Archive: March 2020

1
Forgotten Issues: What Business Continuity Planning in the COVID-19 Era Isn’t Contemplating
2
Not So Zoomy: Use of Videoconferencing Technology “Zoom” on the Rise, but Privacy and Data Security Inadequacies suggest Users should Tread Carefully
3
A phishing pandemic – Part I
4
Doctor, how are we tracking? China, South Korea, Singapore and Thailand Using Smart Phone Applications to Halt the Spread of Corona Virus
5
Privacy in the time of COVID-19
6
Uniformity of Law II: NSW Government pledges to introduce Mandatory Data Breach Reporting in respect to State Government Agencies
7
This is your digital life (of no consent or control): The Australian Information Commissioner takes Facebook to Court
8
Watching Me, Watching You: Chinese Surveillance Cameras Banned in South Australia amidst Security Concerns
9
Front and Centre: Privacy makes Front-Page, without a breach!
10
You’ve got mail…and lots of it according to the latest OAIC report!

Forgotten Issues: What Business Continuity Planning in the COVID-19 Era Isn’t Contemplating

By Cameron Abbott, Warwick Andersen, and Max Evans

As the world grinds to a halt following the dispersion of COVID-19 and businesses around the globe experience a significant downturn, more and more businesses are turning towards their Business Continuity Plan (BCP) in order to mitigate the potential impacts of this worldwide emergency on business sustainability. However, a key aspect of BCP’s is that they encapsulate the full scale of collateral issues that may arise from such an emergency.

From a technology perspective, BCP’s need to consider access. This issue is twofold: being access to premises in which businesses operate in order to correct system defects and system outages, as well as access to external premises that provide technology services such as data storage or data security services.

Read More

Not So Zoomy: Use of Videoconferencing Technology “Zoom” on the Rise, but Privacy and Data Security Inadequacies suggest Users should Tread Carefully

By Cameron Abbott, Warwick Andersen, Rob Pulham and Max Evans

As the world grinds to a halt following the perpetuation of COVID-19, more and more businesses have turned to remote work arrangements. This has led to a sharp rise in the use of videoconferencing technology Zoom. However, as the Australian Financial Review notes, flawed data security and privacy practices mean that the use of Zoom could be disastrous for corporate and personal privacy.

Concerns surrounding the use of Zoom arose earlier this year, with critical security vulnerabilities enabling hackers to predict Meeting ID’s and therefore join active meetings, and also allowing any website to forcibly join a user to a Zoom call with their video camera activated and without the user’s permission. Whilst a number of these errors were patched up, as the article notes, Zoom refused to disable the ability for hackers to forcibly join to a call anyone visiting a malicious site, raising security red flags and undermining public confidence in Zoom’s attitude towards data security. A strange response given that part of its attraction had been a perceived stronger approach to security.

Read More

A phishing pandemic – Part I

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

It’s upsetting to report, but should come as no surprise, that scammers are seeking to take advantage of organisations during the COVID-19 pandemic.

The Australian Competition and Consumer Commission’s Scamwatch website reports that phishing attacks are on the rise, with scammers impersonating the World Health Organisation and other agencies. Scams include anything from offering victims a vaccine for COVID-19 to investment opportunities created by the pandemic.

Read More

Doctor, how are we tracking? China, South Korea, Singapore and Thailand Using Smart Phone Applications to Halt the Spread of Corona Virus

By Cameron Abbott, Warwick Andersen, Rob Pulham and Max Evans

A slew of Asian countries have begun to use telecommunications networks, Smart Phone Applications and messaging services to assign, inform, track and/or monitor individuals which may have contracted COVID-19, including those which are required to undertake a process of self-isolation, according to articles from Wired, Channel News Asia and Bangkok Post.

In China, apps such as WeChat and AliPay have been utilised to assign individuals health codes, referred to as colour codes, to determine whether they should undertake a process of self-isolation. According to the NY Times a green code enables its holder to move about unrestricted, a yellow code asks the individual to stay home for seven days whilst a red code requires a two-week quarantine. In South Korea, government authorities have sent out texts detailing the movements of specific people infected with COVID in addition to using a smartphone app to ensure people who are required to self-isolate are staying home.

Read More

Privacy in the time of COVID-19

By Cameron Abbott, Rob Pulham, Michelle Aggromito and Rebecca Gill

Nothing can stop us from talking about privacy, including a pandemic! Yesterday, the Office of the Australian Information Commissioner (OAIC) issued guidance on the collection, use and disclosure of personal information during the COVID-19 pandemic (Guidance). 

It mainly serves as a reminder to organisations that even in these pressing times, they must comply with the Australian privacy regime. However, it also highlights what organisations can collect and do with personal information for the purposes of preventing and managing the spread of COVID-19.

Read More

Uniformity of Law II: NSW Government pledges to introduce Mandatory Data Breach Reporting in respect to State Government Agencies

Cameron Abbott, Warwick Andersen and Max Evans

Following on from the consultation opened by the NSW Government in July 2019 (the subject of a previous blog), NSW Attorney-General Mark Speakman has committed to introducing a mandatory data breach scheme, according to an article by ITNews.

At present, neither NSW privacy laws nor the notifiable data breach scheme under Part IIIC of the Privacy Act 1988 (Cth) require public sector agencies in NSW to notify the NSW Privacy Commissioner and affected individuals where a data breach creates a risk of serious harm. This led to a consultation conducted by the Department of Communities and Justice in late 2019, which revealed “overwhelming public support” for the introduction of a mandatory data breach scheme in NSW, with the NSW Government “sharing a view” that the relevant scheme should be introduced.

Read More

This is your digital life (of no consent or control): The Australian Information Commissioner takes Facebook to Court

By Cameron Abbott, Rob Pulham and Rebecca Gill

In a first for Australia, the Australian Information Commissioner (Commissioner) has launched proceedings in the Federal Court of Australia, seeking penalties against Facebook for serious and/or repeated interferences with privacy. The contraventions relate to the conduct disclosed by the Cambridge Analytica scandal, which involved the This is Your Digital Life app (App). We’ve previously blogged about the App here.

It is unclear how the penalties will be calculated in this proceeding. The penalty rate applicable to the relevant period (being from March 2014 to May 2015) is a maximum of $1.7 million. Some have suggested that fines may be in the billions if the maximum rate is applied to each individual affected as a single “contravention” (with possibly over 300,000 contraventions in total!). This may be fun to calculate, but highly unlikely to be applied in reality.

Read More

Watching Me, Watching You: Chinese Surveillance Cameras Banned in South Australia amidst Security Concerns

By Cameron Abbott and Max Evans

Following Australia’s latest round of expanded 5G restrictions, the South Australian Government has made a decision to remove all close circuit surveillance cameras made by a Chinese surveillance giant from health department buildings, according to an article by the Sydney Morning Herald.

The article notes that the relevant cameras are made by the partially state-owned Chinese surveillance technology company Hikvision, which was blacklisted in October 2019 by the United States for their alleged role in human rights violations and in purporting to create a surveillance network amongst federal agencies. Issues with Hikvision in South Australia were first identified in the course of a Commonwealth-funded trial in which Hikvision cameras were to be used in the rooms of aged care residents as a means to improve overall safety.

Read More

Front and Centre: Privacy makes Front-Page, without a breach!

By Cameron Abbott, Warwick Andersen, Rob Pulham and Max Evans

Privacy lawyers have been waiting for this day for years (some of us decades). Privacy is on the front page of the Sydney Morning Herald and the Age, despite there being no actual data breach. According to the article, Alinta Energy, one of the Australia’s biggest energy companies, is putting the privacy of its over 1.1 million retail gas and electricity customers at risk through poor privacy protections and a lack of proper oversight.

While this is an interesting piece of investigative journalism, what is really interesting is that privacy is now newsworthy even in the absence of a data breach.  It has been a long time coming but it seems society now rates privacy as front page news.  As our lawyers have already been pointing out in giving presentations this year – privacy has finally hit the big time!

You’ve got mail…and lots of it according to the latest OAIC report!

By Cameron Abbott and Michelle Aggromito

With email being one of the most common forms of communication, it’s not surprising that inboxes these days accumulate thousands of emails that, perhaps, aren’t always electronically filed or deleted (not ours of course).

As the Office of the Australian Information Commissioner (OAIC) has indicated in its most recent report on notifications received under the Notifiable Data Breach (NBD) scheme, email accounts are frequently being used for storage, and this raises inherent risk. Yes it’s convenient, but using email to send personal information, such as copies of passports, bank account details and credit card information, can very quickly lose its appeal. If the email account is accessed by a malicious actor through a phishing attack or a rogue employee, the end result can be exploitation of that information for criminal gain.

Read More

Copyright © 2019, K&L Gates LLP. All Rights Reserved.