November 24, 2017
Data breach notification laws seem to be in vogue in Australia at the moment. In 90 days, on 22 February 2018, the Commonwealth Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into effect for those organisations and agencies covered under the Privacy Act 1988. That has the potential to have a major impact on the way privacy and data security is regulated in Australia and make the extent of data breaches more transparent. It will bring Australia into line with best practice, even if the Act is far from the gold standard. It is a complicated piece of legislation which requires careful analysis of the extent of data breaches, consideration of exemptions and appreciation of which is the best options available to the affected entity to ensure compliance.
In New South Wales an opposition member, Paul Lynch, introduced the Privacy and Personal Information Protection Amendment (Notification of Serious Violations of Privacy by Public Sector Agencies) Bill 2017 into the Legislative Assembly on 16 November 2017. If passed Read the rest of this entry »
Posted in Privacy
|
Post a comment »
November 22, 2017
Uber, like many modern disrupting businesses, relies on data. Lots of it to make its app effective. In October 2016 Uber suffered a disastrous data breach, affecting the personal information of 57 million customers and drivers. The hackers stole names, email addresses, phone numbers as well as the names and driver licences of 600,000 drivers in the US alone. That can make up a treasure trove of data that can be used in identity theft. Uber says that location data, credit card numbers, bank account details, social security numbers and birth dates were not compromised. Or at least that is what it says. Uber’s credibility has taken a hit.
The story has been picked up by Read the rest of this entry »
Posted in Privacy
|
1 Comment »
November 19, 2017
The development of privacy related actions in either common law or equity in Australian courts has been glacial at best. It has been marked by hesitation and wariness heavily seasoned by a major case of conniptions by decision makers. Efforts to have the courts here do what is effortlessly done in other common law countries, recognise a tort of an invasion of privacy have come to nought. As for Tribunals’ decisions on privacy, the less said the better. The legislature, irrespective of which party occupies the treasury benches, has been equally languid, when not down right resistant, in legislating for a statutory tort of privacy. The need for an actionable tort of privacy has been consistently recommended by whichever law reform commission has looked at the issue. The main opponents these days are media lawyers for news outlets, governments who don’t want a fight with media outlets over such a reform and some of the more conservative commentators who see any such right as being a bill of rights by stealth or some such nonsense.
In the weekend Sydney Morning Herald reports on a class action which may test privacy law in Paramedics launch class action over the sale of their medical records to personal injury solicitors. The breaches are Read the rest of this entry »
Posted in Privacy
|
1 Comment »
November 17, 2017
To those who think the cloud is the answer to their security prayers think again. Vulnerabilities in a cloud service occur often enough. Flaws in service provided by third party providers are a chronic problem. The onus still remains with the party that collects the data but too many organisations assume that once it is stored via a third party provider, such as in the cloud, that responsibility disappears. Often times data in the cloud is not encrypted or otherwise protected. ABC has learned these and a few other lessons with a data breach in its cloud services, being a misconfigured storage bucket, according to the the Australian article ABC caught in massive data leak. That data seems to Read the rest of this entry »
Posted in Privacy
|
1 Comment »
November 10, 2017
Revenge porn, non consensual posting of intimate pictures or videos on line, is currently regulated by means of criminal offences in Victoria, South Australia, New South Wales and the ACT. There is no specific civil cause of action or a statute based tort of interference with privacy. There have been successful prosecutions of individuals, usually ex partners of the victim who posted intimate images in their possession to humiliate and harm the victim. And that is for the good. However, a criminal prosecution is a very blunt instrument and one Read the rest of this entry »
Posted in Privacy
|
1 Comment »
November 6, 2017
It is less than 6 months before the mandatory data breach notification laws take effect. February 22 2018 to be precise. It will impact all organisations and agencies covered by the Privacy Act and may require them to report data breaches of personal information. This has been the norm in 48 states of the United States for some time. In the United States receiving notices under whichever data breach legislation is in operation, if not common, then not unusual. That is an indicator of the frequency and impact of data breaches on business and government. Cyber crime for profit and malicious hacking is a chronic problem. In Australia there has been no requirement to notify individuals whose personal information have been accessed through a data breach. There have been self reported data breaches to the Information Commissioner, sometimes because of good corporate practice but more often because the breach had been publicised.
The Australian legislation is far from the gold standard. It is complex and quite imprecise. It will require considerable care by organisations and agencies to develop policies as early as possible to properly comply with the legislation when there is a data breach. There is little point trying to comply while dealing with a data breach. Notifications must be made within 30 days from the date the breach is detected. That is the outer limit. While the time frame seems generous, given the Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
|
1 Comment »
The Information Commissioner’s Office has been an active regulator in the United Kingdom. The legislation in the United Kingdom, the Data Protection Act, empowers the ICO to levy heavy monetary penalty notices, technical terms for fines. In Australia the Information Commissioner can commence civil penalty proceedings which penalties of up to $1.7 million. Each regulator has its own regulatory armaments. The difference is that the ICO is active. The Australian Information Commissioner is not.
This fine is the first by the ICO involing the data broking industry.
The ICO issued a monetary penalty notice, fining Verso Group (UK) Limited for supplying personal information to another company, Prodial Ltd which used that data to make 46 million nuisance calls. Prodial received a record fine but the investigation continued and went to the source of the data. That is quite a common feature of regulatory investigations. Commonly one investigation for Read the rest of this entry »
Posted in Privacy, UK Information Commissioner's Office
|
1 Comment »
November 2, 2017
Contractors and third party providers are notorious for being weak points in data security. Some of the largest data breaches have occurred through poor data security of contractors. The Sony and Target breaches were caused by hackers accessing sites through a contractors access point. It happens in Australia on a more regular basis than people appreciate. And it has now happened in Australia on a very significant scale. Itnews reports that files, which included full names, passwords, IDs, phone numbers, and email addresses as well as some credit card numbers and details on staff salaries and expenses was made available on line by a contractor. In all personal information of 50,000 Australians were compromised. Of that 50,000 Read the rest of this entry »
Posted in Privacy
|
1 Comment »
In late September this year Deloitte was the target of a successful sophisticated cyber attack which involved compromising client emails and confidential data of its clients, many of which are significant organisations. As is commonly the case with major data breaches the impact of the breach is not immediately known. Often it requires a review to determine the extent of the breach. It is not uncommon for hackers to remain undetected for weeks and sometimes months as they access data and decide what to steal or leak. In the case of Deloitte’s breach was much larger than originally thought affecting the emails of 350 clients among which were US Government agencies including a server hosting emails for the US departments of state, energy, homeland security, and defense, the United States Postal Service, the National Institute of Health and the Federally guaranteed mortgage companies Fannie Mae and Freddie Mac. The reputational damage to Deloittes has been immense, not least because it and the other big 3 accounting firms market themselves as experts in consulting in data storage, data security and compliance with privacy laws.
According to itgovernance in List of data breaches and cyber attacks in October 2017 – 55 million records leaked October was a bad but not untypical month in terms of data breaches which affected a broad range of companies. There were financially inspired attacks such as Read the rest of this entry »
Posted in Privacy
|
1 Comment »
October 31, 2017
Last week the Joint Committee of Public Accounts and Audit released its long awaited report into Cybersecurity Compliance. It is a valuable report which makes clear that the Committee “gets it” as far as the need to maintain proper cyber security by agencies which are increasingly reliant on data being stored, used and disclosed online by its users. The Committee was also frank in its assessment that key agencies are falling down in this regard. For those practicing in this area that comes as little surprise. There remains a poor cyber security and privacy culture in Read the rest of this entry »
Posted in Privacy
|
1 Comment »