CyberWatch: Australia

Insight on how cyber risk is being mitigated and managed in Australia and across the globe.

 

1
Big banks want a slice of the Apple Pay pie
2
What Pokémon ‘needed’ to know about you
3
Brexit and Data Protection
4
ATMs Remain Vulnerable Worldwide
5
Microsoft welcomes big win against government information requests
6
EU-US Privacy Shield certifications to open in August
7
EU-US Privacy Shield approved
8
Agreed changes to EU-US Privacy Shield strengthens data transfer pact
9
Report finds average cost of data breach reaches $4 million
10
European Data Protection Supervisor less than impressed with EU-US Privacy Shield

Big banks want a slice of the Apple Pay pie

By Cameron Abbott and Rebecca Murray

It is not often that any one of Australia’s ‘Big Four’ banks find that they are too small to influence the shaping of new payment technology in Australia. However, three of Australia’s largest financial institutions have chosen to join forces in applying to the ACCC seeking authorisation to enter into joint negotiations with Apple Inc to install their own electronic payment applications on iPhones. The application to the ACCC can be seen here.

As yet, Apple, which operates its own lucrative Apple Pay electronic payment application, does not allow third-party electronic payment apps to be loaded onto iPhones. The applicants, National Australia Bank, the Commonwealth Bank of Australia, Westpac Banking Corp and the smaller Adelaide Bank and Bendigo Bank contend that restricting the technology through which iPhone mobile wallets function, known as Near Field Technology, equates to anti-competitive behaviour.

In a joint statement, the banks state that they ‘want to ensure that Australian consumers can make payments easily through their choice of mobile wallet providers, have access to the latest developments in contactless payment technology, and can benefit from common security standards across the mobile payment system.’ The joint statement can be seen here.

ANZ is conspicuously absent from the joint application having ‘blinked first’ by agreeing to give Apple a nice cut of the action in Australia by using Apple Pay.

What Pokémon ‘needed’ to know about you

By Cameron Abbott and Rebecca Murray

The hugely popular Pokémon GO app is at the centre of privacy and security concerns after recent media reports noted that its installation required access to a significant amount of users’ personal information. This prompted Australian Privacy Commissioner, Timothy Pilgrim to make enquiries with the developer of the app, Niantic Labs, to “ensure the personal information of users is being managed in accordance with the Australian Privacy Act.” Read the OAIC statement here.

Available on iOS and Android platforms, the smash-hit game uses augmented reality technology and your smart-phone GPS and camera to display fictional Pokémon which users then aim to find and capture.

Privacy concerns arose after users noted that installing the iOS version of the app required full access to users’ Google accounts. In response, Niantic Labs reported that the access was requested erroneously and that Google would reduce Pokémon GO’s permission to only the basic profile data that it needs. Niantic and Google have since corrected the permissions. Read Niantic’s statement here.

Commissioner Timothy Pilgrim warned that the security scare was a “timely reminder that people need to read the privacy policies of all smartphone apps before signing up. This way people can make an informed decision about if they want to use an app.” However, we will wager that 99% of people just click “accept”.

Brexit and Data Protection

Linked article by Andrew W. Gilchrist, Arthur Artinian, Andrew R. Danson, Philip J. Morgan, Daniel L. Clyne

As part of K&L Gates continued coverage of the issues raised by Britain’s exit of the EU (see our dedicated Brexit Hub here), our European colleagues have made an assessment of the post-Brexit landscape with respect to UK’s data protection laws.

Although there will be no immediate impact (given it is expected that it will take at least 2 years before any Brexit is finalised), companies should begin to consider what legal framework may apply in the post-Brexit world. For more information, please see here.

ATMs Remain Vulnerable Worldwide

By Susan Altman

Bank ATMs worldwide remain vulnerable to security hacks according to Bank Info Security®.  A recent large theft of cash from dozens of ATMs in Taiwan using malicious software highlights the continuing problem.  Investigators suspect two Russian nationals were behind the hack.  Three types of malware were reported to have been used, which may have enabled the bad guys to command the machines to dispense large amounts of cash simply by sending a text message.

ATMs are considered vulnerable because of their aging software.  According to Kaspersky Lab, about 90% of the world’s ATM machines still run Window XP, the software operating system Microsoft generally stopped supporting in April 2014.  Most ATM manufacturers continued to use Windows XP, layering on other security software while trying lock down the operating system to protect account data.  In addition to using old software, some ATMs are physically accessed by a single key that opens up an entire fleet of the physical boxes holding the machine’s computer—a triumph of human convenience over security.  Finally, ATMs need a network connection in order to communicate with banks, so like all IoT devices and machines, they are vulnerable to remote hacks.

Microsoft welcomes big win against government information requests

By Cameron Abbott and Simon Ly

Last week, the US Court of Appeals for the Second Circuit reversed a previous lower court decision and found in favour of Microsoft in a long running dispute over a government information request.

In 2014, the US government successfully received a warrant for email records sought in connection with a drug case. Microsoft refused to comply with the orders and was subsequently found to be in contempt of court. However, the Court of Appeal has now ruled that the US government could not force Microsoft to hand over customer emails stored in an offshore server in Ireland because, amongst other things, the Stored Communications Act did not intend to legislate to allow for such warrant provisions. This decision comes hot off the heels of the EU-approved Privacy Shield, and it will be interesting to see how a similar decision will be dealt with moving forward in light of this regime.

This represents a big win for Microsoft and the tech sector more broadly as service providers now have a basis for maintaining the position of protecting its users’ privacy. This decision also highlights that legal regimes are territorial notwithstanding the global nature of new technology offerings.

To read Microsoft’s news release following the decision, please see here.

EU-US Privacy Shield certifications to open in August

By Cameron Abbott, Simon Ly and Rowena Baer

As a follow up to our latest blog post, the European Union and European Commission yesterday announced that the Privacy Shield arrangement has been adopted.

Companies wanting to utilise the Privacy Shield for their Trans-Atlantic data transfers are able to apply for certification with the U.S. Department of Commerce from 1 August 2016, with the US and EU to brief companies on the application process later this week.

For a legal perspective and analysis of the Privacy Shield, please see our colleagues’ report here.

To keep up to date and for an overview of the changes, please see here.

EU-US Privacy Shield approved

By Cameron Abbott, Rob Pulham, Simon Ly and Rowena Baer

When the Safe Harbour arrangements were struck down the EU and US worked to create a replacement and flesh out the details of this new arrangement (see our last article on this issue here). We have all been somewhat nervously watching to see if the new ‘Privacy Shield’ would get final approval amid some criticism from some quarters. Good news, last Friday the EU member states on the Article 31 Committee voted to approve a revised Privacy Shield.

The new arrangement provides a welcome measure of certainty for businesses whose Trans-Atlantic data transfers have been left in legal limbo since the European Court of Justice declared the longstanding Safe Harbor Framework invalid in October 2015.

The European Commission has released a statement expressing their confidence in the adoption of the new Privacy Shield, noting that the new pact is “fundamentally different” from its predecessor. The new Privacy Shield imposes “clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice”.

International tech industry groups have also praised the move as a win for both consumers and businesses as the pact provides robust consumer privacy protections. Voicing their support of the Privacy Shield, Microsoft released a detailed blog post on how the Privacy Shield is progress for privacy rights, declaring that the regime is an “important achievement for the privacy rights of citizens across Europe, and for companies across all industries that rely on international data flows to run their businesses and serve their customers”.

Whilst we are still at the early stages, companies should begin assessing the Privacy Shield’s impact on their existing agreements and also more broadly their data strategy, keeping in mind that the regime relates only to EU-US data transfers. In particular, consideration should be given to the transitional arrangements in the Privacy Shield. Companies should also be aware of the potential challenges to this regime (and related issues post-Brexit) as there is concern about the shelf life of the Privacy Shield.

For more information, please see the EU’s page here and the US’s page here.

Agreed changes to EU-US Privacy Shield strengthens data transfer pact

By Cameron Abbott and Giles Whittaker

The US and the European Union reportedly reached an agreement on the language of a key data transfer pact, including clearer limits on U.S. surveillance and stricter rules for companies holding information of Europeans. The updated EU-US Privacy Shield was sent to EU member states, who are expected to vote on the proposal in July. The revised data transfer pact is said to include stricter cross-border data-handling rules for companies using Europeans’ information for targeted online advertising, and also has detailed the specific condition under which U.S. government intelligence services would collect data in bulk and the safeguards on how the data is used.

Meanwhile, U.S. Chamber of Commerce Executive Vice President and Head of International Affairs Myron Brilliant urged the EU’s member states to quickly sign off on the updated version, saying that the new framework for trans-Atlantic data transfer is critical for companies on both sides of the pond.

Further information regarding the report by Reuters can be read here.

Report finds average cost of data breach reaches $4 million

By Cameron Abbott and Giles Whittaker

A report sponsored by IBM and conducted by the Ponemon Institute found that the average cost of a data breach has grown to $4 million, up 29% from 2013. The survey also found cybersecurity incidents continued to witness growth in both volume and sophistication, with 64% more security incidents reported in 2015 than the preceding year. According to the study, the companies lose $158 per compromised record. Also not surprisingly, breaches in highly regulated industries were even more costly. For instance, healthcare breaches reached $355 per record – a full $100 more than in 2013.

Read the full report conducted by the Ponemon Institute here.

European Data Protection Supervisor less than impressed with EU-US Privacy Shield

By Cameron Abbott, Rob Pulham and Giles Whittaker

The EU-US Privacy Shield data-sharing agreement has come under scrutiny from the European Data Protection Supervisor Giovanni Buttarelli. Mr Buttarelli has expressed concerns that the Privacy Shield, which will outline how data (including personal information) should be handled in foreign jurisdictions, is “not robust enough to withstand future legal scrutiny”.

While Mr Buttarelli said he “appreciates” the efforts made to develop a solution to replace Safe Harbour, he emphasised that “significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect…the key data protection principles” which are afforded in Europe with particular regard to “necessity, proportionality and redress mechanisms”.

Giovanni Buttarelli’s statement regarding the Privacy Shield can be found here.

Copyright © 2018, K&L Gates LLP. All Rights Reserved.