Category: Litigation of Data Breaches

1
Insufficiency meets Punishment: Polish DPA issues largest fine for Insufficient Security and Organisational Measures
2
Update on the Criminalisation of Non-Consensual Distribution of Intimate Images in WA: Another Conviction in Australia
3
The OAIC engages in more in-depth investigations and stronger exercise of its power
4
PwC’s Enforcement Tracker finds a large increase in fines for privacy breaches in the UK
5
Ratings agency starting to factor in Cyber risk profile
6
Bypassing the Castle Walls: Tactical Exploitation of America’s Vulnerable Grid
7
Open Government? – political misstep leads to privacy breach
8
US Court signals that proving data breach class actions will be difficult
9
Facebook’s Potential $70 billion Legal Challenge
10
Abbott Labs makes a costly mistake as FDA targets cybersecurity deficiencies

Insufficiency meets Punishment: Polish DPA issues largest fine for Insufficient Security and Organisational Measures

By Cameron Abbott and Max Evans

Further to the Facebook and Tesco scandals, and the apparent statistic increase of enforcement fines issued, the Polish Data Protection Authority has issued a landmark fine of €645,000 against online retail company morele.net for insufficient security and organisational measures violating data confidentiality and integrity principles prescribed in the EU’s General Data Protection Regulation.

Read More

Update on the Criminalisation of Non-Consensual Distribution of Intimate Images in WA: Another Conviction in Australia

By Olivia O’Brien, Philip Murray and Kathleen Weston

Just a few months ago, we published an article on the criminalisation of the non-consensual distribution of intimate images in Western Australia. Only this week, there has been a second successful conviction under the Criminal Law Amendment (Intimate Images) Act 2018 (WA) (WA Act) in the Rockingham Magistrate’s Court.

Read More

The OAIC engages in more in-depth investigations and stronger exercise of its power

By Cameron Abbott, Rob Pulham and Jacqueline Patishman

Following two key data incidents concerning how the Commonwealth Bank of Australia (CBA) handled data, the OAIC has successfully taken court action binding the banking heavyweight to “substantially improve its privacy practices”.

As a quick summary of the incidents, the first incident involved the loss of magnetic storage tapes (which are used to print account statements). These contained historical customer data including customer statements of up to 20 million bank customers. In 2016, the CBA was unable to confirm that the two magnetic tapes were securely disposed of after the scheduled destruction by a supplier.

Read More

PwC’s Enforcement Tracker finds a large increase in fines for privacy breaches in the UK

By Cameron Abbott and Rebecca Gill

PwC’s UK Privacy & Security Enforcement Tracker has found that fines in the UK over data protection law violations totalled £6.5 million in 2018, a £2 million increase from 2017.

The Tracker analysed data protection enforcement actions by the UK Information Commissioner’s Office (ICO), including monetary fines, prosecutions and undertakings. The Tracker shows that the total sum of fines increased from 2017, but the number of ICO enforcements fell to 67 in 2018 from 91 in 2017.

Read More

Ratings agency starting to factor in Cyber risk profile

By Cameron Abbott and Wendy Mansell

A recent report released by Moody’s Investors Services has shed some light on which business sectors are most at risk for cyberattacks.

After assessing 35 broad sectors it was concluded that banks, hospitals, security firms and market infrastructure providers face the highest risk. This was based on levels of vulnerability and the potential impact an attack would have.

The key determinative factor for these sectors is that they all rely strongly on technology and the vital role of confidential information in their operations.

The financial repercussions following a cyberattack in each of these sectors is extremely significant when considering the costs of insurance, penalties, consumer impact, potential litigation costs, R&D and technological impact to name a few.

The financial market is so high risk because of the financial and commercial data it holds and ever increasing fact that its services are being offered digitally, across multiple platforms i.e banking mobile/smart watch apps.

On a similar note because medical records are primarily collected and held in electronic form hospitals are very attractive to hackers given the sensitive nature of the data.

While the industries should not be a shock to the reader, it is important for participants in those industries and for suppliers to those participants to realise the risk profile that attaches to them and have procedures in place reflective of those risk levels.  How one manages these risks in now likely to have indirect cost implications when you see ratings agencies like Moody’s assessing these sorts of areas. 

Bypassing the Castle Walls: Tactical Exploitation of America’s Vulnerable Grid

By Cameron Abbott, Max Evans and Wendy Mansell

A recent Wall Street Journal Report has detailed how America’s utility grid was hacked. The Department of Homeland Security has named Russia as responsible for the overwhelmingly complex and threatening campaign.

The scheme targeted energy companies affiliated with the government and was carried out in a sophisticated manner by initially focusing on small firms within the utility supply chain.

Early techniques involved planting malware on the websites of online publications likely to be read by employees of companies within the energy sector. The hackers would lace the online publications with malicious content allowing them to steal usernames, passwords and infiltrate company systems.

A number of small firms fell victim to these tactics giving the hackers broad access to company networks. Fake emails were subsequently sent out on behalf of the affected firms containing forged and malicious Dropbox links which captured usernames, passwords and other credentials. Further they used fake personas to send emails and pretended to be job seekers, by sending resumes containing tainted attachments to energy companies.

The hackers continued this technique of sending malware emails on behalf of firms until they reached the top of the supply chain. It was reported that on at least 8 occasions the hackers infiltrated companies who had access to the industrial control systems that run the grid.

An alarming aspect was the number of affected companies that remained oblivious of the penetration. The report is a useful description of the variety of methods used to tempt employees to expose their credentials. All too easy to do. These same techniques are regularly used by more pedestrian hackers. Two factor authentication and regular password resets remain measures to limit these threats but so many organisations do not use them.

We repeatedly counsel that employees are the last line of defence for your organisation. Circulating the Report may make an interesting read to remind them of the variety of ways they can be seduced to click an incorrect link.

Open Government? – political misstep leads to privacy breach

By Cameron Abbott and Keely O’Dowd

Navigating the political terrain and party politics can be a treacherous journey for any politician.

Recently, we have been captivated by a political misstep that involved the tabling of approximately 80,000 confidential and unredacted Cabinet documents of a former Government in the Victoria Parliament. In usual circumstances, these documents would have remained confidential for 30 years, unless the former Government consented to the release of the documents.  However, in an attempt to seek an advantage in the political arena, the Victorian Government of the day decided to release these documents in Parliament and online.

Read More

US Court signals that proving data breach class actions will be difficult

By Andrew C. Glass, David D. Christensen, Cameron Abbott and Matthew N. Lowe

In the US, several attempts at class actions for those affected by a data breach have failed challenges in early procedural stages.  In Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. Apr. 11, 2018), the Seventh Circuit allowed a data breach class action to survive the pleadings stage.  At the same time, the Court indicated that the plaintiffs may have a tough time proving their claims on the merits or establishing that class certification is warranted.  At the end of the day, the Dieffenbach decision may prove to be less of a boon and more of a bust for plaintiffs in data breach class actions.  Although it may provide a means to get into court, the decision makes clear that obtaining a favorable outcome may be a “difficult task.”  For a full summary of the Dieffenbach decision please see our client alert here.

Facebook’s Potential $70 billion Legal Challenge

By Rob Pulham, Warwick Andersen and Georgia Mills

In another blow to embattled Facebook, British and US lawyers have launched a class action lawsuit against the social media giant, along with Cambridge Analytica and two other companies for allegedly misusing the data of over 87 million people.

Read More

Abbott Labs makes a costly mistake as FDA targets cybersecurity deficiencies

By Cameron Abbott and Giles Whittaker

The Food and Drug Administration (FDA), after a previous warning in 2014, threatens legal action against Abbott Labs if the company fails to address safety and security issues in implanted cardiac devices sold by St Jude Medical – a recent subsidiary acquired by Abbott Labs. The internet of things takes a much more serious tenure when it’s a medical device compared to your fridge!

The company recently purchased St. Jude Medical, which makes implanted cardiac devices that have been the subject of cybersecurity concerns. A warning letter issued by the FDA gives Abbott Labs 15 days to submit a plan to address errors in the products’ design that could allow hackers to tamper with the settings and drain the batteries of the devices. Many of the cybersecurity concerns first came to light after medical device security research firm MedSec submitted a report outlining a variety of alleged security flaws in St. Jude products to investment firm Muddy Waters Research (MWR). MWR subsequently publically announced the product design failures while short-selling St. Jude Medical’s stock in order to capitalise on the expected market response.

As the public increases its awareness of cybersecurity issues it becomes apparent that a failure to adequately consider these issues – as a day to day function of operating a business or prior to the acquisition of a new business – can result in significant damage to a company’s bottom line. The recent short-selling by MWR indicates the necessity for cybersecurity considerations to form central in a company’s business model, otherwise risk having its inadequacies called out in a public forum. And we are not even thinking about what litigation liability risk these sorts of issues might raise.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.