The US authorities uncover a versatile hacking tool targeting critical infrastructure

April 14, 2022

Wired reports that the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI have released an advisory about a malware toolset which can interfere with industrial control systems. Given that Australia has just passed updated critical infrastructure legislation, this is a particularly relevant development. The state of protection by Australian organisations is generally poor, legislation notwithstanding.


Another example, if more were needed, of poor email practices: Illinois clinic in the USA – 503,000 affected by email breach.

The health industry always features prominently in data breaches and the commensurate poor privacy and data security practices. To see the consequences of one entirely avoidable lapse upon a poorly protected organisation, note the salutary example of the data breach at the Christie Clinic in Illinois. A single email account was compromised, resulting in unauthorised access to the personal information of 503,000 individuals. It is the third largest recorded health data breach thus far in 2022.

Federal Trade Commission requires the successor to Weight Watchers to delete data and destroy algorithms

April 7, 2022

The Federal Trade Commission (the “FTC”) took action against the successor to Weight Watchers, Kurbo Inc and WW International (the “Defendants”), by a complaint filed 16 February 2022. Settlement was reached last month. The alleged breaches of the Federal Trade Commission Act and the Children’s Online Privacy Act are quite egregious, including:

  • not providing any form of notice to parents that the Defendants were collecting personal information from children, or seeking to obtain parents’ consent for that collection, until November 2019;
  • a notice to parents that the Defendants’ app was collecting personal information relating to a child was incomplete, as it did not specify all of the categories of personal information collected from the child;
  • until August 2021, the Defendants retained personal information collected online from children indefinitely, only deleting the information when specifically requested by a parent—even if the user’s account had been dormant for multiple years.

The terms of settlement follow a standard structure used by the FTC and, in this context, include:

  • restraining the Defendants from continuing the breaches alleged;
  • requiring the Defendants to destroy, within 30 days, all Personal Information Collected from accounts that have not, by that date, received direct notice and provided Verifiable Parental Consent;
  • destroying any models or algorithms developed in whole or in part using Personal Information Collected from Children;
  • ordering the Defendants to pay the sum of $1,500,000 as a civil penalty;
  • requiring the Defendants to enter into a compliance program, including providing compliance notices for 10 years and creating specific records for inspection for 10 years.

What is particularly interesting about this settlement is the requirement for the Defendants to destroy algorithms that were developed or created using personal information unlawfully obtained from children in breach of the legislation. This is a significant development in regulation. It underlines how intrinsic the use and collection of personal information is to the development and refinement of algorithms.

Commonwealth Parliament passes the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022

March 31, 2022

The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 passed through the Senate on 30 March 2022. This comes hot on the heels of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (No. 124, 2021). The genesis of the current legislation is the 99-page Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018, which was prepared by the Parliamentary Joint Committee on Intelligence and Security and tabled in September 2021.

The USA has critical infrastructure legislation. Most recently President Biden signed the Strengthening American Cybersecurity Act of 2022. Under that legislation critical infrastructure entities must report cyber attacks within 72 hours and report ransom payments within 24 hours.

In short compass, what does each Act do?

The Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) amended the Security of Critical Infrastructure Act 2018 (Cth). It increased the number of critical infrastructure sectors from 4 to 11. Communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage are now included.

Federal Trade Commission takes action against CafePress for data breaches and their cover up

March 18, 2022

What’s worse, the cover up or the crime? The answer from the Watergate cover up was emphatically that the cover up was where the real ill lies. For a lawyer, a manageable legal problem becomes a much more serious one when a person or organisation hides evidence of an offence. So CafePress discovered when the Federal Trade Commission (“FTC”) caught up with it for both its data breaches and their cover up.

CafePress failed to secure its clients’ sensitive information and then tried to cover up the data breach. The first reports of CafePress having been hacked in February 2019 came in August of that year, with a number of reports including one by Forbes titled CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them? The prescient question in that article was “why has it taken so long to find out about the CafePress breach? Good question. An equally good one might be ‘why have I heard about this breach from HIBP and not CafePress itself?’” These are questions that have attracted the attention of the FTC, which is seeking a $500,000 fine to redress loss to consumers resulting from the data breach. As well, the owners of CafePress will be required to enter into a 20 year order covering security programs and compliance monitoring. That is standard practice for the FTC.

The FTC has set out the history and the outcome in its press release.

Another jeremiad on online privacy. Admirable but more required.

March 17, 2022

The Age has run another article on the lack of privacy online, Online privacy is a farce. Click here to agree. It is an interesting and quite well written piece, but nothing in it hasn’t been written before, sometimes more eloquently. NBC ran a piece, Online privacy fears are real, last November.

ABC iview logins attracting negative response

After a false start, the ABC is introducing mandatory iview login requirements for its television services. This has raised the hackles of privacy advocates. In February the Conversation fired up with Mandatory logins for ABC iview could open an intimate window onto your life. Most recently, earlier this week, Malcolm Crompton, a former privacy commissioner, claimed that this will stymie debate and free expression of ideas. It has also attracted ire in itwire, with ABC appears to be hell-bent on compulsory iview logins and ABC is urged to ditch hated feature on its streaming platform iview – but the public broadcaster is adamant it WILL roll out this week. Vanessa Teague has produced a very effective YouTube video setting out the problems with data sharing (https://www.youtube.com/watch?v=20bqzIoB-Fw). The problem is that, while Vanessa’s post is very thoughtful and persuasive, it had only 491 views as of today’s date. It has been the subject of chatter amongst privacy advocates but not much more than that. That makes it completely ineffective. Innovation Australia, in Last ditch call to stop ABC mandatory login, highlights the problem: a last ditch effort is usually a forlorn hope. It provides:

Privacy and security experts have called on the ABC to halt its switch to mandatory user accounts at the eleventh hour, warning that the public broadcaster has failed to justify the increased risks of tracking users and sharing data with US tech giants.

Letters to ABC management from the Australian Privacy Foundation and a former privacy commissioner released this week call for the ABC to reconsider the decision, saying the purported benefits are not proportional to the risks they introduce, while a leading cybersecurity expert warned data is still being collected even though users opt out of tracking.

The ABC intends to make the switch to mandatory user accounts for its iview video-on-demand service on Tuesday, claiming it will allow more personalisation features that it says users want, and that tracking audiences and their viewing habits is now commonplace.

The National Institute of Standards and Technology releases the Introduction to Cybersecurity for Commercial Satellite Operations

It is interesting to see the National Institute of Standards and Technology recently release an Introduction to Cybersecurity for Commercial Satellite Operations. It is too interesting not to post on, even if the chance of working on cyber security for satellites is probably a little removed from most practitioners’ experience. Put another way, I am not expecting a call from Elon Musk to do some cyber security work on a SpaceX satellite. That said, the principles are equally applicable to more terrestrial equipment.

The rationale for the paper is pithily described in the abstract stating:

Space is a newly emerging commercial critical infrastructure sector that is no longer the domain of only national governments. Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space – including those affecting commercial satellite vehicles – need to be understood and managed alongside other types of risks to ensure safe and successful operations.

NIST recommends using the Cybersecurity Framework to develop a profile that involves:

Step 1: Establish Scope and Priorities.

The National Institute of Standards and Technology releases Ransomware Risk Management: A Cybersecurity Framework Profile and a quick start guide

March 11, 2022

Ransomware remains an ongoing, growing and developing form of malware that is particularly damaging to businesses. Ransomware encrypts an organization’s data and demands payment as a condition of restoring access to that data. It can also be used to steal information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware attacks target the organization’s data or critical infrastructure, disrupting or halting operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and attempt to restore operations themselves. The Australian Cyber Security Centre has provided some guidance on how organisations can minimise the risk of suffering a ransomware attack and what to do when attacked. In my experience many organisations do not have regard to this or any other guidance until it is too late. Given the potentially disastrous impact of a ransomware attack, this is a false economy.

By far the best sources of guidance and practical assistance are the publications put out by the US National Institute of Standards and Technology (“NIST”). NIST recently released Ransomware Risk Management: A Cybersecurity Framework Profile. It is a very useful and timely document. The abstract provides:

Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. This Ransomware Profile identifies the Cybersecurity Framework Version 1.1 security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of events.

Through a table it sets out the relevant ISO and NIST guides and Cybersecurity Framework categories (such as ID.AM) against each issue and explains how the guides operate.

Also released with it was a White Paper titled Getting Started with Cybersecurity Risk Management: Ransomware.

With the threat of ransomware growing, this “quick start guide” will help organizations use the National Institute of Standards and Technology (NIST) “Ransomware Risk Management: A Cybersecurity Framework Profile” to combat ransomware. Like the broader NIST Cybersecurity Framework, which is widely used voluntary guidance to help organizations better manage and reduce cybersecurity risk, the customized ransomware profile fosters communications and risk-based actions among internal and external stakeholders, including partners and suppliers.

The Framework provides a very useful section containing basic ransomware tips.

Information Commissioner releases privacy guidance on Healthcare identifiers on digital vaccination certificates

March 10, 2022

The Information Commissioner has issued privacy guidance on Individual Healthcare Identifiers (“IHIs”) on vaccination certificates. This is in addition to the guidance titled Privacy guidance for businesses collecting COVID-19 vaccination information, issued on 12 November 2021.
