April 14, 2022
Wired reports that the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI released an advisory about the a malware toolset which can interfere with industrial control systems. Given Australia has just passed an updated critical infrastructure legislation this is a particularly relevant development. The state of protection by Australian organisations is generally poor, legislation notwithstanding.
The advisory Read the rest of this entry »
Posted in Privacy
|
Post a comment »
The health industry always features prominently with data breaches and commensurate poor privacy and data security practices. To show the consequences of one, entirely avoidable, lapse upon a poorly protected organisation note that salutory example of the data breach at the Christie Clinic in Illinois. A single email account was compromised resulting in unauthorised access and resulting in the personal information of 503,000 individuals. It is the third largest recorded health data breach thus far in 2022. It is Read the rest of this entry »
Posted in Privacy
|
Post a comment »
April 11, 2022
The National Institute of Standards and Technology (“NIST”) releases excellent guides in relation to all manner of technology. It is particularly helpful in providing processes to improve cyber security and deal with data breaches.
Last week the NIST through its National Cybersecurity Center of Excellence (NCCoE) released
The focus of both guides highlights the importance of timely and appropriate patching so as to enable organisations to have an adequate cybersecurity system.
Patching is a form of preventive maintenance of computing technologies. It helps prevent compromises, data breaches, operational disruptions, and criminal acts.
SP 800 – 40
SP 800-40 Revision 4 recommends that leadership at all levels of an organization, along with business/mission owners and security/technology management teams, should jointly create an enterprise strategy that simplifies and sets up processes for patching.
Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization.
The publication refers to Read the rest of this entry »
Posted in General
|
Post a comment »
April 10, 2022
On 31 March 2022 the Federal Parliament passed the Data Availability and Transparency Bill 2022. It became law on 1 April 2022. It’s genesis is traced back to reforms proposed by the Productivity Commission’s Inquiry Report into Data Availability and Use (2017).
The Minister’s Second Reading Speech provides:
I am pleased to introduce this bill which will create the Data Availability and Transparency Act, appropriately abbreviated to DATA.
This bill establishes a new data sharing scheme for federal government data, underpinned by strong safeguards to mitigate risks and simplified processes to make it easier to manage data sharing requests.
2020 has shown us how critical this piece of legislation is.
We started the year in the middle of one of the most disastrous bushfire seasons in recent memory, with thousands of Australians needing access to government services to support them through this difficult time.
Australians continue to face the onslaught of the COVID-19 pandemic, which has cost them their jobs and their livelihoods, and they are turning to their government for help.
Government data and digital services have been fundamental to the government’s response to these events.
Data allowed Australians to receive timely and reliable services in a time of need.
Data allowed Australians to access government services online instead of queuing at Centrelink shopfronts.
It was data that informed the development of essential programs like the JobKeeper payment, so that we could provide relief to Australians who have lost their jobs during this pandemic.
The government’s vision is that Australians experience the same seamless approach to government services every day, not just in times of crisis. Read the rest of this entry »
Posted in General
|
Post a comment »
April 7, 2022
The Federal Trade Commission ( the “FTC”) took action against the successor to Weight Watchers, Kurbo Inc and WW International (the “Defendants”), by a complaint filed 16 February 2022. Settlement was reached last month. The alleged breaches of the Federal Trade Commission Act and the Children’s Online Privacy Act are quite egregious, including:
- not providing any form of notice to parents that Defendants were collecting personal information from children, or seek to obtain parents’ consent for that collection until November 2019
- a notice to parents that the defendant’s app was collecting personal information relating to a child was incomplete as it did not specify all of the categories of personal information collected from the child
- until August 2021, Defendants retained personal information collected online from children indefinitely, only deleting the information when specifically requested by a parent—even if the user’s account had been dormant for multiple years
The terms of settlement follows a standard structure used by the FTC and in this context:
- restraining the Defendants to continue with the breaches alleged;
- requiring the Defendants to destroy all Personal Information Collected within 30 days from accounts that have not, by that date, received direct notice and provided Verifiable Parental Consent;
- destroying any models or algorithms developed in whole or in part using Personal Information Collected from Children
- ordering the Defendants to pay the sum of $1,500,000 as a civil penalty
- requiring the Defendants to enter into a compliance program including providing a compliance notice for 10 years, create specific records for inspection for 10 years.
What is particularly interesting about this settlement is the requirement for the Defendants to destroy algorithms that were developed or created using personal information unlawfully obtained from children in breach of the legislation. This is a significant development in regulation. It underlines how intrinsic the use and collection of personal information is in the development and refinement of algorithms is and Read the rest of this entry »
Posted in Federal Trade Commission, Privacy
|
Post a comment »
March 31, 2022
The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 passed through the Senate on 30 March 2022. This comes hot on the heels of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (NO. 124, 2021). The genesis of the current legislation is the 99 page Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 which was prepared by the Parliamentary Joint Committee on Intelligence and Security and tabled in September 2021.
The USA has critical instructure legislation. Most recently President Biden signed Strengthening American Cybersecurity Act of 2022. Under that legislation critical infrastructure entities must report cyber attacks within 72 hours and report ransom payments within 24 hours.
In short compass what does each Act do?
The Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) amended the Security of Critical Infrastructure Act 2018 (Cth). It increased the critical infrastructure assets from 4 to 11 sectors. Now communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage are included. Read the rest of this entry »
Posted in Practical issues, Privacy
|
Post a comment »
March 30, 2022
In a 5 – 0 decision the High Court allowed an appeal from the Victorian Supreme Court in Stubbings v Jams 2 Pty Ltd [2022] HCA 6 and the operation of certificates of independent advice and unconscionable conduct. The lead judgment is that of Kiefel CJ, Keane and Gleeson with separate opinions by Gordon and Steward.
FACTS
The facts
The appellant owned two houses in Narre Warren, both mortgaged to Commonwealth Bank with weekley repayments of between $260 and $280 per week. The appellant did not live in either house. He lived at rental premises at Boneo, where he worked repairing boats for the owner of the property [7].
The Appellant fell out with the owner, ceased work and, needing to move house, sought to purchase another property on the Mornington Peninsua [7].
At the relevant time the appellant:
- was unemployed
- had no regular income
- had not filed tax returns in several years and
- was in arrears on rates payments in respect of the two Narre Warren properties [8]
After a home loan application to ANZ was rejected for lack of financial records, the appellant was introduced to Mr Zourkas [8] who described himself as a “consultant”, in the business of introducing potential borrowers to Ajzensztat Jeruzalski & Co (“AJ Lawyers”) [9]. The service AJ Lawyers provided to clients was to facilitate the making of secured loans by those clients [9].
The primary judge found that Zourkas played an “important and essential” role in these transactions, in that his involvement ensured that AJ Lawyers never dealt directly with the borrower or guarantor, such as the appellant [9]
When the appellant and Zourkas met on a number of occasions in 2015:
- at the first meeting, the appellant said that he “wanted to buy a little house” to live in, to which Mr Zourkas responded that “there would not be a problem going bigger and getting something with land” O which resulted in the appellant finding a five?acre property with two houses on it in Fingal, available for $900,000.
- at another meeting, Zourkas told the appellant that he could borrow a sum sufficient to pay out the existing mortgages over the Narre Warren properties, purchase the Fingal property, and have approximately $53,000 remaining to go towards the first three months’ interest on the loan [10] .
- Zourkas advised the appellant that he could then sell the Narre Warren properties, reducing the loan to approximately $400,000, which the appellant could then refinance with a bank at a lower interest rate [10]
The calculation was that:
- two Narre Warren properties and the Fingal property would secure the appellant’s obligations as guarantor
- the existing debt to Commonwealth Bank secured on the Narre Warren properties totalled approximately $240,000.
- on the basis that the two properties had a market value of $770,000, the appellant’s equity was thus worth about $530,000 [11].
On 30 June 2015, the appellant signed a contract to Read the rest of this entry »
Posted in General, High Court, Legal
|
Post a comment »
March 18, 2022
What’s worse, the cover up or the crime? The answer from the Watergate cover up was emphatically that the cover up was where the real ill lies. For a lawyer a manageable legal problems becomes a much more serious one when a person or organisation hides evidence of an offence. So CafePress discovered when the Federal Trade Commission (“FTC”) caught up with it for both data breaches as well as their cover up.
CafePress failed to secure its clients sensitive information and then tried to cover up the data breach. The first reports of CafePress being hacked in February 2019 was in August of that year with a number of reports including one by Forbes titled CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them? The prescient question in that article was”why has it taken so long to find out about the CafePress breach? Good question. An equally good one might be “why have I heard about this breach from HIBP and not CafePress itself?” These are questions that have attracted the attention of the FTC with it seeking a $500,000 fine to redress loss to consumers resulting from the data breach. As well the owners of CafePress will be required to enter into a 20 year order covering security programs and compliance monitoring. That is standard practice for the FTC.
The FTC has set out in history and the outcome in its press release which Read the rest of this entry »
Posted in Federal Trade Commission, Privacy
|
Post a comment »
March 17, 2022
The Age has run another article on lack of privacy online, with Online privacy is a farce. Click here to agree. It is an interesting and quite well written piece but nothing in it hasn’t been written before, sometimes more eloquently. NBC did a piece with Online privacy fears are real last November. It is Read the rest of this entry »
Posted in Privacy
|
Post a comment »
After a false start the ABC is installing mandatory iview login requirements for its television services. This has raised the hackles of privacy advocates. In February the Conversation fired up with Mandatory logins for ABC iview could open an intimate window onto your life. Most recently, as in earlier this week Malcolm Crompton, a former privacy commissioner, has claimed that this will stymie debate and free expression of ideas. It has also attracted the ire in itwire with ABC appears to be hell-bent on compulsory iview logins and ABC is urged to ditch hated feature on its streaming platform iview – but the public broadcaster is adamant it WILL roll out this week. Vanessa Teague has produced a very effective youtube video setting out the problems with data sharing (https://www.youtube.com/watch?v=20bqzIoB-Fw). The problem is that while Vanessa’s post is very thoughtful and persuasive it has been read by 491 views as of today’s date. It has been the subject of chatter amongst privacy advocates but not much more than that. That makes it completely ineffective. Innovation Australia in Last ditch call to stop ABC mandatory login highlights the problem, that a last ditch effort is usually a forlorn hope. It provides:
Privacy and security experts have called on the ABC to halt its switch to mandatory user accounts at the eleventh hour, warning that the public broadcaster has failed to justify the increased risks of tracking users and sharing data with US tech giants.
Letters to ABC management from the Australian Privacy Foundation and a former privacy commissioner released this week call for the ABC to reconsider the decision, saying the purported benefits are not proportional to the risks they introduce, while a leading cybersecurity expert warned data is still being collected even though users opt-out of tracking.
The ABC intends to make the switch to mandatory user accounts for its iview video-on-demand service on Tuesday, claiming it will allow more personalisation features that it says users want, and that tracking audiences and their viewing habits is now commonplace. Read the rest of this entry »
Posted in General, Privacy
|
Post a comment »