Media Watch has a segment on “Media and privacy”, focusing on the tort of interference with privacy. The venerable Paul Barry in full stentorian mode opines against it. Quelle surprise!

April 17, 2023

Tonight ABC’s Media Watch broadcast a segment on the Attorney General’s Report on a Review of the Privacy Act, titled “Media and privacy”, with a focus on a proposed statutory tort of privacy. The coverage followed the traditional line adopted by media commentators in Australia: yes, there are breaches, but a tort of privacy would suppress free speech and so reform is a bad idea. Being Media Watch it was a reasonably comprehensive story, within the time allotted. But still quite predictable and overall not particularly sophisticated. The usual suspects came out against, such as Justin Quill with the usual lines about how such a reform will help the rich and kill investigative journalism. The supporters were also predictably supportive, being Michael Douglas and Barbara McDonald, but a good deal less shrill. Between now and the release of a draft bill expect strident stories from the participants in the Right to Know Coalition. In the past Chris Merritt (Privacy tort a blow to free speech, 18 March 2009), Ainslie van Onselen (Push for a tort is misguided and wrong, 21 September 2012, The Australian) and Michael Stutchbury (Lawsuits no way to defend privacy or free speech, 26 July 2011), among many others, have dipped their thumbs into the ink barrel when a privacy tort is mentioned and penned jeremiads about the end of journalism, the end of freedom of speech and no more public interest exposés if such a privacy tort is enacted. There is a sameness about the columns: pictures of a grim future with judges wielding their gavels with abandon, crushing story after story, and villainous reprobates being protected. The offerings tended to be long on emotion and short on analysis. That does not mean they have not had an effect. Governments of both persuasions have steered clear of adequate privacy law reform for decades.

It is entirely understandable that the media would have an interest in privacy reform. The problem is that it does not accept that the defence of public interest and freedom of expression in any tort will be given any weight. That is fear based on emotion, not logic. On a more practical level, given the gaping lacuna in the law regarding privacy and the practical inability of the aggrieved to take any legal action for invasions of their privacy, it is in the media’s interests to keep the status quo.

The Media Watch report is quite a reasonable analysis, albeit limited by the fact that, as the title suggests, it focuses on media and privacy, which is not the whole issue. What is lost in this story is that there are many circumstances where the media is not involved: the interference with privacy is one person intruding on the seclusion of another, or interfering government officials, or organisations and businesses surveilling customers or just ordinary individuals. With new and increasingly intrusive technology, not having legal recourse is a failure of public policy. None of this will convince the media, and the fact that Australia is an outlier in this area of law causes it no concern at all.

The transcript of the story Read the rest of this entry »

Commonwealth Attorney General Privacy Act 1988 Review Report Part 1, chapters 3 & 4. Some observations about the analysis and proposals.

April 16, 2023

The date for submissions to the Attorney General’s Review of the Privacy Act Report closed on 31 March 2023.

I will be undertaking a detailed review of the Report, by related chapters, between now and when the draft Bill is released by the Government, probably before or after the Winter Recess.

This analysis relates to Chapters 3 and 4. The proposals contained in both chapters are not controversial and address weaknesses in the Privacy Act drafting that were identified some time ago. The recommendations regarding de-identified and anonymised information attempt to address what remains a very difficult issue. The extent to which de-identification is possible in a practical sense is a matter of significant debate. Those issues may come into sharp relief if a data breach involved theft of de-identified information which was subsequently re-identified.

CHAPTER 3 OBJECTS OF THE ACT

The Report notes that privacy is not defined in the Act. It is a concept that can be broadly construed and may be understood as comprising a number of related concepts including informational privacy, bodily privacy, privacy of communications, and territorial privacy.

The Report proposes:

3.1 Amend the objects of the Act to clarify that the Act is about the protection of personal information.

The rationale for the amendment is that as the focus of the Act is to provide a framework for the handling and protection of personal information, the objects should more clearly reflect this.

The Report then states that the Act implements Australia’s international obligations in relation to privacy in part by providing a framework for regulating the collection, use, storage, disclosure and destruction of personal information but does not cover all aspects of privacy as the term is commonly understood.

The Report recommends:

3.2 Amend the objects of the Act to recognise the public interest in protecting privacy.

The Report notes that:

  • protection of privacy sits alongside other important interests: this is recognised in Article 17 of the International Covenant on Civil and Political Rights (ICCPR) and reflected in paragraph 2A(b) of the objects, which are sometimes, but not always, in tension.
  • paragraph 2A(b) of the objects should continue to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities.
  • the recognition of a public interest, as well as individual interest, in privacy will inform the balancing exercise, retaining sufficient flexibility for ‘countervailing interests to be given the weight they deserve’.
  • the protection of privacy and the interests of entities in carrying out their functions and activities, including private commercial activities, are not necessarily in conflict. It is not a zero-sum game.
  • businesses that use data in a fair and responsible manner may serve the public interest indirectly, and deliver benefits to individuals and the broader economy, as well as their own commercial interests.

CHAPTER 4 PERSONAL INFORMATION, DE-IDENTIFICATION AND SENSITIVE INFORMATION

The Report identifies a problem with the principles-based definition: a lack of understanding of how to apply it to information in practice.

The Report notes that the definition has to be seen in context in the Act and as such the Act:

  • does not prohibit the collection, use and disclosure of personal information.
  • requires that the principles around personal information handling set out in the APPs must be followed, including only collecting reasonably necessary information and only using or disclosing it for the purposes for which it was collected unless the individual consents or another exception applies.

The definition of personal information is intentionally broad, which ensures that APP entities keep privacy and risk-based personal information handling at the forefront of their minds when conducting their functions or activities.

Section 6 of the Privacy Act defines personal information as follows:

personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

Individual is defined as a ‘natural person’.

The current definition of personal information has two limbs:

  • the information is about an individual, and
  • the individual is identified or reasonably identifiable.

The Report identifies two categories of uncertainty about the definition:

  1. it is unclear which types of information can be personal information. For example, there is confusion about whether technical information that records service details about a device is the personal information of the owner of the device. Further, there is uncertainty about whether inferred information about an individual, for example in an online profile, will be personal information.
  2. there should be more clarity about how to ‘reasonably identify’ an individual and correspondingly how to know when an identifiable individual becomes ‘de-identified’.

The Report proposes to clarify the two categories of uncertainty through proposals that address the two limbs of the test for Read the rest of this entry »

41.9 million records compromised in cyber attacks in March 2023

April 11, 2023

Estimating the number of records accessed or otherwise compromised by data breaches is a fraught business. In the United States, Canada, the United Kingdom, Europe and Australia, with mandatory data breach notification laws and a media which has an interest in data breaches, it is possible to assemble some reasonable statistics about cyber attacks. There is some data available from Latin America and the more advanced economies of Asia, the Middle East and Africa. As for the rest, information is spotty and often unreliable. IT Governance has calculated that in March alone there were 100 publicly disclosed cyber attacks which affected 41,970,182 records. These figures should be regarded as an understatement of the worldwide number of breaches in March. Given the volume of data breaches it is also fair to surmise that the breaches reported to the Australian Information Commissioner are also an understatement of the number and extent of those breaches.

According to IT Governance the biggest of these data breaches were:

  • Latitude Financial

The largest confirmed data breach of March 2023 occurred at Latitude Financial, with more than 14 million records being compromised.

The Melbourne-based company, which provides personal loans and credit cards to people in Australia and New Zealand, reported that cyber criminals had captured several different types of data.

Almost 8 million driver’s licences were stolen, along with 53,000 passport numbers and dozens of monthly financial statements.

An additional 6 million records dating back to “at least 2005” were also compromised in the attack, the source of which is not yet known.

The most concerning aspect of this breach is that Latitude Financial originally reported that only 300,000 people had been affected. This suggests that it had a poor understanding of the attack and rushed to disclose the breach.

Having to then update its estimate invites further public scrutiny of the attack and could see customers lose faith in the company.

The Right to Know Coalition officially comes out and slams the possible reforms to the Privacy Act. No surprises here. The question is whether the Government will hold its nerve and make the changes required

April 10, 2023

Australian media organisations have been entirely consistent when it comes to reform of the Privacy Act 1988 and any other reform to privacy laws. They want none of it. And they say “none of it” at the top of their voice. They have done that with every review of the Privacy Act over the years and upon any suggestion that there be a statutory tort of interference with privacy. In the past the opposition has been so ferocious and vitriolic as to be detached from logic. The current review of the Privacy Act, culminating in the Attorney General’s Report in February 2023, has elicited much the same response from the Right to Know Coalition, which (re)stated its adamant opposition to the proposed reforms contained in the report. In response to the Issues Paper and Discussion Paper the media organisations were keen respondents, making their points in a determined but polite way.

The deadline for final submissions to the Report was 31 March 2023. It is only now that the Right to Know Coalition has swung from submissions on legal issues with proposals in the Issues Paper, Discussion Paper and the Report to a full-on political and editorial assault on the reform proposals. Carefully worded legal analysis has given way to high-volume polemics, apocalyptic predictions and general purpose mischief making.

The Guardian, part of the Right to Know coalition, reports on the statement in Media companies slam proposed reforms to Australian privacy laws.

The article provides:

Media companies have rejected a proposal to reform Australian privacy law, warning that the changes – including a right to sue outlets for serious invasions of privacy – are not in the public interest and would harm press freedom.

The Right to Know coalition warns the attorney general’s department’s proposal, released in February, would have “a devastating impact on press freedom and journalism in Australia without any clearly defined need or benefit”.

Information Commissioner releases its Data breaches report for July – December 2022…a big increase in number of data breaches and number of records compromised…Not surprising given the Optus and Medibank data breaches

March 31, 2023

The latest data breach notification report, covering the period July – December 2022, covers a period in which both Optus and Medibank were the subject of cyber attacks resulting in millions of records being compromised: almost 10 million for Optus and 9.7 million for Medibank. In this period there were other significant data breaches which skewed the figures. But these figures are still a significant under-reporting of the actual number of data breaches that occurred in Australia in this period. They in no way correlate to overseas experience in similar environments. For example, in January 2023 alone there were estimated to be 277,618,767 records compromised in 104 publicly disclosed security incidents.

Some interesting facts from the Report include:

  • there were 497 notifications, a 26% increase;
  • health again leads the number of notifications with 71 out of the 497 notifications;
  • malicious or criminal attacks were responsible for 70% of the breaches;
  • there were 5 breaches affecting 1 – 10 million individuals;
  • there was one breach involving more than 10 million;
  • in terms of cyber attacks the leading type of attack was ransomware, at 29%;
  • in January – June 2022 there were 24 data breaches affecting more than 5,000 Australians. In the July – December half year there were 40 breaches affecting more than 5,000;
  • while 77% of breaches were identified within 30 days, 6% took between 4 – 12 months and 5% took more than a year;
  • the top cause of human error breaches was personal information sent to a wrong recipient, at 42%.

The report provides:

Executive summary

The NDB scheme was established in February 2018 to drive better security standards and accountability for protecting personal information and improve consumer protection. Under the scheme, any organisation or government agency covered by the Privacy Act 1988 that experiences an eligible data breach must notify affected individuals and the OAIC.

All these articles about the need for proper data security and about poor privacy regulation have been said and said again, by me, for years. The coverage is belatedly welcome but does not bode well for serious reform

March 29, 2023

In Greek mythology Cassandra was a Trojan priestess who was fated by Apollo to utter true prophecies which were never believed. When writing on privacy and data security matters on this page over the past 15 years I feel like Cassandra. Raising concerns about poor privacy legislation, ineffective regulation, a lack of proper data security, no training and no risk management has raised not even a shrug. But last year, all of a sudden, journalists and politicians have talked and written about privacy and data security as if it had arrived with the Christmas Amazon delivery. That has produced some truly trite pieces, such as the Australian’s Hack attack on all business ‘inevitable’, says Michael Sentonas. The article could have been written almost a decade ago with almost no changes. But journalists weren’t interested, companies would prefer to deal with cyber attacks quietly, the Privacy Commissioner was out to lunch and governments had no interest in improving regulation. It is just that now, with 3 massive data breaches, the issue cannot be avoided and this revelatory piece finds its way into a national paper.

It provides:

Australian businesses are being urged to immediately improve their cyber security defences as a cyber expert warned that it was “inevitable’’ every business would be attacked by wannabe hackers.

The Australian Cyber Security Centre revealed cyber criminals were pouncing “within minutes’’ of vulnerabilities being discovered, and company boards needed to understand their “crucial role’’ in ensuring companies invested appropriately to make their networks resilient to attacks.

Latitude Financial woes continue and follow a trajectory all too common with large data breaches suffered by organisations with poor breach response plans.

The Latitude Financial data breach has taken the familiar path marked out by previous organisations who have suffered a data breach, who had a poor understanding of their obligations and were hopelessly unprepared for dealing with the possibility of a breach. Latitude’s slow and inept response has mirrored many of the failings of Optus and Medibank in their responses to data breaches. After the initial vague publicity about the data breach, Latitude provided on 27 March 2023 an increased estimate of the number of customers whose personal information was impacted, approximately 7.9 million individuals. The same day the Information Commissioner issued a statement which doesn’t say much beyond that it is making enquiries and working with other government agencies. This seems to be the new approach when a big data breach occurs: remind people that the Commissioner exists and is doing stuff. The question is what exactly that stuff is.

There is a real skill to drafting statements about data breaches. In the United States, where data breach notifications have been a feature of regulation for a significant number of years, the advice to the market and consumers is crafted carefully. They tend to be Read the rest of this entry »

Choice issues a damning report “Your Body, Our Data: Unsafe Privacy Practices of Popular Fertility Apps” which finds that fertility apps collect unnecessary personal data

March 22, 2023

Choice, in Fertility apps and your privacy, examined 12 popular fertility apps and found poor privacy practices. It is a devastating report highlighting the poor state of privacy practices in Australia. The Guardian has covered the report with Fertility apps collect unnecessary personal data and could sell it to third parties – study.

The Choice article provides:

Fertility apps collect extremely sensitive and intimate data about our cycles, health, pregnancies, and sex lives. 

There is growing concern over the handling of this data, which is often kept for too long (exposing it to data breach risks) and disclosed to other companies on a supposedly ‘de-identified’ basis (when there are real risks of re-identification).

The apps’ privacy policies, messages and settings are often confusing and potentially misleading. An app might claim “we never sell your data”, but the fine print might say the whole database can be sold to another company as a business asset.
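The Report’s discussion of de-identification (Chapter 4 above) and Choice’s point about data disclosed on a supposedly ‘de-identified’ basis turn on the same practical question: after the names and account numbers are stripped, how many records remain unique on the attributes an outsider could plausibly know (postcode, birth year, sex)? The Python below is an illustration added to this post; it is not code from the Report, Choice or the blog. It measures that with a k-anonymity check over a constructed sample (all rows invented, describing no real person) and shows how coarsening those quasi-identifiers before release changes the answer. The column names and generalisation rules are assumptions chosen for the example.

```python
from collections import Counter

# Constructed "de-identified" dataset: direct identifiers removed, but the
# quasi-identifiers left at full precision. Every row here is invented.
SAMPLE_ROWS = [
    {"postcode": "3000", "birth_year": "1987", "sex": "F", "diagnosis": "asthma"},
    {"postcode": "3000", "birth_year": "1987", "sex": "F", "diagnosis": "migraine"},
    {"postcode": "3000", "birth_year": "1987", "sex": "M", "diagnosis": "asthma"},
    {"postcode": "3056", "birth_year": "1962", "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "3056", "birth_year": "1962", "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "3056", "birth_year": "1962", "sex": "F", "diagnosis": "hypertension"},
    {"postcode": "3012", "birth_year": "1984", "sex": "M", "diagnosis": "asthma"},
]

# Attributes an outsider could match against another dataset (assumed set).
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def equivalence_classes(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)


def k_anonymity(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class. k == 1 means at least one
    record is unique on the quasi-identifiers, i.e. re-identifiable by
    linkage to any other dataset that carries the same attributes."""
    classes = equivalence_classes(rows, quasi_identifiers)
    return min(classes.values()) if classes else 0


def unique_records(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Number of records that are the only member of their class."""
    classes = equivalence_classes(rows, quasi_identifiers)
    return sum(1 for size in classes.values() if size == 1)


def generalise(rows):
    """Coarsen the quasi-identifiers before release: postcode to its first two
    digits (a region) and birth year to a decade. Sex is left unchanged."""
    out = []
    for row in rows:
        coarse = dict(row)
        coarse["postcode"] = row["postcode"][:2] + "xx"
        coarse["birth_year"] = row["birth_year"][:3] + "0s"
        out.append(coarse)
    return out


def assess(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Summarise re-identification exposure for a candidate release."""
    return {
        "records": len(rows),
        "k": k_anonymity(rows, quasi_identifiers),
        "unique": unique_records(rows, quasi_identifiers),
    }


if __name__ == "__main__":
    print("as stored:   ", assess(SAMPLE_ROWS))
    print("generalised: ", assess(generalise(SAMPLE_ROWS)))
```

On the sample, the data as stored has k = 1 with two records unique on postcode, birth year and sex; after generalisation every class has at least two members. The check says nothing about whether the remaining classes are homogeneous on the sensitive column (the three 1960s women in the 30xx region still narrow a diagnosis to two values), so a release decision needs a diversity check on the sensitive attribute as well, which this example leaves out.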

Latitude Finance finally gets its act in order in providing details of the breach…not many, but more than next to nothing. It makes for grim reading. A class action should be on the horizon.

March 21, 2023

Latitude’s woes continue, with a high likelihood of more personal information being compromised over and above the reported 330,000 records. Latitude released a “Cybercrime Update” yesterday sometime. That is a very slow response to a data breach where customers were contacted last Thursday. By Australian standards the statement is middling. Compared to statements released in the United States it is very average, both in terms of speed of the statement (though there is a strand of late responders there as well as here) and the quality of communication.

What the poorly written statement advises is that:

  • the attack remains active. That is a model of vagueness, not making it clear whether exfiltration of data continues or whether they have not isolated and removed the malware, if malware has been deployed. Given the access was through a person’s access credentials it is quite curious that it would not have been neutralised unless the hacker deployed some form of virus.
  • Latitude does not know the extent of the compromise;
  • the attack may have impacted non-customer-originating platforms;
  • Latitude kept historical customer information. That is a huge problem, and one that also affected Optus and Medibank. Latitude kept data relating to individuals who no longer use Latitude. That is very concerning.

It is quite concerning that a cyber attacker could have such easy access to a range of documents. It will be interesting to see what access controls were in place within the system. Issues of encryption and salting of data seem to be relevant considerations.

If there is no class action with this data breach I would be amazed. Just on the scraps of information provided to date it appears that Latitude was not in compliance with the Australian Privacy Principles relating to data security and retention of documents.

The statement Read the rest of this entry »

Latitude suffers major data breach. Underlines need for privacy reform in Australia

March 16, 2023

The timing of an announcement of a data breach at Latitude Financial couldn’t be more apposite. Submissions on the Government’s Report on reform to the Privacy Act, released in January, are due by 31 March 2023. The attack was effected through an employee’s login credentials from a major vendor used by Latitude. That is a depressingly familiar scenario. It also bespeaks inadequate controls. Approximately 103,000 identification documents, 97% of which were copies of driver’s licences, and 225,000 customer records were compromised. The records were held by service providers. The breach has been reported in the Australian Financial Review, the NASDAQ and the Sydney Morning Herald, among others (and the number will grow).

Latitude has made a statement because it has been quoted in the media, but it has not done what Optus and Medibank did with their data breaches and put out a statement on its website about what happened, what was done and what is being done. That is a rookie error.

The Australian’s Customer details stolen as Latitude suffers major cyber attack provides a good summary of what is known to date. The Information Commissioner has not made mention of any report or investigation. Given its recent decisions to investigate other major data breaches it is a reasonable expectation that Latitude Financial will be hosting officers from the Commissioner’s office in the near future.

The Australian article provides:

Latitude Financial says it was the target of a “sophisticated and malicious cyber-attack” which has resulted in 103,000 identification documents and 225,000 customer records being stolen.

The loans, credit cards and insurance company said the activity was believed to have originated from a major vendor used by Latitude.

It said although it took immediate action, the attacker was able to obtain Latitude employee login credentials before the incident was isolated. “The attacker appears to have used the employee login credentials to steal personal information that was held by two other service providers,” it said.