Peter A Clarke

One of the most significant amendments to the Privacy Act 1988 in 2014 relating to credit reporting.  A key element of those amendments was the establishment of Credit Reporting Codes. On 7 June 2022, the Australian Information Commissioner approved a replacement to the Privacy (Credit Reporting) Code 2014 (Version 2.2) by introducing the Privacy (Credit Reporting) Code 2014 (Version 2.3) (Code). Version 2.3 of the Credit Reporting Code registered on 1 July 2022. It took effect on 1 July 2022.

For anyone involved practising in privacy law, particularly with a connection to banking and finance, it is worth reviewing the updated code carefully.

The release Read the rest of this entry »

The phrase “six degrees of separation” should be truncated to “one degree of separation” when describing data flows.  Personal information of Australians is held by many US companies and organisations courtesy of on line shopping, various subscription services and other connections.

The ABC in Australian user data security in doubt after TikTok admits US data accessible by China highlights the vulnerability of data relating to Australians can be as great as those of US individuals where third parties can access the US user data. And US users of Tik Tok have/can have their data accessed by Tik Tok Employees.  Tik Tok admits that is employees in China have access to US user data. If they are both stored on the same servers the likelihood of harm can be as great.

There is a very real concern that norms about accessing information differ between Read the rest of this entry »

Itgovernance has identified 80 incidents in June 2022 which resulted in 34,908,053 records being compromised.  The types of attacks vary as does the severity of the attacks. 

Those breaches included:

• Shields Health Service suffering a cyber attack involving compromise of 2 million records;
• a human error in the form of an unauthorised person making available 2 million records on a hacking forum.  The information offered was first and last name, Social Security number; Medicare beneficiary identification number; date of birth; address and contact information; and health insurance information
• .Baptist Medical Center and Resolute Health Hospital suffered a cyber attack involving 1,254,534 records. The information accessed included some or all of demographic information  such as full name, date of birth, and address, Social Security number, health insurance information, such as name of insurer/government payor, policy and/or group numbe, medical information, such as medical record number, dates of service, provider and facility names, chief complaint or reason for visit, and other visit, procedure and diagnosis information; and billing and claims information, such as account and/or claim status, billing and diagnostic codes, and payor information. 
• Flagstar Bank has data breach impacting 1.5 million customers.
• Yuma Regional Medical Center has ransomware attack affecting 700,000 patients;
• Perkins & Co suffered a data breach via an attack on a third party vendor, Netgain, which Perkins used for hosting its data in the cloud.  A total of 354,647 records were compromised.
• Pegasus airlines leaked 6.5 terra bytes of personal information of flight crew.  A total of 23 million records leaked.  The information was left online. 
• in Australia Icare, an insurer, leaked personal information relating to 193,000 injured workers to 587 employers and insurance brokers.  The leak happened through a spreadsheet mistakenly attached to emails to wrong employers. 
• in Japan a person doing work for Amagasaki city lost a USB storage device which had records of all of the city’s residents.  He lost the device after having a drink or three at a restaurant. 
• in Malaysia, the point of sale provider Storehub had a data leak exposing personal information of almost a million customers. 
• there was a leak of gun owners personal information in California from the state’s Department of Justice.  The information released included names, birthdates, gender, race, driver’s license numbers, addresses and criminal histories of people who were granted or denied permits to carry concealed weapons between 2011 and 2021. 
• the insurer EMC National LIfe Company suffered a data breach involving 288,288 records.   

Read the rest of this entry »

The US President’s  Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services. made on February 12, 2020 has had a significant impact on government agencies  working on instituting standards to improve cyber security and privacy generally.

The Executive Order specially stated that “the widespread adoption of PNT services means disruption or manipulation of these services could adversely affect U.S. national and economic security. To strengthen national resilience, the Federal Government must foster the responsible use of PNT services by critical infrastructure owners and operators.” The Order called for updates to the profile every two years or on an as needed basis.

Positioning, navigation and timing (PNT) services is a US owned utility. This system consists of three segments: the space segment, the control segment, and the user segment. The U.S. Air Force develops, maintains, and operates the space and control segment.

The PNT Profile is designed to be used as part of a risk management program in order to help organizations manage risks to systems, networks, and assets that use PNT services.  It is not intended to serve as a solution or compliance checklist that would guarantee the responsible use of PNT services

The abstract provides:

The national and economic security of the United States (US) is dependent upon the reliable functioning of critical infrastructure. Positioning, Navigation and Timing (PNT) services are widely deployed throughout the critical infrastructure. A disruption or manipulation of PNT services would have adverse impacts on much of the nation’s critical infrastructure. In a government wide effort to mitigate these impacts, Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation and Timing Services was issued on February 12, 2020. The National Institute of Standards and Technology (NIST) as part of the Department of Commerce (DoC), produced this PNT Profile in response to Sec.4 Implementation (a), as detailed in the EO. The PNT Profile was created by using the NIST Cybersecurity Framework and can be used as part of a risk management program to help organizations manage cybersecurity risks to systems, networks, and assets that use PNT services, and is intended to be broadly applicable across all sectors. NIST acknowledges the tremendous efforts being undertaken by individual entities to address the responsible use of PNT services in their particular sectors and also encourages the development of sector specific guidance should more granular or specific risk management efforts be required. The PNT Profile can serve as a foundation for the development of sector specific guidance as well. This PNT Profile provides a flexible framework for users of PNT to manage risks when forming and using PNT signals and data, which are susceptible to natural and man-made, both intentional and unintentional, disruptions and manipulations.

The released document comes in at a hefty 115 pages.

Some interesting matters to note Read the rest of this entry »

Today the Information Commissioner, the Australian Competition and Consumer Commission (ACCC), Australian Media and Communications Authority (ACMA) and the eSafety Commissioner (eSafety) have released a joint communique regarding their co ordination and priorities for the next year.  The key focus will be digital transparency and algorithms and their impact.  As to what exactly that means in terms of action taken by regulators is not clear.  Both issues are very important in the privacy sphere. 

The communique provides:

Digital Platform Regulators Forum names algorithms, digital transparency and increased collaboration as priorities for 2022/23

The heads of the four members of the Digital Platform Regulators Forum (the forum) met yesterday and have agreed on a collective set of priorities for 2022/23.

Members of the forum are: The Australian Competition and Consumer Commission (ACCC), Australian Media and Communications Authority (ACMA), eSafety Commissioner (eSafety) and Office of the Australian Information Commissioner (OAIC).

The forum’s strategic priorities for 2022/23 include a focus on the impact of algorithms, seeking to increase transparency of digital platforms’ activities and how they are protecting users from potential harm, and increased collaboration and capacity building between the four members.

Through the forum all members have agreed to share information and work together to tackle issues across their traditional lines of responsibility.

Digital transparency Read the rest of this entry »

Today Australian Financial Review reports in Dreyfus pledges sweeping data privacy reforms that the Commonwealth Government will commit to “sweeping reforms” to data privacy laws in the life of this parliament.  That is within at most 3 years.  He also made a similar pledge in an interview with ABC Radio National’s Law Report on 28 June 2022.

This is welcome news although it should be tempered with caution borne of many false dawns in the past.  The commitment is to data privacy laws and not privacy laws per se.  Hopefully the distinction is not significant.  If the reforms ignored legislating a statutory cause of action for interferences with privacy and retained the current regulatory structure where the Information Commissioner was responsible for taking any action for breaches that would be a retrograde step.  Similarly maintaining the multitude of exclusions from the operation of the Privacy Act 1988, such as employment records and the small business exemption (to name but two) and the broadly drawn exemptions within the Australian Privacy Principles would be a matter of concern. Hopefully the Government will consider both the Australian Law Reform Commission Reports For Your Information: Australian Privacy Law and Practice (ALRC Report 108) of 2008 and Serious Invasions of Privacy in the Digital Era (ALRC Report 123) in 2014.  But it is also important for it to consider legislating standards consistent with the General Data Protection Regulation which came into force on 25 May 2018.

The history of privacy reform has been dismal with ample blame to be assigned on all parties.  The Labor Government was selective in accepting and implementing recommendations from the 2008 Australian Law Reform Commission Report.  It could have legislated a statutory cause of action, as was recommended.  There was no good policy reason for Attorney General Dreyfus to commission yet another inquiry into privacy, this time on serious investigations in privacy in the digital era.  It was can kicking.  The issues were no different even if the impact of the digital economy was greater.  The Coalition when in government has done the bare minimum in reforming the Privacy Act 1988.  It made no effort to consider the recommendations of the ALRC 2008 and effectively shelved the Serious Invasions Report when it was completed in 2014.  It instituted a departmental review of the Privacy Act 1988 which has proceeded in a languid fashion.  Why a departmental investigation would be better than 2 ALRC reports is not clear.  The business community have doggedly resisted any form of privacy rights which gives individuals a direct right of action.  The rationale has always been weak but now is just anachronistic.  The Business Council  of Australia lauds the conciliation process run by the Information Commissioner as being largely successful in resolving complaints.  And why wouldn’t the Business Council support the status quo.  The Information Commissioner deals with complaints quietly and settlements are miserly.  It is also a timid regulator.  As business organisations hate the light it is a system that suits malefactors.  And business likes the small business exemption, which makes no logical sense given businesses with a turnover of less than $3 million can hold masses of personal information but is beyond regulation.  Of course media organisations have chosen sectional interest over public good in wanting to retain the media exemption. The Federal Court has not had its finest moments in decisions involving the Privacy Act 1988. The Full Court decision in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (the Ben Grubb decision) was as wrong headed as it is possible to be in constraining the definition of personal information and regarding data collected by Telstra could not be used to identify Ben Grubb, and therefore be personal information.  It is an analog decision in the digital era. What is also clear is that principles based legislation is not easy to work with.  The terms are vague and the exemptions many.

Against this grim backdrop one can only hope the Government will look as much overseas as with the Australian Law Reform Commission’s recommendation when implementing the reform.  It should also not be afraid of a root and branch change to the Privacy Act 1988.  It is a weak vessel.

The article Read the rest of this entry »

Deloitte Australia has released it 2022 Privacy Index, this year titled Every Breath You Take.  It is a very useful survey, focusing especially on APP 5. The results are sobering.  While some industries perform better than other generally there is a compliance problem. 

The web article provides:

Read the rest of this entry »

The New Zealand Financial Markets Authority (“FMA”) has released an information sheet to assist financial institutions with cyber security. 

The press release provides:

The Financial Markets Authority (FMA) – Te Mana T?tai Hokohoko has published an information sheet to help financial services firms enhance the resilience of their technology and operational systems, and meet any relevant licence obligations. Read the rest of this entry »

The difference between the attitude and the actions of the Federal Trade Commission (the “FTC”) for privacy breaches and failing to implement proper data security and that of Australia is illustrated in the Consent Agreement between the FTC and CafePress regarding the latter’s data breach, its attempted cover up and its dreadful data security. The FTC imposes robust, stringent and long lasting proscriptions while enforceable undertakings in Australia are infrequent, last a short time and impose quite mild constraints on malefactors.  They are worlds apart. 

CafePress was hacked on 20 February 2019 and the data breach compromised more than 23 million accounts.  More than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates was accessed with some of that information available for sale on the Dark Web. 

CafePress carefully did everything wrong after discovering the data breach including:

• while it patched the vulnerability, a month after the breach, it failed to properly investigate the breach for several months despite additional warnings including a warning in April 2019 from a foreign government
• instead of telling customers that  a hacker had illegally obtained CafePress customer account information it instead only told customers to reset their passwords as part of an update to its password policy.
• CafePress did not inform affected customers until September 2019—one month after the breach was reported widely.
• CafePresses lax security practices still left many consumers at risk. It continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses, which had previously been stolen by hackers.

CafePress was aware of problems with its data security prior to the 2019 data breach. Through at least January 2018, when CafePress discovered that certain accounts of shopkeepers had been hacked. It also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks.

The FTC took action in March 2022 for the data breach and cover up.

Last week the FTC announced a Consent Agreement with Cafe Press.  The obligations under the Agreement will last 20 years and CafePress has to pay a fine of $500,000. 

The FTC Press Release Read the rest of this entry »

The National Institute of Standards and Technology (“NIST”) has released the guidance Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP).

The abstract provides:

The macOS Security Compliance Project (mSCP) provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way. This publication introduces the mSCP and gives an overview of the resources available from the project’s GitHub site, which is continuously curated and updated to support each new release of macOS. The GitHub site provides practical, actionable recommendations in the form of secure baselines and associated rules. This publication also describes use cases for leveraging the mSCP content.

Interesting matters raised Read the rest of this entry »