Australian Information Commissioner releases Notifiable Data Breaches resources

December 18, 2017

It is always in the enforcement that regulators are judged.  And how effective legislation is.  In the privacy sphere that is no different.  The Privacy Amendment (Notifiable Data Breaches) Act 2017  commences operation on 22 February 2018.

The Australian Information Commissioner has released the final resources (used to be called guidelines) on the operation of the Act and what is expected of organisations and agencies.  They are set out below.

Resources are one thing it is the culture that is as important.  The excellent article When cultures collide: the debate we’re not having on data privacy highlights Read the rest of this entry »

Federal Court Criminal Proceedings Rules in effect and Federal Court releases forms for lodgment

The Federal Court announced today that forms used in proceedings under the Federal Court criminal Proceedings Rules are now accessible and can be lodged by external users.  The Rules can be found Read the rest of this entry »

Health records re identified in significant data breach

There is significant controversy about whether data can be scrubbed so that it can not be re identified.  What is less controversial is that many organisations put insufficient effort into de identifying data.  The authors of a paper Health Data in an Open World have demonstrated how they have re identified patients in an supposedly de identified open health data set.  The authors, academics at the Shcool of Computing and Information Systems at the University of Melbourne summarised what they did Read the rest of this entry »

Queensland law firms attacked by hackers and lose millions

Law firms have long been a target for hackers.  They hold vast troves of valuable information about clients and significant sums of money in trust.  They generally constitute a soft target because they have a poor understanding of cyber security and what their obligations are under the Privacy Act 1988 and do not Read the rest of this entry »

The internet of things and hacking…

December 16, 2017

There has been a flurry of stories relating to the internet of things and lack of data security, to wit businesses being hacked through access points existing courtesy of connected devices.  In the UK dozens of British Heating systems have been found to be vulnerable to hacking.  In that case Read the rest of this entry »

Attorney General announces reference to the Australian Law Reform Commission into class actions and third party litigation funders

December 15, 2017

The Commonwealth Attorney General has announced a formal reference to the Australian Law Reform Commission, made on 11 December 2017, of class actions and litigation funders.  The heading of the media release leaves little doubt on what is on the Government’s mind: Protecting Australians from exorbitant legal fees.  It is hard to see class actions being abolished given Read the rest of this entry »

Risk assessments predict 2018 will be a significant year for cyber attacks

December 5, 2017

MacAfee has released a 2018 Threats Predictions Report.  While the European Banking Authority has released its risk assessment report. In that report the EBA found:

  •  cyber risk and data security were identified as the “main drivers for increasing operational risk”
  • 55% of banks “foresee an increase in operational risk in their bank”. This is an increase from 43% last year and 35% in 2015.
  • most EU banks are still taking steps to address the weaknesses stemming from the technology-driven evolution to their industry.
  • because of the reliance on  IT platforms, digitalised product channels for banking services, outsourcing to third-party providers  42 % of the respondents stated that cyber risk and data security is the main cause of increasing operational risk
  • that cyber risk is  one of the key risks threatening data integrity and business continuity in the financial system”. It also said that banks are facing increasing complex cyber attacks from “intruders trying to gain unauthorised access to critical systems and data”.
  • cyber risks pose operational, legal and reputational risks including business interruptions, data and software loss, cyber extortion, fraud, breach of privacy, network failure liabilities and damages to physical assets, which can result in financial losses
  • the growing use of third party services by financial services may impact on the ability of institutions to manage their risks such as strategic, reputational, compliance and operational risk and that is a cause of increased systemic risk. The EBA noted that these risks should be mitigated adequately by banks and embedded in a sound and efficient risk management policy.  That means money and effort.

The EBA produced a draft guidance designed to support the adoption of cloud-based solutions by banks earlier this year. Interestingly the EBA Read the rest of this entry »

US Supreme Court to review digital privacy through the prism of the 14th Amendment, warrantless searches

November 27, 2017

The US Supreme Court has been remarkably strong on recognising a right to privacy through various Amendments to the Constitution, mainly the Read the rest of this entry »

UK drone users are to sit safety tests under proposed new law

November 26, 2017

The response of governments to the phenomenal rise of the unmanned aerial vehicles across the world has ranged from the tentative to the woeful.  Admittedly it has provided significant challenges to regulators as light, portable drones sold in their thousands are difficult to monitor and where there is a breach of the regulations difficult to prosecute. Governments are also wary of limiting the commercial utility of drones, which can transform transport and delivery, such as delivering blood to hospitals.

The regulation of drones in Australia is spotty at best. The nature of the regulation depends on whether drones are being used for recreational or for business and commercial purposes.  The primary regulator is the Civil Aviation Safety Authority (the “CASA”) . The focus of the regulation is air safety.  Through my posts over the years on drones this sort of regulation is far from adequate.  Drones have the potential, and often do, to interfere with people’s privacy.

The regulation such as it is is poorly enforced.  The complaints process is cumbersome and there are difficulties in identifying the drone and its owner after the fact. CASA could be doing a better job.
Read the rest of this entry »

Another data breach by an Australian Government Agency…this time the Department of Social Services

It has been a bad year for data breaches in Australia.  Perhaps not as bad as America where the Equifax data breach, involving 145 million Americans, took matters to a whole new level in terms of volume of data stolen, the impact of that credit reporting information on the individuals affected and the truly dreadful response. Similarly the recently announced Uber breach, involving 57 million individuals, has been a new low in terms of woeful data security and appalling subsequent management.  But Australian agencies and organisations have, through data breaches most recently a data breach involving 50,000 Australians from the Department of Finance, the Australian Electoral Commission and other agencies, shown that there remains a poor culture of privacy protections and data security.  Lax regulation and little in the way of consequences for breaches of the legislation have largely contributed to this poor state of affairs.

The Guardian reports on a breach at the Department of Social Services involving yet another breach by a third party contractor which has necessitated the department writing to 8,500 individuals, 2,000 current and 6,500 former employees of the Department.  The compromise involved Read the rest of this entry »