European Parliament adopts an Artificial Intelligence Act

March 17, 2024

On 13 March 2024 the European Parliament voted to adopt the Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (the AI Act). This is the latest step in a continuing process of AI regulation. On 2 February 2024 the AI Act was signed by the Committee of Permanent Representatives (Coreper). On 13 February 2024 it was endorsed by the Internal Market (IMCO) and Civil Liberties, Justice, and Home Affairs (LIBE) Committees.

The press release, set out below, describes the operation of the AI Act, which has been foreshadowed for some time. 

The AI Act will fully come into operation 24 months after entry into force, except for:

  • bans on prohibited practices, which will apply six months after the entry into force;
  • codes of practice, which will apply nine months after the entry into force;
  • general-purpose AI rules including governance which will apply 12 months after the entry into force; and
  • obligations for high-risk systems which will apply 36 months after the entry into force.


Australian Police link over 11,000 cyber crimes to the Medibank breach.

The Medibank breach was a seminal moment in Australian privacy and data security history. Together with the Optus breach it affected almost half the country’s population. It also highlighted the lax state of cyber security at large companies: minimal data security overall, a focus on perimeter defences over defence in depth, dreadful data storage and security policies, and retention of data long after it is required. But it is the knock-on effect of the breach that is the subject of the itnews report Australian police link “over 11,000 cybercrime incidents” to Medibank breach. It is that consequential damage that regulators need to be constantly aware of when deciding how to enforce the legislation. Unfortunately in Australia light-touch enforcement has meant that the culture of data security at board room level is still woefully lax, despite protestations to the contrary. As a result data breaches are quite regular and escalating in frequency.


Government announces consultation on proposed anti-doxxing laws

March 12, 2024

The Government foreshadowed that it would legislate against doxxing. Then there was quiet. Yesterday the Attorney General announced a consultation about proposed legislation against doxxing and released a consultation paper. The consultation paper is quite brief.

The consultation paper does not include an exposure draft because it proposes to incorporate the reforms into the mooted reform of the Privacy Act, so the anti-doxxing provisions would form part of the proposed amendments to that Act. That is a sensible approach.

The announcement provides:

Today we are commencing public consultations on measures to address the practice of doxxing.

The Albanese Government takes the protection of Australians’ privacy and personal information very seriously.

The increasing use of online platforms to harm people through practices like doxxing, the malicious release of their personal information without their permission, is a deeply disturbing development.

Action to combat doxxing would complement other critical reforms being progressed by the Government to strengthen the Privacy Act, as well as laws against hate speech and to further protect online safety.

Australians should have trust and confidence that their personal information is kept safe and secure in the digital age.

The targeted and malicious release of personal information without permission is unacceptable and cannot be tolerated.

This consultation process will be complemented by a roundtable discussion with key stakeholders including individuals with lived experience and media organisations to advise on doxxing and privacy reforms, and how to appropriately balance competing rights.

The Government is separately progressing reform options to strengthen laws against hate speech.

The consultation paper provides:

Overview

We are consulting with members of the public to seek your views on how to most appropriately address doxxing through civil remedies.

Definition of doxxing

‘Doxxing’ is the intentional online exposure of an individual’s identity, private information or personal details without their consent.

Doxxing can refer to a number of different practices, including:

    • De-anonymising doxxing – revealing the identity of someone who was previously anonymous (for example, someone who uses a pseudonym).
    • Targeting doxxing – revealing specific information about someone that allows them to be contacted or located, or their online security to be breached (for example, their phone number or home address, or their account username and password).
    • De-legitimising doxxing – revealing sensitive or intimate information about someone that can damage their credibility or reputation (for example, their private medical, legal, or financial records, or personal messages and photos usually kept out of public view).

Harms of doxxing

The Australian Government understands doxxing can leave targets vulnerable to, and fearful of:

    • public embarrassment, humiliation or shaming
    • discrimination, if personal characteristics are disclosed
    • cyberstalking and physical stalking  
    • identity theft and financial fraud
    • damage to their personal and professional reputation, leading to social and financial disadvantage such as loss of employment
    • increased anxiety 
    • reduced confidence and self-esteem.


UK Information Commissioner reprimands West Midlands Police for data protection breach

March 5, 2024

Managing data when organisations are flooded with it is an ongoing challenge, and when that management fails a data breach can easily result. Misfiling documents in the analog era was common enough; however, the chance of that resulting in a privacy breach was far rarer than it is today. The Information Commissioner has reprimanded the West Midlands Police for a data protection failure. The data breach resulted in one person with the same name receiving documentation intended for another. Given that one was a suspect in crimes and the other a victim of domestic violence, this error was significant. As is usually the case, upon investigation the Commissioner found significant flaws in the way the WMP handled data and trained its officers. This is a typical problem. Data breaches often occur because there are inadequate processes and not much in the way of training.

The media statement provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to West Midlands Police (WMP) after the force repeatedly mixed up two people’s personal information.

On numerous occasions throughout 2020, 2021 and 2022, WMP incorrectly linked and merged the records of two people with the same name and date of birth. Both people had been victims of crime, and one was a suspect, meaning WMP didn’t make a clear distinction between the personal information of victims and suspects of crime, a breach of the Data Protection Act 2018.

This mix-up led to inaccurate personal information being processed and resulted in a catalogue of errors, including officers attending the wrong address when attempting to find a person regarding serious safeguarding concerns. Officers also incorrectly visited the school of a wrong person’s child.

Information Commissioner releases report of data breaches for July to December 2023. A 19% increase in notifications, to 483, over the previous 6-month period. The report highlights the problems of data breaches by third parties

February 27, 2024

The Information Commissioner has released its semi-annual data breach report, this time for the period July to December 2023. There was a steady increase in reported breaches: 57 in July, 68 in August, 79 in September, 86 in October, 96 in November and 97 in December.

Interesting issues arising from the report:

  • the health sector still remains the most affected by data breaches;
  • 65% of data breaches affected organisations of 100 people or fewer;
  • 67% of the data breaches were caused by malicious or criminal attacks. There were 322 such incidents, up 12%;
  • human error was responsible for 30% of data breaches, an increase of 36% over the previous period;
  • 423 incidents involved contact information;
  • 306 incidents involved identity information;
  • 197 incidents involved health information;
  • 193 involved financial details;
  • 64% of the data breaches were identified in 10 or fewer days;
  • 23% of data breaches were identified in 30 days or more;
  • 56 of the 211 notifications involved ransomware, while 59 involved phishing.

Relevant extracts are:

Cyber incidents continued to be the leading cause of data breaches that impacted a large number of Australians. Of the 26 breaches that affected over 5,000 Australians, 22 were caused by cyber incidents. The top causes were compromised or stolen credentials (9 notifications), ransomware (8 notifications) and hacking (4 notifications).

Entities need to continually review whether appropriate controls and processes are in place to defend against and mitigate data breaches caused by cyber incidents. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has developed prioritised mitigation strategies – the Strategies to Mitigate Cyber Security Incidents – to help entities protect themselves against various cyber threats. The most effective of these mitigation strategies is the Essential Eight.

US Federal Trade Commission takes action against Avast for breaching privacy, claiming it was protecting data while trading consumers’ data

February 25, 2024

The US Federal Trade Commission has taken action against Avast for representing to consumers that its software would protect their privacy by preventing tracking and collection of browser information, while it tracked that browser information and sold it to more than 100 other companies. Avast tracked and collected the data and provided it to a subsidiary, Jumpshot, which from 2014 until 2020 sold that browsing information to some of its clients, including investment and advertising companies, search engine optimisation firms and data brokers: in short, companies that use data as part of their business activities. Avast has entered into a consent order whereby it agreed to pay $16.5 million and be prohibited from selling or licensing any web browsing data for advertising purposes.

The FTC generally relies upon representations made to consumers as the basis of its jurisdiction to take action. That is different to the approach taken by the UK regulator, which relies on the UK Data Protection Act. In Australia the regulator relies on its powers under the Privacy Act. FTC decisions are nevertheless useful and relevant in the analysis of privacy cases because the principles relating to data security, collection and use are consistent with those under the UK, New Zealand and European laws. Given that the FTC is a much more active regulator than the Australian Office of the Information Commissioner, the analysis set out in the FTC’s complaints and consent orders is particularly useful. The Australian resources are modest by comparison and often too general.

The FTC’s very colourful media release provides:

When uttered by a pirate, “Avast!” is a nautical term for “Listen up and cut it out.” And when the FTC says “Avast!” to software company Avast, it means the same thing. UK-based Avast Limited told consumers that using its software would protect their privacy by preventing the tracking and collection of their browser information. But according to the FTC, from 2014 to 2020, guess who was tracking consumers’ browser information and then selling it to more than 100 other companies through an affiliate called Jumpshot? Ironically enough, Avast Limited. We’re not sure how much the $16.5 million financial remedy is in doubloons, but we hope the terms of the proposed settlement will remind other companies to relegate conduct like that to Davy Jones’ Locker.

For consumers concerned about their privacy, Avast’s claims for its anti-virus software and browser extensions were attention-getters. The company promised its products would block “annoying tracking cookies that collect data on your browsing activities.” In a major app store, the company pitched its Avast Mobile Software as way for consumers to “secure your device” by getting “alerted when you install spyware and adware apps that violate your privacy by sending your personal data to their servers.” In describing its desktop software, Avast promised it would “shield your privacy” and “stop anyone and everyone from getting to your computer.” Avast also told people that its software would allow them to “reclaim your browser. Get rid of unwanted extensions and hackers making money off your searches.” The company’s marketing hook for its Avast Secure Browser was its anti-tracking capabilities, promising it would “protect[] your privacy by preventing websites, advertising companies, and other web services from tracking your online activity.”

Information Commissioner opens investigation into HWL Ebsworth data breach

February 22, 2024

The Information Commissioner has opened a Commissioner-initiated investigation into the data breach of the HWL Ebsworth site, which involved the loss of 1.1 terabytes of data. It has been some time in coming. HWL Ebsworth notified the Commissioner on 8 May 2023 and the Commissioner opened a preliminary enquiry in June 2023. A flaw in the legislation, and in the Commissioner’s approach to regulation, is the lengthy and drawn-out process. It has been 8 months, or thereabouts, between the date the preliminary investigation opened and the date this investigation opens. It will be months, probably many, before the Commissioner completes this investigation. If civil proceedings are commenced, that won’t happen for months. And then a couple of years in the Federal Court. The Commissioner’s regulatory action policy needs a significant overhaul.

The other problem with the Commissioner’s approach to regulation is that typically the results of those investigations do not see the light of day, or are quietly announced with little coverage in the media. This is significantly different to the regulators’ more expansive approach in the United States, the United Kingdom and the European Union.

HWL Ebsworth adopted a “batten down the hatches” approach to the data breach. After an initial anodyne statement it kept its counsel. It applied for and obtained an injunction against those using information leaked onto the dark web. The utility of that application is questionable, but it does restrain those who are not criminals but who may be tempted to access or otherwise view that material. Notwithstanding sporadic stories about which of HWL Ebsworth’s clients were affected, the strategy seemed overall to be effective. HWL Ebsworth avoided the intense media scrutiny and censure that Medibank and Optus experienced, even though the data stolen was at least as sensitive, and sometimes more sensitive, than that of either of those organisations.

Given the large volume of data stolen, across the breadth of the firm’s operations, there will be serious questions about the firm’s data storage policies, training and data handling processes, why so much data was retained for so long, and how the hackers were able to range so widely across practice areas.

The Commissioner’s Statement provides:

The Australian Information Commissioner has commenced an investigation into the personal information handling practices of HWL Ebsworth Lawyers (HWLE), arising from a data breach notified to the Office of the Australian Information Commissioner (OAIC) on 8 May 2023. The decision follows the OAIC’s preliminary inquiries into the matter, commenced in June 2023.

The OAIC’s investigation is into HWLE’s acts or practices in relation to the security and protection of the personal information it held, and the notification of the data breach to affected individuals.

The Commissioner has a range of options available to her if following her investigation she is satisfied that an interference with the privacy of one or more individuals has occurred.

This includes making a determination, which can include declarations that HWLE take specified steps to ensure that the relevant act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice. If the investigation finds serious or repeated interferences with privacy of individuals, then the Commissioner has the power to seek civil penalties against HWLE from the Federal Court of Australia.

In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.

About Commissioner-initiated investigations

The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1 under section 40(2) of the Australian Privacy Act 1988.

Under the Notifiable Data Breaches scheme in the Privacy Act, in certain circumstances organisations are required to take such steps as are reasonable to notify affected individuals of an eligible data breach and do so as soon as practicable.

The story has been covered by itnews.

University of South Australia shuts down its Medicines Advice and Therapeutics Education Services (MATES) program amid claims that personally identifiable data was being used without consent

February 16, 2024

The road to hell is paved with good intentions. That is never more true than in the ABC report University program shut down amid class action investigating veterans’ medical data distributed without consent. A program, operating since 2005, that was designed to help veterans involved some quite cavalier practices in handling their personal information. The first problem was that the data was disclosed without the veterans’ consent. This story is not new. Senator Lambie raised specific concerns about the lack of consent, the lack of any ability to opt out, and the Department of Veterans’ Affairs’ looseness with the truth regarding the concerning practices of MATES in an adjournment debate in the Australian Senate on 2 August 2023.

Why did it take 6 months for those who ran the program to respond? Even today the University of South Australia is crowing about how good the program is in Keeping patients alive by monitoring their medication. That is quite foolish in the circumstances.

The ABC article provides:

A University of South Australia program has been shut down and a class action is being considered amid claims by advocates that sensitive information about veterans was disclosed without their consent.

The Medicines Advice and Therapeutics Education Services (MATES) program has been cancelled amid revelations that the program was using identifiable data.

The program, led by the Department of Veterans’ Affairs (DVA) and running since 2005, involved the use of veterans’ healthcare card billing data provided by the department to conduct medical research.

Last week, the department’s ethics committee revoked its approval of the program.

Returned and Services League (RSL) South Australia president Dave Petersen said the impact on veterans has been profound.

“I know of veterans today who will not go to the doctor, because they do not want their medical information to be sent to the University of South Australia,” Mr Petersen said.


In France a data breach of Viamedis and Almerys, third-party payment operators, potentially affects 33 million

February 14, 2024

The numbers can boggle the mind. The data breach affecting Viamedis and Almerys has resulted in the exposure of 33 million individuals’ personal information. Viamedis and Almerys are healthcare payment service providers. The services provided by these companies are quite common in advanced countries. It is cheaper and more effective to have specialist companies processing usually complex insurance or government payments. That makes them a high value target for hackers: they hold a great deal of information collected from a range of sources.

Bleeping Computer’s article on that data breach provides:

Data breaches at two French healthcare payment service providers, Viamedis and Almerys, have now been determined to impact over 33 million people in the country.

Viamedis and Almerys provide healthcare and insurance services in France with technological and administrative solutions to facilitate transactions.

They manage the sensitive data of policyholders required for granting reimbursements and generally streamline the payment process in France’s complex, multi-layered insurance coverage system.

Viamedis first disclosed the cybersecurity incident one week ago on LinkedIn (the company’s website remains down), saying that it suffered a data breach impacting beneficiaries and healthcare professionals.

The company said the exposure includes names, dates of birth, insurer details, social security numbers, marital status, civil status, and guarantees open to third-party payment.

Federal Trade Commission takes action against Blackbaud for inadequate security practices, seeks orders for it to delete unnecessary data

The Federal Trade Commission has taken action against Blackbaud and required it to delete personal data that it does not need. The genesis of this outcome was the poor security practices that let a hacker access a trove of sensitive personal information in 2020, much of which should not have been kept. The FTC set out Blackbaud’s multiple transgressions: failing to segment data, failing to have multi-factor authentication and not notifying customers of the breach. In this case, as in many others, a data breach doesn’t reveal one flaw but usually a system-wide failure.

The media release provides:

South Carolina-based Blackbaud Inc. will be required to delete personal data that it doesn’t need to retain as part of a settlement with the Federal Trade Commission over charges that the company’s lax security allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.

In its complaint, the FTC says that Blackbaud, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits, healthcare organizations, and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

The FTC says that, despite promising customers that it takes “appropriate physical, electronic and procedural safeguards to protect your personal information,” Blackbaud deceived users by failing to put in place such safeguards. For example, the company failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. In addition, the company allowed employees to use default, weak, or identical passwords for their accounts, according to the complaint.

As a result of these failures, a hacker in early 2020 accessed a customer’s Blackbaud-hosted database, according to the complaint. Once logged in, the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts and creating new administrator accounts, according to the complaint. The breach went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers.