November 6, 2017
It is less than 6 months before the mandatory data breach notification laws take effect, February 22 2018 to be precise. They will impact all organisations and agencies covered by the Privacy Act and may require them to report data breaches of personal information. This has been the norm in 48 states of the United States for some time. In the United States, receiving notices under whichever data breach legislation is in operation is, if not common, then not unusual. That is an indicator of the frequency and impact of data breaches on business and government. Cyber crime for profit and malicious hacking is a chronic problem. In Australia there has been no requirement to notify individuals whose personal information has been accessed through a data breach. There have been self-reported data breaches to the Information Commissioner, sometimes because of good corporate practice but more often because the breach had already been publicised.
The Australian legislation is far from the gold standard. It is complex and quite imprecise. It will require considerable care by organisations and agencies to develop policies as early as possible so that they can properly comply with the legislation when there is a data breach. There is little point trying to work out how to comply while dealing with a data breach. Notifications must be made within 30 days from the date the breach is detected. That is the outer limit. While the time frame seems generous, given the …
The Information Commissioner’s Office has been an active regulator in the United Kingdom. The legislation in the United Kingdom, the Data Protection Act, empowers the ICO to issue heavy monetary penalty notices, the technical term for fines. In Australia the Information Commissioner can commence civil penalty proceedings with penalties of up to $1.7 million. Each regulator has its own regulatory armaments. The difference is that the ICO is active. The Australian Information Commissioner is not.
This fine is the first by the ICO involving the data broking industry.
The ICO issued a monetary penalty notice fining Verso Group (UK) Limited for supplying personal information to another company, Prodial Ltd, which used that data to make 46 million nuisance calls. Prodial received a record fine, but the investigation continued and went to the source of the data. That is quite a common feature of regulatory investigations. Commonly one investigation for …
November 2, 2017
Contractors and third party providers are notorious for being weak points in data security. Some of the largest data breaches have occurred through poor data security at contractors. The Sony and Target breaches were caused by hackers accessing systems through a contractor’s access point. It happens in Australia on a more regular basis than people appreciate. And it has now happened in Australia on a very significant scale. Itnews reports that files, which included full names, passwords, IDs, phone numbers and email addresses as well as some credit card numbers and details of staff salaries and expenses, were made available online by a contractor. In all, the personal information of 50,000 Australians was compromised. Of that 50,000 …
In late September this year Deloitte was the target of a successful and sophisticated cyber attack which involved compromising the emails and confidential data of its clients, many of which are significant organisations. As is commonly the case with major data breaches, the impact of the breach was not immediately known. Often it requires a review to determine the extent of the breach. It is not uncommon for hackers to remain undetected for weeks and sometimes months as they access data and decide what to steal or leak. In Deloitte’s case the breach was much larger than originally thought, affecting the emails of 350 clients. Among those clients were US Government agencies, including a server hosting emails for the US departments of state, energy, homeland security and defense, the United States Postal Service, the National Institutes of Health and the federally guaranteed mortgage companies Fannie Mae and Freddie Mac. The reputational damage to Deloitte has been immense, not least because it and the other big 3 accounting firms market themselves as experts in consulting on data storage, data security and compliance with privacy laws.
According to itgovernance’s List of data breaches and cyber attacks in October 2017 – 55 million records leaked, October was a bad but not untypical month in terms of data breaches, which affected a broad range of companies. There were financially inspired attacks such as …
October 31, 2017
Last week the Joint Committee of Public Accounts and Audit released its long awaited report into Cybersecurity Compliance. It is a valuable report which makes clear that the Committee “gets it” as far as the need for agencies to maintain proper cyber security, given that they are increasingly reliant on data being stored, used and disclosed online by their users. The Committee was also frank in its assessment that key agencies are falling down in this regard. For those practising in this area that comes as little surprise. There remains a poor cyber security and privacy culture in …
October 30, 2017
Notwithstanding the seeming chaos and drama swirling around the White House last week, some business was being done, as is the case with every administration. Notably the President issued a Presidential Memorandum to the Secretary of Transportation titled Unmanned Aircraft Systems Integration Pilot Program.
Previously U.S. companies have faced tight rules regarding the use of drones, including rules intended to protect Americans from potential harm. In the Presidential Memorandum the Secretary of Transportation has been directed to create a pilot program within 90 days that would effectively loosen regulations around drone usage in an “innovation zone”. In that zone users can …
Law firms are a particularly attractive target for hackers. Legal offices usually hold a rich trove of clients’ confidential information and banking details, and data from third parties such as witnesses and experts; together this provides enough personal information for identity theft. Last week the Telegraph reported on a law firm in Bermuda being hacked and clients’ sensitive data being accessed. Today’s Age, in Dozens of confidential legal files found dumped outside Melbourne law firm, reports on …
October 11, 2017
The Age’s report Police investigate topless photo of woman wearing Richmond premiership medal seems to be an egregious, but not isolated, example of the distribution of sexually explicit images without the depicted person’s consent. It is commonly described as revenge porn, though the report does not make clear that revenge was the intent in forwarding a photograph of a topless female wearing an AFL premiership medal. The report does …
October 10, 2017
Today the Hon Dan Tehan launched the Australian Cyber Security Centre’s (ACSC) 2017 Threat Report at the National Press Club. Threat reports from both governments and specialist security companies are now quite common throughout developed economies. The results are in line with overseas reports in terms of increasing attacks, greater sophistication and ransomware becoming a particularly challenging problem.
In his speech Tehan highlighted the example of a contractor in the security industry suffering a data breach in November 2016. That has resulted in …
October 2, 2017
The Australian newspaper has long had a set against increased privacy protections. Its reaction, usually through its commentators, to any proposal that the Federal Government legislate a statutory right to privacy borders on paranoia. To be fair, its opposition has been consistent, longstanding and open. See for example my post in 2012 about Ainslee Van Onselen’s criticism of the Rudd Government’s consideration of a statutory right to privacy. It was very much a Henny Penny “the sky is falling” sort of piece, which is a sub-specialty of the Australian on its topics of hate.
It is then more than a little surprising that Peter Van Onselen (definitely a relation of Ainslee, as in spouse) writes a shock horror piece in today’s Australian, We have no say over what political parties can do with information collected about us, about political parties being able to use our data without any oversight or regulation. The exclusion of political parties (and the media) from the Privacy Act 1988 has been there since …