Archive: May 2019

Privacy Awareness Week (Personal Data): technology suspicion – consumer concerns surrounding voice and digital assistants
Privacy Awareness Week (Health Information): Health sector and the notifiable data breach scheme – 12 months on
Surveillance software targets WhatsApp users
Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia
Privacy Awareness Week (Data Breaches): Study finds majority of Australian businesses are ill-equipped to handle cybersecurity incidents
Sharing of ‘abhorrent violent material’ now an offence under new laws
Consumer Data Right Draft Rules – submissions closing soon

Privacy Awareness Week (Personal Data): technology suspicion – consumer concerns surrounding voice and digital assistants

By Cameron Abbott, Rob Pulham, Michelle Aggromito, Max Evans and Rebecca Gill

Protecting personal data is a fundamental aspect of any privacy regime. As we become more technologically advanced, organisations are finding innovative ways to interact with consumers through more intuitive communication channels, such as voice recognition via digital assistants. But not everyone trusts such technology, as Microsoft’s April 2019 report on voice assistants and conversational artificial intelligence has found.

The report found that 41% of voice assistant users were concerned about trust, privacy and passive listening. Other interesting findings of the report include:

  • A majority of users (52%) had concerns surrounding security for personal information, and around a quarter of the users (24%) had suspicions surrounding the ways in which companies might use the information.
  • Almost half the users (41%) were concerned with their devices actively listening or recording conversations when idle.
  • Around a quarter of the users (14%) did not trust the companies behind the voice assistant, and 36% of users did not want their personal information or data being used.

According to the report, headlines surrounding topics such as misunderstood commands and unrequested purchases have greatly influenced consumer attitudes towards these forms of technology. Clearly users are struggling to reconcile the competing interests. The technology understands you better the more information it collects from you. Where will you draw the line between these interests?

Privacy Awareness Week (Health Information): Health sector and the notifiable data breach scheme – 12 months on

By Cameron Abbott, Rob Pulham, Michelle Aggromito and Rebecca Gill

It’s been a little over a year since the notifiable data breach scheme was introduced in Australia. The Office of the Australian Information Commissioner (OAIC) issued its Notifiable Data Breaches Scheme 12-month Insights Report on 13 May 2019, detailing its insights to come out of the scheme’s operation over the past 12 months. As regular readers would no doubt be aware, the health sector was one of the top industry sectors to report breaches in the first 12 months of the scheme’s operation.

Here’s the health sector at a glance:

  • Of the 964 eligible data breaches notified to the OAIC from 1 April 2018 to 31 March 2019, health information breaches accounted for 249 notifications (just over a quarter of all notifications). This is consistent with international trends which often show the health sector as a leading reporter of data breaches.
  • Human error was the leading cause of data breaches in the health sector, accounting for 55% of the breaches. This figure is considerably higher than the average rate of human-error breaches in other industries (35%).
  • Human error in the health industry typically involved sending personal information to the wrong recipients via email and other forms of communication.

On their own, these figures seem to paint a grim picture for the health sector, which is the leading reporter of data breaches in Australia. However, there may be a silver lining for health organisations. As the Report identifies, the statistics arguably reflect the health sector’s preparedness to report data breaches. This potentially suggests a greater maturity and understanding of their obligations than other sectors that deal with less sensitive data, and could well be influenced by the more regulated nature of the sector, as well as the fact that the sector routinely deals with sensitive health information which inherently carries a higher risk of causing serious harm if misused.

For more insights into health information and the scheme, check out our blog posts “My Health Records – to opt-in, or to opt-out? That is the question” and “Mandatory data breach reporting in 60 seconds”, or feel free to contact us for any assistance or information.

Surveillance software targets WhatsApp users

By Cameron Abbott, Rob Pulham and Michelle Aggromito

Unfortunately for all of us, Privacy Awareness Week doesn’t mean a chance to take a break from seemingly endless data breach notifications and social media vulnerabilities.

This week it’s WhatsApp’s turn, with reports that hackers, or, as WhatsApp described them, “an advanced cyber-actor”, have been able to remotely install surveillance software on phones and other devices of select targets, likely to be lawyers, journalists, activists and human rights defenders. The hackers were able to compromise the devices by using WhatsApp’s call function to ring the devices. The surveillance software was still installed even if the call was not picked up, and the call reportedly would disappear from the compromised device’s call log. This means the malware could be installed without any action from the compromised user – and potentially without them even being able to determine that they had been compromised.

The surveillance software effectively rendered the app’s prized end-to-end encryption redundant as it allowed the attacker to read messages on the compromised devices.

WhatsApp released a fix last Friday and has encouraged all its users to update their apps, but some questions still remain.

In particular, while the app update fixes the issue that allowed the attack in the first place, it is not clear if the update can also remove the surveillance software embedded in already compromised devices.

WhatsApp has described the hackers as “a private company that has been known to work with governments to deliver spyware”, which news outlets have reported is Israel’s NSO Group. Regardless of the parties involved, the ability to defy WhatsApp’s encryption is a scary reminder of the potential impact of a “technical capability” that could be required under the recently enacted Australian encryption laws (except that it has not been kept secret!). If you would like to know more about the new laws, check out our recent blog posts ‘What do you need to know about the encryption killing legislation’ and ‘To encrypt or not encrypt? That is the question’, or feel free to contact us for any assistance or information.

Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

Today’s topic for Privacy Awareness Week is “online privacy”. It is no surprise that online privacy is a key topic of concern for businesses and consumers alike, given recent high-profile privacy breaches. Of particular significance is the issue of credential stuffing, as Australia is now the fifth highest target for credential stuffing attacks according to Akamai’s Credential Stuffing: Attacks and Economies report of April 2019 (Report).

Credential stuffing is a form of cyberattack where account credentials, usually usernames or email addresses and their corresponding passwords, are stolen, typically in a previous security breach. The stolen credential combinations are then used, through automated and large-scale login attempts, to try to gain access to accounts at other sites. It relies on individuals using the same password across multiple sites. K&L Gates has previously blogged on a high-profile credential stuffing attack that can be found here.

The key findings of the Report include:

  • the largest credential stuffing attacks of 2018 occurred in the video media sector. The market for stolen media and entertainment accounts is thriving as the accounts are sold in bulk;
  • the attacks usually occurred after reported data breaches; and
  • checker programs (or “All-in-One” applications) such as SNIPR are common. These programs allow attackers to validate stolen credentials or to generate combination lists. The credentials can then be sold, traded or harvested for various types of personal information.

Recent credential stuffing attacks demonstrate how your entire digital life can be exposed following a data breach paired with a credential stuffing attack. A successful credential stuffing attack can significantly damage a brand’s reputation and increase its operational costs – even though the attack wasn’t the brand’s fault.

Businesses should consider implementing multi-factor authentication, which can be effective in preventing credential stuffing attacks. Consumers should also be educated about phishing emails and the dangers of using the same password for all logins!

Privacy Awareness Week (Data Breaches): Study finds majority of Australian businesses are ill-equipped to handle cybersecurity incidents

By Cameron Abbott, Rob Pulham and Rebecca Gill

It’s Privacy Awareness Week and today’s topic is “data breaches”. With data breaches and responding to cyber attacks becoming an inevitable part of doing business, it’s a timely reminder about the importance of adequately resourcing your IT security areas, and of having comprehensive and well-tested data breach response plans in place, as illustrated by the Fourth Annual Study on The Cyber Resilient Organization (Study), conducted by the Ponemon Institute on behalf of IBM Resilient.

The Study surveyed 3,655 IT and IT security practitioners in 11 countries and regions, including Australia. The results of the Study indicate that a majority of Australian businesses are vulnerable to cyber-attacks due to a lack of skilled personnel and incident response plans.

Some interesting results of the Study were:

  • only 22% of Australian respondents agreed that they had sufficient staffing to achieve a high level of cyber resilience (globally the figure wasn’t much higher, at 30%);
  • 79% of Australian respondents did not have a cybersecurity incident response plan (CSIRP) that applied consistently across the entire enterprise;
  • more than half of the Australian respondents who had CSIRPs said they did not test them; and
  • of the 11 countries, Australia reportedly experienced the biggest increase (70%) in the volume of cybersecurity incidents in the past 12 months, compared against 61% overall.

The Study also highlights the key characteristics of “high performing” organisations that are cyber resilient, and emphasises the need to have skilled IT personnel and consistent enterprise-wide CSIRPs.

We all see the regular occurrence of breach events – it is not as if we have not been well warned. With mandatory reporting the consequences are far more public and painful, but obviously not painful enough for Australian companies to truly tackle the problem head on.

Sharing of ‘abhorrent violent material’ now an offence under new laws

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

Governments around the world are imposing more responsibilities on tech providers to deal with online harms. In response to the recent attacks in Christchurch, in which a gunman livestreamed on Facebook his attack on a mosque, the Australian Government recently enacted the Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 (Cth) (Act). The Act, which commenced on 6 April 2019, was pushed through swiftly and has a broad reach.

Under the Act, internet, content and hosting service providers must refer details of any ‘abhorrent violent material’ that records or streams ‘abhorrent violent conduct’ to the Australian Federal Police. Abhorrent violent material is material that is audio, visual or audio-visual, and that records or streams ‘abhorrent violent conduct’. Such conduct includes acts of terrorism, murder, attempted murder, torture, rape and kidnapping.

Content and hosting service providers must also remove or cease to host abhorrent violent material ‘expeditiously’, which is left undefined in the Act. It is also immaterial whether the content or hosting service is provided within or outside Australia.

The Act also imposes significant criminal penalties on individuals and companies for failing to meet their obligations. For instance, the penalty for a company for failing to delete such violent material is either a fine of up to $10.5 million, or a fine of up to 10 per cent of the company’s annual turnover, whichever is the greater.

The Act will have wide ramifications for tech service providers and any such organisations that may fall under the Act’s scope should implement and check their reporting and screening processes in order to avoid committing an offence under these new laws. As it stands, many such providers are not in any position to comply with these laws.

Consumer Data Right Draft Rules – submissions closing soon

By Cameron Abbott, Rob Pulham and Rebecca Gill

The deadline for submissions on the ACCC’s draft Competition and Consumer (Consumer Data) Rules 2019 (Draft Rules) is fast approaching. The ACCC is seeking feedback from community organisations, businesses and consumers on the approach and positions of the Draft Rules for the Consumer Data Right (CDR) regime until this Friday, 10 May 2019.

Key aspects of the Draft Rules (which are available on the ACCC’s website) include:

  • the three ways in which CDR data may be requested;
  • the requirements for consent to collect CDR data;
  • rules relating to the accreditation process; and
  • rules relating to the thirteen privacy safeguards for CDR data.

K&L Gates has previously blogged on the CDR in relation to the Australian Open Banking regime.

A quick recap: In May 2018, the Commonwealth Government committed to implement the CDR in line with the recommendations of the Review into Open Banking in Australia. The CDR is a competition and consumer reform which aims to give Australian consumers greater control over their data. It will allow a consumer to require a company, such as their bank, to share their data with another accredited service provider, such as another bank or a comparison site, for the purposes the consumer has authorised. The expectation is that this will create more choice for consumers and facilitate competition amongst providers.

The Draft Rules would be made under the proposed Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth), which provides the framework for the CDR.

Although the CDR will initially apply to the banking sector followed by energy and telecommunications, the intention is that it will be rolled out economy-wide on a sector-by-sector basis, so now is a good time to become familiar with the proposed framework and to start planning for its potential effect on your organisation’s processes.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.