Privacy by design awards offer some interesting insights

May 9, 2022

The concept of Privacy by design has been in existence since the 1990.  It has been hugely influential and a very important set of principles for businesses and government in developing and maintaining an adequate privacy structure. It is described by the Australian Information Commissioner as:

‘Privacy by design’ is a process for embedding good privacy practices into the design specifications of technologies, business practices and physical infrastructures. This means building privacy into the design specifications and architecture of new systems and processes.

It’s more effective and efficient to manage privacy risks proactively, rather than to retrospectively alter a product or service to address privacy issues that come to light.

The CyberCX Privacy has awarded  Design Awards for organisations who have successfully implement privacy by design.  The awards for 2022have been announced

The results are:

Overall winner:  Apple

2022 Top Performer: Australian Corporate: National Australia Bank

2022 Top Performer: Federal Government:  Australian Broadcasting Corporation
2022 Top Performer: State Government:  Service NSW
Principle 1: Proactive not Reactive; Preventative not Remedial: 2022 Top Performer Apple
 
Principle 2: Privacy as the Default Setting:  2022 Top Performer Apple
 
Principle 3: Privacy Embedded into Design:  2022 Top Performer Airbnb
 
Principle 4: Full Functionality – Positive-Sum, not Zero-Sum: 2022 Top Performer BP
 
Principle 5: End-to-End Security – Full Lifecycle Protection: 2022 Top Performer Uber Eats
 
Principle 6: Visibility and Transparency – Keep it Open:   2022 Top Performer Australian Broadcasting Corporation
 
Principle 7: Respect for User Privacy – Keep it User-Centric: 2022 Top Performer Australian Broadcasting Corporation

CyberCx grouped organisations into 11 sectors being Read the rest of this entry »

The UK Information Commissioner’s Office launches its updated Artificial Intelligence data protection risk toolkit.

May 6, 2022

Artificial Intelligence (“AI”) is becoming a significant issue for lawyers generally and regulators in particular.   Its impact on the law is apparent with the Full Bench, of 5 justices, ruling in Commissioner of Patents v Thaler [2022] FCAFC 62 last month that an inventor in terms of patent law must be a natural person, not AI.  This was an appeal from a decision of Justice Beach on 30 July 2021 in Thaler v Commissioner of Patents [2021] FCA 879 who relevantly ordered:

  • The determination of the Deputy Commissioner that s 15(1) of the Patents Act 1990 (Cth) is inconsistent with an artificial intelligence system or device being treated as an inventor be set aside.
  • The matter as to whether patent application no. 2019363177 satisfies the formalities under the Patents Regulations 1991 (Cth) and its examination be remitted to the Deputy Commissioner to be determined according to law in accordance with these reasons.

In its reasons the Full Court found  that identification of the “inventor” was central to the operation of the legislation. Under s 15, only the inventor or someone claiming through the inventor is entitled to a patent.

Thaler will probably make its way to the High Court. 

But the use of AI is more prosaic and ubiquitous than in inventing devices.  That is likely to be both a public good and a cause for concern.  At the moment the technology and its implementation is far outpacing the law and regulation.  That is a concern given the potential forseeable and unforseeable consequences.  In that regard I thoroughly recommend Machines Behaving Badly; the Morality of AI by Toby Walsh.   I attended a presentation by Professor Walsh organised by the Centre for Artificial Intelligence and Digital Ethics (CAIDE) last Wednesday

Regulators in the United Kingdom and Europe have been much more alive to the need for guidance and consideration of AI and its effect on privacy and data security than in Australia where the regulator takes a more languid approach and seems to be letting the ACCC to take the running on big tech issues.  In that vein the Information Commissioner’s Office (‘ICO’) announced, on 4 May 2022, that it had launched its updated AI and data protection risk toolkit. It is an important document for Read the rest of this entry »

NIST Updates Cybersecurity Guidance for Supply Chain Risk Management NIST SP 800 – 161

The National Institute of Standards (“NIST”) and Technology today released the updated guidance Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. It was prepared in response to to Presidential Executive order 14028.  

It is a timely and valuable resource dealing with cyber security risks in supply chains.  Supply chain vulnerabilities is a chronic problem for organisations.  Given the relatively sparse material generated in Australia on this issue it should be used by those working in the cyber security and privacy sphere.

NIST’s summary of the Executive Order in so far as it is relevant to it provides:

The President’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity  issued on May 12, 2021, charges multiple agencies – including NIST – with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.

Section 4 directs NIST to solicit input from the private sector, academia, government agencies, and others and to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security. Those guidelines, which are ultimately aimed at federal agencies but which also are available for industry and others to use, include: 

    • criteria to evaluate software security,  
    • criteria to evaluate the security practices of the developers and suppliers, and 
    • innovative tools or methods to demonstrate conformance with secure practices. 

NIST is to consult with other agencies in producing some of its guidance; in turn, several of those agencies are directed to take steps to ensure that federal procurement of software follows that guidance.

The EO also assigns NIST to work on two labeling efforts related to consumer Internet of Things (IoT) devices and consumer software with the goal of encouraging manufacturers to produce – and purchasers to be informed about– products created with greater consideration of cybersecurity risks and capabilities.

The Guide is 326 pages long, extensive even for NIST.  

The abstract Read the rest of this entry »

National Institute of Science and Technology releases Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases

May 5, 2022

The National Institute of Science and Technology (“NIST”) today released NISTIR 8320, Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases.

The abstract provides:

In today’s cloud data centers and edge computing, attack surfaces have shifted and, in some cases, significantly increased. At the same time, hacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation of any data center or edge computing security strategy should be securing the platform on which data and workloads will be executed and accessed. The physical platform represents the first layer for any layered security approach and provides the initial protections to help ensure that higher-layer security controls can be trusted. This report explains hardware-enabled security techniques and technologies that can improve platform security and data protection for cloud data centers and edge computing.

The report is aimed at security professionals on the technical side however anyone involved in privacy and data protection would get a benefit from it.  

It is, as is common with NIST reports and guides, a voluminous document, at 94 pages, making Read the rest of this entry »

Cybersecurity authorities publish a joint advisory on most frequently exploited vulnerabilities

May 3, 2022

The Cybersecurity and Infrastructure Security Agency (‘CISA’) along with:

  • the Federal Bureau of Investigation (‘FBI’),
  • National Security Agency (‘NSA’),
  • Australian Cyber Security Centre (‘ACSC’),
  • Canadian Centre for Cyber Security (‘CCCS’),
  • New Zealand National Cyber Security Centre (‘NCSC’), and the UK’s National Cyber Security Centre (‘NCSC’),

has published a joint cybersecurity advisory, titled ‘2021 Top Routinely Exploited Vulnerabilities’.

The advisory provides a detailed overview of the 15 most commonly exploited cybersecurity vulnerabilities and exposures of 2021.

The advisory aims to help organisations prioritise their mitigation strategies, and highlights the importance of prioritising several mitigation measures related to:

  • vulnerability and configuration management;
  • identity and access management; and
  • protective controls and architecture.

The  press release relevantly provides:

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) issued a joint Cybersecurity Advisory today on the common vulnerabilities and exposures (CVEs) frequently exploited by malicious cyber actors, including the 15 most commonly exploited of 2021.?? 

Malicious cyber actors continue to aggressively target disclosed critical software vulnerabilities against broad target sets in both the public and private sectors. While the top 15 vulnerabilities have previously been made public, this Advisory is meant to help organizations prioritize their mitigation strategies. Read the rest of this entry »

Google reveals a privacy friendly side which announcements on changes to cookies policy, action against doxxing and removal of images policy

Google has been attracting some plaudits for being responsive to concerns about privacy abuses.  In October 2021  Google started allowing people under 18 or their parents request to delete their photos from search results. Users must specify that they want Google to remove “Imagery of an individual currently under the age of 18” and provide some personal information, the image URLs and search queries that would give rise to the results. Google also now allows requests to remove non-consensual explicit or intimate personal images from Google, along with involuntary fake pornography

It is pleasing that these changes have been made of Google’s own volition but it was done  at a time of regulator pressure and adverse findings regarding the use of Google Analytics by the CNIL. 

Recently Google announced  its plan to include a “reject all” button on cookie banners.  Google is now giving consumers more choice and control on how their data is tracked. 

The UK Information Commissioner is huffed stating:

We welcome news of Google’s revised approach to cookie consent. It’s a change we’ve been seeking through our ongoing discussions with Google and broader adtech work. The new ‘reject all’ option gives consumers greater control and balance of choice over the tracking of their online activity.

“There’s still a long way to go to address concerns around consent across the whole online advertising industry, but short term, we expect to see industry following Google’s lead to provide clearer choices for consumers. This is only a first step; current approaches to obtaining cookie consent need further revision in order to provide a smoother and increasingly privacy-friendly browsing experience.”

As of this week Google has updated its personal information removal policy to allow doxxing victims to remove personal identifiable information from search engines.

The statement from Google, per Read the rest of this entry »

Dutch Data Protection Office fines the Dutch Ministry 565,000 Euros for data protection breaches.

The difference between Australian Privacy regulation and the European regulation under the General Data Protection Regulation has been well known.  The protections are greater under the GDPR than Australia’s Privacy Act 1988 and the size of the fines are much greater. That is made clear with the Data Data Protection Australian imposing a fine of 565,000 Euros on the Ministry of Foreign Affairs for violations of Articles 13(1)(e) and 32(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).

The media release provides:

The Dutch Data Protection Authority (DPA) fined the Dutch Ministry of Foreign Affairs €565,000 for long-term, large-scale, serious infringements of the General Data Protection Regulation (GDPR) in its visa-issuing process.

NVIS, the digital system used by the Ministry of Foreign Affairs for the Schengen visa process, is inadequately secured. As a result, there is a risk that unauthorised persons could access and change files. Furthermore, the Ministry of Foreign Affairs failed to provide visa applicants with sufficient information about the sharing of their personal data with third parties. Read the rest of this entry »

In the matter of Credit Clear Limited [2022] VSC 206 (29 April 2022): security for costs,

Justice Riordan considered an appeal against an order for security for costs in In the matter of Credit Clear Limited [2022] VSC 206.  The appellants were unsuccessful across the board. 

FACTS

By originating process filed 15 July 2020, the plaintiffs made an application under:

(a) sections 175, 232, 233, 461(1)(k), 1041H(1), 1324(1) and 1325 of the Corporations Act 2001 (Cth) (‘the Act’);

(b) sections 12DA and 12GM of the Australian Securities and Investments Commission Act 2001(Cth) (‘the ASIC Act’);

(c) Sections 237 and 243 of the Australian Consumer Law, being Schedule 2 of the Competition and Consumer Act 2020 (Cth) (‘ACL’); and

(d) the inherent jurisdiction of the Court [2].

The plaintiffs sought the following substantive relief in their points of claim [4]:

(a) The first plaintiff (‘Mr McKendrick’) sought to be reinstated as a director of the first respondent (‘Credit Clear’).

(b) The appellant sought the following relief:

B. Declarations and or orders under s 1325 of the Act, alternatively s 233(1)(c) and or (j) of the Act, s 12GM of the ASIC Act and or ss 237 and 243 of the ACL, that the Separation Agreement dated 11 November 2016 and Intellectual Property Assignment Agreement dated 11 November 2016 (by which the plaintiffs were forced to give up their interests in the first defendant together with the intellectual property rights owned by the first plaintiff) are void on the grounds they were procured under duress, undue influence, unconscionable conduct and or misleading and deceptive conduct in contravention of 1041H(1) of the Act, s 12DA of the ASIC Act and or s 18 of the ACL;

C. A declaration that the second plaintiff is entitled to hold 20% of the issued ordinary shares in the first defendant;

D. Rectification of the share register of the first defendant pursuant to s 175 of the Act to reinstate the second plaintiff as a member and to record that it holds a number of fully paid ordinary shares representing 20% of issued shares in the first defendant alternatively that it holds 6,805,555 fully paid ordinary shares in the first defendant;

E. A declaration that the affairs of the first defendant are being conducted contrary to the interests of the members as a whole and or are oppressive to, or unfairly prejudicial to, or unfairly discriminatory against the second plaintiff, or in the interests of and to the benefit of the second to third defendants and not the first defendant or its members;

F. An order that the second and or third defendants purchase the second plaintiff’s shareholding in the first defendant at fair value; Read the rest of this entry »

Ransomware attacks surging after a briefish end of year pause

April 30, 2022

Ransomware attacks have surged early this year according to databreach today with Cybercrime: Ransomware Attacks Surging Once Again based on a report by the NCC Group.  it’s findings are that:

  • Ransomware attacks increased 53% compared with February, representing continued growth since the start of the year
  • The most targeted sectors continue to be Industrials (34%), Consumer Cyclicals (21%), and Technology (7%)
  • The most targeted regions were North America (44%) and Europe (38%) – a return to the usual split after seeing both regions with a similar number of victims in February
  • The most prolific ransomware variants were again Lockbit 2.0 (96 victims) and Conti (71 victims)

An interesting, and worrying development, is that the percentage of data being restored after paying the demanded ransom has dropped.  On average only 61% of the data is restored whereas 65% was restored in 2020. the key caveat to reporting on ransomware is that the figures are notoriously spongey.  Many affected businesses don’t report attacks if they pay the ransom.

To show that the threat is real in the US the ransomware group going by the name Conti posted on the dark web data belonging Elgin County which had been hit by a ransomware attacked.  Yesterday Austin Peay State University admitted to being a victim of a ransomware attack.  This is the twelfth US institute of higher education being successfully targeted by ransomware gangs Read the rest of this entry »

Australian Competition and Consumer Commission releases 4th interim report as part of its Digital Platform Services Inquiry, raising privacy issues on collection of data

April 29, 2022

Yesterday the Australian Competition and Consumer Commission (“ACCC”) yesterday released Interim Report No s – General online retail marketplaces.

In broad compass the report covers, as its brief description states:

  • intensity of competition in the relevant markets
  • trends in online shopping and general online retail marketplaces
  • the conduct of marketplaces in their roles as platforms to facilitate interaction between third party sellers and consumers; including, where marketplaces also supply their own products on their platform, the impact that these sales and associated practices may have on competition with third-party sellers
  • relationships between marketplaces and third party sellers
  • relationships between marketplaces and consumers, as well as third party sellers and consumers.

The report necessarily deals with the issue of data collection and privacy.  It does not contain any new insight or previously unknown fact or issue however it does synthesise and summarise the relevant issues.  All too often these issues are not considered with this level of focus.  In that regard it relevantly states Read the rest of this entry »