Privacy changes in Australia

Privacy strengthened in Australia

The Australian Privacy Principles (APPs) come into force on 12 March 2014. The APPs apply to Australian Government agencies and to most businesses with an annual turnover of $3 million or more.

Fines of $1.7 million are possible for breaches.

Image: Sony executives bow in apology after the 2011 PlayStation Network breach

Australian Privacy Principles

The Privacy Act now includes a set of 13 new harmonised privacy principles. The APPs regulate the handling of personal information by Australian Government agencies and by the private sector organisations covered by the Act, so both sectors are now held to a single set of principles.

The new Australian Privacy Principles (APPs) replace both the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to some private sector organisations. The changes do not generally replace existing state or territory privacy legislation (eg Victoria and the ACT), which will probably cause some confusion at the edges.

A number of the APPs are quite different from the existing principles, including:

  • APP 7 – on the use and disclosure of personal information for the purpose of direct marketing, and
  • APP 8 – on cross-border disclosure of personal information.

The OAIC gets teeth

The Privacy Act now includes greater powers for the OAIC which include:

  • conducting assessments of privacy compliance for both Australian Government agencies and some private sector organisations
  • accepting enforceable undertakings
  • seeking civil penalties in the case of serious or repeated breaches of privacy

In some ways Australia is just catching up with Europe, Canada and the USA, but it's worth noting that serious or repeated breaches can mean organisations face civil penalties of up to $1.7 million. It is probably an understatement to say that this could have a serious impact on company finances as well as reputations.

One thing that is very good about these changes is that they align better with good information security practice: the same controls that protect personal information (access control, data minimisation, retention limits, breach handling) are what the APPs expect. We hope that these changes may help some organisations improve the state of their information security as they become privacy compliant.

For more information on the APPs and the OAIC's APP guidelines, see: Australian Privacy Principles.

Credit Reporting is changing too

The Privacy Act now includes new credit reporting provisions including:

  • introduction of more comprehensive credit reporting, with a simplified and enhanced correction and complaints process
  • introduction of civil penalties for breaches of certain credit reporting provisions
  • requiring credit providers to belong to an external dispute resolution scheme if they want to participate in the credit reporting system. The scheme must be recognised under the Privacy Act.

For a more detailed explanation of the credit changes see: Privacy business resource 3: Credit reporting — what has changed

A new mandatory credit reporting privacy code (CR code), created by the Australian Retail Credit Association (see the OAIC's Codes Register), also starts on 12 March 2014.

We can help

We are helping government agencies and businesses assess the privacy impact of their activities in light of these legal changes. In particular, we have recently worked with the health and finance sectors in Queensland, the ACT and Victoria.

Please contact us at Resilience Outcomes for assistance.


Cyber Identity theft service sold personal information on US citizens by compromising multinational consumer and business data aggregators

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of US residents has allegedly infiltrated computers at some of America's largest consumer and business data aggregators, including Dun & Bradstreet, according to Krebs on Security.

If you're Australian or a resident of another country where these companies operate, you had better hope that they didn't share information between their subsidiaries and the main office – because you know that would never ever (fingers crossed) happen!

This looks like a solid investigation by the guys and gals at Krebs. The hackers behind this identity theft service didn't exfiltrate data from their targets wholesale; they compromised the targets and let their own customers query the information directly, charging between 50c and US$2.50 for personal records and up to US$15 for credit checks – payable in Bitcoin or WebMoney, of course. That model matters for defenders: there is no large outbound transfer to spot, only a stream of individually legitimate-looking lookups from an account or host that should not be making them.

Compromised systems accessed through the criminal service seem to include

Importantly, according to a Gartner analyst, the compromise was probably aimed just as much at gathering information about companies in order to take out fraudulent loans in their names. If a criminal can masquerade as a large company, they can take out a much larger loan on its behalf than they could in the name of all but the richest individuals.

This may take a little while to play out, but it is likely to have an impact on legislative requirements for information security at data aggregator firms. By their very nature, they hold aggregated data on millions of people. Each piece of data requires protection on its own; aggregated, the data becomes far more valuable and therefore a greater target for cyber criminals and foreign espionage. How we deal with aggregation remains one of the keys to the risk-based handling of big data.

A culture of entitlement is corrosive

A culture of entitlement is corrosive in a government agency or any organisation

I've just come across a US government document which is both fun to read and educational. It's called the Encyclopedia of Ethical Failure (2013 edition) and it's published by the US Department of Defense. The dry title doesn't do this piece justice; I think the title should be "A culture of entitlement in an organisation is corrosive".

Image (credit: http://www.flickr.com/photos/twicepix/): a culture of entitlement is corrosive, just like acid

The reason you should read it is that it is a series of sometimes funny, sometimes tragic stories about how employees forget that the employee/employer relationship is a two-way street. Maybe it is also about how employers forget that their staff are human: they sometimes do dumb things and forget about the consequences of their actions.

Stephen Dubner from Freakonomics interviewed the current and past editors, Steve Epstein and Jeff Green. Interestingly, they said it was difficult to find common characteristics (gender, race, religiosity, seniority) among the people who did these things. Green and Epstein suggested that none of them thought properly about the consequences of their actions. The other thing to notice is that security people, intelligence officers and lawyers commit these offences too.

Maybe, taken as a collection, these are cases of a man or woman failing to identify the full consequences of their actions. In risk terms, it is an individual's failure to appreciate the initial risk and the downstream consequences when they get caught.

The other interesting observation is that some people are cheap to bribe. Some of these people lost their careers, and potential lifetime earnings of millions of dollars, for a few hundred dollars in cash or kind. This is a sign that the perpetrators haven't thought about personal risk and/or that their decision-making is visceral. It makes me wonder whether one possible mitigation against fraud is teaching employees decision-making, to improve the way they weigh up alternatives. Maybe the SWOT analysis is the best preventative tool against fraud!

Because the document was written by the US Department of Defense it has a military flavour, but the examples run the gamut of the US federal public service. Here are some of my favourite excerpts. I'm sure you'll get a laugh out of these, and some food for thought. Maybe some of them are familiar in your organisation...

FBI Undercover Parties

According to an FBI report, upon the retirement of a senior FBI official, FBI personnel from around the country journeyed to Washington to attend the official's retirement party. Many out-of-town G-men traveled on official orders and at public expense. According to their travel orders, the purpose of the trip was to attend an ethics conference! According to the news report, only five people actually attended the ethics forum.

"But, Judge, I didn't get anything!"

An offshore safety inspector found much of the Government's equipment to be in need of repairs to meet safety standards. He then referred the business to his brother-in-law's repair shop. The rig operators smelled a rat and called the FBI. They discovered that, in return for each referral, the brother-in-law was treating the inspector to an evening with a lady of dubious morals.

The case was brought to trial. In his defense, the inspector claimed that he had not received a “thing of value” in return for the referral. The judge didn’t buy it – and neither did his wife.

Courting Trouble

A former official of the U.S. Tax Court, Fred Fernando Timbol Jr., was sentenced to 18 months in prison and three years of supervised release in connection with a bribery conspiracy.

Timbol was a facilities services officer in the Facilities Management Section of the U.S. Tax Court. Timbol was responsible for assisting in the award of contracts to contractors who provided maintenance, construction, and other related services to the Court. Timbol admitted to soliciting and accepting over $12,000 from a government contractor in exchange for rigging the award of at least six inflated contracts. As part of a plea agreement and by order of the court, Timbol also agreed to pay restitution of $24,143.

DVD Bootleggers MIA During Government Work Hours

A Federal employee used his Government computer to make illegal copies of commercial DVDs in violation of copyright laws. He and another employee also used their Government computers and duty time to watch the movies. The other employee took lunches lasting up to three hours in order to watch the DVDs and take naps. Initially the employees' supervisors signed off on this behavior, even assigning extra work to others to make up for the employees' time wasted napping and movie watching. The employee who copied the DVDs received a written reprimand. The supervisor received an oral admonishment for failing to address the misconduct, and another employee received a Letter of Counseling for knowingly accepting a pirated DVD.

In a similar case, a civilian employee working for the U.S. Army in Germany was involved in selling pirated DVDs. He used the profits from his illegal operation to buy vacation homes and luxury cars and to pay for frequent European ski vacations. He devoted some of his duty time to the marketing and selling of the bootleg videos, including taking payments while on the job. Even though the employee had left Federal service by the time the accusations against him were substantiated, administrative action was taken to bar him from US Army Europe installations.

This next one is interesting because of the recent Asiana crash.

FAA Employee Sentenced for Bribery

A former employee of the Federal Aviation Administration (FAA) was convicted of bribery. In carrying out his primary responsibility of reviewing and processing applications for FAA-issued pilot certificates, the employee accepted bribes of $2,000 and an all-expenses-paid trip to Korea in exchange for preferential treatment of applications for Korean pilots from the flight school Wings Over America.

The employee was sentenced to pay a $2,000 fine and serve four months in prison, followed by three years' probation, for violating 18 U.S.C. 201(b)(2). Bribery occurs when a public official seeks or accepts anything of value in return for being influenced in the performance of an official act.

Government Lawyer in Tucson Illegally Possesses Sheep Skull and Horns

The Assistant U.S. Attorney (AUSA) prosecuted an individual for illegally killing a bighorn sheep on an Indian Reservation. As a result of the prosecution, the hunter forfeited the bighorn sheep and trophy (skull and horns), valued at approximately $5,000, to the Arizona Game and Fish Department. Pursuant to a request from the AUSA, the Arizona Game and Fish Department entered into an agreement with the AUSA allowing him to publicly display the skull and horns in his office, but requiring their return upon request. However, after leaving employment with the U.S. Attorney’s office, the AUSA took the skull and horns with him and treated them as his personal property. When the former AUSA was questioned a year later about his possession of the skull and horns, he claimed that an unspecified Indian had sent the skull and horns to him in appreciation for his work on the prosecution of the hunter. Investigation showed that such a gift would have been contrary to tribal practices and no member of the tribe could be found who knew anything about the alleged gift.

CIA Employee Drives Overseas Auto Scheme

As a U.S. Federal employee residing in Egypt, the CIA employee discovered that he could purchase an imported vehicle in Egypt without having to pay the normal 150% excise tax. This fact had created a black market in which Egyptian car brokers would pay U.S. employees to register luxury cars in their names in order to allow the dealers to evade import taxes. Investigators found that while in Cairo, Egypt, the employee had agreed to accept $25,000 in exchange for changing the status of his personally-owned vehicle with the Egyptian Ministry of Foreign Affairs, which would allow him to participate in the scheme.

———————–

So those are some of the highlights from my perspective. You can download the full document here (163 pages). You'll find that it references most vices! What do you think about the alternative title, "A culture of entitlement in an organisation is corrosive"?