Tag: data protection

Uniformity of Law: NSW Government opens consultation to consider making Data Breach Reporting mandatory in respect of State Government Agencies
Sorry Sir, Our Data Breach Response Plan is Out of Stock
Who have you been giving your name and number to? A cautionary tale
To encrypt or not encrypt? That is the question
Is Microsoft giving us a window to our personal data?
Australian organisations hit by thousands of significant cyber incidents
Brexit and Data Protection
Yes it can cost you your job…even if you are the boss!

Uniformity of Law: NSW Government opens consultation to consider making Data Breach Reporting mandatory in respect of State Government Agencies

By Cameron Abbott, Warwick Anderson and Max Evans

We have blogged numerous times on the notifiable data breach scheme provided for in Part IIIC of Privacy Act 1988 (Cth) including more recently in relation to its success in assisting the preparedness of the health sector to report and respond to data breaches.

Whilst the NSW Information Privacy Commissioner recommends that public sector agencies notify it and affected individuals where a data breach creates a risk of serious harm, neither NSW privacy laws nor the notifiable data breach scheme require public sector agencies in NSW to provide such notification. There are many reasons for state government agencies to mandatorily report data breaches. Informing citizens when privacy breaches occur provides an opportunity for individual protection against potentially adverse consequences, whilst mandatory data breach reporting would address the current under-reporting of data breaches in NSW, which according to the consultation may be the norm.

Read More

Sorry Sir, Our Data Breach Response Plan is Out of Stock

By Cameron Abbott, Michelle Aggromito and Max Evans

We are living in an era of online shopping, where consumers are more willing to hand over personal information for goods and services, and are less suspicious of whom they are divulging their personal information to. As a result, online businesses are in possession of a vast amount of their customers’ personal information. The recent hack of Sneaker Platform Stock-X reminds us yet again of the importance of businesses maintaining comprehensive and up to date security processes, and in particular, the necessity of having an adequate data breach response plan in place.

Stock-X, a platform for the re-sale of sneakers and apparel, was recently hacked, exposing over six million users’ personal data, including their real name, username, password, shoe size and trading currency. According to a Report by TechCrunch, Stock-X’s initial response was to reset customer passwords, stating that it was due to system updates. A spokesperson for Stock-X later disclosed to TechCruch that Stock-X was alerted to “suspicious activity”. TechCrunch reports; however, an unnamed data breach seller had contacted it claiming more than 6.8 million records were stolen from Stock-X in May, and that the records had been put up for sale and sold on the dark web for $300.

Read More

Who have you been giving your name and number to? A cautionary tale

By Cameron Abbott and Allison Wallace

Have you inadvertently given the owners of global, searchable databases of phone numbers and associated names access to your entire contact list?

We suspect that you cannot confidently answer “no”.

In yet another tale of why you should read the terms of use and service of apps and other online products you download or sign-up to use, we’ve recently been exposed to the shock of having your name appear on a complete stranger’s phone, after they’re given your number (but not your name) to call you. We asked the question of how this could happen – and found the answer to be quite alarming.

The Samsung Smart Call function, which is powered by Hiya, boasts that it allows you to “deal with spam the easy way”, by letting you know who is calling you, even if their number is not saved in your contact list. In theory, this is a handy tool, and in the context of robocalls or other unsolicited marketing calls, doesn’t create any privacy issues. But when the database which powers the function contains the names and numbers of (we suspect) millions of private citizens, this becomes quite concerning.

So, how do private numbers (and the names of their associated users) come to be listed in databases such as Hiya? Well, for one, anyone who downloads the Hiya app is given the option to share their contacts. If they do, and your number is saved to their phone, your details will become part of the database. We have no doubt that many who download and use the Hiya app didn’t realise what they were signing up for (or what they were signing up their entire contact list for) – because they didn’t read the terms of use. This also begs the question – are companies like Hiya properly satisfying their privacy obligations merely by asking users to “opt in” to share their contacts?

Hiya is of course not the only “caller ID” app on the market – a quick search of the Apple App store reveals numerous other options for download – including Truecaller, Caller-ID, Sync.ME and CallHelp. In 2018, Hiya reached 50 million active users worldwide, while Truecaller’s website says it has over 130 million daily active users. Those figures of course would barely scrape the surface of the number of names and phone numbers held in their collective databases.

In case you’re wondering how much damage could really be done by a third party having access to your name and phone number – think about all of the things your number is linked to. Your Facebook, your Gmail, maybe even your bank account and credit cards. Information is power – and this is the kind of information that could easily allow hackers to wreak a reasonable amount of havoc. So before you sign-up to a new app, take the time to read the terms of service, because your use could not only be exposing your personal information, but that of your entire contact list.

To encrypt or not encrypt? That is the question

By Cameron Abbott and Ella Richards

In response to the new controversial anti-encryption laws, Australian tech heavyweights have banded together to kick and scream over the restrictive implications the laws are already having on their industry.

Quick history lesson; the Assistance and Access Bill permit law enforcement to demand companies running applications such as Whatsapp to allow “lawful access to information”. This can be through either decryption of encrypted technology, or providing access to communications which are not yet encrypted. These ‘backdoors’ are intended to provide the good guys with the opportunity to fight serious crime, however there’s serious fear that in reality, these doors could throw out privacy or let in unwanted guests.

While the legislation states that backdoors should only be created if it doesn’t result in any ‘systemic weakness’; this is yet to be defined in a concrete and informative way. Industry points out that once created any such measure has the potential to be exploited by others. There is no such thing as a “once” only back door.

There is little doubt that this will end up in litigation as larger industry players challenge the abstract concepts in the legislation against the reality of their technology.

StartupAUS, an industry group of tech executives, have made several recommendations to amend the legislation. Even though they’re not holding their breath for any significant changes, they’re demanding more transparency around the requirements. Their recommendations include scrapping the requirement for an employee to build capabilities to intercept communications, tightening the scope of ‘designated communication providers’, giving oversight on how companies will be targeted and increasing what constitutes a ‘serious offence’.

Australia’s legislative response to the problem faced by law enforcement is one of the most heavy handed in the democratic world, and now has the world of technology companies with their significant impact on our economy watching the latest debate on reforms with great concern.

Is Microsoft giving us a window to our personal data?

By Cameron Abbott and Allison Wallace

We often blog on this page about personal information being breached, data being hacked, systems being compromised – and tell cautionary tales of the difficulties businesses can experience if they experience a data breach.

So what if there was a good news story? A way to know what information there is out there about you, so that if it is compromised, you can take control? Microsoft may just be working on such a solution.

Multiple websites (see here and here) have now reported on Microsoft’s “Project Bali” – which, although still in a private testing phase is accessible to a lucky few, by invite only.

The Project Bali website reportedly describes the tech giant’s project as “a new personal data bank which puts users in control of all data collected about them” and will allow users to “store all data (raw and inferred) generated by them ..[and] to visualise, manage, control, share and monetise the data”.

It is reported that the project was borne from a Microsoft Research paper in 2014 that delved into the concept of “Inverse Privacy” – allowing consumers to access the data that any given business holds about them, increasing transparency, something consumers value.

In theory, Project Bali seems like a good antidote to the increasing number of privacy incursions we are seeing (such as this and this). However, whether the idea is commercialised and becomes publicly available, only time will tell. We will keep you posted.

Australian organisations hit by thousands of significant cyber incidents

By Cameron Abbott and Rebecca Murray

The Australian Cyber Security Centre’s (ACSC) 2016 Threat Report has revealed that Australian businesses and government have been subject to more than 15,000 significant incidents that they know of. Read the report here. They were the first to admit that given reporting is optional they cannot really determine the full impact.

Due to the current reporting regime, the ACSC has had to rely on data from callouts to CERT Australia (the national first responder to cyber incidents) to assess the extent of the problem in the private sector. CERT Australia responded to 14,804 incidents from the private sector from June 2015 to June 2016. Of those callouts, 418 involved systems of national interest and critical infrastructure. The banking, finance, energy and communications sectors were the most heavily targeted.

While the Government has introduced a bill to mandate serious data breach notification that is set to be passed in the near future (find out more about the bill here), until then, we will continue to go mostly unaware of damaging malicious cyber activity launched against Australian organisations because the private sector largely refuses report these incidents.

Brexit and Data Protection

Linked article by Andrew W. Gilchrist, Arthur Artinian, Andrew R. Danson, Philip J. Morgan, Daniel L. Clyne

As part of K&L Gates continued coverage of the issues raised by Britain’s exit of the EU (see our dedicated Brexit Hub here), our European colleagues have made an assessment of the post-Brexit landscape with respect to UK’s data protection laws.

Although there will be no immediate impact (given it is expected that it will take at least 2 years before any Brexit is finalised), companies should begin to consider what legal framework may apply in the post-Brexit world. For more information, please see here.

Yes it can cost you your job…even if you are the boss!

By Cameron Abbott and Giles Whittaker

The CEO of Austrian aerospace parts maker FACC, has been fired following a cyber fraud that cost the company 42 million euros (AUD $65 million). FACC also fired their CFO in February soon after the cyber fraud.

Executives are being held responsible for business’ cybersecurity measures, and while FACC declined to comment on the details of Walter Stephan’s shortcomings, their supervisory board concluded that Walter Stephan had “severely violate his duties, in particular in relation to the fake president incident”. It is likely that this violation is in reference to a lack of adequate cybersecurity procedures or protections, which would be considered essential for most businesses in this technologically integrated era.

So how was it done? The technique used to deceive FACC into handing over their money is known as a ‘fake president incident’. To put it simply, the hackers sent an email to an employee posing as the CEO, and requested that funds be transferred to a specified account for a fake acquisition project. It would appear the board figured it shouldn’t have been that easy.

More information about this cyber fraud can be found in an article by reuters.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.