Peter A Clarke

The Federal Trade Commission (FTC) has formally imposed a $5 billion fine on Facebook arising out of its breach of the 2012 FTC order.  The breaches related to sharing of data with third party users, to wit making that information available to Cambridge Analytica, as well as launching Privacy Shortcuts and Privacy Checkup in 2014 which were supposed to help with managing privacy settings but did not disclose Read the rest of this entry »

With the General Data Protection Regulation in force in the United Kingdom the Information Commissioner has greatly enhanced powers to fine those who breach data protection laws.  And in that vein the Commissioner announced on 8 July 2019 an intention to fine British Airways £183.39 million for a data breach in September 2018 which resulted in personal information of 500,000 were compromised.  As is often the case investigation after the breach revealed Read the rest of this entry »

Although the Federal Trade Commission (“FTC”) has not made a formal announcement the detailed reporting of the deliberations and voting by FTC Commissioners in favour ( 3-2) make it almost certain that once the civil division of the Justice Department approves the settlement, an almost certainty, an announcement will be formally made and Facebook will be liable to pay $5 billion. The Wall Street Journal broke the story with FTC Approves Roughly $5 Billion Facebook Settlement. 

Wired has undertaken a comprehensive report of the saga, which started with the FTC opening its investigation in March 2018, a week after the Cambridge Analytica scandal broke.  

The problem Facebook faces Read the rest of this entry »

On 27 June the relatively new Information Commissioner signed off on an enforceable undertaking with the Commonwealth Australia Bank arising out of 2 data breaches, the first involving the loss of 2 magnetic data tape containing what the Information Commissioner customer statements relating to 20 million customers in 2016.  The CBA was not able to work out whether the records were destroyed or something else came of them.  The second breach arose in August 2018 with sensitive information being available to those who were not able to access that material. This enforceable undertaking was entered into with the CBA already the subject of a very critical APRA report on the CBA’s risk management and reactive approach to compliance.  The CBA entered into a enforceable undertaking from the CBA in early May 2018.  And yet the CBA was involved in a second data breach 3 months later, in August 2018.  What does that say about CBA’s commitment to risk management?

There is a contrast in styles between the Information Commissioner’s media release and that of the Bank.

The Commissioner’s media release reads Read the rest of this entry »

The Full Bench of the Fair Work Commission recently handed down a very important decision in Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 regarding the application of the Privacy Act. The Full Bench undertook a careful analysis of the Act and applied the Australian Privacy Principles (the APPs) to the facts in the context of an unfair dismissal claim, in this case appeal from a Commissioner at first instance.

The Facts

Superior Wood operates two sawmills at Melawondi and Imbil [2] in Queensland. It had approximately 150 employees, 80 of whom, including Lee,working at the Imbil site. Lee was employed as a casual general hand and worked for  3 ¼ years. Superior Wood is Read the rest of this entry »

The focus of reporting on data breaches is on the personal information which is taken, potentially to commit fraud and the distress that others have that information without permission.  What is less reported is the potentially catastrophic effect data breaches may have on an business’ prospects, if not survival.  

In the United States Retrieval – Masters Creditors Bureau filed for Chapter 11 bankruptcy protection after it suffered a data breach in March.  The fallout from the data breach has been described as creating a “cascade of events” with led to the bankruptcy.  In Australia the Australian Financial Review (AFR) has reported that Landmark White is considering a full or partial sale of its business as it suffers a liquidity crisis caused by its second suspension by its lender clients.  In both cases the Read the rest of this entry »

Amongst the big 4 tech giants in their own given areas, Microsoft, Google, Facebook and Apple, Apple has made the strongest public stand on protecting its users privacy.  It too a stand as a civil rights issue in protecting privacy when in in 2016 when it refused to assist the FBI in in cracking a password on an iphone owned by a terrorist.  That included fighting the FBI in the Federal Court.

Facebook’s recent pivot to a privacy friendly future with the statement A Privacy-Focused Vision for Social Networking in March has been treated with some scepticism when the Guardian recently reported that Zuckerberg knew of poor privacy practices associated with the Cambridge Analytica scandal.  The evidence, emails uncovered by the Federal Trade Commission in its investigation as to whether Facebook has breached a 20 year consent decree, which it almost certainly has.  Facebook has reportedly set aside $3 billion in anticipation of a record fine from the FTC though the figure could be as high as $5 billion.  Today Facebook through Read the rest of this entry »

Organisations and agencies that collect and use personal information have a chronic problem of staff accessing that information without authorisation.   It is a very significant problem in the health industry with staff looking into the health records of celebrities; George Clooney in 2007, of Brittany Spears in 2008, Michael Jackson’s health records in 2011 and Kim Kardashian in 2013 to name a few. Last year 2 staff members at the Ipswich Hospital were reprimanded and one sacked for accessing Ed Sheeran’s health records relating to his treatment for a writs injury caused by a bicycle accident.  These instances are a fraction of the breaches of this nature that occurs. The breaches rarely come to light because the organisations notify those whose personal information have been compromised.  And they are only occasionally notified to the regulator. 

A case of snooping that was reported to the regulator resulted in a successful prosecution. In the United Kingdom unauthorised access of personal information is criminal offence. The UK Information Commissioner successfully prosecuted a former customer services officer at Stockport Homes who unlawfully accessed personal data, being anti social behaviour cases 67 times in 2017.  The breaches were Read the rest of this entry »

The Australian National University has had a very serious data breach.  Not just that a hacker or hackers breached its data security and accessed personal data, collected over a 19 year period, but that it started late in 2018 and was only detected two weeks ago.  That happens.  Sometimes hackers can remain in a system for years.  That may be a reflection on the sophistication of the attackers but it is more often a reflection on the adequacy of the organisation. 

This is second data breach in less than a year.  That bespeaks a real structural and governance problem with data security.  What also happens when data breaches like this happen is the data handling practices of the organisation come under the spotlight.  And ANU will have, or at least should have, a few questions to answer. Apart from the obvious about Read the rest of this entry »

Financial institutions and health care facilities are by far and away the most attractive and attacked sites for hackers.  Accessing personal information to permit access and transfer of funds from financial institutions are an obvious attraction.  Health facilities as a matter of course collect names, addresses, dates of birth, insurance information, government identifiers and often times credit card information.  That accumulation of data in one place, which depressingly is what health facilities usually do, permits a hacker to sell that information on the dark web or embark on identify theft himself (most hackers, based on evidence to date, being male).

Westpac has suffered a data breach as reported in Almost 100,000 Australians’ private details exposed in attack on Westpac’s PayID.  The aim and partial success was to access personal information to later use to commit acts of fraud.

There are three interesting aspects to the story.  The first is that details of the attack became public only because someone close to or in Westpac, NPP or both posted details as an item of interest on Whirlpool.  The Second is that the attack highlightgs the vulnerability of apps and other services designed for quick and easy use of banking facilities.  There is often a trade off, at least in the developers mindset, of ease of use and protection from hacking.  Apps are often weak links in data security.  The third issue is Read the rest of this entry »