14 November 2019

News round-up 15 November 2019 — Breach enforcement for banks, ACCC sues Google and Medicare data matching

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up: 

Step right up! Step right up! And behold as regulators, governments and tech companies jostle for the position of strongest advocate for privacy and cyber security. At least, that’s what it has felt like in recent weeks with a series of strong announcements. In our latest news roundup, we explore the key takeaways for businesses.

Key articles: 

Banks warned to expect ‘tougher’ breach enforcement amid poor ‘cyber hygiene’

Summary: The prudential regulator warned Australian banks to expect tougher enforcement, as it uses data-driven insights to strengthen supervision under its information security standard, CPS 234.

Key risk takeaway: At the beginning of 2019, we signalled an expected shift by the Australian Prudential Regulation Authority (APRA) towards more substantive oversight of compliance with its security standards, and that is what this speech promises. The warnings come with some insight – drawing on data from the first four months of the CPS 234 regime, APRA executive board member Geoff Summerhayes outlined the key areas in which it expects financial providers to make improvements. And they’re the greatest hits of good security – patching systems for security flaws, implementing better access control (especially for privileged user accounts), completing an inventory of the IT assets that need to be managed, and governing the security capabilities of third parties and suppliers.

Tags: #compliance #cps234 #cyberriskassessment

ACCC sues Google over location data

Summary: Google is facing allegations from the consumer watchdog that it has misled consumers about the personal location data it collects, keeps and uses.

Key risk takeaway: Described by the Australian Competition and Consumer Commission (ACCC) as a “world first”, this action speaks to the continued elevation of privacy as a headline consumer issue. The ACCC’s allegations against Google reflect a growing focus on how businesses deal with transparency and disclosure – core principles relating to the appropriate handling of customer information. Businesses can embed these principles into their products or services by conducting privacy impact assessments when starting new initiatives.

Tags: #privacy #privacybydesign #privacyimpactassessment

NAB, CBA, Telstra, and Microsoft to test Australian government AI ethics principles

Summary: Australian businesses have said they will test a new ethics framework issued by the Australian Government that sets out eight principles to guide the ethical design, development, integration and use of artificial intelligence (AI) systems.

Key risk takeaway: The principles in the Government’s framework are a concise summary of the key issues that should be front of mind when developing a new AI system (or indeed any new technology). However, businesses should be wary of using them as a substitute for rigorous assessment of the relevant compliance, reputational, social and digital risks. Many of the principles (e.g. “privacy protection and security”) reflect what is already enshrined in law (e.g. in the Privacy Act). The principles have attracted criticism from some quarters, with some questioning whether they will have any real impact or merely provide an ethical veneer for questionable processes.

Tags: #AI #data #ethics #regulation

Microsoft says it will apply California privacy law across the country

Summary: Microsoft will apply the privacy protections from a stringent California law to its customers across the US, which it hopes will push other states to adopt similar measures.

Key risk takeaway: At the very least, Microsoft’s strong endorsement of the California Consumer Privacy Act (CCPA) is another sign of large businesses recognising the importance of publicly and proactively embracing privacy. In making the announcement, Microsoft laid out some of its core privacy practices, which could be instructive for other businesses running privacy programs, including: recognising privacy as a fundamental human right, creating a privacy dashboard for users to understand and control their personal data, and committing to provide greater transparency and control (as required by the CCPA). The CCPA – often likened to Europe’s General Data Protection Regulation – has been hotly debated by US lawmakers, not least in the context of (as yet unsuccessful) discussions to create federal-level privacy legislation in the US.

Tags: #privacy #privacyregulations

Privacy fears over proposed Medicare data matching scheme

Summary: Privacy concerns have been raised with proposed laws that would allow the Department of Health to access and share health information for Medicare compliance purposes.

Key risk takeaway: Organisations need to maintain focus on individuals’ inherent right to privacy, even while pursuing initiatives that will deliver benefits from the use of data. Data matching initiatives can promise wide-scale efficiency and innovation advantages – in this case, the government says it will be better able to detect fraudulent Medicare claims – but consumers and privacy advocates have increasingly made clear that they don’t accept a paradigm in which “privacy and public good … be mutually exclusive”. Privacy by design approaches, such as conducting privacy impact assessments, can embed privacy considerations into data-driven initiatives at early stages of their development.

Tags: #privacy #privacybydesign #privacyimpactassessment

Ransomware infects popular web-hosting provider SmarterASP

Summary: A web-hosting company with more than 440,000 customers has been hit by ransomware, forcing a number of its customers’ websites offline.

Key risk takeaway: This cautionary tale unites two of the dominant cyber trends of recent years – ransomware and third-party attacks. Businesses are increasingly aware of the risk that ransomware poses to them directly, and many have adopted key measures to protect themselves. This incident shows that business operations can also be substantially disrupted when a supplier of critical services is infected. Hosting providers have reportedly become a highly attractive target for cybercriminals for this very reason. Due diligence on the security protections in place at any key supplier is increasingly critical, as is having clear commitments and processes for response and recovery in the event the supplier experiences a cyber incident.

Tags: #ransomware #supplierrisk