NIST releases guides to Enterprise Patch Management

April 11, 2022

The National Institute of Standards and Technology (“NIST”) releases excellent guides on all manner of technology. It is particularly helpful in providing processes to improve cyber security and to deal with data breaches.

Last week NIST, through its National Cybersecurity Center of Excellence (NCCoE), released

Both guides highlight the importance of timely and appropriate patching as a precondition for an adequate cybersecurity program.

Patching is a form of preventive maintenance of computing technologies.  It helps prevent compromises, data breaches, operational disruptions, and criminal acts.

SP 800-40

SP 800-40 Revision 4 recommends that leadership at all levels of an organisation, together with business/mission owners and security/technology management teams, jointly create an enterprise strategy that simplifies patching and sets up the processes needed to carry it out.

Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization.
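The definition above lists five steps. As an added worked example (not code from NIST SP 800-40 or from the original post), the script below runs three of them, identification, prioritisation and verification, over a constructed host inventory: it finds hosts running a package older than an advisory's fixed version, orders the work by severity weighted by asset criticality, and after installation re-checks the inventory to catch installs that did not take. The advisory identifiers, package versions, host names and criticality scores are all constructed for illustration, and the version parser is a simplification (real deployments should use the platform's own comparison, such as dpkg --compare-versions or rpmdev-vercmp).

```python
"""
Added example, not code from NIST SP 800-40 or from the original post: a
minimal identify / prioritise / verify pass over a constructed inventory.
Advisory identifiers, package versions, host names and criticality values
are all constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # hypothetical identifier (constructed)
    package: str
    fixed_version: str      # first version that contains the fix
    severity: float         # CVSS-style base score, 0.0 to 10.0


@dataclass(frozen=True)
class Host:
    name: str
    criticality: int        # 1 (low) to 5 (mission critical), set by the asset owner
    installed: dict         # package name -> installed version string


def parse_version(version: str) -> tuple:
    """Turn '1.9.10' or '1.1.1n' into a tuple that compares numerically where
    possible.  Simplification: use the platform's own comparison in production
    (dpkg --compare-versions, rpmdev-vercmp, packaging.version)."""
    parts = re.split(r"[.\-]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_missing(host: Host, adv: Advisory) -> bool:
    """Identification: the host needs the patch only if it runs the affected
    package at a version older than the fixed one."""
    current = host.installed.get(adv.package)
    if current is None:
        return False        # package absent: advisory not applicable
    return parse_version(current) < parse_version(adv.fixed_version)


def priority(host: Host, adv: Advisory) -> float:
    """Prioritisation: severity weighted by how critical the asset is."""
    return adv.severity * host.criticality


def patch_plan(hosts, advisories) -> list:
    """Build the work list, most urgent first."""
    work = []
    for host in hosts:
        for adv in advisories:
            if is_missing(host, adv):
                work.append({
                    "host": host.name,
                    "advisory": adv.advisory_id,
                    "package": adv.package,
                    "installed": host.installed[adv.package],
                    "fixed": adv.fixed_version,
                    "priority": priority(host, adv),
                })
    work.sort(key=lambda w: (-w["priority"], w["host"], w["advisory"]))
    return work


def verify(hosts_after, advisories, planned) -> list:
    """Verification: re-inventory after installation and return any planned
    item still outstanding (failed install, wrong package, rolled back)."""
    still = {(w["host"], w["advisory"]) for w in patch_plan(hosts_after, advisories)}
    return [w for w in planned if (w["host"], w["advisory"]) in still]


# Constructed sample data.
ADVISORIES = [
    Advisory("ADV-0001", "openssl", "3.0.2", 7.5),
    Advisory("ADV-0002", "sudo", "1.9.10", 9.8),
    Advisory("ADV-0003", "curl", "7.82.0", 5.3),
]
HOSTS_BEFORE = [
    Host("db-prod-01", 5, {"openssl": "3.0.1", "sudo": "1.9.10", "curl": "7.79.1"}),
    Host("web-prod-02", 4, {"openssl": "3.0.2", "sudo": "1.9.5", "curl": "7.82.0"}),
    Host("dev-box-07", 1, {"openssl": "1.1.1n", "sudo": "1.9.5"}),
]
# Constructed inventory after the maintenance window: db-prod-01 received
# openssl but its curl install failed, so verification should flag it.
HOSTS_AFTER = [
    Host("db-prod-01", 5, {"openssl": "3.0.2", "sudo": "1.9.10", "curl": "7.79.1"}),
    Host("web-prod-02", 4, {"openssl": "3.0.2", "sudo": "1.9.10", "curl": "7.82.0"}),
    Host("dev-box-07", 1, {"openssl": "3.0.2", "sudo": "1.9.10"}),
]

if __name__ == "__main__":
    plan = patch_plan(HOSTS_BEFORE, ADVISORIES)
    for w in plan:
        print(f"{w['priority']:5.1f}  {w['host']:<12} {w['advisory']} "
              f"{w['package']} {w['installed']} -> {w['fixed']}")
    for w in verify(HOSTS_AFTER, ADVISORIES, plan):
        print(f"STILL MISSING: {w['host']} {w['advisory']} ({w['package']})")
```

Two points worth noting. The plan puts the sudo advisory on web-prod-02 ahead of the openssl advisory on db-prod-01 even though the database host is more critical, because the weighting multiplies severity by criticality rather than sorting on criticality alone; an organisation's own strategy decides that weighting. And the verification step deliberately reuses the identification logic on a fresh inventory rather than trusting the installer's exit code, which is the check SP 800-40 has in mind when it lists "verifying the installation" as a separate step.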

The publication refers to Read the rest of this entry »

Data Availability and Transparency Act 2022 passes and receives Royal Assent on 1 April 2022

April 10, 2022

On 31 March 2022 the Federal Parliament passed the Data Availability and Transparency Bill 2022. It became law on 1 April 2022. Its genesis is traced back to reforms proposed by the Productivity Commission’s Inquiry Report into Data Availability and Use (2017).

The Minister’s Second Reading Speech provides:

I am pleased to introduce this bill which will create the Data Availability and Transparency Act, appropriately abbreviated to DATA.

This bill establishes a new data sharing scheme for federal government data, underpinned by strong safeguards to mitigate risks and simplified processes to make it easier to manage data sharing requests.

2020 has shown us how critical this piece of legislation is.

We started the year in the middle of one of the most disastrous bushfire seasons in recent memory, with thousands of Australians needing access to government services to support them through this difficult time.

Australians continue to face the onslaught of the COVID-19 pandemic, which has cost them their jobs and their livelihoods, and they are turning to their government for help.

Government data and digital services have been fundamental to the government’s response to these events.

Data allowed Australians to receive timely and reliable services in a time of need.

Data allowed Australians to access government services online instead of queuing at Centrelink shopfronts.

It was data that informed the development of essential programs like the JobKeeper payment, so that we could provide relief to Australians who have lost their jobs during this pandemic.

The government’s vision is that Australians experience the same seamless approach to government services every day, not just in times of crisis. Read the rest of this entry »

Federal Trade Commission requires the successor to Weight Watchers to delete data and destroy algorithms

April 7, 2022

The Federal Trade Commission (the “FTC”) took action against the successor to Weight Watchers, WW International, and its subsidiary Kurbo Inc (the “Defendants”), by a complaint filed 16 February 2022. Settlement was reached last month. The alleged breaches of the Federal Trade Commission Act and the Children’s Online Privacy Protection Act (COPPA) are quite egregious, including:

  • not providing any form of notice to parents that the Defendants were collecting personal information from children, or seeking to obtain parents’ consent for that collection, until November 2019
  • a notice to parents that the Defendants’ app was collecting personal information relating to a child was incomplete, as it did not specify all of the categories of personal information collected from the child
  • until August 2021, the Defendants retained personal information collected online from children indefinitely, deleting it only when a parent specifically requested deletion, even if the user’s account had been dormant for multiple years

The terms of settlement follow the standard structure used by the FTC and, in this context, include:

  • restraining the Defendants from continuing the alleged breaches;
  • requiring the Defendants to destroy, within 30 days, all Personal Information Collected from accounts that have not, by that date, received direct notice and provided Verifiable Parental Consent;
  • requiring the Defendants to destroy any models or algorithms developed in whole or in part using Personal Information Collected from Children;
  • ordering the Defendants to pay the sum of $1,500,000 as a civil penalty; and
  • requiring the Defendants to enter into a compliance program, including providing compliance notices for 10 years and creating specific records for inspection for 10 years.

What is particularly interesting about this settlement is the requirement that the Defendants destroy algorithms developed or created using personal information unlawfully obtained from children in breach of the legislation. This is a significant development in regulation. It underlines how intrinsic the collection and use of personal information is to the development and refinement of algorithms, and Read the rest of this entry »

Commonwealth Parliament passes the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022

March 31, 2022

The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 passed through the Senate on 30 March 2022. This comes hot on the heels of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (No. 124, 2021). The genesis of the current legislation is the 99-page Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018, prepared by the Parliamentary Joint Committee on Intelligence and Security and tabled in September 2021.

The USA has critical infrastructure legislation too. Most recently President Biden signed the Strengthening American Cybersecurity Act of 2022. Under that legislation, once the implementing rules take effect, covered critical infrastructure entities must report substantial cyber attacks within 72 hours and report ransom payments within 24 hours.

In short compass, what does each Act do?

The Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth)  amended the Security of Critical Infrastructure Act 2018 (Cth). It increased the critical infrastructure assets from 4 to 11 sectors.  Now communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage are included. Read the rest of this entry »

Stubbings v Jams 2 Pty Ltd [2022] HCA 6 (16 March 2022); equity, unconscionable conduct, reliance on certificates of independent advice

March 30, 2022

In a 5-0 decision in Stubbings v Jams 2 Pty Ltd [2022] HCA 6 the High Court allowed an appeal from the Victorian Court of Appeal concerning unconscionable conduct and the operation of certificates of independent advice. The lead judgment is that of Kiefel CJ, Keane and Gleeson JJ, with separate opinions by Gordon J and Steward J.

FACTS

The appellant owned two houses in Narre Warren, both mortgaged to the Commonwealth Bank with weekly repayments of between $260 and $280. The appellant did not live in either house. He lived at rental premises at Boneo, where he worked repairing boats for the owner of the property [7].

The appellant fell out with the owner, ceased work and, needing to move house, sought to purchase another property on the Mornington Peninsula [7].

At the relevant time the appellant:

  • was unemployed
  • had no regular income
  • had not filed tax returns in several years and
  • was in arrears on rates payments in respect of the two Narre Warren properties [8]

After a home loan application to ANZ was rejected for lack of financial records, the appellant was introduced to Mr Zourkas [8] who described himself as a “consultant”, in the business of introducing potential borrowers to Ajzensztat Jeruzalski & Co (“AJ Lawyers”) [9]. The service AJ Lawyers provided to clients was to facilitate the making of secured loans by those clients [9].

The primary judge found that Zourkas played an “important and essential” role in these transactions, in that his involvement ensured that AJ Lawyers never dealt directly with the borrower or guarantor, such as the appellant [9].

The appellant and Zourkas met on a number of occasions in 2015:

  • at the first meeting, the appellant said that he “wanted to buy a little house” to live in, to which Mr Zourkas responded that “there would not be a problem going bigger and getting something with land”, which resulted in the appellant finding a five-acre property with two houses on it in Fingal, available for $900,000.
  • at another meeting, Zourkas told the appellant that he could borrow a sum sufficient to pay out the existing mortgages over the Narre Warren properties, purchase the Fingal property, and have approximately $53,000 remaining to go towards the first three months’ interest on the loan [10] .
  •  Zourkas advised the appellant that he could then sell the Narre Warren properties, reducing the loan to approximately $400,000, which the appellant could then refinance with a bank at a lower interest rate [10]

The calculation was that:

  • the two Narre Warren properties and the Fingal property would secure the appellant’s obligations as guarantor
  • the existing debt to Commonwealth Bank secured on the Narre Warren properties totalled approximately $240,000.
  • on the basis that the two properties had a market value of $770,000, the appellant’s equity was thus worth about $530,000 [11].

On 30 June 2015, the appellant signed a contract to Read the rest of this entry »

Federal Trade Commission takes action against CafePress for data breaches and their cover up

March 18, 2022

What’s worse, the cover up or the crime? The answer from the Watergate cover up was emphatically that the cover up was where the real ill lay. For a lawyer, a manageable legal problem becomes a much more serious one when a person or organisation hides evidence of an offence. So CafePress discovered when the Federal Trade Commission (“FTC”) caught up with it for both its data breaches and their cover up.

CafePress failed to secure its customers’ sensitive information and then tried to cover up the data breach. CafePress was hacked in February 2019, but the first reports of the breach came only in August of that year, among them one by Forbes titled CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them? The prescient question in that article was “why has it taken so long to find out about the CafePress breach? Good question. An equally good one might be ‘why have I heard about this breach from HIBP and not CafePress itself?’” These are questions that attracted the attention of the FTC, which is seeking $500,000 in redress for consumers who suffered loss as a result of the data breach. As well, the owners of CafePress will be required to enter into a 20-year order covering security programs and compliance monitoring. That is standard practice for the FTC.

The FTC sets out the history and the outcome in its press release, which Read the rest of this entry »

Another jeremiad on online privacy. Admirable but more required.

March 17, 2022

The Age has run another article on the lack of privacy online, Online privacy is a farce. Click here to agree. It is an interesting and quite well-written piece, but nothing in it hasn’t been written before, sometimes more eloquently. NBC ran a piece, Online privacy fears are real, last November. It is Read the rest of this entry »

ABC iview logins attracting negative response

After a false start the ABC is introducing mandatory login requirements for its iview television service. This has raised the hackles of privacy advocates. In February The Conversation fired up with Mandatory logins for ABC iview could open an intimate window onto your life. Most recently, earlier this week, Malcolm Crompton, a former Privacy Commissioner, claimed that this will stymie debate and the free expression of ideas. It has also attracted the ire of iTWire with ABC appears to be hell-bent on compulsory iview logins and ABC is urged to ditch hated feature on its streaming platform iview – but the public broadcaster is adamant it WILL roll out this week. Vanessa Teague has produced a very effective YouTube video setting out the problems with data sharing (https://www.youtube.com/watch?v=20bqzIoB-Fw). The problem is that, while Vanessa’s video is very thoughtful and persuasive, it had only 491 views as of today’s date. It has been the subject of chatter amongst privacy advocates but not much more than that. That makes it completely ineffective. InnovationAus in Last ditch call to stop ABC mandatory login highlights the problem: a last ditch effort is usually a forlorn hope. It provides:

Privacy and security experts have called on the ABC to halt its switch to mandatory user accounts at the eleventh hour, warning that the public broadcaster has failed to justify the increased risks of tracking users and sharing data with US tech giants.

Letters to ABC management from the Australian Privacy Foundation and a former privacy commissioner released this week call for the ABC to reconsider the decision, saying the purported benefits are not proportional to the risks they introduce, while a leading cybersecurity expert warned data is still being collected even though users opt-out of tracking.

The ABC intends to make the switch to mandatory user accounts for its iview video-on-demand service on Tuesday, claiming it will allow more personalisation features that it says users want, and that tracking audiences and their viewing habits is now commonplace. Read the rest of this entry »

The National Institute of Standards and Technology releases the Introduction to Cybersecurity for Commercial Satellite Operations

It is interesting to see the National Institute of Standards and Technology recently release an Introduction to Cybersecurity for Commercial Satellite Operations. It is too interesting not to post on, even if the chances of working on cyber security for satellites are probably a little removed from most practitioners’ experience. Put another way, I am not expecting a call from Elon Musk to do some cyber security work on a SpaceX satellite. That said, the principles are just as applicable to more terrestrial equipment.

The rationale for the paper is pithily described in the abstract stating:

Space is a newly emerging commercial critical infrastructure sector that is no longer the domain of only national governments. Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space – including those affecting commercial satellite vehicles – need to be understood and managed alongside other types of risks to ensure safe and successful operations.

NIST recommends using the Cybersecurity Framework to develop a profile, which involves:

Step 1: Establish Scope and Priorities. While it is Read the rest of this entry »

The National Institute of Standards and Technology releases Ransomware Risk Management: A Cybersecurity Framework Profile and a quick start guide

March 11, 2022

Ransomware remains an ongoing, growing and developing form of malware that is particularly damaging to businesses. Ransomware encrypts an organisation’s data and demands payment as a condition of restoring access to that data. It can also be used to steal information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware attacks target the organisation’s data or critical infrastructure, disrupting or halting operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and attempt to restore operations themselves. The Australian Cyber Security Centre has provided guidance on how organisations can minimise the risk of suffering a ransomware attack and what to do when attacked. In my experience many organisations do not have regard to this or any other guidance until it is too late. Given the potentially disastrous impact of a ransomware attack, this is a false economy.

By far the best source of guidance and practical assistance is the set of publications put out by the US National Institute of Standards and Technology (“NIST”). NIST recently released Ransomware Risk Management: A Cybersecurity Framework Profile. It is a very useful and timely document. The abstract provides:

Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. This Ransomware Profile identifies the Cybersecurity Framework Version 1.1 security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of events.

Through a table it maps the relevant Cybersecurity Framework subcategories (identified by codes such as ID.AM-1) to the ransomware risks they address, with the informative references (ISO and NIST standards) that support each, and explains how each applies to ransomware.

Also released with it was a White Paper titled Getting Started with Cybersecurity Risk Management: Ransomware.

With the threat of ransomware growing, this “quick start guide” will help organizations use the National Institute of Standards and Technology (NIST) “Ransomware Risk Management: A Cybersecurity Framework Profile” to combat ransomware. Like the broader NIST Cybersecurity Framework, which is widely used voluntary guidance to help organizations better manage and reduce cybersecurity risk, the customized ransomware profile fosters communications and risk-based actions among internal and external stakeholders, including partners and suppliers.

The Framework provides a very useful section containing basic ransomware tips Read the rest of this entry »