Zhenhua Data leak of the personal information of 35,000 Australians.

September 15, 2020

The collection and analysis of vast amounts of personal information is the hugely valuable for business, politics and public administration. It has been described as the twenty first century equivalent of what oil was to the twentieth century. It has revolutionised the way business is done and services are provided, for profit and otherwise.  The use of personal information has more dystopian uses, such as  surveillance by states as well as being able to used as part of a cyber campaign.

China is at the forefront of the cyber triaphilia; a keeness bordering on obsession with surveillance, a proficiency in cyber attacking and, finally a willingness and often desire to interfere with other states activities or at least individuals in those states.

Zhenhua Data is a company whose main clients are the Chinese Communist Party and the Peoples Liberation Army.  That is neither here nor there except that the ABC reports in Chinese database collects information on thousands of Australians, from PMs to pop stars it had built up a data base of 35,000 Australians according to a leak of 2.4 million entries in data leaked from Zhenhua Data.  The data base seems to have been built up with information publicly available but also sources which would normally keep that information private.

There has been much hand wringing as to why  a Chinese data firm collect information about a disparate group of people who seemingly have little to do with each other beyond them being public figures to a greater or lesser degree. The answer is quite straightforward.  Most governments Read the rest of this entry »

Australian Information Commissioner v Facebook Inc; Federal Court rejects application to set aside ruling granting the Commissioner leave to serve process on the US Based Facebook

September 14, 2020

The Federal Court today dismissed an application by Facebook against a previous ruling granting the Australian Information Commissioner leave to serve legal documents on Facebook USA.

The issue in the application was Facebook contending that it did not carry out business in Australia.

The terms of the application and the supporting affidavit are not publicly searchable, yet. The hearing took place on 6 May 2020.

The orders of Justice Thawley are:

  1. The interlocutory application dated 6 May 2020 be dismissed.
  2. The written reasons for judgment not be published beyond the parties until further order.
  3. The parties have until 12 pm on 16 September 2020 to advise the Court of any orders for redactions sought, together with a concise written explanation as to why those redactions ought be made.
  4. Unless any party applies within 7 days for a different order with respect to costs, the first respondent pay the applicant’s costs of the interlocutory application.

The Commissioner had a restrained Read the rest of this entry »

Attorney General refers issue of judicial impartiality and legislative framework for corporations and financial services regulation to the Australian Law Reform Commission

Last Friday, 11 September 2020, the Commonwealth Attorney General referred two matters to the Australian Law Reform Commission:

  1. a review into judicial impartiality with a final report due on 30 September 2021; and
  2. a review of the legal framework for corporations and financial services with a final report due on 30 November 2023.

The Media Release Read the rest of this entry »

Privacy breaches in the age of COVID

September 13, 2020

Cicero said “Laws are silent in time of war.”  The modern day equivalent is “laws are selectively ignored in times of pandemic.”  In the area of privacy laws that variation is very apposite.  In this pandemic the Victoria Police have been notably more assertive (read aggressive), paternalistic (read preachy, especially the Falstaffian Luke Cornelius’ intemperate verbal lashing of this or that civilian who attracts his ire) and selective about which laws they follow (as in don’t follow) than their interstate equivalents.  By a large margin and from the outset of the COVID.   The latter point is illustrated by Victoria Police reportedly using mobile surveillance units to remotely monitor citizens for breaches of the COVID laws. 

Putting aside the concerning willingness of Victoria Police officers to adopt such a dystopian method of performing their duties, as they see it.  I would be very interested to see the legal advice which regarded those actions as consistent with the Privacy and Data Protection Act 2014.  It is particularly concerning given the units are being deployed where there have been no complaints to police or even evidence of a breach.  That is just blanket surveillance pure and Read the rest of this entry »

Commonwealth extends trading while insolvent protections

September 9, 2020

The Attorney General announced yesterday that the Commonwealth Government will extend the insolvency and bankruptcy protections previously enacted in relation to:

  • trading while insolvent
  • increasing the threshold at which creditors can issue a statutory demand and the time for responding to a statutory demand.

The protections will extend until 31 December 2020.

The Attorney General’s media release provides:

The Morrison Government will continue to provide regulatory relief for businesses that have been impacted by the Coronavirus crisis by extending temporary insolvency and bankruptcy protections until 31 December 2020.

Regulations will be made to extend the temporary increase in the threshold at which creditors can issue a statutory demand on a company and the time companies have to respond to statutory demands they receive.

The changes will also extend the temporary relief for directors from any personal liability for trading while insolvent.

These measures were part of more than 80 temporary regulatory changes the Government made designed to provide greater flexibility for businesses and individuals to operate during the coronavirus crisis.

The extension of these measures will lessen the threat of actions that could unnecessarily push businesses into insolvency and external administration at a time when they continue to be impacted by health restrictions.

These changes will help to prevent a further wave of failures before businesses have had the opportunity to recover.

In addition, the Government is providing an unprecedented level of support totalling $314 billion to cushion the blow for workers, households and businesses during the coronavirus crisis.

As the economy starts to recover, it will be critical that distressed businesses have the necessary flexibility to restructure or to wind down their operations in an orderly manner.

The Government will continue to help businesses successfully adapt and restructure so that they can bounce back on the other side of this crisis.

As the Age reports in ‘More harm than good’: Businesses get reprieve but thousands still set to fail on the the changes, importantly that the extensions may actually harm rather than benefit Read the rest of this entry »

ASIC commences action against RI Advice Group Pty Ltd for failing to have adequate cyber security

August 22, 2020

Today the Australian Securities and Investments Commission (“ASIC”) commenced proceedings against RI Advice Group Pty Ltd (“RI”).   It has been filed in the Federal Court Victorian Registry.  

RI holds an Australian Financial services licence and at all relevant times was a wholly owned subsidiary of the Australia and New Zealand Banking Group Limited (the ANZ).

According to the Concise Statement :

  • on 3 January or 3 March 2017 RI became aware of a ransomware attack on the computer systems of one of RI’s authorised representatives in 2016 which made files inaccessible [5];
  • on 30 May 2017 RI became aware another authorised representative’s files were hacked which affected 226 client groups [6]. 

ASIC alleges that in relation to each of those incidents RI should have but failed to:

 (a) properly review the effectiveness of cybersecurity controls relevant to these incidents across its AR network, including account lockout policies for failed log-ins, password complexity, multi-factor authentication, port security, log monitoring of cybersecurity events, cyber training and awareness, email filtering, application whitelisting, privilege management and incident response controls; and (b) ensure that those controls were remediated across its AR network where necessary in a timely manner, in order to adequately manage risk with respect to cybersecurity and cyber resilience.

  • between 30 December 2017 and 15 April 2018 an unknown malicious agent obtained and retained remote access to an authorised representative’s remote access to its file server and spent 155 hours accessing sensitive client information.  That resulted in 27 clients reporting unauthorised use of their personal information with that there were 3 attempts to redirect mail and multiple bank accounts being opened upon without consent.  There was a notification to the Australian Information Commissioner.  An investigation revealed that 8,104 individuals were exposed to the breach.

ASIC alleges that the risk management systems and resourcing relating to cybersecurity and cyber resilience were inadequate Read the rest of this entry »

Data breaches in a political party point to poor data protection and governance.

August 20, 2020

One of the many flaws in the Privacy Act 1988 is that political parties are exempt from its coverage. That was not an omission or unintended consequence of the drafting. There was a specific carve out for political parties in section 7C of the Privacy Act.  The provision, titled Political acts and practices are exempt, is comprehensive in exempting political organisations and their sub contractors (sub section 3) and their volunteers (sub section 4).  These provisions were passed with bipartisan support.  It was and remains a major public policy failing.

The lifeblood of political parties is data.  Data allows political parties to refine messages and target voters.  That data comes from constituents contacting their local members, polling, gleaning information from social media and other forms of information collection. Gone are the days when political parties relied on rough quantative surveys and the gut feel of hardened political operatives.  Political parties know focus on blocks and streets, not suburbs and electorates when they are not targeting individual voters.  Most of that data is personal information.

The other store of data that political parties store are membership lists.  Membership lists are nuggets of gold for apparatchiks in their constant quest to work numbers, whether in pre selection fights or competing for positions within the many committees within all political parties. And internal competition can be fierce, much fiercer than between political parties.  Factions spend an enormous amount of time signing up members to electorate branches while rival factions monitor those activities and attempt to derail them whenever possible, as well as signing up their members.   The desire to thwart one’s opponents easily descends into regrettable acts of skullduggery. And that seems to be at the core of the data breach of the Victorian Division of the Liberal Party as reported in Warring Victorian Liberals spring a data leak.

By any measure a data breach involving the access and distribution of the personal details of Liberal Party members without their consent is a very serious matter.  Many members of political parties are quite open about their membership, some are very vocal about it.  But many are not for a range of legitimate reasons, be it causing difficulties in their jobs (such as working in the public service) or personal, not wanting family members to know they are active.  And because of the corrosive nature of inter party fighting it attracts unwanted attention as seems to have occurred with members being called and quizzed on their membership and who paid their membership fees.  Worse, the story reports that details of the list have been provided to journalists.

The response is typically familiar when political parties suffer embarrassing data leaks, call in the police.  It looks and sounds strong and means very little.  The police come in, look around, take a few statements, realise quickly they are part of a pantomine (though they probably knew that before putting on granite faces and walking in with clipboards tucked under an arm) and send their carefully typed report up the chain of command until it gets a nose bleed.  Weeks pass then months go buy and on a Friday afternoon close to Christmas a press release announces the investigation is closed.  And that is probably the right result.  Because the problem is not about criminal activity, it is about poor governance and poor understanding of what is required to properly collect, store and use personal information.  And for better or worse, generally worse, the appropriate party to investigate is the Australian Information Commissioner should investigate, which can’t be done because political parties have been exempted from coverage.  Some of the most data intensive organisations in Australia collecting some of the most sensitive personal information are exempt.  It is a failure of public policy on a staggering scale.

The article Read the rest of this entry »

Android handsets track users movements and send information to Google…even when location history is turned off

August 18, 2020

Stories about Google knowing more about its users than the users themselves are so ubiquitous, like Google, that they rarely make their way onto the back page of a paper let alone the front page.  What is more concerning and noteworthy is recent run of stories of social media platforms, like Facebook, and data collecting companies, like Google, collecting and using data contrary to the supposed settings.  The Australian reports on the latest example of this egregious behaviour with Google knows your every move even with ‘location history’ off.  In short Google is tracking a phone’s movements even when settings to protect privacy are activated.  The way this was determined was through a test where software was installed to detect (described as tap) data being sent to Google.  This data stream was identified.  The nub of the problem is that the consent to use data went beyond that which was agreed, with that data being sold by brokers to police forces, governments and spy agencies.  The data collected includes Read the rest of this entry »

Australian Competition & Consumer Commission sues Google for misleading and deceptive conduct… but it really is a breach of data privacy case

July 27, 2020

Last Friday the Australian Competition & Consumer Commission (“ACCC”) announced that it has commenced proceedings against Google LLC alleging misleading and deceptive conduct in failing to inform consumers and obtain their informed consent  from 2016 that it was combining their personal information in Google accounts with information gleaned from their activities in non Google sites which use Google technology.  The ACCC also alleges that Google misled consumers about changes to its privacy policy.

The ACCC has not released the concise statement and the case has not appeared on the Federal Court website as yet.  It is interesting, and something of a relief, that the ACCC is stepping up and taking on privacy related cases instead of the Australian Information Commissioner.  Unfortunately the Commissioner has a lamentable track record in enforcing privacy breaches, particularly in the Federal Court.

The nature of the case as described by the ACCC seems to follow a tried and true approach used by the Federal Trade Commission in the United States, attacking privacy and data breaches through breaches of contractual terms or misleading and deceptive conduct.  It is also an approach that the Federal Court is more comfortable with.  To date the Federal Court has produced judgments that betray a bewildering befuddlement regarding privacy principles; namely Read the rest of this entry »

HQ Insurance Pty Limited v Stonehatch Risk Solutions Limited (No 2) [2020] FCA 1010 (16 July 2020): application for preliminary discovery, rule 7.23 Federal Court rules, claim for relief under s 1324(1) Corporations Act, reasonable enquiries

July 22, 2020

In HQ Insurance Pty Limited v Stonehatch Risk Solutions Limited (No 2) [2020] FCA 1010 the Federal Court per Thawley dismissed an application for preliminary discovery on the grounds that the applicant failed to establish that reasonable inquiries were made.

FACTS

The dramatis personae are:

  • HQ,  an Australian bloodstock and livestock insurance broker specialising in equine insurance. It holds an AFSL which authorises it to advise and deal in general insurance [17].
  • Stonehatch,  a United Kingdom (UK) based insurance broker specialising in bloodstock insurance. It does not hold an AFS [17]]
  • Ausure (Upper Hunter) Pty Ltd trading as Ausure Insurance Solutions (NSW),  an insurance broker which brokered equine thoroughbred insurance through Stonehatch as its wholesale broker in the UK where the equine risks were underwritten by various Lloyd’s syndicates [18].

On 25 September 2018, HQ completed its purchase of Ausure’s client book of insurance policies. HQ transferred the insurance files to their own wholesale broker, Integro Brokers Limited, in the UK, on 18 October 2018 [19].

Under the agreement between Read the rest of this entry »