CyberWatch: Australia

Insight on how cyber risk is being mitigated and managed in Australia and across the globe.

 

1
Privacy Standardization in the United States: We Need Consensus
2
Open Government? – political misstep leads to privacy breach
3
IoT devices, they’re smart, stylish but not secure! Now they can melt down the power grid.
4
I Spy With My Little Phone – New Laws giving access to your phone data
5
FAKE APPS FIND A WAY TO GOOGLE PLAY!
6
242 data breaches reported in second quarter of notifiable data breach regime
7
My Health Records – To opt-in, or to opt-out? That is the question
8
GDPR – What to expect in France
9
Eureka! California Just Adopted a Strong Consumer Privacy Law
10
Facebook fined £500,000 over Cambridge Analytica scandal

Privacy Standardization in the United States: We Need Consensus

By Susan P. Altman

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced this month that it has launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk relating to protecting privacy in complex networking environments. The goal of the project is to develop a privacy framework that can deliver practical tools for developers of innovative technologies (such as IoT and AI) that will ultimately yield stronger privacy protections for individuals. NIST, which promotes innovation and industrial competitiveness, has had great success with broad adoption of its Cybersecurity Framework Version 1.1 released earlier this year, according to Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. It is now sponsoring outreach efforts throughout the U.S. to gather the best ideas for a useful and effective privacy framework.
NIST correctly notes that cybersecurity is central to managing privacy risk, but not sufficient in itself. Privacy professionals both inside and outside the U.S. are responding to (and perhaps leading) consumer privacy expectations with positions that NIST politely understates as reflecting “multiplying visions.” A framework of balanced standards for building privacy protections into technology design will benefit society broadly.
NIST, which focuses on standards for technology developers, is only one of several U.S. agencies addressing privacy concerns. For example, the U.S. Department of Commerce’s National Telecommunications and Information Administration is currently engaged in gathering input in order to formulate core, high-level principles on data privacy with a stated goal of avoiding contributing to a fractured and stifling regulatory landscape. And of course, the Federal Trade Commission, the big dog in consumer protection enforcement, continues its efforts to protect consumer privacy while critically analyzing the economic impact of such protection on competition and innovation.

Open Government? – political misstep leads to privacy breach

By Cameron Abbott and Keely O’Dowd

Navigating the political terrain and party politics can be a treacherous journey for any politician.

Recently, we have been captivated by a political misstep that involved the tabling of approximately 80,000 confidential and unredacted Cabinet documents of a former Government in the Victoria Parliament. In usual circumstances, these documents would have remained confidential for 30 years, unless the former Government consented to the release of the documents.  However, in an attempt to seek an advantage in the political arena, the Victorian Government of the day decided to release these documents in Parliament and online.

Read More

IoT devices, they’re smart, stylish but not secure! Now they can melt down the power grid.

By Cameron Abbott and Jessica McIntosh

Internet-of–things (IoT) devices are considered part and parcel of modern day living, however it can no longer be overlooked, this so called ‘smart technology’ continues to spark serious security concerns. Until recently concerns centred on individual security and privacy, now Princeton University has widen the scope and found (if compromised) IoT devices have the potential to disrupt the power grid. It’s worth repeating, researchers at Princeton University last week presented at the 27th USENIX Security Symposium in Baltimore (US) and stated high – wattage IoT devices, dubbed BlackIoT, pose a significant risk to power grids. As a result, local power outages and large-scale blackouts could be a likely consequence of compromised IoT devices.

This new type of attack, labelled the ‘manipulation of demand via IoT’ (MadIoT) involves attackers leveraging a botnet, powered by Wi-Fi enabled high- wattage devices such as air conditioners and heaters to manipulate the power demand in the grid. This allows an attacker to hijack the devices in totality and simultaneously switch them on or off.

The scenario played out was ‘if the sudden increase in demand is greater than the threshold, it can cause the system’s frequency to drop considerably before primary controllers can react’. This instability can result in the activation of the generators’ protective relays, loss of generators and finally a blackout. Whilst it is estimated an attacker would need a botnet of approximately 90,000 air conditioners and 18,000 heaters within a specified geographical area, experts say this is by no means an impossible task.

The newly discovered vulnerability reinforces how important it is that consumers and companies alike perform their own due diligence with respect to integrating IoT devices, time and time again we are seeing these devices being stylish and trendy but not well secure. Therefore, assumptions can no longer be made regarding the adequacy of in built security – instead manufactures must recognise the importance of secure coding practices so this new type of abuse can be easily detected and dealt with. Government sponsored attacks would find these forms of vulnerability very attractive.

I Spy With My Little Phone – New Laws giving access to your phone data

By Cameron Abbott and Colette Légeret

Yesterday, the Australian Government unveiled the draft Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 which aims to compel telecommunication and multi-national tech companies (Providers) to give law enforcement and security agencies (Agencies) access to personal encrypted data of suspected criminals, including terrorists, child sex offenders and criminal organisations.

Read More

FAKE APPS FIND A WAY TO GOOGLE PLAY!

By Cameron Abbott and Jessica McIntosh

Over the last two months a string of fake banking apps have hit the Google Play store, leaving many customers wondering whether they have been affected by the scam. A report by security firm ESET found users of three Indian banks were targeted by the apps which all claimed to increase credit card limits, only to convince customers to divulge their personal data, including credit card and internet banking details. The impact of this scam was heightened as the data stolen from unsuspecting customers was then leaked online by way of an exposed server.

The report claims these apps all utilise the same process:

  1. Once the app is downloaded and launched a form appears which asks the user to fill in credit card details (including credit card number, expiry date, CVV and login credentials)
  2. Once the form is completed and submitted a pop up customer service box is displayed
  3. The pop up box thanks users for their interest in the bank and indicates a ‘Customer Service Executive’ will be in contact shortly
  4. In the meantime, no representative makes contact with the customer and the data entered into the form is sent back to the attacker’s server – IN PLAIN TEXT.

The ESET report alarming revealed that the listing of stolen data on the attacker’s server is accessible to anyone with the link to the data, this means sensitive stolen personal data was available to absolutely anyone who happens to comes across it.

Whilst, the reality is any app on your personal smartphone may place your phone and personal data at risk, (as discussed here ‘Research Reports say risks to smartphone security aren’t phoney‘)

Customers can mitigate risk by:

  • only using their financial institutions official banking apps, these are downloadable from the relevant institution’s official website;
  • paying attention to the ratings, customer reviews when downloading from Google Play;
  • implementing security controls on your smartphone device from a reputable mobile security provider; and
  • contracting their financial institution directly to seek further guidance on the particular banking apps in use.

 

It cannot be overlook, whilst Google Play moved quickly to remove the apps we query how it was so easy for cyber criminals to launch fake apps on Google Play in the first place.

242 data breaches reported in second quarter of notifiable data breach regime

By Warwick Andersen, Rob Pulham and Colette Légeret

The Office of the Australian Information Commissioner (OAIC) has released its second quarterly report of notifiable data breaches. This report is of particular significance as it, unlike the first “quarterly” report, covers a full quarter and therefore depicts a more accurate account of data breaches over a calendar quarter.

Read More

My Health Records – To opt-in, or to opt-out? That is the question

By Cameron Abbott and Keely O’Dowd

This year all Australians will have a My Health Record created. A My Health Record will operate as a digital medical file that allows healthcare providers to upload health information about a patient. This information may include prescriptions, medical conditions and test results. A patient’s digital medical file will be stored in a national electronic database operated by Australian Digital Health Agency (ADHA).

Read More

GDPR – What to expect in France

By Claude-Etienne Armingaud, CIPP/E

On July 2, 2018, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its yearly thematic guidance for the priority axes of its control activities, notably further to the entry into force of the recent General Data Protection Regulation (“GDPR”).

As for the previous periods, the CNIL is expecting to launch 300 dawn-raids, either on premises or online, in order to control compliance of companies subject to French and European data protection regulations, notably on newly introduced aspects relating to the implementation of GDPR (right to portability, data protection impact assessments…).

One of the new aspects of GDPR also includes the joint control operations by several EU supervisory authorities.

The themes which will guide the CNIL’s actions over the following months will include:

  • Recruitment operations

While the development of big data solutions and AI-assisted recruitment, through the use of algorithm offer the vast possibility to assess the applicants and predicts their adequacy for the position on the basis of pre-defined criteria, such technologies are also likely to impact a broad number of data subjects and subject them to arbitrary or opaque decision making outcomes. The CNIL will therefore target the transparency and the selection requirements, as well as retention periods for the surrounding meta data.

  • Real estate documentation

Fair home access is a key concern of our times. French Decree no.2015-1437 dated 5 November 2015 aims at protecting tenants with regard to information which may be requested. However, almost three years after this decree, it seems that asking additional documentation remains common practice, including sensitive data such as medical files. The lack of proportionality between the documents requested and the purposes of the processing may affect the compliance of realtors, who will be a priority control target.

  • Connected e-ticketing services

The MAPTAM Act allowed for local territorial administration to outsource the parking ticket process and the automation thereof. However, several complaints emerged since the beginning of the year from data subjects who perceived a decrease in their protection under the data protection framework. As such, the CNIL will also target the conditions under which the outsourcing operations have been performed and the conditions for use, retention and safeguarding of the data subjects’ information.

While the guidance addresses the control aspects of its activities, the CNIL also mentioned that the follow up to such controls, notably in terms of sanctions against the controlled companies, would be assessed at a later stage and will take into consideration good faith efforts initiated by targeted companies. The French Privacy team of K&L Gates remains available to assist you in your implementation and evaluation of your GDPR compliance strategy.

As a consequence, it remains a priority to validate a sound action plan to reach compliance with GDPR undertakings by the end of this year for all impacted companies.

 

Source in French: CNIL website

Eureka! California Just Adopted a Strong Consumer Privacy Law

By Susan P Altman

While the rest of us were still recovering from the May 25 effective date of the EU’s General Data Protection Regulation (GDPR), California, the most populous and largest economy of any of the United States, confidently adopted a broad consumer privacy law. The California Consumer Privacy Act of 2018 (CCPA) was enacted June 28 and becomes operative on January 1, 2020. Unlike existing industry-specific U.S. privacy laws, the CCPA has a broad overall scope, more like the GDPR. It ensures California residents the right to know what information about them is being collected and sold or disclosed, to reject the sale of their personal information, to access the information, and to receive equal service and price, even if they exercise their privacy rights.

Unlike the GDPR, the CCPA does not extend to extra-territorial coverage. The CCPA applies only to for-profit businesses doing business in California and sets certain thresholds for business activity and size, thereby protecting most of the Silicon Valley start-up community from the cost of compliance. The CCPA protects the rights of “consumers,” who are natural persons residing in California, and generally does not apply to California residents while they are outside of California.

A business that is required to comply with CCPA will need to update its website, and include a conspicuous link on the homepage to a page titled, “Do Not Sell My Personal Information.” In addition, the website must describe the consumer’s privacy rights and annually update its privacy policy to reflect current practices. Consumers will be able to opt-out of collection practices; although children (or their parents) must opt-in. Consumers must be able to contact businesses regarding their collected information. Amendments and corrections to the CCPA are expected.

Facebook fined £500,000 over Cambridge Analytica scandal

By Cameron Abbott and Sarah Goegan

The UK Information Commissioner’s Office (ICO) has issued a notice of intent to levy a £500,000 fine against Facebook for breaches of the UK’s Data Protection Act 1998. The ICO found that Facebook failed to protect its users’ data and be transparent about how that data was being harvested. This failure, ICO said, did not enable users to understand how and why they may be targeted by a political party or campaign.

The fine comes as part of a larger investigation by ICO into misuse of data in political campaigns, and responds to the highly publicised allegations that Cambridge Analytica used data obtained from Facebook to target voters in the 2016 US presidential election.

Read More

Copyright © 2018, K&L Gates LLP. All Rights Reserved.