Government Regulation, Legislation & Enforcement – Page 14

New Mexico’s New Data Breach Notification Laws

May 05 2017

New Mexico has followed other U.S. states in enacting data breach notification laws coming into effect on 16 June 2017. The statute will only apply to computerised data, which is narrower in scope compared to Australian laws that also apply to physical records.

The key provisions from the new data breach laws include:

Companies must notify New Mexico residents, the Attorney General and Consumer Reporting Agencies as appropriate within 45 days of discovery of data breaches that pose “a significant risk of identity theft or fraud”;
Companies that disclose Personal Identifying Information to third party vendors must contractually require the vendors to implement and maintain reasonable security procedures; and
Civil penalties of $10 per instance of failed notification up to a maximum of $150,000.

There are concerns that this adds another layer of complexity for companies trying to remain compliant, as they will now have to comply with data breach notification laws of 48 states and 3 territories. We think that there may be a big push for a unified federal law on this issue in the near future.

The police are reading … a lot … more than half a million times last year

May 02 2017

By Cameron Abbott and Edwin Tan

News Corp reported today that law enforcement agencies accessed the private data of Australian individuals about 541,300 times during the past 12 months. This is an estimated increase of about 60 percent compared to the previous year.

This is in addition to the Australian Federal Police (AFP) confirming on Friday that an officer had accessed phone records without a warrant earlier in the year. No action was taken against the officer.

The 2015 amendments to the Telecommunications (Interception and Access) Act 1979 (Cth) made it mandatory for telecommunications companies and internet service providers to retain metadata. This metadata can be accessed without a warrant by 21 government agencies, including the AFP.

However, journalists’ telecommunications data cannot be accessed by agencies without first obtaining a “Journalist Information Warrant”. An agency must apply to a Federal Court judge or a nominated Administrative Appeals Tribunal member to be granted the warrant.

The breach has sparked calls for an independent and public inquiry into the AFP, with Senator Nick Xenophon calling the incident “a complete failure with no real explanation”. Not the last we will hear about this issue we think. Read more about this here.

Draft law proposes security assessment of data exported out of China

Apr 17 2017

By Cameron Abbott and Allison Wallace

The Cyberspace Administration of China has released a draft law that would impose an annual security assessment on firms exporting data out of China.

The proposed legislation would apply to any business which transfers more than 1000 gigabytes of data, or which affects more than 500,000 users, and is the latest of several safeguards announced in recent times against threats such as hacking and terrorism.

Under the draft law, economic, technological or scientific data whose transfer would post a threat to public or security interests would be banned, and there would be extra scrutiny of sensitive geographic data.

Businesses would also have to obtain the consent of users before transmitting it overseas.

The draft law follows another passed in November 2016 which formalised a range of controls over firms that handle data in industries the Chinese government labels critical to national interests.

Is Uber’s Greyball pushing the boundaries of what is legally and ethically OK?

Mar 13 2017

By Cameron Abbott and Allison Wallace

Ridesharing service Uber has been using a self-developed program called Greyball in a bid to avoid regulatory scrutiny and other law enforcement activity.

As reported in The New York Times, the program uses various techniques to survey government officials when rolling out the service in new cities. This came after Uber’s services encountered legal issues (including cars being impounded and drivers fined) as it tried to operate in new locations, including in Melbourne, Australia. Read More

Australia’s new data breach notification laws: what they mean for you

Feb 15 2017

By Cameron Abbott, Rob Pulham and Allison Wallace

Further to our blog post yesterday, we’ve prepared a summary into the implications of the Privacy Amendment (Notifiable Data Breaches) Bill 2017 that has now been passed by both houses of Parliament. Read our article here.

Update: Mandatory Data Breach Notification Laws closer to being introduced

Feb 07 2017

By Cameron Abbott and Allison Wallace

As foreshadowed by the Attorney General’s Department last year, the Australian government is pushing ahead with its plan to introduce mandatory data breach notification laws, with Parliament today agreeing to a third reading of the Privacy Amendment (Notifiable Data Breaches) Bill 2016. You can find more about the proposed legislation here. We’ll keep you updated as the bill makes its way through parliament.

SAP criticises impending EU data protection laws

Jan 18 2017

By Cameron Abbott and Allison Wallace

SAP has expressed concerns over the implications of the landmark EU data privacy regulations, saying the penalties that will be imposed are too high, and could impede the development of Europe’s start-up culture.

The data privacy regulation will be implemented in May 2018, and includes fines for EU companies up to 4 per cent of their global revenues if they commit a significant breach of data privacy.

In an interview with the Financial Times, SAP’s head of products and innovation, Bernd Leukert said he believes the penalties are too high, and put companies at risk of losing their entire revenue if they commit multiple breaches.

Mr Leukert said he also fears that the EU regulations were not properly aligned with laws in other jurisdictions, such as the US.

UK companies taking on cybersecurity-related insurance in soaring numbers

Jan 09 2017

By Cameron Abbott and Allison Wallace

There was a 50% growth in the adoption of cybersecurity-related insurance in the UK between 2015 and 2016.

CFC Underwriting discovered the trend after polling industry representatives at the 2016 Cyber Symposium late last year.

The underwriter, which provides cyber insurance to more than 20000 clients globally, found the factors driving clients to purchase these kinds of policies included the “fear factor” of a cyber attack (23%) and the impending introduction of the European General Data Protection Regulation in 2018 (26%).

More than half of the respondents to the poll (53%) indicated they believed electronic computer crime will lead to an increase in insurance claims. Earlier figures released by CFC Underwriting revealed it handled over 400 claims on cyber policies in 2016, a 78% increase on 2015.

Data breach penalties could cost U.K. companies £122B in 2018

Oct 18 2016

By Cameron Abbott and Rebecca Murray

U.K. businesses could face up to £122 billion in penalties for data breaches when EU legislation comes into effect in 2018, according the Payment Card Industry Security Standards Council (PCI SSC). The EU’s General Data Protection Regulation (GDPR) will introduce fines for groups of companies of to €20 million or 4% of annual worldwide turnover, significantly higher than the current maximum of £500,000. This means that if data breaches remain at 2015 levels, the fines paid to the European regulator could see a near 90-fold increase, from £1.4 billion in 2015 to £122 billion, the PCI SSC calculated. For large U.K. organisations, this could see regulatory fines for data breaches soar to £70 billion, more than a 130-fold increase, rising to an average of £11 million per organisation. Regulatory fines for SMEs could see a 57-fold increase, rising to £52 billion, averaging £13,000 per SME. Read more at ComputerWeekly.com by clicking here.

Victorian ruling clarifies application of privacy principles to social media accounts

Oct 13 2016

By Cameron Abbott and Rebecca Murray

The Victorian Supreme Court recently confirmed that an employer was not obliged to immediately notify an employee that it was accessing her Facebook messages during a disciplinary investigation. This case clarifies the manner in which the Victorian Information Privacy Principles (IPPs) apply to social media.

In this case, an employer conducted an investigation into an employee after a colleague reported her for making a number of abusive remarks over Facebook. During the investigation, the employer accessed the employee’s Facebook messages without her knowledge. She was subsequently found guilty of misconduct and given a final warning.

The employee appealed the case to the Supreme Court of Victoria after the Victorian Civil and Administrative Tribunal (VCAT) found that her employer had complied with the IPPs. In her appeal, she questioned whether the ways her employer collected and used the information was necessary “for the purposes of a workplace disciplinary investigation” and whether accessing it without her knowledge or consent was “necessary for one or more of the organisations functions or activities’ for the purposes of IPP 1.1”.

The Supreme Court of Victoria confirmed VCAT’s finding that collecting further information was necessary under IPP 1.1 as the employer was conducting a misconduct investigation “which was a legitimate purpose” and said there was nothing to suggest its approach was inconsistent with the right to privacy. Furthermore, the court found that VCAT was correct in finding that IPP 1.3 (and 1.5) did not impose an obligation of immediate notification on the employer as it could have jeopardised the integrity of the disciplinary investigation. Access the IPPs here. and read the court’s decision here.

Importantly, this case demonstrates that privacy law doesn’t automatically prevent employers from accessing the social media accounts of their employees to conduct investigations in appropriate circumstances.

Catagory:Government Regulation, Legislation & Enforcement