Catagory:Government Regulation, Legislation & Enforcement

1
UK telecoms company handed record fine for data breach
2
ABS blames IBM for Census fail in damning report
3
Ashley Madison data breach joint findings released
4
Government committed to introducing Mandatory Data Breach Notification laws
5
The White House issues response guide to a cyber attack
6
Microsoft welcomes big win against government information requests
7
EU-US Privacy Shield certifications to open in August
8
EU-US Privacy Shield approved
9
Agreed changes to EU-US Privacy Shield strengthens data transfer pact
10
Report finds average cost of data breach reaches $4 million

UK telecoms company handed record fine for data breach

By Cameron Abbott and Rebecca Murray

Major UK telecoms company, TalkTalk has been fined £400,000 for failing to adequately safeguard personal data when they were hacked in October 2015. The Information Commissioner’s Office’s (ICO) investigation revealed that hackers obtained the details of 156,959 customers, including names, addresses, birthdates, phone numbers and email addresses. In over 15,000 cases, hackers even gained access to bank account details and sort codes. The cyber-attack triggered the launch of a committee inquiry into protection of personal data online. You can read the inquiry report here.

After in depth investigation, the ICO found that TalkTalk’s failure to implement even the most basic cyber security measures allowed hackers to easily penetrate its systems causing substantial damage and distress to its customers. See how the investigation unfolded here and read the ICO’s penalty notice here. The ICO identified TalkTalk’s principal errors as failing to actively monitor its own activities and allowing vulnerabilities to go unnoticed, failing to update its database to protect from bugs, failing to respond to two previous attacks on the same webpages and failing to fix a bug in the software for which a fix was readily available.

It would seem regulators are losing patience with organizations that don’t take their security obligations seriously.

ABS blames IBM for Census fail in damning report

By Cameron Abbott and Rebecca Murray

The Australian Bureau of Statistics (ABS) has blamed the 2016 Census website failure on IBM in a damning Senate inquiry submission. ABS chief statistician David Kalisch said the infrastructure offered by IBM did not adequately prepare for “not unusual” and “anticipated” denial of service attacks on Census night, which ultimately caused the site to be taken down for security reasons. You can read the submission, which was made available online by The Guardian here.

Ashley Madison data breach joint findings released

By Cameron Abbott and Rebecca Murray

The Australian Privacy Commissioner, Timothy Pilgrim and The Privacy Commissioner of Canada, Daniel Therrien have released a joint report on the data breach of cheating website Ashley Madison which affected approximately 36 million Ashley Madison user accounts last year. Read our post on the breach here.

Controversially, despite the company not having a physical presence in Australia, the Commissioners found that Ashley Madison’s parent company Avid Life Media (ALM) was regulated as an “APP entity” due to the fact that it carried on business and collected personal information in Australia. This finding was based on the fact that ALM conducted marketing in Australia, targeted Australian residents for its services and collected the personal information of Australians.

ALM agreed to a number of enforceable undertakings to the Commissioner. Amongst other things, ALM has undertaken to augment its security framework, provide extensive security training for staff and cease its practice of retaining the information of users with deleted, deactivated or inactive accounts. Consistent with the trend in undertakings it requires independent verification of certain compliance steps. Find the undertakings here.

It also seeks to address the accuracy of the records, which is a challenge for a cheating website. Letting someone sign up using for example Tony Blair’s email address captured the attention of the regulators. They focused on the interests under Privacy laws of those whose email addresses were falsely added to the sign up. A confirming email with an option to opt out was not considered an adequate measure.

Read more about the report here.

Government committed to introducing Mandatory Data Breach Notification laws

By Cameron Abbott and Rebecca Murray

After much delay, a spokesperson for Attorney-General, George Brandis has said the government is committed to introducing the Mandatory Data Breach Notification laws this year. We will be sure to look out for it during the next term of Parliament. You can find more information on the proposed scheme and its regulatory impact on the Attorney General’s Department consultation for Serious Data Breach Notification webpage.

 

The White House issues response guide to a cyber attack

By Cameron Abbott and Simon Ly

Last week, the White House issued the US government’s response guide to cyber attacks titled “Presidential Policy Directive – United States Cyber Incident Coordination”.

Billed to combat “malicious activity, malfunction, human error and acts of nature”, the Directive aims to provide a guide to handle significant cyber incidents while fostering the advancement of technology and innovation. The Directive has a five-level grading system. It has been reported that no hack attack has reached level 5 yet, with this being reserved for a “threat to infrastructure, government stability or American lives”.

If it wasn’t apparent already, this guide emphasises the growing risks of cyber attacks both to governments and companies. It will be interesting to see the Directive in action as the response to the Directive has been mixed, with some saying it doesn’t go far enough and that it simply codifies existing practices. This criticism seems a little unfair because you would hope that existing practices were relatively well thought through and thus not a bad standard to entrench.

For more information, you can access the White House’s press release here.

Microsoft welcomes big win against government information requests

By Cameron Abbott and Simon Ly

Last week, the US Court of Appeals for the Second Circuit reversed a previous lower court decision and found in favour of Microsoft in a long running dispute over a government information request.

In 2014, the US government successfully received a warrant for email records sought in connection with a drug case. Microsoft refused to comply with the orders and was subsequently found to be in contempt of court. However, the Court of Appeal has now ruled that the US government could not force Microsoft to hand over customer emails stored in an offshore server in Ireland because, amongst other things, the Stored Communications Act did not intend to legislate to allow for such warrant provisions. This decision comes hot off the heels of the EU-approved Privacy Shield, and it will be interesting to see how a similar decision will be dealt with moving forward in light of this regime.

This represents a big win for Microsoft and the tech sector more broadly as service providers now have a basis for maintaining the position of protecting its users’ privacy. This decision also highlights that legal regimes are territorial notwithstanding the global nature of new technology offerings.

To read Microsoft’s news release following the decision, please see here.

EU-US Privacy Shield certifications to open in August

By Cameron Abbott, Simon Ly and Rowena Baer

As a follow up to our latest blog post, the European Union and European Commission yesterday announced that the Privacy Shield arrangement has been adopted.

Companies wanting to utilise the Privacy Shield for their Trans-Atlantic data transfers are able to apply for certification with the U.S. Department of Commerce from 1 August 2016, with the US and EU to brief companies on the application process later this week.

For a legal perspective and analysis of the Privacy Shield, please see our colleagues’ report here.

To keep up to date and for an overview of the changes, please see here.

EU-US Privacy Shield approved

By Cameron Abbott, Rob Pulham, Simon Ly and Rowena Baer

When the Safe Harbour arrangements were struck down the EU and US worked to create a replacement and flesh out the details of this new arrangement (see our last article on this issue here). We have all been somewhat nervously watching to see if the new ‘Privacy Shield’ would get final approval amid some criticism from some quarters. Good news, last Friday the EU member states on the Article 31 Committee voted to approve a revised Privacy Shield.

The new arrangement provides a welcome measure of certainty for businesses whose Trans-Atlantic data transfers have been left in legal limbo since the European Court of Justice declared the longstanding Safe Harbor Framework invalid in October 2015.

The European Commission has released a statement expressing their confidence in the adoption of the new Privacy Shield, noting that the new pact is “fundamentally different” from its predecessor. The new Privacy Shield imposes “clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice”.

International tech industry groups have also praised the move as a win for both consumers and businesses as the pact provides robust consumer privacy protections. Voicing their support of the Privacy Shield, Microsoft released a detailed blog post on how the Privacy Shield is progress for privacy rights, declaring that the regime is an “important achievement for the privacy rights of citizens across Europe, and for companies across all industries that rely on international data flows to run their businesses and serve their customers”.

Whilst we are still at the early stages, companies should begin assessing the Privacy Shield’s impact on their existing agreements and also more broadly their data strategy, keeping in mind that the regime relates only to EU-US data transfers. In particular, consideration should be given to the transitional arrangements in the Privacy Shield. Companies should also be aware of the potential challenges to this regime (and related issues post-Brexit) as there is concern about the shelf life of the Privacy Shield.

For more information, please see the EU’s page here and the US’s page here.

Agreed changes to EU-US Privacy Shield strengthens data transfer pact

By Cameron Abbott and Giles Whittaker

The US and the European Union reportedly reached an agreement on the language of a key data transfer pact, including clearer limits on U.S. surveillance and stricter rules for companies holding information of Europeans. The updated EU-US Privacy Shield was sent to EU member states, who are expected to vote on the proposal in July. The revised data transfer pact is said to include stricter cross-border data-handling rules for companies using Europeans’ information for targeted online advertising, and also has detailed the specific condition under which U.S. government intelligence services would collect data in bulk and the safeguards on how the data is used.

Meanwhile, U.S. Chamber of Commerce Executive Vice President and Head of International Affairs Myron Brilliant urged the EU’s member states to quickly sign off on the updated version, saying that the new framework for trans-Atlantic data transfer is critical for companies on both sides of the pond.

Further information regarding the report by Reuters can be read here.

Report finds average cost of data breach reaches $4 million

By Cameron Abbott and Giles Whittaker

A report sponsored by IBM and conducted by the Ponemon Institute found that the average cost of a data breach has grown to $4 million, up 29% from 2013. The survey also found cybersecurity incidents continued to witness growth in both volume and sophistication, with 64% more security incidents reported in 2015 than the preceding year. According to the study, the companies lose $158 per compromised record. Also not surprisingly, breaches in highly regulated industries were even more costly. For instance, healthcare breaches reached $355 per record – a full $100 more than in 2013.

Read the full report conducted by the Ponemon Institute here.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.