Tag: Report

Privacy Awareness Week (Personal Data): technology suspicion – consumer concerns surrounding voice and digital assistants

By Cameron Abbott, Rob Pulham, Michelle Aggromito, Max Evans and Rebecca Gill

Protecting personal data is a fundamental aspect of any privacy regime. As we become more technologically advanced, organisations are finding innovative ways to interact with consumers through more intuitive communication channels, such as voice recognition via digital assistants. But not everyone trusts such technology, as Microsoft’s April 2019 report on voice assistants and conversational artificial intelligence has found.

The report found that 41% of voice assistant users were concerned about trust, privacy and passive listening. Other interesting findings of the report include:

  • A majority of users (52%) had concerns surrounding security for personal information, and around a quarter of the users (24%) had suspicions surrounding the ways in which companies might use the information.
  • Almost half the users (41%) were concerned with their devices actively listening or recording conversations when idle.
  • Around a quarter of the users (14%) did not trust the companies behind the voice assistant, and 36% of users did not want their personal information or data being used.

According to the report, headlines surrounding topics such as misunderstood commands and unrequested purchases have greatly influenced consumer attitudes towards these forms of technology. Clearly users are struggling to reconcile the competing interests. The technology understands you better the more information it collects from you. Where will you draw the line between these interests?

Privacy Awareness Week (Health Information): Health sector and the notifiable data breach scheme – 12 months on

By Cameron Abbott, Rob Pulham, Michelle Aggromito and Rebecca Gill

It’s been a little over a year since the notifiable data breach scheme was introduced in Australia. The Office of the Australian Information Commissioner (OAIC) issued its Notifiable Data Breaches Scheme 12-month Insights Report on 13 May 2019, detailing its insights to come out of the scheme’s operation over the past 12 months. As regular readers would no doubt be aware, the health sector was one of the top industry sectors to report breaches in the first 12 months of the scheme’s operation.

Here’s the health sector at a glance:

  • Of the 964 eligible data breaches notified to the OAIC from 1 April 2018 to 31 March 2019, health information breaches accounted for 249 notifications (just over a quarter of all notifications). This is consistent with international trends which often show the health sector as a leading reporter of data breaches.
  • Human error was the leading cause of data breaches in the health sector, accounting for 55% of the breaches. This figure was relatively higher when compared to the average rate of data breaches in other industries due to human error (35%).
  • Human error in the health industry typically involved sending personal information to the wrong recipients via email and other forms of communication.

Of themselves, these figures seem to paint a grim picture for the health sector, which is the leading reporter of data breaches in Australia. However, there may be a silver lining for health organisations. As the Report identifies, the statistics arguably reflect the health sector’s preparedness to report data breaches. This potentially suggests a greater maturity and understanding of their obligations than other sectors that deal with less sensitive data, and could well be influenced by the more regulated nature of the sector, as well as the fact that the sector routinely deals with sensitive health information which inherently carries a higher risk of causing serious harm if misused.

For more insights into health information and the scheme, check out our blog posts “My Health Records – to opt-in, or to opt-out? That is the question” and “Mandatory data breach reporting in 60 seconds”, or feel free to contact us for any assistance or information.

Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

Today’s topic for Privacy Awareness Week is “online privacy”. It is no surprise that online privacy is a key topic of concern for businesses and consumers alike, given recent high-profile privacy breaches. Of particular significance is the issue of credential stuffing, as Australia is now the fifth highest target for credential stuffing attacks according to Akamai’s Credential Stuffing: Attacks and Economies report of April 2019 (Report).

Credential stuffing is a form of cyberattack where account credentials, usually usernames or email addresses and corresponding passwords, are stolen, typically from a previous security breach. The account credential combinations are then used to try to gain access to accounts at other sites through automated, large-scale login requests directed at web applications. It relies on individuals using the same password across multiple sites. K&L Gates has previously blogged on a high-profile credential stuffing attack that can be found here.

The key findings of the Report include:

  • the largest credential stuffing attacks of 2018 occurred in the video media sector. The market for stolen media and entertainment accounts is thriving as the accounts are sold in bulk;
  • the attacks usually occurred after reported data breaches; and
  • checker programs (or “All-in-One” applications) such as SNIPR are common. These programs allow attackers to validate stolen credentials or to generate combination lists. The credentials can then be sold, traded or harvested for various types of personal information.

Recent credential stuffing attacks demonstrate how your entire digital life can be exposed following a data breach paired with a credential stuffing attack. A successful credential stuffing attack can significantly damage a brand’s reputation and increase its operational costs – even though the attack wasn’t the brand’s fault.

Businesses should consider implementing multi-factor authentication, which can be effective in preventing credential stuffing attacks. Consumers should also be educated about phishing emails and the dangers of using the same password for all logins!

Privacy Awareness Week (Data Breaches): Study finds majority of Australian businesses are ill-equipped to handle cybersecurity incidents

By Cameron Abbott, Rob Pulham and Rebecca Gill

It’s Privacy Awareness Week and today’s topic is “data breaches”. With data breaches and responding to cyber attacks becoming an inevitable part of doing business, it’s a timely reminder about the importance of adequately resourcing your IT security areas, and of having comprehensive and well-tested data breach response plans in place, as illustrated by the Fourth Annual Study on The Cyber Resilient Organization (Study), conducted by the Ponemon Institute on behalf of IBM Resilient.

The Study surveyed 3,655 IT and IT security practitioners in 11 countries and regions, including Australia. The results of the Study indicate that a majority of Australian businesses are vulnerable to cyber-attacks due to a lack of skilled personnel and incident response plans.

Some interesting results of the Study were:

  • only 22% of Australian respondents agreed that they had sufficient staffing to achieve a high level of cyber resilience (globally the figure wasn’t much higher, at 30%);
  • 79% of Australian respondents did not have a cybersecurity incident response plan (CSIRP) that applied consistently across the entire enterprise;
  • more than half of the Australian respondents who had CSIRPs said they did not test them; and
  • of the 11 countries, Australia reportedly experienced the biggest increase (70%) in the volume of cybersecurity incidents in the past 12 months, compared against 61% overall.

The Study also highlights the key characteristics of “high performing” organisations that are cyber resilient, and emphasises the need to have skilled IT personnel and consistent enterprise-wide CSIRPs.

We all see the regular occurrence of breach events – it is not like we are not well warned. With mandatory reporting, the consequences are far more public and painful, but obviously not painful enough for Australian companies to truly tackle the problem head on.

Report finds finance and HR departments the greatest cybersecurity threats to organisations

By Cameron Abbott and Melanie Long

According to recent research conducted on behalf of cybersecurity firm Clearswift, finance and HR departments represent the biggest cybersecurity threat to organisations. The study polled more than 4500 information technology decision makers, security professionals and employees in the US, UK, Germany and Australia and found that 46% of respondents believed that finance departments posed a security threat to their organisation. In addition, 42% of respondents believed the same of an organisation’s HR departments.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.