March 29, 2025
The Australian reports that Ambulance Victoria has suffered a data breach involving the personal and financial details of 3,000 employees. The breach may have been caused by what has been described as a rogue employee. This is not a first for Ambulance Victoria. In 2023 it suffered a privacy breach, that time involving the internal sharing of personal information. Of the 2023 breach it was said that the “...documents have been accessed only a handful of times in the past six months.” An exercise in minimisation. On this occasion the breach, by the employee on his or her last day of service, was detected by the organisation’s systems. In 2019 I posted on a data breach involving NSW Ambulance officers which resulted in a class action and a settlement of $275,000.
Data breaches involving staff going rogue are a chronic problem, and a difficult one if proper policies and systems are not in place. Some staff, or soon-to-be ex-staff, are motivated by malice, others by greed and some by curiosity. It is important to have programs in place that detect suspicious activity, such as mass copying or exfiltration. It is also important to have a data breach response plan that assigns roles to members of the organisation. There also needs to be a plan to take court action if necessary. It is common to seek injunctive relief against ex-staff or consultants who make off with data. That is not an alternative to contacting police; it complements such action.
One question the regulators will no doubt ask is …
Posted in Commonwealth Privacy Commissioner, Privacy, Victorian law
March 28, 2025
The UK Information Commissioner’s Office (“ICO”) has fined Advanced Computer Software Group Ltd (“Advanced”) some £3.07 million for inadequate security which resulted in a ransomware attack in August 2022 that disrupted the operation of NHS services and impacted 79,404 people. The ICO found that Advanced’s security measures fell seriously short of what it expects from an organisation processing a large volume of sensitive information.
While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk. Hackers were able to access Advanced’s systems via a customer account. Access to that account was not protected by multi-factor authentication. Once in the systems, the hackers were able to exfiltrate data belonging to 79,404 people. That included, with respect to 890 people receiving home care, details of how to gain entry to their property.
Last year, the ICO signalled its intention to fine Advanced £6.09m. After considering Advanced’s submissions it reduced the fine to £3.07m. One but not the only reason for the reduction was Advanced’s “proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted”. Other factors were Advanced’s notification to customers within 24 hours of discovery irrespective of whether they were affected, providing a team of 18 people to restore infrastructure and engaging external experts to undertake a forensic investigation and analysis of the data impacted. Advanced also undertook a comprehensive review of potentially impacted data. There are lessons in the Australian context. It is important for an organisation to react quickly, decisively and engage with all relevant authorities. That means having a plan.
The statement provides:
The Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk.
Posted in Privacy, UK Information Commissioner's Office
March 27, 2025
Courts have long been a target of cyber attacks. There was a data breach at the Australian Federal Court in 2020, revealing the names of refugee applicants. In January 2024 Court Services Victoria was hacked; that involved recordings of hearings dating as far back as 2016. In January 2021 the United States Courts announced that they were putting in place extra safeguards to protect records in light of previous data breaches. In July 2022 the United States House Judiciary Committee investigated data breaches involving the U.S. Federal Courts dating back to early 2020. The latest data breach involves the New South Wales court website. The Government confirms that about 9,000 court files, including domestic violence orders, were accessed in a data breach.
As is usual in Australia the initial information provided is vague, to put it kindly. It appears that credentials were used, either by a hacker or other person who acquired those credentials, or by a person within the Department misusing his or her own credentials. While the account holder gained unlawful access to the system, the obvious question is the adequacy of the controls protecting the information. Was there a separate password, available only to those with specific clearance, required to access that information? Why wasn’t IT notified that a person without authorisation was accessing the information? How the breach was detected is not clear. The ABC reports that the breach was only detected later, during routine maintenance, when technicians noticed some data had changed. News reports that the breach was identified during a “security check” after some data had changed. Different backgrounding going on. Even more curious is what happened to the data. “Accessed” is a general term with a meaning ranging from having the ability to open documents, to actually opening those documents, to exfiltrating those files. It seems likely that the processes operating at the New South Wales Department of Justice were deficient.
The ABC report of the data breach …
Posted in Privacy
March 25, 2025
Tanya O’Carroll commenced proceedings against Meta seeking orders that Facebook stop using her personal data to create targeted ads on subjects it believed she would be interested in. She argued that Facebook’s campaign was direct marketing under the UK legislation. Meta has settled the claim, agreeing to stop sending targeted advertisements using her personal information. The Information Commissioner’s Office is very happy. So happy that it issued a statement. The ICO has always regarded targeted advertising as direct marketing under the legislation. It intervened in the case with an amicus curiae brief.
Under the Australian Privacy Act 1988 Australian Privacy Principle 7 addresses direct marketing directly, with the key issues being:
- APP 7 provides that an organisation must not use or disclose personal information it holds for the purpose of direct marketing unless an exception applies. APP 7 may also apply to an agency in the circumstances set out in s 7A.
- Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services.
- Where an organisation is permitted to use or disclose personal information for the purpose of direct marketing, it must always:
  - allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and
  - comply with that request.
- An organisation must, on request, provide its source for an individual’s personal information, unless it is impracticable or unreasonable to do so.
There has been no similar case in Australia to O’Carroll v Meta. There is a basis for making the same argument here given the content of APP 7.
The ICO statement provides:
An ICO spokesperson said:
“People have the right to object to their personal information being used for direct marketing, and we have been clear that online targeted advertising should be considered as direct marketing.
“Organisations must respect people’s choices about how their data is used. This means giving users a clear way to opt out of their data being used in this way.
“If people believe that an organisation is not complying with their request to stop processing their data, they can file a complaint to us. We will continue to engage with Meta on this issue.”
A BBC article …
Posted in General
The Times reports that the first permanent facial recognition cameras have been installed in London. It is being touted as a pilot project but it may be a precursor to the scheme being extended across London. The Information Commissioner’s Office has released guidance on the use of facial recognition, described as biometric recognition. It has also issued specific guidance for police on live facial recognition technology. There have been significant cases of misuse of facial recognition technology, with serious privacy implications. The misuse of facial recognition by police is well documented. And it is misused by the private sector. In February 2024 the ICO ordered Serco Leisure to stop using facial recognition to monitor employee attendance. The use of CCTV and facial recognition technology is more extensive in the United Kingdom than in Australia. That said, the regulator is quite active in reviewing its operation and the legislation is more rigorous than in Australia.
It is likely that the use of facial recognition technology will quickly become more widespread, especially with the use of AI. Doing so without properly adhering to the provisions of the Privacy Act 1988 may attract the attention of the regulator. On 19 November the Privacy Commissioner published a determination finding that Bunnings’ use of facial recognition breached the Privacy Act. On the same day the Privacy Commissioner published guidance on the use of facial recognition technology. It is critical that organisations contemplating using this technology understand their obligations under the Privacy Act 1988.
The Times article provides:
Facial recognition cameras that scan for wanted criminals are being installed permanently on UK high streets for the first time.
The Metropolitan Police will permanently put up live facial recognition (LFR) cameras in Croydon, south London, as part of a pilot project that may see the scheme extended across the capital.
Posted in Commonwealth Privacy Commissioner, Privacy, UK Information Commissioner's Office
March 23, 2025
In one of those “one for the books” events, the Cyberspace Administration of China, in collaboration with the Ministry of Public Security, has published security measures for the use of facial recognition technology. The measures will take effect on 1 June 2025. Given how intrusive Chinese authorities have been in the past with surveillance and the use of facial recognition technology, it will be interesting to see how much real change results.
The measures apply to activities that process facial information within China using facial recognition technology, that is, individual biometric recognition technology that uses facial information to identify an individual.
Interestingly, the measures exclude from their scope the processing of facial information for research and development or algorithm training purposes.
Under the measures, facial recognition activities must comply with applicable laws and regulations and, inter alia:
- have a specific purpose;
- be necessary;
- minimise the impact on personal rights and interests; and
- implement strict protection measures.
Personal information handlers must, inter alia:
- before processing, inform individuals in a prominent manner and clear and understandable language of certain information, such as contact information and purposes and method of processing;
- inform individuals of any changes to the information provided to them;
- when the processing is based on consent, obtain voluntary and explicit consent, including providing the right to withdraw consent;
- when processing minors’ information, obtain the consent of a parent or other guardian;
- store facial information on the facial recognition devices themselves and not transmit it through the internet;
- conduct a Personal Information Protection Impact Assessment (PIPIA) and include the contents outlined in the measures; and
- if processing data of more than 100,000 individuals, notify the provincial-level or higher cybersecurity and informatization department within 30 working days, and provide the information outlined in the measures.
The measures require personal information handlers to …
Posted in Commonwealth Privacy Commissioner, Privacy
March 18, 2025
Most advanced countries now have comprehensive data protection legislation dealing with critical infrastructure. In Australia the most notable is the Security of Critical Infrastructure Act 2018, which covers 11 sectors.
There is also the …
In that vein the US Federal Communications Commission is reviewing its submarine cable rules, in place since 2001, to enhance the protection of the nation’s submarine cable infrastructure amid evolving national security concerns. The FCC is following the now-standard approach of requiring cable operators to confirm that they take reasonable measures to protect the confidentiality, integrity and availability of their systems, and to provide cybersecurity plans.
The FCC proposals are reported in “FCC proposes new cybersecurity mandates for submarine cable operators in major rule review, seeks public input”, which …
Posted in Privacy
March 14, 2025
The Australian Securities and Investments Commission announced yesterday that it was suing FIIG Securities for “systemic and prolonged cyber security failures” from March 2019 until 8 June 2023. As a result, hackers entered FIIG’s IT system and stole personal information which was released onto the dark web. ASIC specifically referred to the Federal Court decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd (No 3) [2022] FCA 84. That was the first case in which a failure to manage cyber risk was found to be a breach of a licensee’s financial services obligations. The case was settled, with the parties proposing consent orders containing declarations and consequential orders. Given the nature of the repeated breaches, RI Advice’s legal representatives negotiated quite a favourable outcome, notwithstanding that orders were made against their client. In the United States or the UK the penalties would have been much more severe.
Helpfully ASIC has provided a concise statement of facts and the Originating Process. From that, ASIC alleges that between 13 March 2019 and 8 June 2023 FIIG did not comply with its AFSL obligations under section 912A(1) of the Corporations Act 2001 (Cth) to:
- do all things necessary to ensure that financial services were provided efficiently, honestly and fairly (s 912A(1)(a)), by failing to have in place adequate measures to protect its clients from the risks and consequences of a cyber incident;
- have available adequate resources (including financial, technological, and human resources) to, amongst other things, ensure that it had in place adequate cyber security measures required by its licence (s 912A(1)(d)); and
- have in place a risk management system that adequately identified and evaluated the risks faced by FIIG and its clients; adopt controls adequate to manage or mitigate those risks to a reasonable level; and implement those controls (s 912A(1)(h)).
ASIC alleges that FIIG failed to have the following cybersecurity measures:
- Planning and training: there was no cyber incident plan communicated to and accessible by employees and tested at least annually, and no mandatory cyber security training (at commencement of employment and annually);
- Access restrictions: there was no
  - proper management of privileged access to accounts, including revocation of access that was no longer required, and greater protections for privileged accounts; and
  - configuration of group policies to disable legacy and insecure authentication protocols;
- Technical monitoring, detection, patches and updates: there was a failure to have, or there were inadequate,
  - vulnerability scanning, involving tools deployed across networks and endpoints, and processes run at least quarterly with results reviewed and actions taken to address vulnerabilities;
  - next-generation firewalls (including rules preventing endpoints from accessing file transfer protocol services);
  - endpoint detection and response software on all endpoints and servers, with automatic updates and daily monitoring by a sufficiently skilled person;
  - patching and software update plans (with critical or high importance patches applied within 1 month of release, and 3 months for all others), and a practice of updating all operating systems, with compensating controls for systems incapable of patching or updates; and
  - security incident event management software configured to collect and consolidate security information across all of FIIG’s systems, with appropriate analysis of the same (daily monitoring);
- Testing: there was a lack of
  - processes to review and evaluate the efficacy of technical controls at least quarterly; and
  - penetration and vulnerability tests from internal and external points.
Posted in Corporations Law, Federal Court, Legal, Privacy
Artificial Intelligence is becoming the great disrupter. And in privacy and cyber security its impact is especially acute. The National Institute of Standards and Technology (“NIST”) has announced the process to develop a new cyber AI profile.
NIST notes …
Posted in Privacy
March 13, 2025
On 16 January the European Data Protection Board (EDPB) adopted Guidelines 01/2025 on Pseudonymisation, effective from 17 January 2025. Pseudonymisation is poorly understood by organisations and by some practitioners. It is also an important means of data protection.
It should be noted that OVIC has undertaken a very detailed assessment of de-identification and highlighted the problems with it.
The guidelines set out detailed guidance on the use and benefits of pseudonymisation under the General Data Protection Regulation (GDPR). Importantly, they clarify
- what pseudonymisation means,
- how to use it to meet data protection requirements, and
- how to implement it.
Australia operates under the Privacy Act and is not bound by the GDPR. That said, many organisations in Australia operate in Europe and to that extent are bound by the GDPR. Further, guidelines from the EU, like the NIST publications, provide valuable assistance in dealing with privacy issues.
What is Pseudonymisation?
Art. 4(5) of the GDPR defines pseudonymisation as “the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that it is not attributed to an identified or identifiable natural person.”
Pseudonymisation can be implemented through various techniques, such as the use of tables that map pseudonyms to original identifiers while keeping pseudonyms and original identifiers separate and secure (e.g., in the hands of two separate organizations).
Pseudonymisation should at least cover direct identifiers (e.g. passport or social security numbers, but also the combination of a person’s full name with his or her date of birth) which, alone, allow a data subject to be identified. The pseudonymising entity should also be mindful of indirect identifiers (e.g. by deleting, generalising or randomising them), which may also allow a data subject to be identified despite the pseudonymisation.
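As an added illustration of the Art. 4(5) definition and the two points above (not code from the EDPB guidelines or from any real system), the following pseudonymises constructed sample records: the combination of full name and date of birth is treated as the direct identifier and replaced with a keyed pseudonym, the mapping table and key are returned separately so only their custodian can re-attribute a record, and the indirect identifiers (postcode, age) are generalised. The field names and the key are assumptions for the example.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed sample records (not real people): direct identifiers, indirect
# identifiers and the payload the recipient actually needs.
RECORDS = [
    {"full_name": "Alice Example", "dob": "1984-02-11", "postcode": "3000",
     "age": 41, "diagnosis": "asthma"},
    {"full_name": "Bob Sample", "dob": "1990-07-30", "postcode": "3141",
     "age": 34, "diagnosis": "migraine"},
    {"full_name": "Alice Example", "dob": "1984-02-11", "postcode": "3000",
     "age": 41, "diagnosis": "eczema"},
]

# Name and date of birth together single a person out, so they are handled as
# one direct identifier rather than two separate fields.
DIRECT_IDENTIFIERS = ("full_name", "dob")


def make_pseudonym(record: dict, key: bytes) -> str:
    """Keyed pseudonym over the combined direct identifiers.

    HMAC with a secret key held only by the pseudonymising entity is used rather
    than a bare hash: a plain SHA-256 of name+DOB could be reversed by hashing
    guessed name/DOB pairs. The key is the 'additional information' that Art.
    4(5) requires to be kept separately.
    """
    msg = "|".join(record[f] for f in DIRECT_IDENTIFIERS).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def generalise(record: dict) -> dict:
    """Blunt the indirect identifiers that could still re-identify someone."""
    decade = record["age"] // 10 * 10
    return {
        "postcode_area": record["postcode"][:2],        # "3000" -> "30"
        "age_band": f"{decade}-{decade + 9}",            # 41 -> "40-49"
        "diagnosis": record["diagnosis"],
    }


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Return (records for the recipient, mapping table to be kept separately).

    The same person gets the same pseudonym across records, so the recipient
    can still link them without ever holding the identifiers.
    """
    out, table = [], {}
    for r in records:
        p = make_pseudonym(r, key)
        table[p] = {f: r[f] for f in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": p, **generalise(r)})
    return out, table


def reidentify(pseudonym: str, table: Dict[str, dict]) -> dict:
    """Only the custodian of the mapping table can attribute a record back."""
    return table[pseudonym]
```

Releasing only the first element of `pseudonymise(...)` and holding the table and key elsewhere is what keeps the data pseudonymised rather than merely relabelled.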
Posted in Privacy