admin – Page 18 – Cyber Law Watch

The OAIC engages in more in-depth investigations and stronger exercise of its power

Jun 28 2019

By Cameron Abbott, Rob Pulham and Jacqueline Patishman

Following two key data incidents concerning how the Commonwealth Bank of Australia (CBA) handled data, the OAIC has successfully taken court action binding the banking heavyweight to “substantially improve its privacy practices”.

As a quick summary of the incidents, the first incident involved the loss of magnetic storage tapes (which are used to print account statements). These contained historical customer data including customer statements of up to 20 million bank customers. In 2016, the CBA was unable to confirm that the two magnetic tapes were securely disposed of after the scheduled destruction by a supplier.

US Internet of Things bill advanced to vote on House floor

Jun 14 2019

By Cameron Abbott and Rebecca Gill

Just a few months ago, we blogged on the ‘Internet of Things’ (or IoT) legislation making an appearance in the US Senate. But now the legislation may be becoming a reality. On Wednesday, the House Committee on Oversight and Reform advanced the Internet of Things Cybersecurity Improvement Act of 2019 to a vote on the House floor.

The bipartisan legislation aims to reduce the risk to critical government information technology infrastructure from cyberattacks, and directs the National Institute of Standards and Technology to develop recommendations for use and management of internet-connected devices by March 31 2020.

Major privacy and security breaches confirmed this week: Westpac, the ANU and Princess Polly targeted

Jun 07 2019

By Cameron Abbott, Allison Wallace and Rebecca Gill

It’s been a chilly start to winter for three Australian organisations, who’ve this week reported major privacy and security breaches.

Up to 100,000 Australians’ personal information has been exposed in a hack affecting Westpac Bank. Westpac confirmed on Monday that details of Australian bank customers (not just those of Westpac) were exposed in a cyberattack on real time payments platform PayID. The banking giant says it noted a high volume of PayID lookups in 2019 on a semi-daily basis, which was a result of attackers trying to guess phone numbers, which, if guessed correctly, would give them the name of the account holder to which the number is linked. Despite the hack, Westpac says that no customer bank account details were compromised as a result of this cyberattack. Nevertheless, experts warn that the details accessed could still be used to commit fraud.

PwC’s Enforcement Tracker finds a large increase in fines for privacy breaches in the UK

Jun 03 2019

By Cameron Abbott and Rebecca Gill

PwC’s UK Privacy & Security Enforcement Tracker has found that fines in the UK over data protection law violations totalled £6.5 million in 2018, a £2 million increase from 2017.

The Tracker analysed data protection enforcement actions by the UK Information Commissioner’s Office (ICO), including monetary fines, prosecutions and undertakings. The Tracker shows that the total sum of fines increased from 2017, but the number of ICO enforcements fell to 67 in 2018 from 91 in 2017.

Canada proposes to increase penalties for tech giants in its Digital Charter

May 27 2019

By Cameron Abbott and Rebecca Gill

The Canadian federal government has proposed to introduce a combination of fines for companies that violate privacy laws, in order to rein in the growing power of Silicon Valley tech giants.

Canada’s Innovation Minister recently announced a 10-point Digital Charter that aims to provide more transparency into how companies collect and use personal information and stronger rights for consumers to consent to the use of their data. Key principles of the Charter include giving Canadians control over their data, promoting ethical use of data, ensuring that the online marketplace is competitive to facilitate growth of Canadian businesses, and implementing “meaningful penalties” for violations of privacy laws.

Privacy Awareness Week (Personal Data): technology suspicion – consumer concerns surrounding voice and digital assistants

May 17 2019

By Cameron Abbott, Rob Pulham, Michelle Aggromito, Max Evans and Rebecca Gill

Protecting personal data is a fundamental aspect of any privacy regime. As we become more technological advanced, organisations are finding innovative ways to interact with consumers through more intuitive communication channels, such as voice recognition via digital assistants. But not everyone trusts such technology, as Microsoft’s April 2019 report on voice assistants and conversational artificial intelligence has found.

The report found that 41% of voice assistant users were concerned about trust, privacy and passive listening. Other interesting findings of the report include:

Privacy Awareness Week (Health Information): Health sector and the notifiable data breach scheme – 12 months on

May 16 2019

By Cameron Abbott, Rob Pulham, Michelle Aggromito and Rebecca Gill

It’s been a little over a year since the notifiable data breach scheme was introduced in Australia. The Office of the Australian Information Commissioner (OAIC) issued its Notifiable Data Breaches Scheme 12-month Insights Report on 13 May 2019, detailing its insights to come out of the scheme’s operation over the past 12 months. As regular readers would no doubt be aware, the health sector was one of the top industry sectors to report breaches in the first 12 months of the scheme’s operation.

Surveillance software targets WhatsApp users

May 15 2019

By Cameron Abbott, Rob Pulham and Michelle Aggromito

Unfortunately for all of us, Privacy Awareness Week doesn’t mean a chance to take a break from seemingly endless data breach notifications and social media vulnerabilities.

This week it’s WhatsApp’s turn, with reports that hackers, or as WhatsApp described as “an advanced cyber-actor”, have been able to remotely install surveillance software on phones and other devices of select targets, likely to be lawyers, journalists, activists and human rights defenders. The hackers were able to compromise the devices by using WhatsApp’s call function to ring the devices. The surveillance software was still installed even if the call was not picked up and the call reportedly would disappear from the compromised device’s call log. This means the malware could be installed without any action from the compromised user – and potentially without them even being able to determine that they had been compromised.

Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia

May 14 2019

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

Today’s topic for Privacy Awareness Week is “online privacy”. It is no surprise that online privacy is a key topic of concern for businesses and consumers alike, given recent high-profile privacy breaches. Of particular significance is the issue of credential stuffing, as Australia is now the fifth highest target for credential stuffing attacks according to Akamai’s Credential Stuffing: Attacks and Economies report of April 2019 (Report).

Credential stuffing is a form of cyberattack where account credentials, usually usernames or email addresses and corresponding passwords, are stolen, typically from a previous security breach. The account credential combinations are then used to try and gain access to accounts at other sites via an automated and large-scale web application directed to multiple logins. It relies on individuals using the same password across multiple sites. K&L Gates has previously blogged on a high-profile credential stuffing attack that can be found here.

Privacy Awareness Week (Data Breaches): Study finds majority of Australian businesses are ill-equipped to handle cybersecurity incidents

May 13 2019

By Cameron Abbott, Rob Pulham and Rebecca Gill

It’s Privacy Awareness Week and today’s topic is “data breaches”. With data breaches and responding to cyber attacks becoming an inevitable part of doing business, it’s a timely reminder about the importance of adequately resourcing your IT security areas, and of having comprehensive and well-tested data breach response plans in place, as illustrated by the Fourth Annual Study on The Cyber Resilient Organization (Study), conducted by the Ponemon Institute on behalf of IBM Resilient.

The Study surveyed 3,655 IT and IT security practitioners in 11 countries and regions, including Australia. The results of the Study indicate that a majority of Australian businesses are vulnerable to cyber-attacks due to a lack of skilled personnel and incident response plans.

Author - admin