Vermont enacts Insurance Data Security Law which takes effect on 1 January 2021

June 12, 2022

It has been a feature of US law that the states are enacting privacy and data security laws at quite a rate to make up for the lack of federal oversight. In that way some US states, California for instance, are surpassing Australia.

Features of the Vermont law

Agustin-Bunch v Smith (No 2) [2022] VSC 290 (6 June 2022): Defamation, pleadings, defences of truth, contextual truth and honest opinion. Practice and pleading.

Justice John Dixon has provided a very valuable judgment in Agustin-Bunch v Smith (No 2) [2022] VSC 290, giving a very useful and detailed analysis of how to plead, and more particularly how not to plead, defences. It ended up being a bad day at the office for the defendants.

FACTS

The plaintiffs by writ seek:

  • damages,
  • a permanent injunction restraining the defendants from publishing certain material, and
  • a mandatory injunction for the removal of certain publications from the internet that they allege are defamatory [1].

The second plaintiff seeks damages pursuant to s 236 of the Australian Consumer Law (‘ACL’), contending that the defendants had engaged in misleading or deceptive conduct in contravention of s 18 of the ACL [1].

On 12 April 2021, the court refused the plaintiffs’ application for an interlocutory injunction restraining the defendants from publishing or causing to be published in any form, or maintaining online for download, or uploading so as to make available for publication online:

(a) 15 specific videos;
(b) hyperlinks to a Facebook group described by the plaintiffs as the ‘Dr Farrah Hate Page’;
(c) certain Facebook and Instagram posts;
(d) the imputations and representations set out in nominated paragraphs of the plaintiffs’ statement of claim; and
(e) any matter of and concerning the plaintiffs to the same purport or effect as any of the publications referred to.

The relevant publications alleged to convey defamatory imputations are videos [6] where Dr Smith speaks partly in Tagalog and partly in English to a Filipino audience [7].

The defendants pleaded the defences of:

  • truth,
  • contextual truth,
  • honest opinion, and
  • qualified privilege both at common law and relying on the relevant statutory provisions [8].

The plaintiffs allege about 70 imputations and the defendants plead a truth defence to approximately 60 imputations [10]. The defences have been

US Food and Drug Administration releases Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff

June 11, 2022

Privacy and cyber security in the health industry are both critical and, in the main, critically inadequate. Health organisations are notoriously vulnerable to cyber attack and to poor privacy practices in their day-to-day, in-person dealings.

The US Food and Drug Administration (“FDA”) is in the process of revising its guidance to deal with cyber threats. To that end it has released the draft Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions and will be reviewing it in June and July.

The abstract provides:

The need for effective cybersecurity to ensure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network- connected devices, portable media (e.g. USB or CD), and the frequent electronic exchange of medical device-related health information. In addition, cybersecurity threats to the healthcare sector have become more frequent, more severe, and more clinically impactful. Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally. Such cyberattacks and exploits can delay diagnoses and/or treatment and may lead to patient harm.

This guidance is intended to provide recommendations to industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for devices with cybersecurity risk. These recommendations can facilitate an efficient premarket review process and help ensure that marketed medical devices are sufficiently resilient to cybersecurity threats.

It is a very useful, detailed and dense 49-page resource, impossible to summarise in a post. For those interested in privacy law it is a great resource.

Some useful comments

National Institute of Standards and Technology releases Using Business Impact Analysis to Inform Risk Prioritization and Response

The National Institute of Standards and Technology (“NIST”) has released the draft Using Business Impact Analysis to Inform Risk Prioritization and Response.

The NIST states:

Traditional business impact analyses (BIAs) have been successfully used for business continuity and disaster recovery (BC/DR) by triaging damaged infrastructure recovery actions that are primarily based on the duration and cost of system outages (i.e., availability compromise). However, BIA analyses can be easily expanded to consider other cyber-risk compromises and remedies.

This initial public draft of NIST IR 8286D provides comprehensive asset confidentiality and integrity impact analyses to accurately identify and manage asset risk propagation from system to organization and from organization to enterprise, which in turn better informs Enterprise Risk Management deliberations. This document adds expanded BIA protocols to inform risk prioritization and response by quantifying the organizational impact and enterprise consequences of compromised IT Assets.

The Abstract provides:


Forbes sets out alarming cyber statistics in an excellent article reviewing trends in cyber security in 2022. A generally sobering picture.

June 10, 2022

In Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know, Forbes has undertaken a comprehensive review of developments in 2022. It is one of the best articles of the year describing current developments in cyber attacks, the state of readiness to meet them and what needs to be done. Depressingly, it seems the preparedness in the United States is just as inadequate as it is in Australia.

The other benefit of the article is that it links to other excellent articles.

The article

Monetary Authority of Singapore revises guidelines to strengthen resilience against cyber attacks and other problems

The Monetary Authority of Singapore has revised its Guidelines on Business Continuity Management for financial institutions to strengthen resilience against service disruptions arising from a range of circumstances, including cyber attacks and physical threats.

The media release provides:

The Monetary Authority of Singapore (MAS) today issued revised Guidelines on Business Continuity Management (BCM) for financial institutions (FIs), to help FIs strengthen their resilience against service disruptions arising from IT outages, pandemic outbreaks, cyber-attacks and physical threats. The revisions take into account learnings from the handling of the COVID-19 pandemic and increased digitalisation in the financial sector.

2 The revised Guidelines provide new insights on measures that FIs can take to better manage the increasingly complex operating environment and threat landscape to enable the continuous delivery of services to their customers.  Under the revised Guidelines, FIs should:

a) adopt a service-centric approach through timely recovery of critical business services facing customers;

b) identify end-to-end dependencies that support critical business services, and address any gaps that could hinder the effective recovery of such services; and

c) enhance threat monitoring and environmental scanning, and conduct regular audits, tests, and industry exercises. 

3 Mr Vincent Loy, Assistant Managing Director (Technology), MAS, said, “Against the backdrop of an increasingly volatile and complex environment, the new Guidelines will help financial institutions to take an agile and holistic approach in sustaining their critical business services when faced with threats and risk of disruption.” 

The guidelines are found here.

On a more sombre note Crikey reports that federal government departments have not fulfilled cybersecurity basics. That

National Institute of Standards and Technology announces a review of the Secure Hash Standard (SHS)

The National Institute of Standards and Technology (“NIST”) has announced a review of FIPS 180-4, Secure Hash Standard (SHS).

In its media release the NIST states

Data breach of medical imaging provider compromises data of 2 million

June 9, 2022

The health industry is a prime target for cyber attack. The volume of data collected by health service providers is enormous. A person is required to provide a detailed history, including name, address, date of birth and health insurance details, as well as information about their physical and mental condition. A hacker’s nirvana. KordaMentha raised this point, which I have made for years, in Why healthcare is a red-hot cybercrime target.

It is not surprising, then, that it has been reported in Hack of Medical Imaging Provider Affects Data of 2 Million that Shields Health Care Group in Massachusetts has had a data breach involving access to the personal information of 2 million persons. That makes it the biggest health data breach this year in the United States.

It

Cyber security statements from newly minted shadow minister.

A change of Federal government gives rise to a new opposition and some new shadows. Senator James Paterson has been made Shadow Minister for Cyber Security.

As part of that responsibility the good Senator, in Cyber security needs ‘like-minded’ nations: Paterson, has been reported as calling for more collaboration to combat transnational cyber security threats. The report

National Institute of Standards and Technology releases draft guide on measuring vulnerabilities of information technology

The National Institute of Standards and Technology (“NIST”) has released Measuring the Common Vulnerability Scoring System Base Score Equation for comment. It is a particularly useful document, in that calculating the severity of information technology vulnerabilities permits the prioritisation of remediation. It also helps in understanding the risk a vulnerability presents.

The abstract