IIS Newsletter #1 2024
IIS Partners
Privacy and security consultants - helping organisations move from compliance to performance.
Welcome to Issue #1 2024 of the IIS Partners Newsletter.
Balancing National Security and Privacy; Cyber Security Concerns and Further Reforms; TikTok Marketing Pixels; Safe and Responsible AI; and Poor Data Governance in Australia
Happy New Year and welcome to Issue #1 2024 of the IIS Partners Newsletter! This year, IIS will be celebrating its 20th year serving Australian and global clients. Thank you for being part of the journey. We look forward to commemorating our significant milestone throughout the year with you.
IIS Community Contributions
IAPP ANZ Advisory Board
Partner Nicole Stephensen has been appointed to the IAPP ANZ Advisory Board from January 2024. This follows on from several years as KnowledgeNet Chair for (Brisbane / Gold Coast) and as a founding Board member (together with Partner Malcolm Crompton AM) of the iappANZ, the predecessor to IAPP in the region.
Future of AI Summit 2023
The Future of AI Summit was hosted on 18 December by the NSW Department of Customer Service, to showcase how AI is being used in NSW Government to improve and transform the lives of its citizens.
IIS Founder & Partner Malcolm Crompton AM participated in a discussion panel on the NSW AI Assurance Framework (version 2.0) and emphasised the importance of risk allocation in planning for failure and when things are not going right for users. Malcolm added that the NSW AI Assurance Framework could be improved by having a feedback loop requirement in place that allows for ongoing monitoring and evaluation.
If your organisation is looking to develop the right approach to AI governance, please contact us here.
National Security and Privacy White Paper
Partner Mike Trovato and Analyst Simon Liu have developed an IIS white paper on ‘The Delicate Balance Between National Security and Privacy’. In a world that is experiencing multiple conflicts and persistent threats, there is a need to strike a balance in pursuing the two worthy goals while avoiding false dichotomies. We delve into the OAIC’s ‘4A framework’, which was developed to provide guidance on how law enforcement and national security authorities can assess and deploy their powers to protect Australians, while respecting our privacy.
Upcoming Events and Appearances
Adelaide KnowledgeNet, 22 February
Nicole Stephensen will be speaking at the Adelaide IAPP KnowledgeNet on the Australian privacy law reforms expected in 2024. This session will dive deep into the ‘agreed’ recommendations, focusing on the nuances and practical steps needed to prepare for them. It will also highlight what to look out for in relation to the ‘agreed in principle’ recommendations. More information and registration options are available here.
News and Notables
Cyber security is Australian business leaders’ biggest worry
The Australian Financial Review’s annual Chanticleer survey and similar surveys of more than 50 top Australian executives have reported that cyber security threats remain one of the top challenges in 2024. Key concerns of business leaders relating to cyber security risks include ‘after-the-event’ type challenges such as understanding their organisation’s ability to sustain operations if the disruption lasts for a long time, and practical aspects like dealing with the media, regulators and negative public attention.
IIS wrote about these issues in our white paper “Optus 2022 cyber attack: Shining a light on the inevitable”, describing the powerful lessons learned in the Service NSW major cyber incident of 2020-21. See also our review of Service NSW’s post incident response.
Businesses face fines for the failure to report ransomware information
Following the release of the National Cyber Security Strategy in November, the Australian Government is conducting a consultation on proposed new cyber security legislation and on changes to the Security of Critical Infrastructure Act 2018 via a Consultation Paper.
The Paper includes a proposal for a mandatory no-fault, no-liability ransomware reporting obligation for businesses to report ransomware incidents and payments. The obligation could be restricted only to businesses with an annual turnover of more than $10 million per year, which would capture approximately 42,000 businesses.
TikTok faces investigation by the OAIC over their data handling practices
The OAIC is investigating TikTok’s use of marketing pixels, which follow individuals’ online actions and can collect data even though individuals are not using the app. TikTok claimed that individuals consented to advertisement tracking by visiting websites that have the TikTok pixel tool installed, for example, Hulu and Etsy. The claims and counterclaims in this case could have major implications for the protection of online privacy, especially in relation to how consent is operationalised.
Marketing pixels are one example of third-party plugins on websites or mobile apps with privacy implications. Typically, such plugins have the same access to customer data as the website or app owner, which creates a risk of inadvertent data leakage. There are solutions to this issue in the form of Privacy Enhancing Technologies that give the website or app owner dynamic control over all data going to third parties, without impacting the user experience. If your organisation is looking to assess or manage the risks of third-party plugins, please contact us here.
Australian Government releases interim response to safe and responsible AI consultation
The Australian Government has published its interim response to the safe and responsible AI consultation held in 2023, to understand the use of AI in high-risk settings, where harms could be difficult to reverse while ensuring that the vast majority of low risk AI use continues to flourish largely unimpeded. The Government is now considering mandatory guardrails for AI development and deployment in high-risk settings, whether through changes to existing laws or the creation of new AI specific laws. Australia is closely monitoring how other jurisdictions – including the EU, US and Canada – are responding to the challenges of AI and will continue to work with other countries to shape international efforts in this area.
Are you at risk of a data breach due to poor data governance?
The Australian Governance Institute of Australia has published a report on data governance in Australia, which found that many organisations do not have effective data governance in place to reduce the risk of a data breach. More than half of organisations do not have a data governance framework, and almost 60% say the board does not have an understanding of the organisation’s current data governance challenges.
Advice from the OAIC is to first establish the data you are holding, and then conduct a risk assessment and formulate a remediation plan. This provides a baseline for targeted risk mitigation actions to reduce both the likelihood and impact of a data breach. Knowing where to start can be a challenge for organisations with data collected over many years and stored in multiple systems, but there are reasonably mature technologies available today that can automate the data discovery process. For more information, please refer to this post from TrustWorks360.