impression that the author is being evasive. The letter tries to cover the necessary issues but is vague and woolly when it should be specific and precise, particularly about what happened to the data. Apparently some members were previously contacted by the College, which begs the question why the letter, drafted as a notification of a data breach, was sent only now.  As the Optus and Medibank data breaches show, the initial notice can at least partially smooth the difficult path ahead or throw more boulders onto the roadway.

At best this Notice is a not terribly good first draft.

The letter provides:

In June this year, Xavier College became aware that the email account of one of its employees had been subject to unauthorised access by an unknown third party.
The College immediately notified any members of our community directly affected by the unauthorised access.
In late October it came to our attention that an unauthorised third party may disclose details of these mailbox contents.
On each occasion, the College undertook the following steps in response:
• Engaged cyber security experts to provide an in-depth investigation
• Took steps to ensure the incident was contained and that our network and data systems had not been adversely impacted and were secure
• Conducted a review of the individual’s Mailbox contents to identify any individuals who may have been at-risk
• Notified any members of our community potentially affected by the data breach
• Consolidated ongoing training for staff and students around cyber vigilance and online safety
We also notified the Office of the Australian Information Commissioner and Australian Cyber Security Centre of the incident.
The College has now taken steps to re-assess the original data and consider whether any further individuals may have been affected.
As in June, immediate notification to specific individuals is occurring.
As you will be aware, there has been a proliferation of cyber attacks and data security issues (including a number of other schools) reported over recent months.
As a general reminder, we attach recommendations for steps you can take to protect your personal information (see “Steps you can take to protect against potential data misuse”).

Federal Trade Commission takes action against Chegg, an Ed Tech provider, for exposing personal data of millions of customers due to careless security

The Federal Trade Commission (the “FTC”) has been quite an assertive regulator on privacy issues in the United States.  It has its fair share of detractors; however, it has been successful in developing a body of law relating to businesses not complying with their representations as to privacy and data security.  It has been so successful in that respect that Daniel Solove, a prominent privacy academic in the United States, has suggested that the FTC has developed the common law of privacy.  The very effective consent agreements the FTC has developed, enforceable undertakings in Australian parlance, should provide a very useful template when drafting obligations on entities in Australia which interfere with Australians’ privacy.  The enforceable undertakings imposed by the Australian Information Commissioner to date are anaemic by comparison.  They may also be useful inspiration when, hopefully and eventually, individuals have a right to bring action against companies and government agencies and terms of settlement are required.

The FTC has brought an action against Chegg for careless security which led to four separate data breaches in the space of 3 years being:

  • in September 2017, Chegg employees fell for a phishing attack, giving the threat actors access to employees’ direct deposit information;
  • in April 2018, a former contractor accessed one of Chegg’s S3 databases using an AWS root credential and exfiltrated a database containing personal information of approximately 40 million users of the Chegg platform.  Chegg only discovered this data breach when informed by a threat intelligence vendor;
  • in April 2019, a senior Chegg executive fell victim to a phishing attack, giving the threat actor access to the executive’s credentials to Chegg’s email platform and exposing personal information about consumers and employees of Chegg.  The email system was in a default configuration state that allowed a bypass of Chegg’s multifactor authentication requirement;
  • in April 2020, Chegg’s senior employee responsible for payroll fell victim to a phishing attack, giving the threat actor access to the employee’s credentials to Chegg’s payroll system. W-2 information, including the birthdates and Social Security numbers of approximately 700 current and former employees, was exfiltrated.

Needless to say the failure of Chegg to improve data security after the first and second data breaches is a focus of the FTC complaint.

The above data breaches are regular enough occurrences in Australia.  The failure to properly remediate and improve data security after a data breach is also all too common with Australian organisations.

The FTC statement

UK Police data breach involving sex abuse victims’ data made available on the web

There is a recognised genre of data breaches involving government agencies making sensitive data available online.  It is almost always due to poor data handling practices and flaws in IT controls and website design.  It often bespeaks poor access control protocols.  The latest reported data breach of this nature is covered by the BBC in Suffolk Police apology over sex abuse victims’ data on website: personal details of sex abuse victims appeared on a police website.  Australia has had more than its fair share of similar data breaches.  In March 2020 the Federal Court published the names and personal details of hundreds of asylum seekers online. The Federal Court commissioned a review by Professor John McMillan which resulted in a report in August 2020.  The report was comprehensive; however, its focus was on the finding that the Federal Court’s response was generally satisfactory.  Not an untypical outcome of an inquiry into an agency’s handling of a data breach.  Such reviews in Australia are remarkably forgiving and not particularly in depth.  On how the breach occurred, or more particularly how matters reached a point where it could happen, the Report was relatively quiet.  In the United Kingdom a similar review would have attracted much less comforting findings.  Even a Monetary Penalty.  Given that a similar breach was experienced by the Department of Immigration in 2014, involving personal details of almost 10,000 individuals and attracting considerable media coverage, it is surprising that the Federal Court was not more alert to the sensitivity of such data and the potential consequences of a leak.

The article

The continuing release of Medibank data, distressing for those affected, is not extraordinary behaviour by hackers. It is all too common.

November 20, 2022

The news that Medibank data continues to be released onto the dark web is hardly unexpected.  Hackers do it if they are frustrated that a ransom has not been paid, sometimes because they are acting on behalf of state players and the object is not money but humiliation, and sometimes for the hell of it, even if the ransom has been paid.

The REvil group is clearly intent on causing maximum pain given that the data, of nearly 1,500 individuals, relates to a range of conditions including:

  • heart disease,
  • diabetes,
  • asthma,
  • cancer,
  • dementia,
  • mental health conditions,
  • infections, and
  • delirium.

For a change Medibank has got in front of the story with an announcement.   Medibank’s media statements are still quite rudimentary compared to responses in the United States, where there is much more experience in responding to big data breaches.  It is difficult to improve the media landscape after such a disastrous initial response and given the nature of the data being leaked.  The hackers will continue to leak data and the reputational damage to Medibank will continue to grow.

To restate the obvious, this data breach highlights the need for organisations to have a comprehensive privacy and cyber security strategy, including a plan to deal with a data breach if it occurs.  Medibank has shown what happens when that doesn’t happen.

The Medibank statement

National Institute of Standards and Technology releases draft guide on De-identifying Government Data Sets. A very useful guide for all those who practise privacy and cyber security.

November 18, 2022

De-identifying data is a critical part of managing data, avoiding reputational damage if there is a data breach and complying with privacy legislation.  It is fundamental yet poorly understood, let alone implemented.  The National Institute of Standards and Technology has released the third draft of its De-Identifying Government Data Sets.   As with many NIST reports it is lengthy, not to mention highly technical.  But it is worth reading.  NIST provides the best technical guides in the privacy and cyber security sphere.

This is an excellent guide because it sets out clearly what de-identification involves, why it is important, what the risks are and how organisations and agencies should approach de-identification. The United Kingdom’s Information Commissioner has prepared excellent guidance on Anonymisation, pseudonymisation and privacy enhancing technologies.  Given the nature of recent data breaches in Australia, de-identifying older records is important.  The guidance in Australia is inadequate.

The abstract provides:

De-identification is a process that is applied to a dataset with the goal of preventing or limiting informational risks to individuals, protected groups, and establishments while still allowing for meaningful statistical analysis. Government agencies can use de-identification to reduce the privacy risk associated with collecting, processing, archiving, distributing, or publishing government data. Previously, NISTIR 8053, De-Identification of Personal Information, provided a survey of de-identification and re-identification techniques. This document provides specific guidance to government agencies that wish to use de-identification. Before using de-identification, agencies should evaluate their goals for using de-identification and the potential risks that de-identification might create. Agencies should decide upon a de-identification release model, such as publishing de-identified data, publishing synthetic data based on identified data, or providing a query interface that incorporates de-identification. Agencies can create a Disclosure Review Board to oversee the process of de-identification. They can also adopt a de-identification standard with measurable performance levels and perform re-identification studies to gauge the risk associated with de-identification. Several specific techniques for de-identification are available, including de-identification by removing identifiers and transforming quasi-identifiers and the use of formal privacy models. People performing de-identification generally use special-purpose software tools to perform the data manipulation and calculate the likely risk of re-identification. However, not all tools that merely mask personal information provide sufficient functionality for performing de-identification. 
This document also includes an extensive list of references, a glossary, and a list of specific de-identification tools, which is only included to convey the range of tools currently available and is not intended to imply a recommendation or endorsement by NIST.

The Australian Information Commissioner releases its data breaches report for January to June 2022.

November 13, 2022

On 10 November the Australian Information Commissioner released the six monthly Notifiable Data Breaches Report for the period January to June 2022.  The Report covers a period before the Optus and Medibank data breaches, which will make the next six monthly report quite dramatic, with the personal records of at least 15 million Australians affected.  In a country of 26,217,341 that is extraordinary.

The Report is far more expansive and detailed than the usual reports.  It also seeks to instruct as to what is expected and why.  No doubt the increased topicality of privacy and the impact of the Optus and Medibank data breaches have influenced the Commissioner and made it prudent to be more expansive than was previously the case.

The highlights of the Report are:

  • there were 396 notifications, a reduction of 14% from the previous 6 months;
  • health had the most notifications.  No surprises there;
  • 63% of data breaches were caused by malicious or criminal attacks;
  • ransomware was the most common form of cyber attack, at 31% of the total;
  • 71% of entities notified the Commissioner within 30 days of becoming aware of the breach;
  • in 13% of cases the entity did not become aware of the incident for over a year;
  • 4 entities took more than 12 months from when they became aware of the breach to notify the Commissioner.  That is a matter of significant concern.  It will be interesting to see if the Commissioner does anything about such a flagrant breach of section 26WH of the Privacy Act 1988;
  • contact information was involved in the breaches on 331 occasions, while identity information was involved in 217 cases.

While the Report and the statistics contained within it are quite instructive, it should be taken with caution.  It should not be regarded as a complete, or even completely accurate, picture of what data breaches have taken place and the number of records affected.  The current Data Breach Notification Scheme, as the Attorney General noted, is hopelessly ineffective.

The media release provides:

The significant impact of recent data breaches on millions of Australians and the findings of the latest Notifiable data breaches report released today stress the need for organisations to have robust information handling practices and an up-to-date data breach response plan.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the widespread attention on data breaches and statistics for January to June 2022 show areas that require organisations’ immediate action.

“Recent data breaches have brought attention to the importance of organisations securing the personal information they are entrusted with and the high level of community concern about the protection of their information and whether it needs to be collected and retained in the first place,” Commissioner Falk said.

“I urge all organisations to review their personal information handling practices and areas of ongoing risk identified in our report. Only collect necessary personal information and delete it when it is no longer required.

“Organisations should also ensure they have a robust data breach response plan, so in the event of a data breach, they can rapidly notify affected individuals to minimise the risk of harm,” she said.

The Office of the Australian Information Commissioner (OAIC) was notified of 396 data breaches from January to June 2022, a 14% decrease compared to July to December 2021.