Announcements of privacy bills in both United Kingdom and the United States

May 15, 2022

As part of the Queen’s Speech, read by the Prince of Wales, the UK government announced that it would introduce a Data Reform Bill.

The Bill proposes to provide the Information Commissioner’s Office with greater powers to take  “stronger action” against businesses that breach data rules.

The background and briefing notes states that the Bill will focus on a flexible, “outcomes-focused” approach rather than “box-ticking,” and will simplify the rules relating to the use of personal data for research purposes.

While the UK government complained that the UK General Data Protection Regulation (“GDPR”) and the Data Protection Act of 2018 as “highly complex and prescriptive” legislation that imposes excessive administrative burdens on business it will nonetheless seek renewal of the European Commission’s adequacy decision  upon its automatic expiry in 2025.  This will permit personal data to continue to flow uninhibited between the EU and the UK.

In the United States the US House of Representatives passed the Promoting Digital Privacy Technologies Act on 11 May 2022. It provides for the Director of the Office of Science and Technology Policy, acting through the Networking and Information Technology Research and Development Program, to coordinate with the Director of the National Science Foundation, the Director of the National Institute of Standards and Technology, the Federal Trade Commission, and the heads of other federal agencies, as appropriate, to accelerate the development, deployment, and adoption of privacy enhancing technologies. This is one way of dealing with privacy intrusions and one that is finding some favour given the disappointing performance of regulators and privacy intrusive legislation that is enacted from time to time.

The bill defines privacy enhancing technology as Read the rest of this entry »

22 Council of Europe members sign sign new additional protocol to Cybercrime Convention

The Council of Europe (‘CoE’) announced that the 22 Council of Europe Member States had signed the Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence (‘Second Additional Protocol to the Budapest Convention’). 

The Second Additional Protocol provides for:

  • a legal basis for disclosure of domain name registration information and for direct co-operation with service providers for subscriber information;
  • effective means to obtain subscriber information and traffic data;
  • immediate co-operation in emergencies;
  • mutual assistance tools; and
  • personal data protection safeguards.

Interestingly Second Additional Protocol was signed by the non-CoE Member States of Chile, Colombia, Japan, Morocco, and United States. But not Australia.  That is more than Read the rest of this entry »

CBS Commercial Canberra Pty Ltd v Axis Commercial (ACT) Pty Ltd, in the matter of CBS Commercial Canberra Pty Ltd [2022] FCA 544 (12 May 2022): application to set aside statutory demand, offsetting claim,

The Federal Court, per Halley J, set aside a statutory demand in CBS Commercial Canberra Pty Ltd v Axis Commercial (ACT) Pty Ltd, in the matter of CBS Commercial Canberra Pty Ltd [2022] FCA 544 in finding that an offsetting claim constitutes a genuine dispute. It is a very good decision setting out the complications of offsetting claims arising from building contracts relied upon in setting aside a statutory demand which is based on a certificate and judgment obtained under the Security of Payments Act.

FACTS

CBS engaged Axis as a sub-contractor to undertake work at a building site located in Gungahlin in the Australian Capital Territory [12].

The chronological events Read the rest of this entry »

Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022): ss 912A(1)(a) & (h) Corporations Act 2001 (Cth), failure to have adequate cybersecurity risk management in place,

May 14, 2022

The Federal Court, per Rolfe J, in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 made what has widely been described as a first occasion a corporation has been found to have breached its licence obligations in failing to have adequate risk management systems to manage its cyber security risks. The Court ordered declaratory relief requiring RI Advice to undertake work to improve its security under the supervision of an expert.  

The orders were made in terms agreed between the parties just before the trial was scheduled to commence.

I have followed this proceeding closely with posts ASIC commences action against RI Advice Group Pty Ltd for failing to have adequate cyber security in August 2020 and ASIC v RI Advice Group Pty Ltd cyber security civil penalty trial pushed off from a 29 November 2021 hearing date to a date in April 2022 in May 2021,

FACTS

The Court provided a factual background about stating that RI Advice :

  • was:
    • a wholly-owned subsidiary of Australia and New Zealand Banking Group Limited (ANZ). RI Advice up to and including September 2018;
    • from 1 October 2018, along with two other ANZ financial licensees, part of the IOOF Holdings Limited (IOOF) group of companies [12]
  • carries on a financial services business within the meaning of s 761A of the Corporations Act Act (“The Act”) under a third-party business owner model.
  • authorises Under s 916A of the Act, RI Advice independently-owned corporate authorised representatives (“ARs”) and individual authorised representatives to provide financial services to retail clients on RI Advice’s behalf and pursuant to the Licence [13]

The AR Practices (practices of groups of one or more Authorised Representatives):

  • electronically received, stored and accessed  confidential and sensitive personal information and documents in relation to their retail clients. The personal information included:

(a) personal details, including full names, addresses and dates of birth and in some instances health information;(b) contact information, including contact phone numbers and email addresses; and

(c) copies of documents such as driver’s licences, passports and other financial information [14].

  • since 15 May 2018 provided financial services to at least 60,000 retail clients [15]
  • had 9 cybersecurity incidents between June 2014 and May 2020, being:
    • in June 2014 an AR’s email account was hacked and five clients received a fraudulent email urging the transfer of funds, one of whommade transfers totalling some $50,000;
    • in June 2015 a third-party website provider engaged by an AR Practice was hacked, resulting in a fake home page being placed on the AR Practice’s website;
    • in September 2016 one client received a fraudulent email purporting to be an employee of an AR Practice asked for money. The AR Practice used an email platform where information was stored “in the Cloud”, with was no anti-virus software and only one password which everyone used.
    • in January 2017 an AR Practice’s main reception computer was subject to ransomware delivered by email, making certain files inaccessible;
    • in May 2017 an AR Practice’s server was hacked by brute force through a remote access port, resulting in file containing the personal information of some 220 clients being held for ransom and ultimately not recoverable;
    • between December 2017 and April 2018 (December 2017 Incident) an unknown malicious agent gained unauthorised access to an AR Practice’s server for several months  compromising the personal information of several thousand clients, some of whom reported unauthorised use of the personal information;
    • in May 2018 an unknown person gained unauthorised access to the email address of an AR and sent a fraudulent email to the AR’s bookkeeper requesting a bank transfer;
    • an unauthorised person used an AR Practice’s employee’s email address:
      • in August 2019 to send phishing emails to over 150 clients ; and
      • in April 2020 to send phishing emails to the AR Practice’s contacts [16].

Inquiries and reports following the cybersecurity incidents revealed thatthere were a variety of issues in the respective ARs’ management of cybersecurity risk, including:

  • computer systems not having up-to-date antivirus software installed and operating;
  • no filtering or quarantining of emails;
  • no backup systems in place, or backups not being performed; and
  • poor password practices including:
    • sharing of passwords between employees,
    • use of default passwords,
    • passwords and other security details being held in easily accessible places or being known by third parties [17].

Regarding the incidents Read the rest of this entry »

National Institute of Standards and Technology releases CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B

May 13, 2022

The National Institute of Standards and Technology today released its CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B.  it is a very technical document, even by NIST standards, coming in at 80 pages.

The publication amends NIST SP 800 – 140B by:

  1. Defining a more detailed structure and organization for the Security Policy
  2. Capturing Security Policy requirements that are defined outside of ISO/IEC 19790 and ISO/IEC 24759
  3. Building the Security Policy document as a combination of the subsection information
  4. Generating the approved algorithm table based on lab/vendor selections from the algorithm tests

The abstract Read the rest of this entry »

Data breach at the California State Bar, with 322,000 confidential attorney disclipline files exposed to the public, an excrutiating experience ongoing from 27 February 2022

May 10, 2022

Lawyers are far from immune from data breaches.  In fact law firms are attractive targets for ransomware attacks and malicious actors, sometimes state sponsored ones, who are interested in the sensitive information about clients held behind often poorly protected cyber defences. Nothing so nefarious has hit the State Bar of the US state of California with over 322,000 confidential attorney discipline records being  erroneously published on public records aggregator Judyrecords from 15 October 2021 until 26 February 2022.  The Bar claimed that this error was due to  a bug in its case management system. While a a data breach caused by a flaw in the IT system rather than a malicious hack is a minor consolation the mortification level remains high nevertheless.  And it remains a data breach.  The breach was discovered on 24 February 2022.  It has been required to notify 1,300 complainants, witnesses, or respondents.

The episode highlights the importance of checking the operability of IT systems as well as cyber security defences. Clearly the glitch which caused this data breach was due to a malfunction in the system.  That is an explanation, not an excuse.

The State Bar first issued a Media release, State Bar of California Addresses Breach of Confidential Data, on 26 February 2022.  At that time Read the rest of this entry »

US President signs Better Cybercrime Metrics into law

It is obvious to anyone practising in the privacy and data security area that reliable statistics about the incidence of cybercrime, the number of people or organisations affected and the cost of those criminal acts are hard to come by.  The causes are numerous, victims being unwilling to report crimes, organisations affected by hacks doing their best to keep the publicity to a minimum, differing definitions of certain crimes and the inefficient collation of what data there is.

It is therefore welcome that the US is regularising the collection of data realting to cyber crime and cyber enabled crime.  The Act Read the rest of this entry »

US state of Connecticut passes comprehensive consumer privacy bill

In the United States the states have traditionally been active in law reform, often leading the way until the Federal Government steps in and makes nationwide laws, to the extent permissible by the constitution.  There have been notable exceptions, such the New Deal legislation of the 1930s and the Lyndon Johnson’s frenetic legislative activity of the 1960s.  But with privacy the US states have lead the way, with the California Consumer Privacy Act of 2018 (CCPA) being the most comprehensive.

Australian States could legislate for proper privacy protections in Australia.  There is ample scope to provide greater protections and  but choose not to do so.

The US North Eastern State of Connecticut has passed a comprehensive privacy Act, S.B.6  AN ACT CONCERNING PERSONAL DATA PRIVACY AND ONLINE MONITORING.  With Connecticut’s Bill that will be the fifth state of the Union to have have a comprehensive privacy law.  It will take effect on 1 January 2023.

The official description of what the legislation, if signed by the Governor, is:

To: (1) Establish (A) a framework for controlling and processing personal data, and (B) responsibilities and privacy protection standards for data controllers and processors; and (2) grant consumers the right to (A) access, correct, delete and obtain a copy of personal data, and (B) opt out of the processing of personal data for the purposes of (i) targeted advertising, (ii) certain sales of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.

The legislation applies to persons conducting business in Connecticut or persons that produce products or services that are targeted to residents of Connecticut that :

  • controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or
  • controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

The legislation does not regulate:

  • nonprofit organizations,
  • institutions of higher education,
  • financial institutions or data subject to the GLBA,
  • HIPAA covered entities or business associates.
  •  business-to-business and employee data. Consumer Rights
  • certain personal information under the
    • Fair Credit Reporting Act,
    • Driver’s Privacy Protection Act of 1994,
    • Family Educational Rights and Privacy Act,

Under the Bill consumers have the right Read the rest of this entry »

High Court hears argument in Google LLC v Defteros [2022] on 3 May 2022

May 9, 2022

The Full Bench of the High Court heard argument in Google LLC v Defteros [2022].  It is a case of considerable interest to defamation practitioners.  The key issue is whether a search engine a publisher of defamatory material on a third party website to which that search engine provides a hyperlink when the search result on its own conveys no defamatory imputation.  Also Google seeks a ruling on what is required to notify the search engine of defamatory publication for the purposes of the common law doctrine of innocent dissemination and the statutory defence under section 32 of the Defamation Act 2005. 

The transcript of oral argument before their Honours can be found here.

It is an appeal from a decision from the Victorian Court of Appeal in Defteros v Google LLC [2021] VSCA 167 (17 June 2021).  Interestingly on that occasion the appellant, Defteros, was unsuccessful.  Google’;s cross application for leave to appeal was refused. 

Special leave was granted on 10 December 2021 conditional upon Google paying Defteros’s costs of the appeal and not disturbing the costs orders in the Court of Appeal and at trial.  The transcript of the Special Leave Application can be found here.  In short, there is a public interest in resolving the issue. 

The essence of Google’s submissions is that the trial judge and the Victorian Court of Appeal erroneously found that the provision of a hyperlink was participation in the communication of defamatory material for the purpose of publication.  

The submissions of both parties can be found Read the rest of this entry »

FBI reports that over $43 billion stolen through Email compromise from June 2016 until 31 December 2021.

The Federal Bureau of Investigation (“FBI”) has issued a public service announcement reporting that there were 241,206 domestic and international incidents involving a total loss of $43,312,749,946 arising from what is described as a Business Email Compromise.  

A business Email Compromise is defined as:

Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.

The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.

The scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even crypto currency wallets.

Interestingly there was a 65% increase in global losses between July 2019 and December 2021. The FBI concludes that that is due to the COVID restrictions which caused more work and business virtually. 

With every scam there needs to be Read the rest of this entry »