Community Legal Centres Queensland · Cambridge Analytica OAIC Qtrly Report CBA Data Loss PageUp...
Community Legal Centres Queensland
Privacy and data breaches
Cathy Lyndon, Special Counsel
25 October 2019

What we will cover
- Context
- What is personal information?
- Mandatory Data Breach regime
- Practical steps CLCs can take
Overview of privacy obligations

Privacy law framework – legal sources of privacy obligations:
- Privacy legislation: Privacy Act (Cth); Information Privacy Act (Qld)
- Workplace surveillance legislation: NSW, ACT, SA
- Listening devices legislation
- Other protective legislation: SPAM Act, Do Not Call Act, RTI/FOI Acts
- Contractual obligations
- Common law (confidentiality, commercial-in-confidence)
Privacy Act enforcement

OAIC enforcement toolkit includes:
- Investigations and conciliation
- Enforceable undertakings
- Injunctions and determinations
- Penalties for corporations: up to $102,000, or $1.7 million for serious or repeated breaches
- Public reports

Timeline:
- Commencement of NDBS
- Facebook and Cambridge Analytica
- OAIC Quarterly Report
- CBA data loss
- PageUp
- Facebook #2
- OAIC Quarterly Report #2
- Cathay Pacific
- Nova and Vic Govt
Lessons learned – causes of breaches
- Inadequate password protection
- Little control over privileged accounts
- Poor user account management, especially de-provisioning of unused accounts
- Inadequate controls over remote access
- Lack of security monitoring for suspicious and malicious activity
Mandatory data breach regime

What is serious harm?
- Objective test – entities are not generally expected to make enquiries about the circumstances of each affected individual
- Reasonable person means a person in the entity’s position who is properly informed, based on information immediately available following reasonable enquiries OR an assessment of the breach
Relevant matters (a non-exhaustive list)
- Kind or kinds of information
- Sensitivity of the information
- Whether protected by one or more security measures
- The likelihood those security measures may be overcome
- The person or persons who have (or could) obtain the information
- Whether security measures render the information unintelligible or meaningless
- The likelihood those security measures could be overcome
- The nature of the harm …

Example 1: Name, DOB
Example 2: Name, DOB, Address

Example 3: Name, DOB, Address, Phone number
High risk credentials

Potential impacts
- ~23% of individuals will experience emotional harm from a data breach notification
- ~2% of individuals believe they have experienced a phishing or telephone scam resulting from the data breach
- <0.5% experience actual misuse
Remedial action: Recover? Change? Successful?

Assessment and notification steps

| | Step 1 – Assessment | Step 2 – Notify Commissioner | Step 3 – Notify individuals |
|---|---|---|---|
| Obligation | Positive duty to investigate (once suspected). Determine if there are reasonable grounds to believe that there has been an eligible data breach (must be a reasonable and expeditious assessment) | Prepare statement about the breach and provide to the Privacy Commissioner | |
| Timing | 30 days to make the assessment if unsure whether it is an eligible data breach | As soon as practicable after becoming aware that there are reasonable grounds to believe there is an eligible data breach | As soon as practicable after the statement (step 2) is prepared |
Notification of eligible data breach
1. Prepare and submit a compliant statement to the OAIC
2. If practicable, take reasonable steps to notify the contents of the statement, using the usual method of communication, to individuals to whom the relevant information relates, or who are at risk from the eligible data breach
3. Otherwise publish the statement by publishing a copy on the organisation’s website if it has one, and taking reasonable steps to publicise the contents of the statement

Consequences of failing to notify (same enforcement regime):
- Investigations
- Determinations
- Compensation
- Enforceable undertakings
- Civil penalties (up to A$2.1m)
Data breach scenario
The data breach
Ready, set… notify?

Checklist – assessing the data breach
- Is the personal information likely to have been lost or accessed?
- Type and volume of personal information?
- Individuals who are or may be affected (are they vulnerable)?
- Cause of the breach?
- Extent of the breach?
- Was it caused by a third party (hacker), and are the motives malicious?
- Possible harm(s) that may occur to the individuals affected?
- How can the breach be contained and remediated, or how can the PI be secured or recovered?
How to prepare
To do
- Train your employees and volunteers on identifying, escalating and actioning breaches
- Identify a data breach response team
- Develop a data breach response plan
  - Contain, Assess, Notify, Review
  - Communications
- Review IT security, recovery options and insurance
Questions?