The Commonwealth Government to increase fines for serious data breaches to either 30% of turnover or $50 million whichever is the larger

October 22, 2022

The Attorney General has announced proposed amendments to the Privacy Act to increase the potential penalty for serious or repeated privacy breaches.  The penalty will be increased to the greater of:

  • $50 million;
  • 3 times the value of the benefit obtained through the misuse of the data; or
  • 30% of the company’s adjusted turnover in the relevant period.

The reports do not say what the penalty to Government agencies will be in the event of a serious data breach.  Clearly the turnover calculation will not apply.

Currently penalties for serious and repeated interferences with privacy are found in section 13G of the Privacy Act 1988.  It provides:

An entity contravenes this subsection if:

(a)  the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or

(b)  the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.

Civil penalty:  2,000 penalty units.

Under the Privacy Act the Commissioner must commence civil penalty proceedings in the Federal Court to seek penalties under section 13G.  The process

Information Commissioner starts investigation into Medibank while cyber gang escalates its demands…the data breach is taking on the appearance of a saga.

October 21, 2022

The Office of the Information Commissioner announced today that it was “making inquiries into Medibank.” The ostensible reason was to ensure that it complied with the Notifiable Data Breaches Scheme.  Given the circumstances it had ample power to do an own motion investigation in any event.  Given Medibank’s spluttering initial response to the data breach it is not surprising that this is the basis chosen.

The OAIC media release provides:

The Office of the Australian Information Commissioner (OAIC) is making preliminary inquiries with Medibank following its cyber incident, to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme.

As information is gathered and assessed, the number one priority is ensuring that Medibank customers have information and resources available to take steps to protect themselves from any risk arising as a result of their personal information being compromised.

“This matter is understandably of great concern, given the sensitive information that may be involved,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

Medibank data breach…threats to expose personal information and demands for ransom….Why is this news? It happens on a weekly if not daily basis. That is what criminal hackers do. The key is to get companies to properly protect their data

What do criminals do?  They act for profit.  Cyber criminals are still just criminals.  They steal for monetary gain.  Ransomware, and just plain demanding ransoms, is part of their weaponry.  Exposing health and other personal information happens if the crooks think that will get them the money they are after.

As the Guardian reports in Medibank says sample of stolen customer data includes details of medical procedures, the data stolen from Medibank includes details of medical procedures.  The Australian has an article in a similar vein with Medibank hackers stole data on medical conditions customers and treatment.  This shouldn’t be surprising.  What is less understandable is how the sensitive health data came to be commingled with other records.  Why was it not properly encrypted?  Why wasn’t it siloed?

I have been writing on cyber security and data breaches for so long that I find the breathless quality of Australian media reporting of the Medibank data breach curious.  It is as if this is the only and worst data breach involving health records.  It isn’t by a long chalk.  The Sydney Morning Herald writes of ‘Immense harm’: Federal police investigating threat to sell Australians’ health data.  The Australian, meanwhile, enters into policy speculation with Medibank hack sparks call to end companies creating data ‘honeypots’ for hackers.  Where the Australian gets it wrong is that under the current Privacy Act collection of personal information should only be for a specific purpose and used for that purpose.  The legislation is deeply flawed, but if properly enforced action should have been taken against companies who collect and hold onto data because it suits them.  The enforcement was weak.  It has always been weak.  Until now no Government has much cared.

The key is for companies to take their responsibilities seriously.  That means proper regulation and enforcement whereby the cost of non-compliance is high.  The next issue is to make sure that when there is a data breach it is dealt with methodically and thoroughly and not turned into a cause célèbre.  It helps not at all if it becomes a political battleground.  The company affected has to respond appropriately and quickly, and the regulator may need to get involved.  There will always be media coverage, but it shouldn’t develop a life of its own, as seems to be the case with the latest spate of data breaches in Australia.  It is always worth remembering that it is a legal issue: complying with the law.

The Australian Financial Review undertakes an analysis and critique of Medibank’s responses so far with Medibank’s ransomware response is a lesson in what not to do.  It is replete with talking heads wanting to get their name out as experts prognosticating on this, that or the other thing relating to the Medibank data breach.  Much of it is speculation over analysis.  That said, the Medibank response has been dreadful, as bad as Optus but in a different way.  Going through its media releases has been the privacy equivalent of a slow motion car crash involving a crash test dummy.  Whatever data breach response plan it had was substandard.  The first 24 hours should be regarded as the Golden Hours.  Getting as much information about the breach, starting on remediation and crafting a notice to the market, the clients, to government and the media is critical.  Information to hand will always be incomplete but being as forthcoming

Its latest update, Medibank cyber incident response, provides:

As we have worked through this cyber incident, Medibank has committed to transparency about what we know, and how that could impact our customers, our people, and the broader community.

This cyber incident is now the subject of an investigation by the Australian Federal Police.

We know that our customers, people, and the community want to know what data has been stolen, and how that may affect them.

Cyber Security Minister O’Neil states that relentless cyber attacks are here to stay…Right but they have always been here but governments were not paying attention. The problem is now data breaches are becoming an ongoing political rather than legal issue

October 20, 2022

The sub editors are earning their keep coming up with ever more dramatic headlines for cyber attack stories.  It is as if data breaches were a new phenomenon.  They aren’t.  I have been writing about data breaches and privacy and cyber security for over a decade.  What has changed things is the Optus Data Breach that affected almost half the population in one way or another.

The Home Affairs Minister Clare O’Neil has echoed earlier statements by ministers that the Medibank cyber attack is a huge wake up call.  The problem is that this wake up call has been made by civil society groups and commentators for years.  It was ignored by both sides of politics.  This sudden interest in cyber security and privacy by a government reminds me of a conversation I had with Professor George Williams during a break at a legal conference years ago.  I was bemoaning the ineffective privacy protections in legislation and the lack of options at common law and equity.  He said that reform will come with a major privacy incident which gets the government’s attention or convinces the courts of an unacceptable gap in legal protections.  How prescient were those comments.  The Optus and Medibank data breaches seem to have achieved the former.  Or at least the promise of the former.  Hopefully the courts will recognise that the protections at common law and equity are wholly inadequate.

Now Ministers are inserting themselves into every significant data breach.  That has all the makings of poor policy.  It is relatively unusual for governments and their ministers to insert themselves into the middle of a cyber attack.  There have been exceptions, usually for extraordinary events, but on the whole it is a matter for the regulator, the affected organisation, the various experts brought in to fix the mess and sometimes the insurer.  Later the courts

Medibank Private halts trading when hackers contact to negotiate regarding possibly stolen data

October 19, 2022

Medibank Private’s woes continue.  As the ABC reports in Health insurer Medibank Private halts trading after receiving message from company claiming to be behind cyber attack, it was contacted by a group wanting to negotiate the return of stolen data.  Nothing has been verified, or at least publicly identified, but Medibank Private notified the ASX to put a halt to the trade in its shares.  The Australian Financial Review, in Medibank ransom demand targets politicians, actors, LGBT activists, claims that the hackers were demanding ransom to prevent the release of health and credit card information.  The Sydney Morning Herald, in Medibank hackers threaten to release stolen health data in ransom demand, claims to have seen the ransom note.

Dealing with hackers who plant ransomware, or those who simply exfiltrate data and then ransom it back to the organisation, which is usually very keen to avoid more humiliation and cost, has become a niche industry.  Just as hackers have developed sophisticated processes for payment and negotiation, there are people who have expertise in negotiating with those hackers and sometimes outwitting them.  There is an excellent article in the 31 May 2021 issue of the New Yorker titled How to Negotiate with Ransomware Hackers which gives a little bit of an insight into this murky world.  The Australian also ran a similar, but lesser, story ‘They demanded $1m in 72 hours’: your money or your data.  The official government advice is not to pay ransoms.  The reality is much more nuanced.  Payments are made.  And hackers often abide by their side of an agreement.  But not always.  And then there are the middling results where the hackers provide decryption keys but, upon unlocking the ransomed data, some or much of the data is corrupted.  Sometimes the hackers only return some of the data, sometimes intentionally and sometimes by accident.  Being a crook does not mean they are good administrators.

The answer is always to maintain proper cyber security.  That doesn’t just mean having up-to-date software.  It means making sure the human element is covered.  Staff need to be trained and there need to be systems in place to stop lax security occurring.

The ABC article provides:

Health insurer Medibank Private has confirmed they have received messages from a group wishing to negotiate with the company regarding their alleged removal of customer data.

The update comes less than a week after the company was hit by a cyber attack.

Medibank says they are working urgently to establish if the claim is true, but are treating the matter seriously.

As a result of this, the health insurer has halted trading on the share market until further notice.

Medibank CEO David Koczkar has apologised to customers and said he understood the latest update was distressing.

“We have always said that we will prioritise responding to this matter as transparently as possible,” Mr Koczkar said.

National Institute of Standards and Technology releases report: Profile of the IoT Core Baseline for Consumer IoT Products

The Internet of Things is a key part of any discussion of cyber security and privacy.  The National Institute of Standards and Technology (“NIST”) has released a very important report on IoT baselines, titled Profile of the IoT Core Baseline for Consumer IoT Products.

The Abstract provides:

This publication documents the consumer profile of NIST’s IoT core baseline and identifies cybersecurity capabilities commonly needed for the consumer IoT sector (i.e., IoT products for home or personal use). It can also be a starting point for small businesses to consider in the purchase of IoT products. The consumer profile was developed as part of NIST’s response to Executive Order 14028 and was initially published in Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products. The consumer profile capabilities are phrased as cybersecurity outcomes that are intended to apply to the entire IoT product. This document also discusses the foundations to developing the recommended consumer profile and related considerations. NIST reviewed a landscape of relevant source documents to inform the consumer profile and engaged with stakeholders across a year-long effort to develop the recommendations.

At 30 pages it is a relatively brief NIST publication.  That does not mean it is not technical and dense.

Some interesting points

An article that universities are at particular risk of a cyber attack….that was news 10 years ago. But it is worth saying it again now governments in Australia are sort of taking privacy seriously

Sometimes it feels like the last decade of writing and reporting on privacy never existed.  Articles are being written and statements made portentously, with a breathless quality, about a cyber threat here or a privacy harm there as if it had never been said before.  The Australian’s Universities are at particular risk of cyber attack is a classic example of this reheating of well known facts and previous commentary on a phenomenon that has been well known and understood for many years, but written as if it is some sort of revelation.

Universities are and have always been a focus for espionage and theft of information, sometimes by state actors and sometimes by criminals who can see a financial pay day in stealing commercial information.  During the Cold War, the analog era, universities were engaged to do sensitive defence-related research.  There was a constant competition between those screening staff and protecting information and those intent on trying to corrupt or turn staff and otherwise purloin information.  In the digital era this issue has taken on new dimensions, with much more information, including personal information on a massive scale, and many more ways of accessing it.  Universities are notorious for having inadequate cyber protection, often because of multiple systems being cobbled together after mergers or rationalisations.  The authorisation policies are lax and the training is poor.

I have posted on data breaches at the University of Western Australia, Deakin University, University of Tasmania, Australian Catholic University, Australian National University and  the University of Greenwich.

The article says

Commonwealth Attorney General describes the Privacy Act as outdated….hardly news but good that an Attorney General is interested in privacy reform

October 18, 2022

The Attorney General is critical of the operation of the Privacy Act according to ‘A very outdated piece of legislation’: Optus hack highlights Privacy Act loophole.  This is hardly news.  What is good news is that reform of the Privacy Act is a priority.  How quickly that happens is less certain.  The interminable Attorney General’s Department review will be wrapped up by year’s end and sometime

Another data leak in Australia, this time with Realty Assist

Real estate agents and other property related companies collect masses of personal information.  A significant amount of that data is not required for preparing a lease.  Real estate agents are enthusiastic collectors of data but less impressive in the storage of it.  This is amply demonstrated in the Guardian’s article A real estate agent data breach would be devastating for renters. They collect too much personal information.  The sobering fact is that unless a real estate agent has an annual turnover of $3 million or more it would not be covered by the Privacy Act.

On cue, the Australian reports that poor data management has led to personal information being made publicly available online in Lax security: RealtyAssist loan details online.  This comes as no surprise to anyone practising privacy law.  That it is being reported so widely is more a function of the heightened interest in data breach stories since the Optus Data Breach.  The article

A process to anonymise facial images to improve patients’ privacy

Anonymisation is an important process in protecting privacy and securing data.  The UK Information Commissioner’s Office has recently released draft guidance on anonymisation and pseudonymisation.  Anonymisation and pseudonymisation are both quite contentious because they are often ineffective.  Some researchers believe that they cannot work, as there is no way to fully protect real identities in datasets.  The development of, and increasing access to, quantum computers poses challenges to anonymisation, as other data sets can be analysed and compared with the anonymised data to reveal tell-tale identifiers.  At this stage it does have utility, and the regulators acknowledge it as a means to protect privacy.

Nature has published a fascinating article, Anonymizing facial images to improve patient privacy, on anonymising facial images in the health industry context through the use of a digital mask.

The article