By Cameron Abbott, Rob Pulham and Allison Wallace
Further to our blog post yesterday, we’ve prepared a summary into the implications of the Privacy Amendment (Notifiable Data Breaches) Bill 2017 that has now been passed by both houses of Parliament. Read our article here.
By Cameron Abbott and Allison Wallace
As foreshadowed by the Attorney General’s Department last year, the Australian government is pushing ahead with its plan to introduce mandatory data breach notification laws, with Parliament today agreeing to a third reading of the Privacy Amendment (Notifiable Data Breaches) Bill 2016. You can find more about the proposed legislation here. We’ll keep you updated as the bill makes its way through parliament.
By Cameron Abbott and Allison Wallace
Australia’s Information and Privacy Commissioner Timothy Pilgrim is making enquiries into allegations that the personal information of customers of three Australian telcos is being sold online.
Fairfax uncovered an alleged rort involving ‘corrupt insiders’ at the offshore call centres of Telstra, Optus and Vodafone, which has allegedly seen details including customers’ addresses, dates of birth and billing statements leaked to at least one private company in India, which is then allegedly selling the information for up to $1000.
Commissioner Pilgrim has said in a statement that he is working to determine what further action may need to be taken.
All three telcos have also released statements, reiterating that they take the privacy of their customers seriously. Vodafone and Optus have met with the AFP, which has now passed the matter on to Indian authorities.
By Cameron Abbott, Simon McDonald and Meg Aitken
The ongoing debate surrounding what “metadata” actually is, and how it should be characterised under privacy laws has once again resurfaced. This time, the Federal Court will have a chance to decide on the issue, following a decision by the Privacy Commissioner to appeal a finding that denied a journalist access to metadata on the basis that it was not personal information.
Way back in 2013, a then technology journalist for Fairfax, Ben Grubb, asked Telstra to provide him with metadata and other information held by it in relation to his mobile phone on the basis that it constituted ‘personal information’ under the Privacy Act 1988 (Cth) (Privacy Act) and he was therefore entitled to it.
Telstra did provide some information to Mr Grubb (including his outgoing call records, bills and the customer details they had stored for him), however it submitted that the “metadata” produced from his mobile phone use on Telstra’s network was not personal information, as it was not linked to him in a way that made his identity apparent or reasonably ascertainable.
Unsatisfied with this answer, Mr Grubb lodged a complaint with the Privacy Commissioner. In May 2015, the Commissioner held that Telstra ‘cross-matched’ data across its mobile network in such a way that it was possible to determine a customer’s identity and that Telstra was therefore in breach on NPP 6.1 (as it then was) by refusing to provide Mr Grubb with access to his personal information.
Telstra appealed to the Administrative Appeals Tribunal of Australia (AATA). Taking a strangely narrow approach to the issue, Deputy President Forgie ruled that the mobile network data was not personal information for the purpose of the Privacy Act. Instead, she said that the metadata was actually information about the service provided by Telstra and the delivery of that service, rather than about Mr Grubb and his mobile phone use. On that basis, Telstra was not obliged to provide Mr Grubb with access to the information, despite it being generated directly from his use of Telstra’s services.
Seem contrary to the deliberately broad concept of personal information that is designed to protect individuals? We agree, and so does the Privacy Commissioner. ‘Stay on the line’ to see how the Federal Court approaches the issue.
Access the determination and reasons for determination of Privacy Commissioner Timothy Pilgrim in Ben Grubb and Telstra Corporation Limited [2015] AICmr 35 (1 May 2015) here.
Access the AATA decision of Deputy President S A Forgie in Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991 (18 December 2015) here.
Access the Office of the Australian Information Commissioner’s Press Release here.
By Cameron Abbott and Meg Aitken
Following its launch in November 2014, the Australian Cyber Online Reporting Network (ACORN) has revealed it fielded 39,000 reports of cybercrime from individuals and organisations in 2015. Fraud was the most commonly reported cybercrime, with 19,232 reports being made to ACORN last year.
Prominent data analytics group and credit bureau, Veda revealed similarly worrying statistics in the Veda 2015 Cybercrime and Fraud Report, noting that in 2015, 1 in 4 Australians reported being a victim of identity theft at some stage, up 7% from 2014. The report also suggests that Australians are becoming increasingly concerned about the risk of cybercrime and identity theft.
Veda has projected that 2016 will see even greater numbers of cybercrime attacks on individuals, firms and government agencies as the ‘Internet of Things’ further develops, reliance on social media grows and a profound amount of personal information and data continues to be collected.
Read the ACORN quarterly statistics reports here.
By Cameron Abbott and Meg Aitken
Don’t say we (and Microsoft) didn’t warn you, a prominent Melbourne hospital’s IT system that runs on an outdated and unsupported Windows operating system, Microsoft XP, was hacked last week.
Microsoft recently activated the end-of-life phase for Windows 8, 9 and 10 and encouraged users to transition to the company’s supported operating systems in order to prevent security incidents. The same process was undertaken for Microsoft XP in 2014; however the hospital continued to use the platform in some departments.
The pathology department was the primary victim of the attack and staff were reportedly forced to manually process blood tissue and urine samples while the electronic system was compromised. Fortunately, highly sensitive patient information is not believed to have been accessed by the hackers.
It has been reported that the hospital is now expediting plans to upgrade its IT systems.
Access the media release here.
By Jim Bulling
It seems clear following the release in March this year of ASIC Report 429 Cyber Resilience, that all Australian Financial Services Licensees and superannuation funds are currently required to include in their risk management framework measures aimed at addressing the risks posed by cybersecurity breaches.
In addressing the risks ASIC recommends that the U.S. National Institute for Standards and Technology (NIST) framework is a relevant risk management tool. The NIST standards set out the key objectives of an appropriate risk framework:
You can download a copy of the framework here
These objectives will need to be merged into the existing financial services policy frameworks which financial services entities already have in place.
By Jim Bulling
Insurers in the U.S. and Europe are forecasting that the market for cyber insurance will grow exponentially in the next five years as more companies look to beef up protection against malicious cyber attacks.
While the insurers see a significant new market emerging, there are signs that they are wary of the risks and this is impacting on premiums and the limitations being placed on cover. There are a number of insurers offering cyber cover in the Australian market and companies looking for additional protection would be well served by closely examining the terms of the proposed cover to ensure it extends to the more significant cyber risks and does so in a way that complements rather than overlaps the existing insurance program which an organisation has in place (eg Public Indemnity , Directors and Officers Liability, Crime and Property).
It is also worth noting that insurance should only be seen as one component of an organisation’s risk management processes around cybersecurity. A leading insurance broker has suggested that investment in technology is the most important factor in reducing the risk profile while the contribution from insurance is much more modest and to be effective needs to be accompanied by investment in technology.
K&L Gates partner, Cameron Abbott will feature as part of panel of professionals active in the Cyber industry at an American Chamber of Commerce (AMCHAM) luncheon on Wednesday 28 October 2015.
The panel will discuss developments in the world of cyber security, the intent of the mandatory data-breach scheme and the far reaching impact that cyber security breaches can have on a business’s reputation and value.
The session will be moderated by Dr Tobias Feakin, Senior Analyst and Director, International Cyber Policy Centre.
For full details of the event and to register click here
By Cameron Abbott and Melanie Long
According to recent research conducted on behalf of cybersecurity firm Clearswift, finance and HR departments represent the biggest cybersecurity threat to organisations. The study polled more than 4500 information technology decision makers, security professionals and employees in the US, UK, Germany and Australia and found that 46% of respondents believed that finance departments posed a security threat to their organisation. In addition, 42% of respondents believed the same of an organisation’s HR departments.
Copyright © 2024, K&L Gates LLP. All Rights Reserved.