Catagory:Breaches

1
New Privacy Enforcement Act commences in Australia
2
Privacy and cybersecurity laws expected to undergo a significant overhaul in the wake of Optus data breach
3
Argentina announces upgrades to data protection obligations
4
The Importance of Managing DSARs
5
Uber found to have breached Australian’s privacy following 2016 hack
6
To pay or not to pay the ransom? Organisations may find their decision easier with government guidance
7
REvil strikes again – ransomware attack on UnitingCare Queensland
8
Other Australian companies attacked by the same ransomware attack on the JBS meat processing company
9
Ransomware attack on the world’s largest meatpacking company JBS
10
Another attack on critical infrastructure – New York’s subway hacked

New Privacy Enforcement Act commences in Australia

Dec 14 2022
Browse archives for December 14, 2022
Posted in

Breaches, Legal & Regulatory Risk, Litigation of Data Breaches, New Developments, Privacy, Data Protection & Information Management

Tagged with , , , , , , , , ,
Share

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

As of yesterday, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Privacy Enforcement Act) is now in effect after receiving Royal Assent on 12 December 2022.

As we have previously shared, the Privacy Enforcement Act increases the maximum penalties for serious or repeated privacy breaches. For body corporates/organisations this increases the penalty from the current $2.22 million to whichever is the greater of:

Read More

Privacy and cybersecurity laws expected to undergo a significant overhaul in the wake of Optus data breach

Sep 29 2022
Browse archives for September 29, 2022
Posted in

Breaches, Government Regulation, Legislation & Enforcement, Managing Threats & Attacks, Privacy, Data Protection & Information Management

Tagged with , , , , , , ,
Share

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Over the past two years, the Privacy Act has been the subject of long-awaited reform in Australia however, it seems the Optus data breach may have given it some much needed momentum.

The Optus attack is understood to have affected the details of 11.2m Optus customers, and of that 2.8m individuals have had their driver’s licence and/or passport numbers compromised. The hacker claims to have extracted the data from an API – software that allows two different systems to talk to each other. Therefore, if the claim is true the hacker didn’t need to provide authentication (e.g. a username and password) to retrieve the data.

In the wake of the attack, the Government has shared its plans to pursue substantial reforms that will include increased penalties under the Privacy Act (currently capped at $2.22m per offence) as well as changes to data breach notification laws to allow companies to rapidly inform financial institutions of affected individuals in an effort to minimise fraud.

The data breach also highlights the risks involved in collecting large amounts of personal information and storing this for excessive time periods. While the Privacy Act promotes the collection of a minimum amount of personal information, i.e. only that information that is necessary for a particular purpose and which the entity intends to use or disclose – individuals generally have limited control over how long their information is retained for.

During the initial stages of the Privacy Act review, the Attorney General’s Department sought submissions from entities on their views as to whether individuals should be given the right to have their personal information erased. Optus in submissions to the review argued against such a change stating that the right to erase personal data would involve significant technical hurdles and compliance costs that would outweigh the benefits. Of course this incident has happened just as stores are gearing up for Halloween – a fitting time for those public submissions to come back to haunt them.

Argentina announces upgrades to data protection obligations

Sep 16 2022
Browse archives for September 16, 2022
Posted in

Breaches, Government Regulation, Legislation & Enforcement, New Developments, Privacy, Data Protection & Information Management

Tagged with , , ,
Share

By Cameron Abbott, Stephanie Mayhew and Dadar Ahmadi-Pirshahid

Argentina’s Data Protection Authority, the Agency for Access to Public Information (the Agency), has published a draft bill that proposes to bring Argentina’s 22 year old data protection law more in line with the European Union’s General Data Protection Regulation.

Amongst other things, the bill modernises Argentina’s data protection law to deal with more recent issues including cloud computing, biometric and genetic data. It provides greater scope for international transfers of information by allowing transfers under the sanction of adequate data protection guarantees in the absence of a decision by the Agency that the importing country has adequate data protection. It additionally requires Data Controllers to document and notify the Agency of data breaches within 48 hours of becoming aware of a breach.

The draft bill is open for public comment until 30 September 2022. Any entity wishing to submit commentary is encouraged to reach out to K&L Gates to help facilitate the submission process.

The Importance of Managing DSARs

Jun 28 2022
Browse archives for June 28, 2022
Posted in

Breaches, Government Regulation, Legislation & Enforcement, Privacy, Data Protection & Information Management

Tagged with , , , ,
Share

By Claude-Étienne Armingaud and Inès Demmou

With its December 2021 fine imposed on French telephone operator Free Mobile, the French data protection authority (CNIL) reiterated the importance of responding to data subject access requests (DSARs) within the relevant timeline (usually 30 days), with all the relevant and required information (Article 13 and 14 GDPR) and ensuring the security of users’ personal data (Article 32 GDPR). 

Another sanction by the Dutch Supervisory Authority relating to the principle of data minimization confirmed that such DSARs could not be conditioned by overly complex mechanisms, such as a requirement to upload a full copy of an identity document.

These sanctions demonstrate that data subjects have acquired the awareness necessary to exercise their rights, and that data controllers must implement effective channels and internal processes to handle DSARs properly, effectively, in a timely manner, and in a way that would not, in turn, generate its own set of breaches of the GDPR. 

To find out more, see our full alert here.

Uber found to have breached Australian’s privacy following 2016 hack

Jul 27 2021
Browse archives for July 27, 2021
Posted in

Breaches, Government Regulation, Legislation & Enforcement, Privacy, Data Protection & Information Management

Share

By Cameron Abbott and Jacqueline Patishman

In 2017, Uber disclosed to the Office of the Australian Information Commissioner (OAIC) a breach of its some 57 million global users and driver’s personal information (including approximately 1.2 million Australians). Last Friday, the OAIC determined that Uber had breached the Australian Privacy Act by failing to take reasonable steps to protect Australian’s personal information from unauthorised access.

Read More

To pay or not to pay the ransom? Organisations may find their decision easier with government guidance

Jul 26 2021
Browse archives for July 26, 2021
Posted in

Breaches, Government Regulation, Legislation & Enforcement, New Developments, Privacy, Data Protection & Information Management

Tagged with
Share

By Cameron AbbottRob Pulham and Jacqueline Patishman

The Cyber Security Advisory Committee (an industry based advisory panel established by the Minister for Home Affairs to provide independent strategic advice on Australia’s cyber security challenges) has recommended in its annual report that the federal government develop a clearer policy position on the payment of ransoms by organisations that have suffered ransomware attacks.

Read More

REvil strikes again – ransomware attack on UnitingCare Queensland

Jun 28 2021
Browse archives for June 28, 2021
Posted in

Breaches, Managing Threats & Attacks, Privacy, Data Protection & Information Management

Tagged with , ,
Share

By Cameron Abbott and Jacqueline Patishman

Following a ransomware infection in late April, UnitingCare Queensland has suffered a nearly 2 month long ordeal to regain control of its systems. UnitingCare was a victim of malware called Sodinokibi/REvil which encrypted its files and attempted to delete backups.

Read More

Other Australian companies attacked by the same ransomware attack on the JBS meat processing company

Jun 10 2021
Browse archives for June 10, 2021
Posted in

Breaches

Tagged with , ,
Share

By Cameron AbbottRob Pulham and Jacqueline Patishman

It’s been reported that at least 7 other Australian companies are among the group of companies that were affected by the recent ransomware attack on JBS meat by the cybercriminal group REvil.

Read More

Ransomware attack on the world’s largest meatpacking company JBS

Jun 09 2021
Browse archives for June 09, 2021
Posted in

Breaches

Tagged with , , , ,
Share

By Cameron AbbottRob Pulham and Jacqueline Patishman

Last week, a ransomware attack on the world’s largest meatpacking company caused a temporary shut-down of its operations in Australia and North America. The attack infiltrated the company’s quality assurance systems and ultimately prevented normal production.

Read More

Another attack on critical infrastructure – New York’s subway hacked

Jun 08 2021
Browse archives for June 08, 2021
Posted in

Breaches

Tagged with , , , ,
Share

By Cameron AbbottRob Pulham and Jacqueline Patishman

In April, New York’s subway authority was hacked by a group of cybercriminals with suspected Chinese government connections. The authority is responsible for operating all of New York’s train and bus systems and the attack exposed vulnerabilities in the services used by millions every day.

Read More

Copyright © 2024, K&L Gates LLP. All Rights Reserved.