June 28, 2022
The New Zealand Financial Markets Authority (“FMA”) has released an information sheet to assist financial institutions with cyber security.
The press release provides:
The Financial Markets Authority (FMA) – Te Mana T?tai Hokohoko has published an information sheet to help financial services firms enhance the resilience of their technology and operational systems, and meet any relevant licence obligations. Read the rest of this entry »
Posted in New Zealand Privacy Commissioner, Privacy
|
Post a comment »
June 27, 2022
The difference between the attitude and the actions of the Federal Trade Commission (the “FTC”) for privacy breaches and failing to implement proper data security and that of Australia is illustrated in the Consent Agreement between the FTC and CafePress regarding the latter’s data breach, its attempted cover up and its dreadful data security. The FTC imposes robust, stringent and long lasting proscriptions while enforceable undertakings in Australia are infrequent, last a short time and impose quite mild constraints on malefactors. They are worlds apart.
CafePress was hacked on 20 February 2019 and the data breach compromised more than 23 million accounts. More than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates was accessed with some of that information available for sale on the Dark Web.
CafePress carefully did everything wrong after discovering the data breach including:
- while it patched the vulnerability, a month after the breach, it failed to properly investigate the breach for several months despite additional warnings including a warning in April 2019 from a foreign government
- instead of telling customers that a hacker had illegally obtained CafePress customer account information it instead only told customers to reset their passwords as part of an update to its password policy.
- CafePress did not inform affected customers until September 2019—one month after the breach was reported widely.
- CafePresses lax security practices still left many consumers at risk. It continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses, which had previously been stolen by hackers.
CafePress was aware of problems with its data security prior to the 2019 data breach. Through at least January 2018, when CafePress discovered that certain accounts of shopkeepers had been hacked. It also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks.
The FTC took action in March 2022 for the data breach and cover up.
Last week the FTC announced a Consent Agreement with Cafe Press. The obligations under the Agreement will last 20 years and CafePress has to pay a fine of $500,000.
The FTC Press Release Read the rest of this entry »
Posted in Federal Trade Commission, Privacy
|
Post a comment »
June 26, 2022
The National Institute of Standards and Technology (“NIST”) has released the guidance Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP).
The abstract provides:
The macOS Security Compliance Project (mSCP) provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way. This publication introduces the mSCP and gives an overview of the resources available from the project’s GitHub site, which is continuously curated and updated to support each new release of macOS. The GitHub site provides practical, actionable recommendations in the form of secure baselines and associated rules. This publication also describes use cases for leveraging the mSCP content.
Interesting matters raised Read the rest of this entry »
Posted in Privacy
|
Post a comment »
June 24, 2022
The National Institute of Standards Technology (“NIST”) has released a very interesting Discussion Easy titled Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity and Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity as a prelude to a seminar, that took place on 22 June 2022.
The abstract provides:
This publication documents the consumer profile of NIST’s IoT core baseline and identifies cybersecurity capabilities commonly needed for the consumer IoT sector (i.e., IoT products for home or personal use). It can also be a starting point for small businesses to consider in the purchase of IoT products. The consumer profile was developed as part of NIST’s response to Executive Order 14028 and was initially published in Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products. The consumer profile capabilities are phrased as cybersecurity outcomes that are intended to apply to the entire IoT product. This document also discusses the foundations to developing the recommended consumer profile and related considerations. NIST reviewed a landscape of relevant source documents to inform the consumer profile and engaged with stakeholders across a year-long effort to develop the recommendations.
Some of the interesting issues Read the rest of this entry »
Posted in General, Privacy
|
Post a comment »
June 19, 2022
The US has had a long tradition of commercialising customer lists. It is curious With that has come the “data broker” putting holders of data in touch with those who are keen to use that data. In the analog age it was a matter of mild concern, typically with people getting unexpected correspondence and offers. A common example was someone signing up for a hunting magazine getting offered a membership of the National Rifle Associate. In terms of scale the problem was real and concerning but not threatening to a person’s privacy. Most people subscribe to a limited number of publications and it wasn’t until relatively recently the fetish for being required to provide masses of personal information for even the most anodyne activity.
The digital age and the appreciation of businesses of the advantage of knowing as much about customers or potential customers combined with the vastly improved ability to collect masses of data and process them into useful information has mean the collection of information is key. And that has led to worrying practices, such as the collection of sensitive and health information. In that context on 15 June 2022 Senator Elizabeth Warren introduced Senate Bill 4408 to prohibit data brokers from selling and transferring certain sensitive data was introduced in the U.S. Senate.
Australia has not had a tradition or framework for data brokers but that does not mean there has not been the sale of data from time to time. Recently the Federal Government has made the transference of data between government agencies and educational institutions much easier. The privacy protections were added as an afterthought. It remains a problematical piece of legislation.
The Bill would Read the rest of this entry »
Posted in Big Data, Privacy
|
Post a comment »
June 18, 2022
The Markup has published a most extraordinary story, Facebook Is Receiving Sensitive Medical Information from Hospital Websites, where hospitals which had installed the Meta Pixel had collected sensitive personal information and sent it to Facebook. Meta Pixel is an analytical tool that allows a company to track its website visitors activities. This piece of code helps identify Facebook and Instagram users and see how they interacted with the content on the website . This information can be used to target people with ads based on interests. It used to be called the Facebook Pixel. The Meta Pixel sends information to Facebook via scripts running in a person’s internet browser, so each data packet comes labeled with an IP address that can be used in combination with other data to identify an individual or household. https://www.natlawreview.com/article/motion-preliminary-approval-accellion-data-breach-settlement-filed-california
A more traditional health data breach was involving the Baptist Medical Center and Resolute Hospital which involved an unauthorised party accessing and exfiltrated data from their network between March 31, 2022 and April 24. The information may have included:
-
full name, date of birth, and address
-
Social Security number
-
health insurance information, such as the name of insurer/government payor and the policy and/or group number
-
medical information, such as medical record numbers, dates of service, provider and facility names, chief complaint or reason for a visit, and other visit procedure and diagnosis information
-
billing and claims information, such as account and claim status, billing and diagnostic codes, and payor information
Meanwhile at Yuma Regional Medical Centre Read the rest of this entry »
Posted in Privacy
|
Post a comment »
June 17, 2022
After Choice’s comprehensive report, the firestorm of media coverage and obstinate response by Bunnings it was always a strong possibility that the Information Commissioner would look at the material Choice collected. Given the Commissioner’s findings against 7 Eleven’s use of facial recognition technology Bunnings et al may have some difficulties because they adopted wheezes to supposedly comply with the Privacy Act which were rejected by the Information Commissioner. Such problematical Read the rest of this entry »
Posted in General
|
Post a comment »
The Federal Trade Commission (FTC) today released a very important report to Congress, Combatting Online Harms Through Innovation, warning about abuses of AI. Those abuses include privacy intrusive practices and biases built into AI. It highlights the growing body of work warning of worrying aspects of Artificial Intelligence in accuracy, biases and privacy intrusive processes, including surveillance.
The press release Read the rest of this entry »
Posted in Federal Trade Commission, Privacy
|
Post a comment »
June 16, 2022
Colorado’s governor has just signed into law legislation aimed at limiting the use of facial recognition technology by government agencies and state institutions. This highlights that facial recognition is capable of proper regulation, that privacy issues can be regulated and there is a public good in properly regulating this form of technology.
It has been well summarised in The National Law Review as:
Ramping up the state’s continued focus on data privacy, on June 8, 2022, Colorado Governor Jared Polis signed legislation aimed at limiting the use of facial recognition technology by government agencies and state institutions of higher education.
The new law, SB 113, requires an agency, defined as “an agency of the state government or of a local government; or a state institution of higher education,” that intends to “develop, procure, use or continue to use facial recognition service” to provide notice of intent to use those services with its “reporting authority” prior to using the technology. Read the rest of this entry »
Posted in Privacy
|
Post a comment »
The Choice story regarding some of our biggest retailers using facial recognition in their stores continues to attract media coverage. As well it should. The ABC has undertaken a broad brush review, Renewed calls for national guidelines on using facial recognition technology after CHOICE investigation, regarding the science of facial recognition and the legal regulation, or more accurately the lack thereof. The Conversation weighs in for some analysis with Bunnings, Kmart and The Good Guys say they use facial recognition for ‘loss prevention’. An expert explains what it might mean for you.
The Oz with Faceprint technology: Kmart, Bunnings and The Good Guys are scanning customers’ faces in stores reports on the (usual) call for Federal Government action to ban facial recognition. Bunnings has decided to join the fray and attack the Choice article stating:
We are disappointed by CHOICE’s inaccurate characterisation of Bunnings’ use of facial recognition technology in selected stores. This technology is used solely to keep team and customers safe and prevent unlawful activity in our stores, which is consistent with the Privacy Act.
In recent years, we’ve seen an increase in the number of challenging interactions our team have had to handle in our stores and this technology is an important tool in helping us to prevent repeat abuse and threatening behaviour towards our team and customers.
There are strict controls around the use of the technology which can only be accessed by specially trained team. This technology is not used for marketing, consumer behaviour tracking, and images of children are never enrolled.
We let customers know if the technology is in use through signage at our store entrances and also in our privacy policy, which is available via the homepage of our website.
It is a wholly unconvincing defence of the facial technology and proper notice of the use of the facial recognition technology. It is a weak defence because:
- What is the safety issue? It is not terrorism or armed robberty? It is challenging interactions which constitutes abuse and “threatening behaviour”. What exactly does challenging interactions mean. These terms have been misused on occasion by organisations and government to extend to dissent or disagreement of any form. If it is arguments at the check out why is it necessary to obtain facial recognition data of all individuals. With these interactions why isn’t it sufficient to take a picture of the malefactor using a camera or smartphone and then use that as a resource to enforce a banning order, if that is what is anticipated.
- What is the threshold for the use of the facial recognition? A prior argument or what? It is all very vague.
- how is the technology being used to keep team and customers people safe? If a small proportion of individuals cause a problem how does that justify the hoovering up of thousands of images.
- how long are the images kept for? Are they being distributed throughout all Bunnings Stores? Are they provided to Bunnings staff for delivery purposes? It is possible for a customer who engages in “challenging interactions” to order on line and have products delivered.
- what are strict controls regarding the use of the technology. It is a statement that means nothing., What is the special training that the team receive before they can access the technology.
- how does the Bunnings screen out children? What is the age cut off? How is that determined? By an algorithm or a specially trained staff.
- the notice to the customers is a joke. The signage at the store entrance is in small print. Nothing is done to bring that to the customers attention. Similarly burying reference to it in the privacy policy is unsatisfactory, as the Information Commissioner found with 7 Eleven’s notice on web site. How Bunnings can rely on this argument given the Commissioner’s findings last year is quite extraordinary.
Read the rest of this entry »
Posted in General
|
Post a comment »