Information Commissioner releases Notifiable Data Breaches Report for the period July – December 2021

March 10, 2022

The Information Commissioner has released the latest report on notifiable data breaches for the second half of 2021. There were 464 data breaches from July to December 2021. That is a total of 464 data breaches across the whole of Australia for a 6 month period. According to IT Governance there were 5.1 million records breached worldwide in February 2022 alone. That such a ridiculously low number is reported to the Commissioner is ample evidence of how flawed the data breach regime remains.

There are a number of reasons for this failure in public policy. A starting point is the limited coverage of the Privacy Act. The small business exemption, as well as the journalist and political party exemptions, leaves a large part of the economy which collects, holds and uses data outside of the coverage. The Data Breach Notification Scheme relies on self-assessment using a long list of factors to determine whether there has been serious harm. For some organisations

EU activates cyber rapid response team in response to Ukrainian crisis

February 23, 2022

The European Union has activated its cyber security team to help Ukraine defend against Russian cyber attacks. Actually, more Russian cyber attacks, given the US attributed a DDoS cyber attack on the Ukrainian Ministry of Defence to the Russian Main Intelligence Directorate. On the back of that the Australian Government issued a joint media release by Ministers Andrews, Payne and Dutton (is there an election in the air?) saying the same thing as the US, which provides:

The Australian Government joins the United States and the United Kingdom in publicly attributing the cyber attacks against the Ukrainian banking sector on 15 and 16 February 2022 to the Russian Main Intelligence Directorate (GRU).

In consultation with our partners, the Australian Government assesses that the GRU was responsible for these distributed denial of service (DDoS) attacks.

The Australian Government stands in solidarity with Ukraine and our allies and partners to hold Russia to account for its ongoing unacceptable and disruptive pattern of malicious cyber activity.

The international community must not tolerate Russia’s misuse of cyberspace to undermine Ukraine’s national security, sovereignty and territorial integrity by seeking to disrupt essential services, businesses and community confidence.

Russia’s actions pose a significant risk to global economic growth and international stability.

The global community must be prepared to shine a light on malicious cyber activity and hold the actors responsible to account. All members of the international community – including Russia – should abide by existing international law and norms of responsible state behaviour which apply in cyberspace. Australia calls on all countries to honour and uphold their commitments.

Australia is committed to upholding the rules-based order online, just as we do offline, and supporting our partners in the face of cyber threats.

Australia will continue providing cyber security assistance to the Ukrainian Government, including through a new bilateral Cyber Policy Dialogue and further cyber security training for Ukrainian officials.

Australia commends the swift action taken by Ukrainian authorities and the private sector to substantially mitigate the impacts of this incident.

Governments, the private sector and households must remain vigilant about the ongoing threats we face in cyberspace.

The Government is taking concrete action to protect Australians against cyber criminals, investing $1.67 billion over 10 years to build new cybersecurity and law enforcement capabilities to protect Australian businesses and communities, and passing new laws to protect our critical infrastructure assets from malicious cyber attacks.

This was picked up in The Australian's article Australia offers cyber security aid to Ukraine.

The reality of modern conflict is that cyber attacks are

NSW QR Code data breach involving publication of 500,000 addresses on state government website: a recurring problem for state and local government bodies

The SMH reports that there has been a data breach by the NSW Department of Consumer Service in the publication of 500,000 addresses on a government website. According to the NSW Government, the NSW Information Commissioner was advised the day after the Department became aware of the information being in the public domain, and the Commissioner stated that this did not constitute a privacy breach. That story is based on a Nine News exposé. As is usually the way, the embarrassment of the breach is compounded by negative coverage, reaching as far as the UK.

If there is some humour to be found in this all too familiar type of breach, it is that NSW legislated to ban police from accessing QR code check-in data in November last year.

The SMH article

Data breach of Oklahoma City Police results in rape kit information being exposed: about as bad as it gets

It has long been the practice of authorities to provide maximum privacy to complainants in sexual assault and rape cases. In Australia and most overseas common law jurisdictions, reporting of rape cases does not identify the victim. The report that data from rape kits of victims who alleged they were sexually assaulted is the subject of a data breach is devastating to those individuals. It also undermines confidence in police procedure. It may also prejudice the prosecution of cases where that data is a crucial piece of evidence.

What is more than passing strange is that the data breach took place on 18 November 2021 but details of that breach were only provided this week. The handling of the breach has been dreadful, with the Police Department stating that “certain sensitive personal and health-related information” may have been compromised. DNA Solutions took a different tack, stating “The data did not include social security numbers, driver’s license information, or financial information. We have notified individuals or organizations whose data may have been impacted directly.” DNA Solutions stated what was not included in the data taken or exposed but does not say whether personal information was taken. That is a non-answer.

There have been some very significant data breaches involving DNA data. On 29 November 2021 DNA Diagnostics Center Inc in Maine USA notified the Attorney General that there had been a data breach, from 24 May until 28 July 2021, which affected 2,102,436 people. In July 2019 it was reported that DNA-testing service Vitagene Inc. had left thousands of client health reports exposed online for years, with more than 3,000 user files remaining accessible to the public on Amazon Web Services cloud-computing servers until 1 July 2019. The reports included genealogy reports containing customers’ full names alongside dates of birth and gene-based health information, such as their likelihood of developing certain medical conditions. Back in 2017 Ancestry.com had a huge, by the standards of the day, data breach involving 300,000 credentials exposed.

The article related to the Oklahoma breach

Security Legislation Amendment (Critical Infrastructure) Bill 2021 passed by both Houses of Parliament.

November 24, 2021

The Security Legislation Amendment (Critical Infrastructure) Bill passed both houses of the Commonwealth Parliament on Monday 22 November 2021. 

Key elements of the legislation are:

  • Section 8D defines the critical infrastructure sectors as being:

Each of the following sectors of the Australian economy is a critical infrastructure sector:

    (a) the communications sector;
    (b) the data storage or processing sector;
    (c) the financial services and markets sector;
    (d) the water and sewerage sector;
    (e) the energy sector;
    (f) the health care and medical sector;
    (g) the higher education and research sector;
    (h) the food and grocery sector;
    (i) the transport sector;
    (j) the space technology sector;
    (k) the defence industry sector.

  • Section 8E defines a critical infrastructure asset as being an asset that relates to a critical infrastructure sector. There are definitions of specific types of critical infrastructure assets.
  • There are very broad definitions of when assets relate to a sector.
  • The definition of a relevant impact is broad and general.
  • Part 2B sets out the obligations of mandatory reporting. Section 30BC, regarding a critical cyber security incident, provides, in part:


US Federal Trade Commission strengthens security safeguard rules to deal with widespread data breaches

November 2, 2021

Another sign, if more were needed, that data breaches are a chronic and increasingly damaging phenomenon is that the US Federal Trade Commission (the “FTC”) has issued amendments to the Standards for Safeguarding Customer Information.

The Final Rule is a very substantial document. It is a useful document for those interested in privacy and cybersecurity generally. Given the dearth of clear and precise definitions, practices and protocols in Australia, it is of particular value here. Like NIST publications, it is a much more substantial and useful document than the vague and opaque guidelines issued by regulators in Australia.

Those who are responsible for maintaining cyber security and establishing procedures and protocols to protect personal information could do worse than read these rules. It is only a matter of time before the Information Commissioner prepares detailed guidelines which are more consistent with the voluminous GDPR documents or the direct and also comprehensive FTC rules

Attorney General’s Department releases discussion paper on reform to the Privacy Act 1988

October 27, 2021

On 25 October the Attorney General’s Department released its long awaited Privacy Act Review Discussion Paper (the “Paper”). It is something of a behemoth, being 217 pages long, or about half a lever arch folder. That said, as a veteran of reading many reform papers on privacy over the years, it is not the longest or most comprehensive. That honour falls upon the Australian Law Reform Commission’s 2008 Report, For Your Information: Australian Privacy Law and Practice (ALRC Report 108), which filled more than 3 lever arch folders over 3 volumes. The ALRC’s 2014 Report, Serious Invasions of Privacy in the Digital Era (ALRC Report 123), at 332 pages, was modest by comparison and built slightly on the earlier ALRC report. The ACCC Digital Platforms Inquiry considered privacy related matters, in particular endorsing and recommending a statutory tort of interference with privacy, coming in at 623 pages. And there are reports from the Victorian Law Reform Commission and the New South Wales Law Reform Commission on privacy. The point being made is not that I have read a lot of reports. I have. It is also not that the size of the reports matters. It doesn’t. It is that this Paper is just another in a long line of reports on the need for reform of privacy legislation. And those previous reports were prepared by much more learned authors and were more thorough than this Paper.

The Paper is a constrained work, making many generally uncontroversial recommendations to make interpretation clearer, make the operation of the APPs more relevant and give some increased powers to the Information Commissioner. It is far from comprehensive. It avoids making recommendations about a statutory tort of privacy. Rather, it continues the perpetual policy loop in which governments of every persuasion push this issue into further review, then consultation, then bury it in a report and then hope it goes away until it is recommended again or otherwise finds itself before the Government. It has been a hugely expensive, time intensive waste of time. Any body outside of Government that looks into the issue recognises the need for a statutory tort of privacy.

The Paper discusses the small business exception from the operation of the Privacy Act in broad terms, setting out arguments on the one hand and then the other, as well as the Employment Records, Political Parties and Journalist carve outs, but goes no further. Each exception is anomalous to a greater or lesser degree, and the restricted coverage of the Act, covering only 5% of businesses, is a matter that should have been addressed with a firm proposal. Those carve outs make it regulation that is quite limited in scope.

The Paper did not consider the many exceptions to and limitations upon the APPs. There are too many exceptions which permit agencies in particular to avoid proper scrutiny.

It is interesting that the Paper quotes the GDPR definitions and practices quite liberally and endorses aspects of the GDPR, but refrains from adopting, by way of amendment to the Privacy Act 1988, those parts of the regulation which make the GDPR a much more effective privacy regulation regime.

The Paper does not consider the role in proceedings of the Guidelines, which are prepared by the Office of the Australian Information Commissioner. The Guidelines are important in giving context and detail to the broadly drawn Australian Privacy Principles (APPs). But they are not regulations. As such the Administrative Appeals Tribunal and the Federal Court are quite able to have no regard to them, which has happened in cases. This has made submissions on the interpretation of the Principles a fraught affair before the AAT and the Federal Court, where applicants have had a poor record of success. And not because they had weak cases.

Where major revision was warranted the Paper recommends modest improvements. An improvement is just that, so it is to be welcomed. But only to that degree. What the Paper does not

US Consumer Financial Protection Bureau orders tech giants to hand over payment system details to determine how they use personal information and manage consumers’ data

October 25, 2021

As with the Federal Trade Commission, the US Consumer Financial Protection Bureau (CFPB) is concerned about tech giants’ untrammelled use of vast amounts of consumers’ personal information. To that end the CFPB issued orders to tech giants requiring each to provide information about data harvesting, monetization and access restriction.

The Director of the CFPB set out the rationale for this significant fact finding exercise in a formal statement. It provides

Zuckerberg to be joined to a Facebook Privacy Suit brought by the US District of Columbia

October 21, 2021

The Attorney General for the District of Columbia is planning to join Mark Zuckerberg, CEO of Facebook, to its consumer protection lawsuit, according to the New York Times in Zuckerberg to Be Added to Facebook Privacy Suit.

Claims of this nature, which are brought by bodies politic, are not unusual in the United States. They are far less common in Australia where

Threat report from Australian Cyber Security Centre, Data Breach notification report by Information Commissioner and report of 61 million records breached worldwide in August 2021 point to cyber attacks being a growing problem

September 16, 2021

A confluence of reports highlights the dismal state of security preparedness in Australia in particular and throughout the developed world generally.

IT Governance calculates that in August there were 84 cyber attacks which resulted in 60,865,828 records being breached. Of that number, T-Mobile suffered a hack which affected 53 million records.

Yesterday the Australian Cyber Security Centre (ACSC) released its Annual Threat Report for 2020 – 2021, which reports that over 67,500 cyber crime reports were made in the last 12 months. And the ACSC acknowledges that the figure could be, and probably is, higher. Probably