FILED Newsletter | Dec 2022
RecordPoint
Giving highly-regulated organizations a competitive edge with safer, more secure, better managed data.
Hi there,
Welcome to all the new subscribers to the FILED Newsletter, our monthly round-up of relevant news, opinion, guidance, and other useful links in the world of data, records and information management. This month:
But first...
When it comes to data breaches, focusing on the perimeter will never be enough
We’re more than a month on from the Medibank hack, and the hacker may be the only person who has drawn a line under the issue, last week announcing “case closed”, with a final 5GB dump of data on the dark web.
Everyone else—the victims, the government, and the business, security, and compliance community—is still grappling with the fallout.
Medibank CEO David Koczkar apologized again to customers and said it wasn’t “case closed” from Medibank’s perspective, and they were doing everything they could to remain vigilant and support customers. Meanwhile:
For Australian businesses, one of the biggest impacts will be the amendments to the Privacy Act.
Updated Privacy Act – bigger fines and more focus on data retention
Under the amended Privacy Act, the maximum penalty that can now be applied for a serious or repeated privacy breach will be increased from $2.22 million to the greater of:
The amendment also strengthens aspects of Australia’s privacy regime, through greater powers for the Privacy Commissioner to resolve privacy breaches, seek information about notifiable data breaches, and publish or share information about its investigations with other regulators. The Bill will become law once assented to by the Governor-General.
While these changes have been prompted by several high-profile data breaches in recent months, the penalties apply to any serious or repeated breach of privacy, not only data breaches. This means a material failure to comply with any of the Australian Privacy Principles could attract the new penalties.
The terms ‘serious’ and ‘repeated’ are not defined in the Privacy Act, and some commentators have raised concerns that it is hard to be sure whether conduct meets the standard. We expect these terms to be further defined as part of the broader reforms of the Privacy Act (anticipated in 2023).
The OAIC has also published guidance on these terms, which can be seen here.
This is still only part of the solution
When it comes to the Medibank breach, the focus of reporting and investigation is often still on how the attacker gained access, and how that could have been prevented. Fewer people are asking why the business held so much data, from so many customers (and former customers), and why it was so poorly managed.
Focusing on the “fence” (the security perimeter) only gets you so far. You also need to keep your valuables “tidy and in a locked safe”.
No matter how secure your perimeter is, if you don’t know where your sensitive data is, if you’re not removing what you no longer need, or if your data access controls are weak, all it takes is for someone with (often unnecessary) access to click on the wrong link.
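The three points above (know where sensitive data lives, remove what retention no longer justifies, and limit who can read it) can be turned into a routine check over a data inventory. The script below is an added example written for this newsletter, not RecordPoint product code; the inventory, the sensitive-field list, the seven-year retention rule and the reader-count threshold are all constructed assumptions to illustrate the idea.

```python
"""Data-minimization sweep over a constructed data inventory.

For each dataset it answers three questions the article raises:
  1. Does it contain sensitive fields (do we know where the sensitive data is)?
  2. Has it passed its retention period (should it have been removed)?
  3. Can more roles read sensitive data than the policy allows (access controls)?
All inputs are constructed sample data, not a real inventory.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed classification list: field names treated as sensitive personal data.
SENSITIVE_FIELDS = {"medicare_number", "diagnosis", "passport_number", "dob"}

# Assumed retention rule: keep records for seven years after the last customer activity.
RETENTION = timedelta(days=7 * 365)

# Assumed policy: at most this many roles may read a dataset holding sensitive fields.
MAX_SENSITIVE_READERS = 3


@dataclass(frozen=True)
class Dataset:
    name: str
    fields: frozenset          # column names held in the dataset
    last_activity: date        # most recent customer activity the data relates to
    readers: frozenset         # roles granted read access


def sensitive_fields(ds: Dataset) -> list:
    """Return the sorted sensitive field names present in a dataset."""
    return sorted(ds.fields & SENSITIVE_FIELDS)


def is_expired(ds: Dataset, today: date, retention: timedelta = RETENTION) -> bool:
    """True when the dataset is older than the retention period."""
    return today - ds.last_activity > retention


def is_overexposed(ds: Dataset, max_readers: int = MAX_SENSITIVE_READERS) -> bool:
    """True when sensitive data is readable by more roles than policy allows."""
    return bool(sensitive_fields(ds)) and len(ds.readers) > max_readers


def sweep(inventory, today: date, retention: timedelta = RETENTION,
          max_readers: int = MAX_SENSITIVE_READERS) -> dict:
    """Produce a findings report: sensitive datasets, expired ones, over-exposed ones."""
    report = {"sensitive": {}, "expired": [], "overexposed": []}
    for ds in inventory:
        fields = sensitive_fields(ds)
        if fields:
            report["sensitive"][ds.name] = fields
        if is_expired(ds, today, retention):
            report["expired"].append(ds.name)
        if is_overexposed(ds, max_readers):
            report["overexposed"].append(ds.name)
    return report


# Constructed sample inventory (hypothetical datasets and roles).
SAMPLE_INVENTORY = [
    Dataset("claims_2014", frozenset({"name", "medicare_number", "diagnosis"}),
            date(2014, 6, 30),
            frozenset({"claims", "analytics", "marketing", "support", "contractors"})),
    Dataset("active_members", frozenset({"name", "dob", "medicare_number"}),
            date(2022, 11, 20), frozenset({"claims", "support"})),
    Dataset("web_analytics", frozenset({"page", "session_id"}),
            date(2022, 11, 30),
            frozenset({"marketing", "analytics", "support", "engineering"})),
    Dataset("former_members_2015", frozenset({"name", "dob", "email"}),
            date(2015, 3, 1), frozenset({"marketing"})),
]

if __name__ == "__main__":
    findings = sweep(SAMPLE_INVENTORY, date(2022, 12, 1))
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Run against the sample inventory as of 1 December 2022, the sweep reports the two datasets that should already have been deleted under the assumed retention rule, and the one where sensitive claims data is readable by five roles. A real deployment would replace the hard-coded inventory with the organization's catalogue and turn the expired list into a deletion or review queue rather than a printout.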
Privacy and governance
During spiraling Covid-19 cases in 2020, the Victorian government sent citizens’ contact tracing data for potential use by controversial data mining firm Palantir.
Related: the United Kingdom’s National Health Service is also poised to build one of the biggest health data platforms in the world with Palantir.
Google will pay US $392 million to 40 states in the largest ever US privacy settlement, after a 2018 investigation found the tech giant tracked user location even after users had opted out. Google has since ceased these practices, and as a result of the lawsuit the company says it will be more transparent with users about what it collects.
Security
According to estimates from researchers: three dozen groups of Russian hackers infected 890,000 user devices with malware, obtaining 50 million passwords, all within the first seven months of 2022.
Australia will establish a 100-person team to “hack the hackers”, starting with ransomware groups.
A hacker capitalized on a TikTok challenge to spread malware. The trick used the promise of naked pictures to send unwitting users to download a malware package from source code hosting platform GitHub and join a “community” on chat platform Discord. This use of legitimate services is worrying security researchers.
A former penetration tester and expert social engineer reflects on what’s missing in security, which he learned penetration testing some of the world’s largest organizations. He broke into one financial institution four years in a row by just walking through the front door and convincing staff he was an auditor.
The latest from RecordPoint
Are you getting value from the data your business collects, or are you just collecting more of it? Data enrichment can streamline data minimization, save costs, and make it more likely you will provide the right data when needed.
As technology shifts, your on-premises legacy EDRMS is likely growing more out of date. Learn how to choose the right pathway to move beyond this outdated situation.
That's all for this month: remember, make sure to subscribe to receive notifications when the next edition is live!
We want to talk to you!
Do you know someone working at the forefront of the privacy, security, and data space? We’re working on something new, and we’d love to talk to innovative thinkers and doers who are keen to share their knowledge and experience with the world.
If this is you or someone you know, leave a comment under this edition and we'll set something up!