CyberWatch: Australia

Insight on how cyber risk is being mitigated and managed in Australia and across the globe.

 

1
I Spy With My Little Phone – New Laws giving access to your phone data
2
FAKE APPS FIND A WAY TO GOOGLE PLAY!
3
242 data breaches reported in second quarter of notifiable data breach regime
4
My Health Records – To opt-in, or to opt-out? That is the question
5
GDPR – What to expect in France
6
Eureka! California Just Adopted a Strong Consumer Privacy Law
7
Facebook fined £500,000 over Cambridge Analytica scandal
8
OAIC’s controversial decision broadens scope for the disclosure of personal information
9
Ambulance chasing through data sharing? Health app accused of sharing personal health information with law firm
10
Former MasterChef contestant falls victim to online fraud attack

I Spy With My Little Phone – New Laws giving access to your phone data

By Cameron Abbott and Colette Légeret

Yesterday, the Australian Government unveiled the draft Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 which aims to compel telecommunication and multi-national tech companies (Providers) to give law enforcement and security agencies (Agencies) access to personal encrypted data of suspected criminals, including terrorists, child sex offenders and criminal organisations.

Read More

FAKE APPS FIND A WAY TO GOOGLE PLAY!

By Cameron Abbott and Jessica McIntosh

Over the last two months a string of fake banking apps have hit the Google Play store, leaving many customers wondering whether they have been affected by the scam. A report by security firm ESET found users of three Indian banks were targeted by the apps which all claimed to increase credit card limits, only to convince customers to divulge their personal data, including credit card and internet banking details. The impact of this scam was heightened as the data stolen from unsuspecting customers was then leaked online by way of an exposed server.

The report claims these apps all utilise the same process:

  1. Once the app is downloaded and launched a form appears which asks the user to fill in credit card details (including credit card number, expiry date, CVV and login credentials)
  2. Once the form is completed and submitted a pop up customer service box is displayed
  3. The pop up box thanks users for their interest in the bank and indicates a ‘Customer Service Executive’ will be in contact shortly
  4. In the meantime, no representative makes contact with the customer and the data entered into the form is sent back to the attacker’s server – IN PLAIN TEXT.

The ESET report alarming revealed that the listing of stolen data on the attacker’s server is accessible to anyone with the link to the data, this means sensitive stolen personal data was available to absolutely anyone who happens to comes across it.

Whilst, the reality is any app on your personal smartphone may place your phone and personal data at risk, (as discussed here ‘Research Reports say risks to smartphone security aren’t phoney‘)

Customers can mitigate risk by:

  • only using their financial institutions official banking apps, these are downloadable from the relevant institution’s official website;
  • paying attention to the ratings, customer reviews when downloading from Google Play;
  • implementing security controls on your smartphone device from a reputable mobile security provider; and
  • contracting their financial institution directly to seek further guidance on the particular banking apps in use.

 

It cannot be overlook, whilst Google Play moved quickly to remove the apps we query how it was so easy for cyber criminals to launch fake apps on Google Play in the first place.

242 data breaches reported in second quarter of notifiable data breach regime

By Warwick Andersen, Rob Pulham and Colette Légeret

The Office of the Australian Information Commissioner (OAIC) has released its second quarterly report of notifiable data breaches. This report is of particular significance as it, unlike the first “quarterly” report, covers a full quarter and therefore depicts a more accurate account of data breaches over a calendar quarter.

Read More

My Health Records – To opt-in, or to opt-out? That is the question

By Cameron Abbott and Keely O’Dowd

This year all Australians will have a My Health Record created. A My Health Record will operate as a digital medical file that allows healthcare providers to upload health information about a patient. This information may include prescriptions, medical conditions and test results. A patient’s digital medical file will be stored in a national electronic database operated by Australian Digital Health Agency (ADHA).

Read More

GDPR – What to expect in France

By Claude-Etienne Armingaud, CIPP/E

On July 2, 2018, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its yearly thematic guidance for the priority axes of its control activities, notably further to the entry into force of the recent General Data Protection Regulation (“GDPR”).

As for the previous periods, the CNIL is expecting to launch 300 dawn-raids, either on premises or online, in order to control compliance of companies subject to French and European data protection regulations, notably on newly introduced aspects relating to the implementation of GDPR (right to portability, data protection impact assessments…).

One of the new aspects of GDPR also includes the joint control operations by several EU supervisory authorities.

The themes which will guide the CNIL’s actions over the following months will include:

  • Recruitment operations

While the development of big data solutions and AI-assisted recruitment, through the use of algorithm offer the vast possibility to assess the applicants and predicts their adequacy for the position on the basis of pre-defined criteria, such technologies are also likely to impact a broad number of data subjects and subject them to arbitrary or opaque decision making outcomes. The CNIL will therefore target the transparency and the selection requirements, as well as retention periods for the surrounding meta data.

  • Real estate documentation

Fair home access is a key concern of our times. French Decree no.2015-1437 dated 5 November 2015 aims at protecting tenants with regard to information which may be requested. However, almost three years after this decree, it seems that asking additional documentation remains common practice, including sensitive data such as medical files. The lack of proportionality between the documents requested and the purposes of the processing may affect the compliance of realtors, who will be a priority control target.

  • Connected e-ticketing services

The MAPTAM Act allowed for local territorial administration to outsource the parking ticket process and the automation thereof. However, several complaints emerged since the beginning of the year from data subjects who perceived a decrease in their protection under the data protection framework. As such, the CNIL will also target the conditions under which the outsourcing operations have been performed and the conditions for use, retention and safeguarding of the data subjects’ information.

While the guidance addresses the control aspects of its activities, the CNIL also mentioned that the follow up to such controls, notably in terms of sanctions against the controlled companies, would be assessed at a later stage and will take into consideration good faith efforts initiated by targeted companies. The French Privacy team of K&L Gates remains available to assist you in your implementation and evaluation of your GDPR compliance strategy.

As a consequence, it remains a priority to validate a sound action plan to reach compliance with GDPR undertakings by the end of this year for all impacted companies.

 

Source in French: CNIL website

Eureka! California Just Adopted a Strong Consumer Privacy Law

By Susan P Altman

While the rest of us were still recovering from the May 25 effective date of the EU’s General Data Protection Regulation (GDPR), California, the most populous and largest economy of any of the United States, confidently adopted a broad consumer privacy law. The California Consumer Privacy Act of 2018 (CCPA) was enacted June 28 and becomes operative on January 1, 2020. Unlike existing industry-specific U.S. privacy laws, the CCPA has a broad overall scope, more like the GDPR. It ensures California residents the right to know what information about them is being collected and sold or disclosed, to reject the sale of their personal information, to access the information, and to receive equal service and price, even if they exercise their privacy rights.

Unlike the GDPR, the CCPA does not extend to extra-territorial coverage. The CCPA applies only to for-profit businesses doing business in California and sets certain thresholds for business activity and size, thereby protecting most of the Silicon Valley start-up community from the cost of compliance. The CCPA protects the rights of “consumers,” who are natural persons residing in California, and generally does not apply to California residents while they are outside of California.

A business that is required to comply with CCPA will need to update its website, and include a conspicuous link on the homepage to a page titled, “Do Not Sell My Personal Information.” In addition, the website must describe the consumer’s privacy rights and annually update its privacy policy to reflect current practices. Consumers will be able to opt-out of collection practices; although children (or their parents) must opt-in. Consumers must be able to contact businesses regarding their collected information. Amendments and corrections to the CCPA are expected.

Facebook fined £500,000 over Cambridge Analytica scandal

By Cameron Abbott and Sarah Goegan

The UK Information Commissioner’s Office (ICO) has issued a notice of intent to levy a £500,000 fine against Facebook for breaches of the UK’s Data Protection Act 1998. The ICO found that Facebook failed to protect its users’ data and be transparent about how that data was being harvested. This failure, ICO said, did not enable users to understand how and why they may be targeted by a political party or campaign.

The fine comes as part of a larger investigation by ICO into misuse of data in political campaigns, and responds to the highly publicised allegations that Cambridge Analytica used data obtained from Facebook to target voters in the 2016 US presidential election.

Read More

OAIC’s controversial decision broadens scope for the disclosure of personal information

By Warwick Andersen, Rob Pulham and Georgia Mills

In 2017 Andie Fox, a recipient of Centrelink benefits, wrote a highly critical opinion piece on Centrelink’s debt recovery system, alleging that she was being pursued for a non-existent debt.  In response Centrelink provided Ms Fox’s personal information, previous communications and claims history to a journalist who published an article claiming that Centrelink had been ‘unfairly castigated’ by Fox.  The OAIC commenced an investigation into the release and has controversially confirmed Centrelink’s disclosure as permitted under the Privacy Act.

Read More

Ambulance chasing through data sharing? Health app accused of sharing personal health information with law firm

By Cameron Abbott and Sarah Goegan

The idea of lawyers “ambulance chasing” seems to have taken on a new form. An investigation by the ABC has revealed how technology is being used to share health information with lawyers to generate work.

The ABC has revealed that HealthEngine, Australia’s largest online doctor’s appointment booking service, shared daily lists of prospective clients with law firm Slater and Gordon, based on personal medical information shared by users with the app.

Read More

Copyright © 2018, K&L Gates LLP. All Rights Reserved.