Merry Christmas and seasons greetings to all.

As is my tradition on this page, I mark Christmas with one of the most wonderful editorials ever written, the “Yes, Virginia, there is a Santa Claus.” ? This 1897 editorial by the New York Sun is the epitome of good prose; it is precise, effective, warm and clear.? Even the most hardened cynic cannot be moved by the simple plea for a belief in the better and the essence of? Christmas, its spirituality and the concept of redemption.? It is easy to scoff at such “naive” beliefs.? Every year I

The editorial took on a life of its own and is regarded as one of the great pieces of journalistic prose,.? It still attracts column inches of analysis and shameless reproduction.? Because the message is as apt today was it was over a hundred years ago.? An

Here it is:

Dear Editor,
I am 8 years old. Some of my little friends say there is no Santa Claus. Papa says, “If you see it in The Sun, it’s so.” Please tell me the truth, is there a Santa Claus?
Virginia O’Hanlon
“115 West Ninety-Fifth Street”

VIRGINIA
? ? Your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except what they see. They think that nothing can be which is not comprehensible by their little minds.?All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours, man is a mere insect, an ant, in his intellect, as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

? ? Yes, VIRGINIA, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to our life its highest beauty and joy.?Alas! How dreary would be the world if there were no Santa Claus! It would be as dreary as if there were no Virginias. There would be no childlike faith then, no poetry, no romance to make tolerable this existence. We should have no enjoyment, except in sense and sight. The eternal light with which childhood fills the world would be extinguished.

? ? Not believe in Santa Claus? You might as well not believe in fairies! You might get your Papa to hire men to watch all the chimneys on Christmas Eve to catch Santa Claus, but even if they did not see Santa Claus coming down, what would that prove??Nobody sees Santa Claus, but that is no sign that there is no Santa Claus. The most real things in the world are those that neither children nor men can see.?Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders that are unseen and unseeable in the world.

? ? You tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, or even the united strength of all the strongest men that ever lived, could tear apart. Only faith, fancy, poetry, love, romance, can push aside that curtain and view and picture the supernatural beauty and glory beyond.
Is it all real? Ah, VIRGINIA, in all this world there is nothing else as real and abiding.

? ? No Santa Claus! Thank God! he lives and he lives forever. A thousand years from now, VIRGINIA, nay, ten times ten thousand years from now, he will continue to make glad the hearts of children.

The Federal Trade Commission (the “FTC”) has its detractors who say it is not assertive enough.? Compared to the Australian Information Commissioner it is frenetic and hyper aggressive.? In a field where the breaches are many most regulators are subject to criticism of not doing enough.? But when the FTC takes action against a company the impact is considerable and painful for the malefactor. As the agreeement the FTC made with EPIC for its violation of the Children’s Online Privacy Protection Act.

EPIC has been fined 4275 million for collecting personal information from children under the age of 13.without parental consent.? It also enabled those children to have access to voice and text chats by default, a practice that could put them into contact with strangers.

As is the way the media has been negative for EPIC with Fortnite maker Epic Games has to pay $520 million for tricking kids and violating their privacy and Fortnite game maker will pay $520M to settle FTC allegations.

The statement of the FTC provides:

The FTC’s $275 million proposed settlement with Epic Games, owner of Fortnite, alleges the company violated the law by collecting personal information from kids under 13 without parental consent and by enabling voice and text chat by default – an unfair practice that put kids and teens in risky contact with strangers. But to borrow a phrase from advertisers, “But wait! There’s more!” Much, much more in the form of a separate $245 million proposed settlement with Epic Games for using digital dark patterns to bill Fortnite players for unintentional in-game purchases.

How much money can a company take in by selling virtual costumes, dance moves, and pi?atas shaped like llamas? It won’t surprise Fortnite fans to hear that the answer is billions, especially when, as the FTC alleges, Epic used a host of digital design tricks – dark patterns – to charge consumers for virtual merchandise without their express informed consent. What’s more, the FTC says when people disputed unauthorized charges with their credit card company, Epic locked their accounts, depriving them of access to content they had already paid for. The proposed FTC consent order is the agency’s largest administrative settlement to date. Continue reading for some insightful – and instructive – quotes from consumers and employees who didn’t hold back about their opinions of Epic’s tactics.

For the technological Rip Van Winkles among us, Fortnite is a hit video game with more than 400 million registered users, many of whom are kids. Although people can play the basic version for free, Epic charges for in-game purchases designed to enhance game play. The FTC alleges that with millions of consumers’ credit cards conveniently in hand, Epic failed to adequately explain its billing practices to customers and designed its interface in ways that led to unauthorized charges. You’ll want to read the complaint for details, but here are a few of the dark patterns the company allegedly used.

According to the complaint, Epic set up its payment system so that it saved by default the credit card that was associated with the account. That meant that kids could buy V-Bucks – the virtual currency necessary to make in-game purchases – with the simple press of a button. No separate cardholder consent was required. And although the currency was imaginary, the charges Epic packed on to Mom or Dad’s credit card were very real. What did parents and users have to say about Epic’s methods? Here are some examples:

• • “Hello Epic Games, The charges associated with this account were made without my authorization. This account is associated with my 10 year old son’s account and I am really disappointed that there is no check and balances that alerted me of these charges, and a 10 year old can purchase coins worth almost $500 so easily.”
  • “Epic Games is swindling parents with unauthorized game purchases, tricking young consumers & using shady practices for billing. I authorized a 1-time Epic Games purchase for my 11 yr-old son, only to discover EG did NOT erase my credit card info, & thus my son has been making unauthorized purchases, racking up $140 in less than 8 days after the initial authorized purchase.”

Epic’s own Fraud and Risk Consultant expressed similar concerns internally and recommended that the company require account holders to confirm their CVV numbers before charging the card on file: “This is standard / best practice and it prevents kids from using mom’s credit card without her permission[.]” However, by the time Epic finally took that advice, the company had already billed account holders for millions of V-Bucks transactions – many of which were unauthorized, according to the FTC. Read the rest of this entry »

The reviews, as in many, of the Privacy Act 1988 have been a lesson in what not to do when reviewing legislation.  The Federal Government’s response to the 2008 Australian Law Reform Commission Report was modest, selective, incomplete and largely a failure of public policy.  The amendments to the Act, which took effect in 2014, did not go very far.  The Government commissioned yet another  review in 2013, which reported in 2014, did not materially advance the findings contained in the 2008 Report.  The Government did not accept the recommendations but rather, in 2019, commenced yet another review, this time by the Attorney General’s Department.    

Innovation AU in Privacy Act Review complete after three years reports that the Attorney General has the product of the Review.  It appears that the Government is on track to release the Report with a view to amending the Privacy Act some time in 2023.    

The article Read the rest of this entry »

The misuse of the Victorian Police’s database, known as LEAP, has been chronic and systemic for many years.? The reports of those misdeeds by sworn officers are regular.? I posted on them on 9 February 2014 with Leakage of LEAP data an ongoing privacy issue …. for so long. on 18 May 2015 with Another problem with the Victorian Police, the LEAP database and privacy, on 16 October 2016 with Victoria police has yet another problem with data security… new breaches familiar pattern of behaviour,? IBAC released a 33 page report on Unauthorised access and disclosure of information held by Victoria Police.

The key findings of that IBAC report were:

• • Unauthorised access and disclosure of information are key enablers of other corrupt behaviour. These corruption risks are often overlooked as risks by agencies. This is evident in the lower than expected number of reports made to IBAC, and in the behaviours uncovered in investigations undertaken by IBAC and other public sector agencies. It is expected that as the understanding of information misuse as an enabler of corruption increases, this will help detection and investigation by Victoria Police.
  • Unauthorised disclosures to the media is a risk across public sector agencies, including Victoria Police which frequently deals with issues of high public interest. These incidents are difficult to substantiate due to the source of the information leaks often being difficult to identify.
  • Sharing information with approved third parties also presents many corruption risks. Although policies may be in place to control information access and disclosure by third parties, the proactive detection and enforcement of information misuse by agencies owning the information is difficult. This is especially relevant for Victoria Police, which holds significant private personal details about citizens.
  • Increased use of personal devices and smart phones in the workplace has made unauthorised disclosure of information much easier. This is particularly the case for those Victoria Police employees who use their personal mobile phones to conduct their work duties,⁵ including using cameras to capture evidence or using applications to take notes or recordings.
  • IBAC intelligence suggests information misuse is under-reported across the entire public sector, including Victoria Police. This may be due to it being under-detected, an under-appreciation for information security and privacy rights, or a lack of awareness that information misuse and disclosure may constitute an offence in itself.
  • The number of reports of information misuse made to IBAC related to Victoria Police is higher than from other public sector agencies but is also declining. The higher number of reports may be due to Victoria Police employees and members of the public having a higher level of awareness of the risks related to information misuse, due to the large amount of sensitive information their organisation holds. The declining number of reports over time may reflect under-reporting and the difficulties in detection. A recent spike in reported incidents in 2017-18 may reflect improving information security practices by Victoria Police and its employees.
  • Victoria Police and IBAC often do not detect information misuse until they are investigating other misconduct or corrupt actions. This is partly due to information security systems, which have not been fully developed, and a lack of proactive monitoring and auditing processes in place to detect unauthorised information access.
  • Customised auditing of information access is under-utilised by Victoria Police and its benefits are under-appreciated. A program of proactive, extensive and repeated auditing could be used to identify and deter unauthorised access of information.
  • The introduction in 2016 of the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS) across the public sector is expected to reduce unauthorised information access and disclosure. For Victoria Police, the VPDSS does not represent a materially higher standard for information security than the previous Standards for Law Enforcement Data Security. However the VPDSS represents a shift from prescriptive standards to a more flexible risk-based approach.

It is also relevant to note that the Victorian Information Commissioner, not the strongest or most rigorous privacy regulator, handed down a critical report on the privacy and information handling at the Victoria Police.? The 15 August report, Examination report into privacy and information handling training at Victoria Police published, find that the Victoria Police did not comply with its privacy obligations.? The media release provides:

Part of OVIC’s role as Victoria’s privacy regulator includes oversight of Victoria Police and its management of law enforcement data.

On 30 September 2021, OVIC commenced an examination into the privacy and information handling training at Victoria Police.

The objective was to examine whether the training provided to Victoria Police personnel meets the requirements of Information Privacy Principle (IPP) 4.1 under the Privacy and Data Protection Act 2014 (Vic).

IPP 4.1 outlines that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification, or disclosure.

During this examination, OVIC staff gathered information from relevant Victoria Police personnel on how training is developed, delivered, and evaluated at Victoria Police, with an interest in information handling and privacy both generally and within the context of family violence investigations.

“In performing its law enforcement functions, Victoria Police collects, manages, and uses sensitive and personal information of Victorians, including delicate information related to some of the most vulnerable members of the community” said Information Commissioner Sven Bluemmel.

“A lack of appropriate training in privacy and information handling can increase the risk of misuse, loss, unauthorised access, modification, and disclosure of this information.”

The examination found that as of February 2022, Victoria Police had not provided any privacy-specific training available for its members for more than a year. The examination also found a lack of resources within its Privacy unit and Education Unit.

While no dedicated privacy training was available to Victoria Police members, there was a range of training available to Victoria Police personnel that touched on information handling principles including cyber security and information security.

Due to a lack of dedicated privacy training and awareness provided, the examination found that Victoria Police may not be compliant with its obligations under IPP 4.1.

In contrast, the examination found that since the 2016 report of the Royal Commission into Family Violence, Victoria Police has done extensive work on providing family violence training to its personnel, including providing comprehensive guidance about handling information gathered in a family violence context.

“Victoria Police’s response to the Royal Commission into Family Violence demonstrates it can deliver effective training on handling sensitive and personal information when this is prioritised and appropriately resourced” said Mr. Bluemmel.

Victoria Police has accepted the findings of the examination and has provided further resourcing to its privacy team. It has also undertaken to review privacy and information handling education annually.

OVIC will continue its engagement with Victoria Police to promote, support, and ensure reasonable steps are taken to protect the personal information of Victorians.

The ABC reports in Victoria Police allegedly use LEAP database to pursue, stalk, harass women prompting calls for inquiry that the problem continues but now legal action is being taken against the Victoria Police.? It provides:

Rachel Wilks was just 15 when Jayden Faure used his position as a police officer to try to pursue a relationship with her.?

Ms Wilks had been assaulted by a family member. She was alone in the city with no phone or train ticket home when she came into contact with police.

“I was in a super vulnerable place,” she said. Read the rest of this entry »

Not all data breaches involve criminal acts by hackers breaking into a network and exfiltrating data.? Sometimes an organisation will be reveal data through its own actions.? Telstra has suffered a data breach involving ‘s data breach impacting 132,000. ? The breach involved a technical error resulting in it making personal information available on line.? Telstra describes it as a misalignment of databases.? Technical errors of this nature are not inevitable. Poor planning by IT is a common reason, focusing on the end result rather than the protections needed on the way through,? On 31 March 2020, the Federal Court of Australia? made publicly available? the names of details of several hundred people with cases currently or previously in the Court and the Federal Circuit Court (FCC) through the Commonwealth Courts Portal. Anyone visiting the Portal could have accessed the names and details of a person seeking asylum and information about their claim. The data breach was caused by an internal IT error.? The Federal Court should have been investigated by the Information Commissioner.? To its credit it did commission a review by Professor John McMillan in August 2020 which resulted in a 38 page report which was, not unusually for the Australian public service, a mix of polite tut tutting, gentle patting on the back for the work done and anodyne recommendations for improvement.? If the breach had happened in the United States the landing would have been much bumpier.? The Federal Court does have a publicly available data breach response plan.? It is fairly bare boned. One would expect a much more detailed plan to be available within the organisation.

Telstra is something of a frequent flier in the data breach world with a data breach in October 2022 with Australia’s Telstra hit by data breach, two weeks after attack on Optus, in May 2021 with Telstra service provider hit by cyber attack as hackers claim SIM card information stolen, in July 2018 with Telstra customer stumbles across contact details of 66,000 fellow customers,? in 2018 with Medical records exposed by flaw in Telstra Health’s Argus software and in Telstra privacy breach leaves customer’s voicemail exposed amongst other matters. If Telstra was operating in the United Kingdom or United States the regulators would take very strong and very public action.

The ABC has run a reasonably detailed story Read the rest of this entry »

The National Institute of Standards and Technology (“NIST”) released a preliminary public draft of NIST SP 1800-36A: Executive Summary, Enhancing Internet Protocol-Based IoT Device and Network Security.? For a change, pleasant for those overwhelmed by documentation to read, it is quite brief.

The NIST provides excellent guidance on technical issues associated with privacy and data security.? While the publications are not officially required compliance they are hugely influential and far superior to the broad guidance released by privacy regulators in Australia and New Zealand and probably even more effective than those of the United Kingdom’s Information Commissioner who provides comprehensive and detailed guidance documents.

Given the privacy regulation has already been strengthened this year and will be overhauled next year it is important that organisations pay heed to relevant publication produced by the NIST.? Complying with these guidelines would assist an organistion if there is a breach and the Information Commissioner starts investigating, which she now has greater powers to do as well as now having the power to impose fines.? The overseas experience is that commonly poor compliance on general aspects of data handling cause an organisation as many difficulties with regulators as the data breach which attracted the regulators attention.

The abstract provides:

Providing devices with the credentials and policy needed to join a network is a process known as network-layer onboarding. Establishing trust between a network and an IoT device prior to such onboarding is crucial for mitigating the risk of potential attacks. There are two sides of this attack: one is where a device is convinced to join an unauthorized network, which would take control of the device. The other side is where a network is infiltrated by a malicious device. Trust is achieved by attesting and verifying the identity and posture of the device and the network as part of the network-layer onboarding process. Additional safeguards, such as verifying the security posture of the device before other operations occur, can be performed throughout the device lifecycle. In this practice guide, the National Cybersecurity Center of Excellence (NCCoE) applies standards, recommended practices, and commercially available technology to demonstrate various mechanisms for trusted network-layer onboarding of IoT devices. We show how to provide network credentials to IoT devices in a trusted manner and maintain a secure posture throughout the device lifecycle.

Some of the interesting issues raised by the guidance Read the rest of this entry »

The woes of Medibank continue with it going offline this weekend to revamp/enhance/add data security.  It has put the best spin on it with its media release Medibank to undertake ‘Operation Safeguard’ at the weekend.  What few organisations really appreciate is the very heavy financial cost of dealing with a data breach.  The expense of bringing in experts to manage the immediate crisis becomes an costly exercise in determining the extent of the damage, then staff or consultants to liaise with media and government.  The costs continue with offering support to affected clients/customers/patients and then revamping an organisation’s security network. which is where Medibank finds itself.  Medibank also has to deal with an investigation by the Information Commissioner and a possible class action.

The media release Read the rest of this entry »

In Australia under Part IIIC of the Privacy Act 1988 organisations covered by the Privacy Act and Commonwealth Government agencies are required to notify of a data breach in certain circumstances, what is known as an eligible data breach.? It is effectively a self assessment though there are consequences if there is no notification when there should have been one.? It is regime that has been justifiably criticised in the wake of the Optus and Medibank data breaches.? The recent amendments to the regime improve rather than fix its operation.

It is an open secret that there is significant under reporting of data breaches in the United States, United Kingdom and Australia.

In UK Companies Fear Reporting Cyber Incidents, Parliament Told Data Breach today reports that there may be a deep reluctance to report breaches to the UK Information Commissioner.? There is mandatory data breach notification in the United Kingdom and affected entities are supposed to report within 72 hours of becoming aware of the breach.? This reluctance to report can and often does backfire as the story Brooklyn Hospitals Decried for Silence on Cyber Incident.? In that case Brooklyn Hospitals were hit with a ransomware attack on 19 November which necessitated transferring patients to other hospitals. The lack of explanation caused annoyance, at minimum, for other hospitals as well as the patients affected.? This poor practice results in even closer scrutiny by regulators.

The reluctance of UK entities to report a data breach because of additional scrutiny from the Information Commissioner remains poor practice.? It is almost trite to say that organisations that suffer data breaches almost invariably had privacy and data security as a low priority which translated into inadequate training and data handling practices.? When regulators respond to a notification they often find a litany of other issues.? Sometimes those are the issues that cause the organisations the greater difficulty. A common problem is data collection.? Many organisations hold onto personal information long after they have any need for it. Names of long departed or deceased customers/patients, details of people who have unsubscribed to a service and solicited information are commonly held .? Because the cost of storage is relatively inexpensive and data held digitally do not absorb physical space it is not inconvenient to hold that data for whatever reason.

As Medlab discovered once Read the rest of this entry »

On 27 October 2022 Medlab pathology announced that it had experienced a cyber attack in February 2022. The timing is interesting given the Optus Data notified customers in September about the breach and in October further notifications and advice was provided.? Coincidence.? It is very curious.

In its statement Medlab doesn’t say when the breach was first detected however confirms that the ACSC contacted Medlab in June when it detected data that had been published on the dark web.? Its explanation as to why it did not notify customers until 27 October is general and convoluted to the point of disingenuous. It says that it took several months to download and analyse “what information was and who it belonged ot.”? That is far from best practice and would attract the ire of regulators in England and? the European Union.? Medlab’s statement is not good. It begs many more questions than it answers.? Perhaps it is the best that could be done given the way Medlab handled the breach.

Subsequent to the October announcement there were reports stating that the cyber attack affected 223,000 Australians and:

• 17,539 individual medical and health records associated with a pathology test;
• 28,286 credit card numbers and individuals’ names. Of these records, ~15,724 have expired and ~3,375 have a CVV code; and
• 128,608 Medicare numbers (not copies of cards) and an individual’s name.

The Office of the Information Commissioner undertook preliminary enquiries which is entirely understandable given the size of the breach, the apparent delay in notification and the? sensitivity of the personal information lost.? Those enquiries have led to today’s announcement that it would open a formal investigation.? That is hardly surprising.

Under the legislation an affected organisation has 30 days to notify the Commissioner and clients if there has been a notifiable data breach.? It is critically important to respond efficiently to the data breach.? That means having a plan that can be put in place before suffering a data breach. Trying to understand the law as well as undertake remediation efforts as well as continue to run the business at the time of the data breach is a recipe for poorly thought through actions, missteps and poor outcomes possibly ending up with the regulator investigating.

This may be a very influential investigation in setting parameters as to what reasonable steps are taken to investigate the data breach and notification to customers.? A complicating factor is the likelihood that the data breach notification regime will be overhauled.? It may still be an influential investigation if the Commissioner sets down principles if there is a determination or the court may provide judicial guidance on what reasonable steps constitute Read the rest of this entry »

In Re Straightline Construction Co Pty Ltd [2022] VSC 708 the Supreme Court, per Gardiner AsJ, considered an application to set aside a statutory demand on the grounds that the applicant was not a party to the agreement giving rise to a liability which formed the basis of a statutory demand.? This is quite a common issue where parties are involved in the building and construction industry.? It is not uncommon for builders to work through multiple entities, many of whose names are quite similar. ? As this case demonstrates, it is not simply enough for the Applicant to allege that the wrong party was served with a demand as another entity was a party to the contract. As this case shows such a contention can be successfully challenged if the respondent has contemporaneous documentation and concessions by representatives of the applicant .

FACTS

?On 9 December 2021, Hansen Yuncken Pty Ltd (‘Hansen Yuncken’), as head contractor, engaged Straightline Civil Pty Ltd (‘Straightline Civil’), as subcontractor, (‘the Hansen Yuncken Contract’) to carry out retention and foundation piling works as part of a large residential construction project at Bills Street, Hawthorn (‘the Project’) [6]

Straightline Construction’s evidence was that:

• it defined the issue as

[Straightline Construction] disputes that the debt claimed in the Statutory Demand is due and payable, by reason of there being a genuine dispute that the debt is owing as the Company is not the entity which contracted with [Browns] to perform the services detailed in the Invoices, and the debts have not been sufficiently particularised.

• ?Straightline Construction was incorporated in March 2020
• Straightline Construction performs civil construction works in metropolitan Melbourne, partiuclarly in? Brighton and Clayton
• there are various ‘Straightline’ entities with different controllers, each having its own role in different projects & that Straightline Construction is not involved in the Hansen Yuncken contract at all [38]
• where it is said that Browns had dealings with ‘Straightline’ for several years, it was in fact engaged by four separate Straightline entities depending on the project and the entity involved in the Project was Straightline Civil, not Straightline Construction [40].
• a direction should have been issued to make it clear that invoices were to be issued to Straightline Civil and not Straightline Construction [41] invoices addressed to Straightline Construction should have been requested to be reissued to Straightline Civil.
• on 20 September 2022, Peter Greenstreet, an Operations Manager of Browns, sent an email enquiring as to whom the invoices for the remaining works on the Project should be issued to & Oltan Yemez, representing Straightline Civil, responded, stating that all invoices should be issued to Straightline Civil [42].
• an ASIC search of Straightline Civil? records Tarkan Gulenc as the sole director & the correspondence referred to between Mr Gulenc and representatives of Browns confirms that Straightline Civil admits it owes the debt [43]
• in regard to correspondence relied on by Browns to support their proposition that Straightline Construction owes the debt, the reference to intentions to pay? does not refer to Straightline Construction being liable to pay the debt [46].
• the communications containing promises to pay in the text message exchanges on 8 July 2022 were in the context of a statutory demand having been served by Browns approximately one month before and no reference to the identity of the contracting party as Straightline Civil [47]
• an agreement has been reached (which he refers to as the ‘Tri-Partite Deed’) between representatives of Hansen Yuncken, Straightline Civil, and Browns in relation to the payment of outstanding amounts, whereby Hansen Yuncken agrees to pay progress payments due to Straightline Civil in respect of the Project directly to Browns, in satisfaction of outstanding invoices rendered by Browns in relation to the Project (including those the subject of the Demand) and that a total of $193,775.56 has been paid to date, being the payment of $105,739.93 (including GST) in relation to the July Payment Schedule and $88,035.63 (including GST) in relation to the August Payment Schedule [51] – [52].
• Staightline Construcion has never been contracted to perform subcontract work on any sites in Hawthorn [12]

The respondent’s evidence Read the rest of this entry »