June 29, 2022
Today the Australian Financial Review reports, in Dreyfus pledges sweeping data privacy reforms, that the Commonwealth Government will commit to “sweeping reforms” to data privacy laws in the life of this parliament, that is, within at most three years. The Attorney General made a similar pledge in an interview with ABC Radio National’s Law Report on 28 June 2022.
This is welcome news, although it should be tempered with the caution born of many false dawns. The commitment is to data privacy laws rather than privacy laws per se; hopefully the distinction is not significant. If the reforms ignored a statutory cause of action for interferences with privacy and retained the current regulatory structure, in which the Information Commissioner is responsible for taking any action for breaches, that would be a retrograde step. Similarly, maintaining the multitude of exclusions from the operation of the Privacy Act 1988, such as employment records and the small business exemption (to name but two), and the broadly drawn exemptions within the Australian Privacy Principles, would be a matter of concern. Hopefully the Government will consider both of the Australian Law Reform Commission’s reports, For Your Information: Australian Privacy Law and Practice (ALRC Report 108) of 2008 and Serious Invasions of Privacy in the Digital Era (ALRC Report 123) of 2014. It is also important that it consider legislating standards consistent with the General Data Protection Regulation, which came into force on 25 May 2018.
The history of privacy reform has been dismal, with ample blame to be assigned to all parties. The Labor Government was selective in accepting and implementing recommendations from the 2008 Australian Law Reform Commission report. It could have legislated a statutory cause of action, as was recommended. There was no good policy reason for Attorney General Dreyfus to commission yet another inquiry into privacy, this time into serious invasions of privacy in the digital era. It was can kicking: the issues were no different even if the impact of the digital economy was greater.

The Coalition, when in government, did the bare minimum in reforming the Privacy Act 1988. It made no effort to consider the recommendations of the 2008 ALRC report and effectively shelved the Serious Invasions report when it was completed in 2014. It instituted a departmental review of the Privacy Act 1988 which has proceeded in a languid fashion. Why a departmental investigation would be better than two ALRC reports is not clear.

The business community has doggedly resisted any form of privacy right that gives individuals a direct right of action. The rationale has always been weak and is now simply anachronistic. The Business Council of Australia lauds the conciliation process run by the Information Commissioner as largely successful in resolving complaints, and why wouldn’t the Business Council support the status quo? The Information Commissioner deals with complaints quietly, settlements are miserly, and it is a timid regulator. As business organisations hate the light, it is a system that suits malefactors. Business also likes the small business exemption, which makes no logical sense given that businesses with a turnover of less than $3 million can hold masses of personal information yet are beyond regulation. Of course media organisations have chosen sectional interest over the public good in wanting to retain the media exemption.
The Federal Court has not had its finest moments in decisions involving the Privacy Act 1988. The Full Court decision in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (the Ben Grubb decision) was as wrong headed as it is possible to be in constraining the definition of personal information, holding that data collected by Telstra could not be used to identify Ben Grubb and therefore was not personal information. It is an analog decision in the digital era. What is also clear is that principles based legislation is not easy to work with: the terms are vague and the exemptions many.
Against this grim backdrop one can only hope the Government will look as much overseas as to the Australian Law Reform Commission’s recommendations when implementing the reform. It should also not be afraid of root and branch change to the Privacy Act 1988. It is a weak vessel.
The article Read the rest of this entry »
Posted in Privacy
June 28, 2022
Deloitte Australia has released its 2022 Privacy Index, this year titled Every Breath You Take. It is a very useful survey, focusing especially on APP 5 (notification of the collection of personal information). The results are sobering: while some industries perform better than others, there is generally a compliance problem.
The web article provides:
In this year’s Index, we explore how transparency can increase consumers’ willingness to share data, the uses of online information and location data consumers are uncomfortable with and what value, if any, consumers place on personalisation. This is compared with the practices of leading consumer brands in the Australian market to determine whether brands are meeting these consumer expectations around their personal information.
The amount of information created and copied globally continues to grow and is forecast to increase for many years to come. The COVID-19 pandemic expedited this growth as we moved to learning, working, and entertaining from home. Unfortunately, accompanying this growth has been an increase in associated ‘creepy’ uses of information. Through the rise of online behavioural monitoring, brands now have access to even more data about their customers. They can act on this information through the personalisation of offers, online experiences and use of advertising tools provided by the likes of big technology corporations and social media.
Read the rest of this entry »
Posted in Privacy
The New Zealand Financial Markets Authority (“FMA”) has released an information sheet to assist financial institutions with cyber security.
The press release provides:
The Financial Markets Authority (FMA) – Te Mana Tātai Hokohoko has published an information sheet to help financial services firms enhance the resilience of their technology and operational systems, and meet any relevant licence obligations. Read the rest of this entry »
Posted in New Zealand Privacy Commissioner, Privacy
June 27, 2022
The difference between the attitude and actions of the Federal Trade Commission (the “FTC”) towards privacy breaches and failures to implement proper data security, and those of Australia, is illustrated by the Consent Agreement between the FTC and CafePress regarding the latter’s data breach, its attempted cover up and its dreadful data security. The FTC imposes robust, stringent and long lasting proscriptions, while enforceable undertakings in Australia are infrequent, short lived and impose quite mild constraints on malefactors. They are worlds apart.
CafePress was hacked on 20 February 2019 and the breach compromised more than 23 million accounts. More than 180,000 unencrypted Social Security numbers and tens of thousands of partial payment card numbers and expiration dates were accessed, with some of that information later offered for sale on the dark web.
CafePress carefully did everything wrong after discovering the data breach, including:
- although it patched the vulnerability a month after the breach, it failed to properly investigate the breach for several months, despite additional warnings including one in April 2019 from a foreign government;
- instead of telling customers that a hacker had illegally obtained their account information, it only told them to reset their passwords as part of an update to its password policy;
- it did not inform affected customers until September 2019, a month after the breach had been widely reported;
- its lax security practices still left many consumers at risk: it continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses, information that had previously been stolen by hackers.
CafePress was aware of problems with its data security before the 2019 breach. In January 2018 it discovered that certain shopkeeper accounts had been hacked, and it experienced several malware infections on its network before the 2019 hack but failed to investigate the source of those attacks.
The FTC took action in March 2022 over the data breach and cover up.
Last week the FTC announced a Consent Agreement with CafePress. The obligations under the Agreement will last 20 years and CafePress has to pay $500,000 in redress to victims.
The FTC Press Release Read the rest of this entry »
Posted in Federal Trade Commission, Privacy
June 26, 2022
The National Institute of Standards and Technology (“NIST”) has released the guidance Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP), published as NIST SP 800-219.
The abstract provides:
The macOS Security Compliance Project (mSCP) provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way. This publication introduces the mSCP and gives an overview of the resources available from the project’s GitHub site, which is continuously curated and updated to support each new release of macOS. The GitHub site provides practical, actionable recommendations in the form of secure baselines and associated rules. This publication also describes use cases for leveraging the mSCP content.
Interesting matters raised Read the rest of this entry »
Posted in Privacy
June 24, 2022
The National Institute of Standards and Technology (“NIST”) has released a very interesting discussion essay titled Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity as a prelude to a seminar that took place on 22 June 2022.
The abstract provides:
This publication documents the consumer profile of NIST’s IoT core baseline and identifies cybersecurity capabilities commonly needed for the consumer IoT sector (i.e., IoT products for home or personal use). It can also be a starting point for small businesses to consider in the purchase of IoT products. The consumer profile was developed as part of NIST’s response to Executive Order 14028 and was initially published in Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products. The consumer profile capabilities are phrased as cybersecurity outcomes that are intended to apply to the entire IoT product. This document also discusses the foundations to developing the recommended consumer profile and related considerations. NIST reviewed a landscape of relevant source documents to inform the consumer profile and engaged with stakeholders across a year-long effort to develop the recommendations.
Some of the interesting issues Read the rest of this entry »
Posted in General, Privacy
June 19, 2022
The US has a long tradition of commercialising customer lists. With that has come the “data broker”, putting holders of data in touch with those keen to use it. In the analog age it was a matter of mild concern, typically people receiving unexpected correspondence and offers; a common example was someone who signed up for a hunting magazine being offered membership of the National Rifle Association. Given the scale, the problem was real and concerning but not threatening to a person’s privacy: most people subscribe to a limited number of publications, and the fetish for requiring masses of personal information for even the most anodyne activity is relatively recent.
In the digital age, businesses’ appreciation of the advantage of knowing as much as possible about customers or potential customers, combined with a vastly improved ability to collect masses of data and process it into useful information, has made the collection of information key. That has led to worrying practices, such as the collection of sensitive and health information. In that context, on 15 June 2022 Senator Elizabeth Warren introduced Senate Bill 4408 in the U.S. Senate to prohibit data brokers from selling and transferring certain sensitive data.
Australia has not had a tradition of, or framework for, data brokers, but that does not mean there has not been the sale of data from time to time. Recently the Federal Government has made the transfer of data between government agencies and educational institutions much easier. The privacy protections were added as an afterthought. It remains a problematical piece of legislation.
The Bill would Read the rest of this entry »
Posted in Big Data, Privacy
June 18, 2022
The Markup has published a most extraordinary story, Facebook Is Receiving Sensitive Medical Information from Hospital Websites, in which hospitals that had installed the Meta Pixel collected sensitive personal information and sent it to Facebook. The Meta Pixel, formerly the Facebook Pixel, is an analytics tool that lets a company track its website visitors’ activities. The code identifies Facebook and Instagram users and records how they interacted with the content on the website; that information can then be used to target people with ads based on their interests. The pixel sends information to Facebook via scripts running in the visitor’s browser, so each data packet arrives labelled with an IP address that can be combined with other data to identify an individual or household.
https://www.natlawreview.com/article/motion-preliminary-approval-accellion-data-breach-settlement-filed-california
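How such a beacon can be inspected, as an added example that is not from The Markup’s story or from Meta: the script below takes a constructed list of request URLs of the kind a browser’s network log would contain, decodes the ones addressed to the pixel endpoint, and flags any field whose value looks like health information. The endpoint path and parameter names it assumes (`/tr`, `id`, `ev`, `dl` for the page URL, `cd[...]` for custom data), the sample URLs and the hospital domain are assumptions for illustration, not documented wire format.

```javascript
// Added example (not from The Markup or Meta): decode pixel-style beacon
// requests from a browser network log and flag fields that carry
// health-related values. Endpoint shape and parameter names are assumptions.

// Constructed log lines, not captured traffic.
const SAMPLE_LOG = [
  "https://www.facebook.com/tr/?id=1234567890&ev=PageView" +
    "&dl=https%3A%2F%2Fhospital.example%2Fpatient-portal%2Flogin&rl=",
  "https://www.facebook.com/tr/?id=1234567890&ev=Lead" +
    "&dl=https%3A%2F%2Fhospital.example%2Fdoctors%2Fdr-smith-oncology" +
    "&cd%5Bcontent_name%5D=Schedule%20Appointment&cd%5Bcontent_category%5D=Oncology",
  "https://cdn.example/app.js", // unrelated asset, must be ignored
];

// Terms that should never reach an advertising network from a hospital site.
const SENSITIVE_PATTERNS = [/oncolog/i, /patient/i, /appointment/i, /pregnan/i, /hiv\b/i];

// Returns null for anything that is not a pixel beacon; otherwise the
// decoded pixel id, event name, page URL (dl) and custom data (cd[...]).
function decodePixelRequest(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (!/(^|\.)facebook\.com$/i.test(u.hostname) || !u.pathname.startsWith("/tr")) return null;
  const customData = {};
  for (const [key, value] of u.searchParams) { // keys and values arrive percent-decoded
    const m = /^cd\[(.+)\]$/.exec(key);
    if (m) customData[m[1]] = value;
  }
  return {
    pixelId: u.searchParams.get("id"),
    event: u.searchParams.get("ev"),
    pageUrl: u.searchParams.get("dl") || "",
    customData,
  };
}

// Runs every beacon's fields against the patterns and returns one finding
// per matching field, in log order.
function findLeaks(logLines, patterns = SENSITIVE_PATTERNS) {
  const findings = [];
  for (const line of logLines) {
    const req = decodePixelRequest(line);
    if (!req) continue;
    const fields = [["dl", req.pageUrl]];
    for (const [k, v] of Object.entries(req.customData)) fields.push([`cd[${k}]`, v]);
    for (const [field, value] of fields) {
      const hit = patterns.find((re) => re.test(value));
      if (hit) findings.push({ event: req.event, field, value, pattern: hit.source });
    }
  }
  return findings;
}

for (const f of findLeaks(SAMPLE_LOG)) {
  console.log(`${f.event}: ${f.field} = "${f.value}" (matched /${f.pattern}/)`);
}
```

The page URL is the field to watch: even a beacon that carries no custom data reports the address of the page it fired on, which on a hospital site can name a clinic, a condition or a doctor.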
A more traditional health data breach involved the Baptist Medical Center and Resolute Hospital, where an unauthorised party accessed and exfiltrated data from their network between 31 March and 24 April 2022. The information may have included:
- full name, date of birth and address
- Social Security number
- health insurance information, such as the name of the insurer/government payor and the policy and/or group number
- medical information, such as medical record numbers, dates of service, provider and facility names, chief complaint or reason for a visit, and other visit procedure and diagnosis information
- billing and claims information, such as account and claim status, billing and diagnostic codes, and payor information
Meanwhile at Yuma Regional Medical Centre Read the rest of this entry »
Posted in Privacy
June 17, 2022
After Choice’s comprehensive report, the firestorm of media coverage and the obstinate response by Bunnings, it was always a strong possibility that the Information Commissioner would look at the material Choice collected. Given the Commissioner’s findings against 7-Eleven’s use of facial recognition technology, Bunnings et al may have some difficulties, because they adopted wheezes to supposedly comply with the Privacy Act which were rejected by the Information Commissioner. Such problematical Read the rest of this entry »
Posted in General
The Federal Trade Commission (FTC) today released a very important report to Congress, Combatting Online Harms Through Innovation, warning about abuses of AI, including privacy intrusive practices and biases built into AI systems. It highlights the growing body of work warning of worrying aspects of artificial intelligence: accuracy, bias and privacy intrusive processes, including surveillance.
The press release Read the rest of this entry »
Posted in Federal Trade Commission, Privacy