The National Institute of Standards and Technology releases report on Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight: NIST IR 8286C

September 20, 2022

The National Institute of Standards and Technology (“NIST”) has released NIST Internal Report (IR) 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight. It is a particularly useful and practical report. In short compass it describes ways to combine risk information across an enterprise, so that risk information is integrated in a way that permits proper decision making and monitoring.

The report describes the creation of an enterprise risk profile (ERP) that supports the comparison and management of cyber risks.

The Abstract provides:

This document is the third in a series that supplements NIST Interagency/Internal Report (NISTIR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This series provides additional details regarding the enterprise application of cybersecurity risk information; the previous documents, NISTIRs 8286A and 8286B, provided details regarding stakeholder risk direction and methods for assessing and managing cybersecurity risk in light of enterprise objectives. NISTIR 8286C describes how information, as recorded in cybersecurity risk registers (CSRRs), may be integrated as part of a holistic approach to ensuring that risks to information and technology are properly considered for the enterprise risk portfolio. This cohesive understanding supports an enterprise risk register (ERR) and enterprise risk profile (ERP) that, in turn, support the achievement of enterprise objectives.

This guide is of particular use for privacy practitioners.  It discusses Read the rest of this entry »

United States National Security Agency releases Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) Cybersecurity Advisory

September 11, 2022

The United States National Security Agency (“NSA”) has released its Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) Cybersecurity Advisory. It notifies operators of National Security Systems, being networks which contain classified information or are otherwise critical to military or intelligence activities, of the requirement to adopt quantum-resistant (QR) algorithms. A cryptanalytically relevant quantum computer would have the potential to break current public-key systems, so it is necessary to plan, prepare, and budget for a transition to QR algorithms before cryptanalytically relevant quantum computers become a reality.

The media release Read the rest of this entry »

Ransomware attack on Los Angeles school district

Educational institutions are prime targets for cyber attackers. They hold large volumes of personal information of students and staff, and often alumni. They are also notoriously poor at maintaining proper data security. A key response of schools to the coronavirus epidemic was to move to remote learning, which meant greater opportunities for cyber attacks. Attacks on educational institutions this month, so far, include an attack on Franklin College in the United States in which the personal information of 6,000 students was possibly taken. The Savannah College of Art and Design suffered an attack in which personal information was accessed: someone stole the personal information of students who studied there from 1989 to 1999. Why an institution would still hold that information on its server is a mystery and a failure of proper data management. The stolen data included the names and Social Security numbers of students.

But those breaches were dwarfed by a data breach of the Los Angeles Unified School District, which enrols 600,000 students. It is the second largest school district in the United States. Data Breach Today reports on the breach in Los Angeles School District Hit by Ransomware Attack. It seems that at least 23 sets of credentials were compromised before the attack and offered on the dark web. At least one of those credentials unlocked an account on the school district’s virtual private network. Tellingly, last March the FBI Read the rest of this entry »

When it comes to crazy privacy-invasive systems it is hard to outdo state governments. Combine that with the natural control freakishness of school administration and the result can be mind-bogglingly stupid. Exhibit A: Moorebank High School installing fingerprint scanners for students to use the toilets. Just crazy.

September 6, 2022

At a time when children’s privacy is at the top of privacy regulators’ agenda around the world, the school administrators in Moorebank have installed fingerprint scanners at their toilets. The rationale: to stop vandalism. A ridiculously disproportionate response to an eternally chronic problem. It brings to mind the saying that the problem with teachers is that they have never left school, because if this initiative were not so concerning it would simply be regarded as juvenile.

According to the State Education Department it is not compulsory for students to register their fingerprints; however, the alternative is to get an access card from the office every time a student wants to use the bathroom. What sort of choice is that! Making the alternative difficult and potentially embarrassing effectively restricts the choice. It makes it a non-choice. In real terms there is no alternative but to consent for most students. The consultation process, Read the rest of this entry »

Federal Trade Commission sues Kochava for selling data which tracks people’s movements to sensitive locations

The US Federal Trade Commission warned as far back as July that it would focus on the illegal sharing of highly sensitive health data. That was preceded by a warning in September 2021 to health apps and connected device companies that they had to comply with health breach notification rules. In June 2021 the FTC settled with Flo Health, a fertility tracking app which inappropriately shared sensitive health data with Facebook and Google. On 11 August 2022 the FTC announced it was embarking on commercial surveillance rule making.

In that context it is not surprising that the FTC has commenced proceedings against Kochava for selling data which tracks people when they are involved in sensitive activities, such as attending health clinics and places of worship.

The media release provides:

The Federal Trade Commission filed a lawsuit against data broker Kochava Inc. for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations. Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities. The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected.

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

Idaho-based Kochava purchases vast troves of location information derived from hundreds of millions of mobile devices. The information is packaged into customized data feeds that match unique mobile device identification numbers with timestamped latitude and longitude locations. According to Kochava, these data feeds can be used to assist clients in advertising and analyzing foot traffic at their stores and other locations. People are often unaware that their location data is being purchased and shared by Kochava and have no control over its sale or use. Read the rest of this entry »

Irish Data Protection Commission fines Instagram 405 million euros for misuse of teenagers’ personal information

The Irish Data Protection Commission has reportedly fined Instagram 405 million euros for misusing teenagers’ personal information. The mishandling involved publicly displaying their phone numbers and email addresses and permitting them to create business accounts.

This represents the second biggest fine by an EU regulator.

The story is covered by The Australian, which provides:

Social media platform Instagram has been slapped with a record 405 million euro ($592m) fine by Ireland’s data privacy regulator for mishandling children’s data, publicly displaying their phone number and email addresses.

A 2020 investigation by Ireland’s Data Protection Commission found that children between the ages of 13 and 17 were allowed to create and operate business accounts on the Instagram platform, which published the children’s phone numbers and in some cases email addresses. Read the rest of this entry »

Ninety-seven million records breached in August 2022

September 4, 2022

The repetition of tens of millions of records being breached each month can have a numbing effect and can lead the reader to be either blasé or resigned (they are different) to each instalment. It can lead to the wrong attitude that data breaches are inevitable. That old saw is relied on by organisations who don’t like regulation or being made to pay more attention to data security.

IT Governance has compiled its list of data breaches for August and calculated that 97,456,345 records were breached in 112 publicly disclosed incidents. The reference to public disclosure is important. There is significant under-reporting. Later disclosures by affected organisations, and breaches being discovered by third parties (including hackers), provide ample evidence that some organisations try to avoid disclosing breaches when they think they can get away with it. Further, in many cases where the data breach itself can be established, organisations are reluctant to provide information on how many records have been accessed. That makes arriving at a complete figure a difficult proposition.

Some of the data breaches for August:

Read the rest of this entry »

Two disturbing trends about surveillance, one in China and one in Australia

It is trite to say that technology has far outpaced the common law and statute when it comes to regulating surveillance practices. In Australia the Privacy Act 1988 has inadequate coverage, with exemptions for journalists and political parties. The Australian Privacy Principles contain exemptions which limit their effectiveness. And finally, the regulator is timid. The surveillance devices legislation, while technology-neutral, is drafted for an analog world. Neither legislation nor legislators have considered the impact of persistent surveillance, where devices could track individuals throughout the day with the assistance of Artificial Intelligence. It is not a dystopian future. It is real and, again, described in the Wall Street Journal’s article The Two Faces of China’s Surveillance State, which sets out the State’s significant capacity to monitor its citizens, a capacity it seeks to use both to crush dissent and potential dissent and to offer the better future that such overweening controls supposedly bring. The first is a human rights abuse, as the Office of the High Commissioner on Human Rights makes clear in OHCHR Assessment of human rights concerns in the Xinjiang Uyghur Autonomous Region, People’s Republic of China, while the latter is a Faustian bargain.

Meanwhile in Australia ASIC has found that there is “room for improvement” by life insurers in their use of surveillance. In its review of 4,800 individual disability income insurance claims it found that, where physical surveillance was used in mental health claims, in half of those instances it was unwarranted. The sample was small, a total of 10 instances, but for half to be unwarranted is a concern. Similarly, it found that the use of surveillance was unwarranted in 17.5% of cases because the insurer could have at least Read the rest of this entry »

Canadian Privacy Commissioner raises concerns about new technologies including spyware by the Royal Canadian Mounted Police

August 27, 2022

The Standing Committee on Access to Information, Privacy and Ethics has been examining investigation tools used by the Royal Canadian Mounted Police (“RCMP”), including spyware. Not surprisingly, the Commissioner is playing catch-up, as the RCMP has not consulted or liaised with the Commissioner notwithstanding the clear privacy issues and potential for misuse. It is a classic and typical case of police and other agencies grabbing a new tool and then having to deal with the real policy issues of when and how to use it, usually after some publicity about its use. Such an investigation is long overdue in Australia at the Federal and State level, as police forces embrace privacy-intrusive technology and use it in ways inconsistent with respecting privacy.

The history of the enquiry is well described in Read the rest of this entry »

The Royal Commission into the Robodebt Scheme is up and running

Given the tight time frame to report, it was not a surprise that the Royal Commission would set up a homepage promptly. Of course the Commissioner was approached long before the announcement and has no doubt organised her team and started preliminary work. Nevertheless, the alacrity in setting up the homepage is impressive. It is found here.

At this stage the published material from the Commission is limited to the Letters Patent. That will no doubt change in the very near future.

The Letters Patent provides Read the rest of this entry »