Category: Privacy, Data Protection & Information Management

1
GDPR: Irish supervisory authority fines WhatsApp 225 million
2
Uber found to have breached Australian’s privacy following 2016 hack
3
To pay or not to pay the ransom? Organisations may find their decision easier with government guidance
4
Would mandatory reporting of ransomware payments cause more good or trouble?
5
New Cyber Security Evaluation Tool released by US Homeland Security for organisations to self-test their security systems
6
New US / Aus cross-border data access regime
7
REvil strikes again – ransomware attack on UnitingCare Queensland
8
$300 million of the Victorian Budget set aside to improve cyber security
9
Australia’s international cyber strategy pivots towards critical technology in neighboring countries
10
Even the Best Fall Down Sometimes: Nine Network suffers large-scale cyber attack

GDPR: Irish supervisory authority fines WhatsApp 225 million

By Claude-Etienne Armingaud, Camille Scarparo and Léa Fertani.

Further to investigations initiated by the Data Protection Commission (or DPC, the Irish supervisory authority) in 2018, Whatsapp Ireland Limited has received a EUR 225 million fine on 2 September 2021. The company infringed multiple GDPR provisions including in relation with the information provided to data subjects which breached the obligation to ensure transparency of processing (Articles 13 and 14 GDPR).

Following GDPR’s one-stop-shop mechanism and as WhatsApp operates cross-border flows of personal data, the DPC had initially been designated as lead supervisory authority (‘LSA’). Article 60 GDPR requires the LSA to submit a draft decision to its impacted counterparts across the European Union (the ‘Concerned Supervisory Authorities’). Such draft has been submitted in December 2020 and the Hungarian, Portuguese, Italian, French, Dutch, Polish, German (local and federal) Concerned Supervisory Authorities unanimously raised objections to the DPC in January 2021. The objections mostly addressed the lax approach by the DPC in the assessment of WhatsApp’s breach of GDPR as well as the amount of the initially contemplated fine in view of the dozens of millions of individuals affected by such breach across the European Union.

This resulted in a non-consensual situation, escalading to the dispute resolution process under Article 65 GDPR conducted by the European Data Protection Board (EDPB). The binding decision, adopted on 28 July 2021 and subsequently notified to the DPC, required the Irish supervisory authority to reassess and increase the fine, thus leading to the second-highest fine under GDPR since its entry into force in 2018.

Uber found to have breached Australian’s privacy following 2016 hack

By Cameron Abbott and Jacqueline Patishman

In 2017, Uber disclosed to the Office of the Australian Information Commissioner (OAIC) a breach of its some 57 million global users and driver’s personal information (including approximately 1.2 million Australians). Last Friday, the OAIC determined that Uber had breached the Australian Privacy Act by failing to take reasonable steps to protect Australian’s personal information from unauthorised access.

Read More

To pay or not to pay the ransom? Organisations may find their decision easier with government guidance

By Cameron AbbottRob Pulham and Jacqueline Patishman

The Cyber Security Advisory Committee (an industry based advisory panel established by the Minister for Home Affairs to provide independent strategic advice on Australia’s cyber security challenges) has recommended in its annual report that the federal government develop a clearer policy position on the payment of ransoms by organisations that have suffered ransomware attacks.

Read More

Would mandatory reporting of ransomware payments cause more good or trouble?

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

Last month, the federal opposition (Shadow Assistant Minister for Cyber Security) introduced the private member’s Ransomware Payments Bill (the Bill) that proposes to make it mandatory for all Australian businesses and government agencies to notify the Australian Cyber Security Centre (ACSC) before paying a ransom to a ransomware attacker. Failure to notify will attract a penalty of 1,000 penalty units ($181,740).

Read More

New Cyber Security Evaluation Tool released by US Homeland Security for organisations to self-test their security systems

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

The United States Department of Homeland Security has developed the Cyber Security Evaluation Tool (CSET) which provides a systematic (and repeatable) process that critical infrastructure asset owners can use to assess and improve their cyber security management systems. This tool has a particular focus on the security of industrial control systems and information networks.

Read More

New US / Aus cross-border data access regime

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

The Telecommunications Legislations Amendment (International Orders) Bill 2020 has just cleared both houses of parliament. The new bill establishes a reciprocal cross-border data access regime between the United States and Australia which will allow for cross-border communications between foreign governments for national security and law enforcement purposes.

Read More

REvil strikes again – ransomware attack on UnitingCare Queensland

By Cameron Abbott and Jacqueline Patishman

Following a ransomware infection in late April, UnitingCare Queensland has suffered a nearly 2 month long ordeal to regain control of its systems. UnitingCare was a victim of malware called Sodinokibi/REvil which encrypted its files and attempted to delete backups.

Read More

$300 million of the Victorian Budget set aside to improve cyber security

By Cameron Abbott and Jacqueline Patishman

The recently released Victorian budget shows that more than $300 million of the 2021-2022 state budget is to be used to improve the government’s ability to prevent, detect and control cyber risks. Well sort of… it also includes a range of more vanilla possible projects such as case administration systems at AAT, upgrading radio communication for Forest Fire Management Fire Victoria staff – so perhaps it is not as large a cybersecurity spend as it first looks.

Read More

Australia’s international cyber strategy pivots towards critical technology in neighboring countries

By Cameron Abbott, Michelle Aggromito, Jacqueline Patishman and Emily Gamaroff

In a bid to maintain stability in the Indo-Pacific region, Australia has pledged $37.5 million to bolster the security and development of critical technology in neighboring countries as part of its updated International Cyber Engagement Strategy. The funding aims to promote the resilience of critical technologies in Southeast Asia and to support Australia’s Pacific neighbours by improving online safety, counter misinformation and to fight cybercrime.

Read More

Even the Best Fall Down Sometimes: Nine Network suffers large-scale cyber attack

By Cameron Abbott, Warwick Andersen, Rob Pulham and Max Evans

Channel Nine has suffered the largest cyber attack on a media company in Australia’s history, according to reports from IT News, the AFR and Nine News.

The cyber attack, reported by Channel Nine as a variation of a ransomware attack, struck early Sunday morning, resulting in television and digital production systems being offline for more than 24 hours. The attack impaired Channel Nine’s ability to broadcast from its Sydney studios, forcing the media outlet to shift operations to its Melbourne studios.

Read More

Copyright © 2019, K&L Gates LLP. All Rights Reserved.