Category: Privacy, Data Protection & Information Management

1
IoT devices, they’re smart, stylish but not secure! Now they can melt down the power grid.
2
I Spy With My Little Phone – New Laws giving access to your phone data
3
242 data breaches reported in second quarter of notifiable data breach regime
4
My Health Records – To opt-in, or to opt-out? That is the question
5
GDPR – What to expect in France
6
Facebook fined £500,000 over Cambridge Analytica scandal
7
OAIC’s controversial decision broadens scope for the disclosure of personal information
8
Ambulance chasing through data sharing? Health app accused of sharing personal health information with law firm
9
Research reports say risks to smartphone security aren’t phoney
10
Report savages US Government agencies’ cybersecurity efforts

IoT devices, they’re smart, stylish but not secure! Now they can melt down the power grid.

By Cameron Abbott and Jessica McIntosh

Internet-of–things (IoT) devices are considered part and parcel of modern day living, however it can no longer be overlooked, this so called ‘smart technology’ continues to spark serious security concerns. Until recently concerns centred on individual security and privacy, now Princeton University has widen the scope and found (if compromised) IoT devices have the potential to disrupt the power grid. It’s worth repeating, researchers at Princeton University last week presented at the 27th USENIX Security Symposium in Baltimore (US) and stated high – wattage IoT devices, dubbed BlackIoT, pose a significant risk to power grids. As a result, local power outages and large-scale blackouts could be a likely consequence of compromised IoT devices.

This new type of attack, labelled the ‘manipulation of demand via IoT’ (MadIoT) involves attackers leveraging a botnet, powered by Wi-Fi enabled high- wattage devices such as air conditioners and heaters to manipulate the power demand in the grid. This allows an attacker to hijack the devices in totality and simultaneously switch them on or off.

The scenario played out was ‘if the sudden increase in demand is greater than the threshold, it can cause the system’s frequency to drop considerably before primary controllers can react’. This instability can result in the activation of the generators’ protective relays, loss of generators and finally a blackout. Whilst it is estimated an attacker would need a botnet of approximately 90,000 air conditioners and 18,000 heaters within a specified geographical area, experts say this is by no means an impossible task.

The newly discovered vulnerability reinforces how important it is that consumers and companies alike perform their own due diligence with respect to integrating IoT devices, time and time again we are seeing these devices being stylish and trendy but not well secure. Therefore, assumptions can no longer be made regarding the adequacy of in built security – instead manufactures must recognise the importance of secure coding practices so this new type of abuse can be easily detected and dealt with. Government sponsored attacks would find these forms of vulnerability very attractive.

I Spy With My Little Phone – New Laws giving access to your phone data

By Cameron Abbott and Colette Légeret

Yesterday, the Australian Government unveiled the draft Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 which aims to compel telecommunication and multi-national tech companies (Providers) to give law enforcement and security agencies (Agencies) access to personal encrypted data of suspected criminals, including terrorists, child sex offenders and criminal organisations.

Read More

242 data breaches reported in second quarter of notifiable data breach regime

By Warwick Andersen, Rob Pulham and Colette Légeret

The Office of the Australian Information Commissioner (OAIC) has released its second quarterly report of notifiable data breaches. This report is of particular significance as it, unlike the first “quarterly” report, covers a full quarter and therefore depicts a more accurate account of data breaches over a calendar quarter.

Read More

My Health Records – To opt-in, or to opt-out? That is the question

By Cameron Abbott and Keely O’Dowd

This year all Australians will have a My Health Record created. A My Health Record will operate as a digital medical file that allows healthcare providers to upload health information about a patient. This information may include prescriptions, medical conditions and test results. A patient’s digital medical file will be stored in a national electronic database operated by Australian Digital Health Agency (ADHA).

Read More

GDPR – What to expect in France

By Claude-Etienne Armingaud, CIPP/E

On July 2, 2018, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its yearly thematic guidance for the priority axes of its control activities, notably further to the entry into force of the recent General Data Protection Regulation (“GDPR”).

As for the previous periods, the CNIL is expecting to launch 300 dawn-raids, either on premises or online, in order to control compliance of companies subject to French and European data protection regulations, notably on newly introduced aspects relating to the implementation of GDPR (right to portability, data protection impact assessments…).

One of the new aspects of GDPR also includes the joint control operations by several EU supervisory authorities.

The themes which will guide the CNIL’s actions over the following months will include:

  • Recruitment operations

While the development of big data solutions and AI-assisted recruitment, through the use of algorithm offer the vast possibility to assess the applicants and predicts their adequacy for the position on the basis of pre-defined criteria, such technologies are also likely to impact a broad number of data subjects and subject them to arbitrary or opaque decision making outcomes. The CNIL will therefore target the transparency and the selection requirements, as well as retention periods for the surrounding meta data.

  • Real estate documentation

Fair home access is a key concern of our times. French Decree no.2015-1437 dated 5 November 2015 aims at protecting tenants with regard to information which may be requested. However, almost three years after this decree, it seems that asking additional documentation remains common practice, including sensitive data such as medical files. The lack of proportionality between the documents requested and the purposes of the processing may affect the compliance of realtors, who will be a priority control target.

  • Connected e-ticketing services

The MAPTAM Act allowed for local territorial administration to outsource the parking ticket process and the automation thereof. However, several complaints emerged since the beginning of the year from data subjects who perceived a decrease in their protection under the data protection framework. As such, the CNIL will also target the conditions under which the outsourcing operations have been performed and the conditions for use, retention and safeguarding of the data subjects’ information.

While the guidance addresses the control aspects of its activities, the CNIL also mentioned that the follow up to such controls, notably in terms of sanctions against the controlled companies, would be assessed at a later stage and will take into consideration good faith efforts initiated by targeted companies. The French Privacy team of K&L Gates remains available to assist you in your implementation and evaluation of your GDPR compliance strategy.

As a consequence, it remains a priority to validate a sound action plan to reach compliance with GDPR undertakings by the end of this year for all impacted companies.

 

Source in French: CNIL website

Facebook fined £500,000 over Cambridge Analytica scandal

By Cameron Abbott and Sarah Goegan

The UK Information Commissioner’s Office (ICO) has issued a notice of intent to levy a £500,000 fine against Facebook for breaches of the UK’s Data Protection Act 1998. The ICO found that Facebook failed to protect its users’ data and be transparent about how that data was being harvested. This failure, ICO said, did not enable users to understand how and why they may be targeted by a political party or campaign.

The fine comes as part of a larger investigation by ICO into misuse of data in political campaigns, and responds to the highly publicised allegations that Cambridge Analytica used data obtained from Facebook to target voters in the 2016 US presidential election.

Read More

OAIC’s controversial decision broadens scope for the disclosure of personal information

By Warwick Andersen, Rob Pulham and Georgia Mills

In 2017 Andie Fox, a recipient of Centrelink benefits, wrote a highly critical opinion piece on Centrelink’s debt recovery system, alleging that she was being pursued for a non-existent debt.  In response Centrelink provided Ms Fox’s personal information, previous communications and claims history to a journalist who published an article claiming that Centrelink had been ‘unfairly castigated’ by Fox.  The OAIC commenced an investigation into the release and has controversially confirmed Centrelink’s disclosure as permitted under the Privacy Act.

Read More

Ambulance chasing through data sharing? Health app accused of sharing personal health information with law firm

By Cameron Abbott and Sarah Goegan

The idea of lawyers “ambulance chasing” seems to have taken on a new form. An investigation by the ABC has revealed how technology is being used to share health information with lawyers to generate work.

The ABC has revealed that HealthEngine, Australia’s largest online doctor’s appointment booking service, shared daily lists of prospective clients with law firm Slater and Gordon, based on personal medical information shared by users with the app.

Read More

Research reports say risks to smartphone security aren’t phoney

By Rob Pulham, Warwick Andersen and Sarah Goegan

Beware! Your favourite apps may be putting your phone and data at risk. Reports from Allot and BitSight have examined rising threats to the security of our mobile devices.

Read More

Report savages US Government agencies’ cybersecurity efforts

By Cameron Abbott and Sarah Goegan

You would think government agencies would have a keen focus on cybersecurity risks, but apparently not! A report by the United States Office of Management and Budget (OMB) has found that nearly three-quarters of Federal agencies reviewed have either “at risk” or “high risk” cybersecurity arrangements. 71 of 96 agencies assessed were either missing, had insufficiently deployed or had significant gaps in their fundamental cybersecurity policies, processes or tools.

Read More

Copyright © 2019, K&L Gates LLP. All Rights Reserved.