
Legally Mine

by Brenda van Rensburg, Head of Data Security, Terrene Global; Privacy Officer/Analyst for HBF

A digital footprint is the trail of data you leave behind with every interaction you have with the digital world.1 From the latest website you visited to the last app you downloaded, your data is important to someone or some entity. The argument is often raised that a person with nothing to hide has nothing to fear. Yet very little attention is given to why this data is being collected in the first place.

There is a misconception that if you cannot see it then it cannot be real. However, the Cambridge Analytica affair2 revealed that your digital footprint, your digital data, can be more valuable than the ‘sensitive information’ defined in the Privacy Act.3 In Australia the collection, storage and sharing of this data is legal and no consent is needed. Australia’s legislation is limited and, unlike the European Union’s General Data Protection Regulation (GDPR), it does not protect individuals from the collection of this data. Ironically, there is also no clear legal recourse for an individual who has been the victim of a data breach.4 Additionally, a person’s reputation, and a company’s brand, could suffer significant damage as a result of the collection of this data.

Without such regulation, data is ‘legally mine’. This article discusses the collection, storage and sharing of information and data, and the steps a business should take to reduce brand damage.

Data v Information

There is a significant difference between data and information. Information is the term the Privacy Act defines, and its focus is the collection of personal identifiable information in legible form.5 It is, for all intents and purposes, the legible text that is collected, stored and shared. Data, by contrast, is a collection of raw values that must be normalised before it can be understood.6 It is the ‘basic element that can be processed or produced by a computer to convey information’.7 Arguably, without an algorithm or a specific skill set, the average person would not understand it.

The Privacy Act identifies the categories of information, including sensitive information, that can identify a person.8 Little attention is given to the term ‘data’. On this view, data is binary with no substantial value in itself. A person using a tool such as Wireshark could therefore ‘eavesdrop’ on a digital conversation and gather data without anyone’s consent,9 and because ‘data’ is not a term the Privacy Act recognises, the Act does not treat this method as malicious, at least so far as the Privacy Act is concerned.

Collection of Data

Wireshark is a packet analyser that captures the traffic visible to a network interface. On an open public Wi-Fi network, or on a hub or mirror port, that includes traffic from other devices on the same network; on a modern switched network it is usually limited to the capturing host’s own traffic and broadcasts. To the average person, the ‘captured’ packets it lists have no meaning or value. To a trained professional, however, they can reveal some potentially harmful information: the source that sent each packet; the destination it is going to; the protocol used; the size of each packet; and, depending on the packet type, further detail that can be drilled into.10 Much of this metadata is visible even when the payload itself is encrypted. In other words, there is enough data to create a profile for the next target. On the flip side, there are many businesses that knowingly collect data. In Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd, Gleeson CJ recognised that businesses often use information for the purpose of income.11 Sales, after all, are the lifeblood of a business, and the best way to increase sales is by truly knowing your customer. This can be achieved through a strategic marketing campaign.12 Ironically, cybercriminals use similar tactics to gather information about their ‘customers’.13
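To make the above concrete, here is an added example (not from the article, and not Wireshark’s own code) that reads a small packet capture in the classic libpcap format and extracts exactly the summary fields listed: source, destination, protocol and size, plus the name being resolved where the packet is a DNS query. The capture is constructed in the code itself, with made-up private addresses and domain names, so it runs offline; the point it demonstrates is that a profile of a host emerges from metadata alone, without reading any payload.

```python
"""Added example: a minimal libpcap reader that pulls out the same packet
metadata Wireshark shows in its summary pane (source, destination, protocol,
size) and, for DNS queries, the name being looked up. Standard library only;
the capture is constructed below, so no network access is needed."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_P_IP = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_packet(src, dst, proto, payload, sport=0, dport=0, flags=0x02):
    """Construct an Ethernet/IPv4/{TCP,UDP} frame. Checksums are left zero:
    Wireshark flags that, but it does not hinder metadata analysis."""
    if proto == 6:   # TCP header, 20 bytes, SYN flag by default
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    else:            # UDP header, 8 bytes
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0x4000, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_P_IP)
    return eth + ip + l4 + payload


def dns_query(name):
    """Encode a minimal DNS A query: the name travels in clear text."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def build_pcap(frames):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def _decode_qname(buf):
    labels, i = [], 0
    while buf[i]:
        n = buf[i]
        labels.append(buf[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)


def parse_pcap(data):
    """Return one summary dict per IPv4 frame: what Wireshark's packet list shows."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off, records = 24, []
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        rec = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
               "proto": PROTO_NAMES.get(proto, str(proto)), "length": len(frame),
               "sport": None, "dport": None, "dns_qname": None}
        l4 = ip[ihl:]
        if proto in (6, 17):
            rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        if proto == 17 and rec["dport"] == 53:
            rec["dns_qname"] = _decode_qname(l4[8 + 12:])   # skip UDP + DNS headers
        records.append(rec)
    return records


def profile(records):
    """Turn raw rows into the kind of target profile the article warns about:
    which services each host talks to and which names it resolves."""
    prof = {}
    for r in records:
        host = prof.setdefault(r["src"], {"services": Counter(), "lookups": set()})
        if r["dport"] is not None:
            host["services"][(r["proto"], r["dport"])] += 1
        if r["dns_qname"]:
            host["lookups"].add(r["dns_qname"])
    return prof


# Constructed sample capture: one laptop on a coffee-shop network (made-up names).
SAMPLE_PCAP = build_pcap([
    build_packet("192.168.1.23", "192.168.1.1", 17, dns_query("mail.example-lawfirm.com"), 51000, 53),
    build_packet("192.168.1.23", "203.0.113.10", 6, b"", 51001, 993),
    build_packet("192.168.1.23", "192.168.1.1", 17, dns_query("docs.example-bank.com"), 51002, 53),
    build_packet("192.168.1.23", "198.51.100.7", 6, b"", 51003, 443),
])

if __name__ == "__main__":
    rows = parse_pcap(SAMPLE_PCAP)
    for r in rows:
        print(f'{r["src"]:>14} -> {r["dst"]:<14} {r["proto"]:<4} {r["length"]:>4}B  {r["dns_qname"] or ""}')
    for host, p in profile(rows).items():
        print(host, dict(p["services"]), sorted(p["lookups"]))
```

Run as a script it prints the four summary rows and then the profile: the host resolves a law firm’s mail server and a bank’s document portal and opens IMAPS and HTTPS sessions. None of the payload was inspected, and it would not matter if it were TLS-encrypted; the employer, the bank and the working pattern are all in the metadata.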

Target’s statistician, Andrew Pole, found that the company could learn a great deal about its customers just from their purchases. Every time a customer used a ‘loyalty card’, a significant amount of data was collected. After analysing the data, Target was able to determine which customers were pregnant just from the products they purchased. Many may feel that this type of inference is not invasive; the father of a teenage daughter would disagree.14 Target’s revenue grew by over $20 billion just by cornering the ‘baby business’.15 Oddly, cybercriminals apply similar tactics in the form of phishing emails.16

Limitation in Legislation

It could be argued that the Australian Privacy Act is more of a guideline for how businesses should collect, store and share information. The Act applies only to entities that fall within the definitions attached to the Australian Privacy Principles (APPs). With limited exceptions, a business with an annual turnover under $3 million does not have to follow this legal instrument at all.17 Compared with the European Union’s GDPR, the Privacy Act could be argued to be a toothless tiger: a penalty is yet to be imposed on a business for a data breach.18 In July 2020, highly sensitive information was compromised in one of WA’s biggest privacy breaches.19 This breach was associated with the use of a third-party pager service. Under the Privacy Act a business could face up to 2,000 penalty units depending on the infringement,20 yet since the 2018 amendments there is no record of any penalty or fine imposed on any business. The GDPR, by contrast, treats a data breach extremely seriously, and European regulators actively fine companies for breaching it. In the Tietosuojavaltuutettu case, the Court of Justice of the European Union held that the Jehovah’s Witnesses community was a data controller, jointly with its members, for personal data collected during door-to-door preaching, and that EU data protection law applied to that collection.21 Collection of that kind would be completely ignored under the current Australian legal system. The gaping hole in the legislation, together with the lack of definitions for technical terms, leaves Australians and Australian businesses vulnerable to privacy breaches. Because of these limitations, data can be shared with many entities without consent; in effect, any person can collect, store and share data legally.

Data Breach & the Legal Impact

Notably, the lack of legislation is not the only ‘hole in the legislative wall’. A data breach could damage a business’ brand and possibly lead to a class action lawsuit.

In November 2018, Marriott International Inc. disclosed a significant data breach.22 Some customer information had been kept in plain text: around five million passport numbers were stored without encryption.23 The attackers had obtained access through a trojan. A trojan requires user interaction before it can be installed on a system,24 which is easily achieved if enough information has been gathered about a target to lure them into reacting to an attack such as a phishing email. Marriott’s share price fell by 16% within three months of the breach being disclosed.25 Unfortunately, this was not the only loss. Apart from the obvious cost of repairing the damage, Marriott International Inc. recently faced a class action lawsuit.26 In unprecedented COVID-19 times, in which Marriott has seen its share price plummet by over 59%, a class action could quite easily close the doors of several of Marriott’s struggling venues.

Public Wi-Fi is probably one of the most notorious places for gathering data. Lawyers, and other professionals who are obliged to protect sensitive information, could be exposed to ethical violations and ‘malpractice liability’.27 Data gathered through this medium could damage a firm’s brand and ultimately a lawyer’s career. It should be firm policy that lawyers do not connect their work computers or devices to any public Wi-Fi. Here are some tips to adopt when travelling or working out of the office:

• Use your personal hotspot or a portable wireless modem.
• Ensure each device is password protected and can be remotely erased if it is stolen or lost.
• Delete public networks you have used from your device’s saved network settings, so the device does not silently reconnect to a network of the same name later.

Lawyers and other professionals should be vigilant about the information they collect, how they store it and how they share it. According to ECU and the Law Society, 94% of lawyers send confidential data via email, and 53% send confidential data to non-business accounts.28 Under the Legal Professions Rules 2010 (WA), lawyers have a responsibility to keep their client information confidential.29

Here are some simple measures you can take when collecting, sharing and storing sensitive information:

• Ensure your data is encrypted and backed up.
• Do not send word-processing documents in their native format, as they may carry tracked changes and comments that reveal earlier drafts.
• Encrypt all documents before sending them.
• Do not send the encryption key or password in the same email as the document; use a separate channel.
• Make sure that all your data is stored in local and secure locations. Your IT team, or IT service provider, should be able to assist with this.
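The second measure, checking a Word document for tracked changes and comments before it leaves the firm, can be automated. The following is an added example and not code from the article or from any vendor: a .docx file is a zip archive of XML parts, so the standard library is enough to look for the `<w:ins>`, `<w:del>` and `<w:comment>` elements that carry revisions and reviewer notes. The sample document, its dollar figures and the author names in it are constructed in the code and are made up.

```python
"""Added example: inspect a .docx for tracked changes and comments, the hidden
content a word-processing file can leak when sent in its native format.
Standard library only; the sample document is constructed inline."""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def _text(elem, tag):
    """Concatenate the text of all <w:tag> descendants of elem."""
    return "".join(t.text or "" for t in elem.iter(f"{{{W}}}{tag}"))


def inspect_docx(blob):
    """Return the hidden content: tracked insertions and deletions from
    word/document.xml, comments from word/comments.xml, and their authors."""
    report = {"insertions": [], "deletions": [], "comments": [], "authors": set()}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        if "word/document.xml" not in names:
            raise ValueError("not a .docx: word/document.xml missing")
        doc = ET.fromstring(z.read("word/document.xml"))
        for ins in doc.iter(f"{{{W}}}ins"):            # text added with Track Changes on
            report["insertions"].append(_text(ins, "t"))
            report["authors"].add(ins.get(f"{{{W}}}author", "?"))
        for dele in doc.iter(f"{{{W}}}del"):           # text 'removed', but still in the file
            report["deletions"].append(_text(dele, "delText"))
            report["authors"].add(dele.get(f"{{{W}}}author", "?"))
        if "word/comments.xml" in names:               # reviewer comments live in a separate part
            com = ET.fromstring(z.read("word/comments.xml"))
            for c in com.iter(f"{{{W}}}comment"):
                report["comments"].append(_text(c, "t"))
                report["authors"].add(c.get(f"{{{W}}}author", "?"))
    return report


def is_clean(report):
    """True only if nothing a recipient should not see was found."""
    return not (report["insertions"] or report["deletions"] or report["comments"])


def build_sample_docx(tracked=True):
    """Constructed sample (made-up names and figures): a settlement letter where a
    figure was changed with Track Changes on and a reviewer left a comment.
    With tracked=False the same letter is written as a clean final copy."""
    if tracked:
        figure = ('<w:del w:id="1" w:author="J. Partner" w:date="2020-07-20T09:00:00Z">'
                  '<w:r><w:delText>$250,000</w:delText></w:r></w:del>'
                  '<w:ins w:id="2" w:author="J. Partner" w:date="2020-07-20T09:01:00Z">'
                  '<w:r><w:t>$180,000</w:t></w:r></w:ins>')
    else:
        figure = '<w:r><w:t>$180,000</w:t></w:r>'
    document = (f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{W}"><w:body><w:p>'
                f'<w:r><w:t>We are prepared to settle for </w:t></w:r>{figure}<w:r><w:t>.</w:t></w:r>'
                '</w:p></w:body></w:document>')
    comments = (f'<?xml version="1.0" encoding="UTF-8"?><w:comments xmlns:w="{W}">'
                '<w:comment w:id="0" w:author="A. Associate" w:date="2020-07-20T09:05:00Z">'
                '<w:p><w:r><w:t>Client told us their real floor is $150k.</w:t></w:r></w:p>'
                '</w:comment></w:comments>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.'
                   'openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
        if tracked:
            z.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    for tracked in (True, False):
        rep = inspect_docx(build_sample_docx(tracked))
        print("clean" if is_clean(rep) else "NOT CLEAN", rep)
```

The tracked version of the letter shows the recipient both the original $250,000 offer and a comment about the client’s real position, even though the visible text only says $180,000. The check should sit in the outbound path (a pre-send hook or a gateway rule), and the safe fix is to accept all changes, delete comments and export to PDF before the file is encrypted and sent.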

Conclusion

Data can be retrieved easily by several methods and, ironically, cybercriminals use the same methods that businesses use to collect data. This makes it increasingly difficult for businesses and individuals to tell those with genuine intent from those with malicious intent. There should be a vested interest in ensuring the term ‘data’ is incorporated into legislation, which in turn would help courts interpret the difference between data and information.

Ironically, data has proven to be more damaging than information itself. Data is, understandably, needed both legally and for business. However, with the increase in data breaches, customers are becoming frustrated with the lacklustre approach to protecting their privacy. A class action lawsuit would most certainly affect the future of a business and, indirectly, the economy. Professional businesses that are obliged to keep their clients’ information confidential owe a duty of care to ensure that this data is secured and protected, and should go beyond reasonable care to protect data and sensitive information. There should be a company policy on how data is collected, stored and shared, especially in areas that place a business’s, and an individual’s, privacy at risk.

BIBLIOGRAPHY

ARTICLES/BOOKS/REPORTS

Allen, Jeffrey, ‘Techno-ethics and the Practice of Law’ (2011) 24 American Journal of Family Law 4
Dumeresque, David, ‘The Corporate Digital Footprint: Exactly Who Owns and Controls It? The Emergence of the Digital Director’ (2013) 29 Strategic Direction 7
Hadnagy, Christopher, et al, Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails (John Wiley & Sons, 2015)
Kohl, Uta and Andrew Charlesworth, Information Technology Law (Taylor and Francis, 4th ed, 2013)
Ramalho-Santos, Joao, ‘Data’ (2008) 555 Nature 7696
Rountree, Derrick, Security for Microsoft Windows System Administrators (Syngress, 2010)
Sanaei, Mohamad Reza and Farzad Movahedi Sobhani, ‘Information Technology and E-Business Marketing Strategy’ (2018) 19 Information Technology and Management
Schmitt, Michael, Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press, 2013)
Shneble, Christopher, et al, ‘The Cambridge Analytica Affair and Internet Mediated Research’ (2018) 19 EMBO Reports 8
Tanner, Nadean, ‘Wireshark’, Cybersecurity Blue Team Toolkit (John Wiley & Sons, 2019)

CASES

Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63
Giller v Procopets [2008] VSCA 236
Proceedings against Tietosuojavaltuutettu (Jehovan todistajat – Uskonnollinen yhdyskunta, intervening) [2019] 1 CMLR 5

LEGISLATION

Legal Professions Rule 2010 (WA)
Privacy Act 1988 (Cth)

OTHER

ECU, Client Data Potentially at Risk Due to Lawyers’ Lack of Cybersecurity (Web Page, 2018) <https://www.ecu.edu.au/news/latest-news/2018/05/client-data-potentially-at-risk-due-to-lawyers-lack-of-cybersecurity>
Haywood, Kelly, and Gary Adshead, ‘‘Unforgivable’: The Privacy Breach that Exposed Sensitive Details of WA’s Virus Fight’, The Age (Web Page, 2020) <https://www.theage.com.au/national/western-australia/unforgivable-the-privacy-breach-that-exposed-sensitive-details-of-wa-s-virus-fight-20200720-p55dsm.html>
Hill, Kashmir, ‘How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did’, Forbes (London, 2012)
Insurance Specialists, List of Data Breaches in Australia and Overseas (Web Page, 2020) <https://www.insurancespecialists.com.au/data-breach-list/>
Market Watch (Web Page) <https://www.marketwatch.com/investing/stock/mar>
Moses, ‘The Hack of Marriott Hotels Exposed 5 Million Passports in Plain Text’, Invest in Cyber (Web Page, 2019) <http://invest-in-cyber.com/the-hack-of-marriott-hotels-exposed-5-million-passports-in-plain-text/>
O’Flaherty, Kate, ‘Marriott CEO Reveals New Details About Mega Breach’, Forbes (Web Page, 2019) <https://www.forbes.com/sites/kateoflahertyuk/2019/03/11/marriott-ceo-reveals-new-details-about-mega-breach/#39e8ae07155c>
Peters, Jeff, How to Use Wireshark (Web Page, 2020) <https://www.varonis.com/blog/how-to-use-wireshark/>
Scroxton, Alex, ‘Marriott Slapped with Class Action Lawsuit over 2018 Breach’, Computer Weekly (Web Page, 2018) <https://www.computerweekly.com/news/252487841/Marriott-slapped-with-class-action-lawsuit-over-2018-breach>

Endnotes

1 David Dumeresque, ‘The Corporate Digital Footprint: Exactly Who Owns and Controls It? The Emergence of the Digital Director’ (2013) 29 Strategic Direction 7.
2 Christophe Oliver Shneble et al, ‘The Cambridge Analytica Affair and Internet Mediated Research’ (2018) 19 EMBO Reports 8.
3 Privacy Act 1988 (Cth).
4 Giller v Procopets [2008] VSCA 236.
5 Privacy Act 1988 (Cth) s 6.
6 Joao Ramalho-Santos, ‘Data’ (2008) 555 Nature 7696.
7 Michael Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press, 2013).
8 Privacy Act 1988 (Cth).
9 Nadean H Tanner, ‘Wireshark’, Cybersecurity Blue Team Toolkit (John Wiley & Sons, 2019).
10 Jeff Peters, How to Use Wireshark (Web Page, 2020) <https://www.varonis.com/blog/how-to-use-wireshark/>.
11 Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63.
12 Mohamad Reza Sanaei and Farzad Movahedi Sobhani, ‘Information Technology and E-Business Marketing Strategy’ (2018) 19 Information Technology and Management.
13 Uta Kohl and Andrew Charlesworth, Information Technology Law (Taylor and Francis, 4th ed, 2013).
14 Kashmir Hill, ‘How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did’, Forbes (2012).
15 Ibid.
16 Christopher Hadnagy et al, Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails (John Wiley & Sons, 2015).
17 Privacy Act 1988 (Cth).
18 Insurance Specialists, List of Data Breaches in Australia and Overseas (Web Page, 2020) <https://www.insurancespecialists.com.au/data-breach-list/>.
19 Kelly Haywood and Gary Adshead, ‘‘Unforgivable’: The Privacy Breach that Exposed Sensitive Details of WA’s Virus Fight’, The Age (Web Page, 2020) <https://www.theage.com.au/national/western-australia/unforgivable-the-privacy-breach-that-exposed-sensitive-details-of-wa-s-virus-fight-20200720-p55dsm.html>.
20 Privacy Act 1988 (Cth).
21 Proceedings against Tietosuojavaltuutettu (Jehovan todistajat – Uskonnollinen yhdyskunta, intervening) [2019] 1 CMLR 5.
22 Kate O’Flaherty, ‘Marriott CEO Reveals New Details About Mega Breach’, Forbes (Web Page, 2019) <https://www.forbes.com/sites/kateoflahertyuk/2019/03/11/marriott-ceo-reveals-new-details-about-mega-breach/#39e8ae07155c>.
23 Moses, ‘The Hack of Marriott Hotels Exposed 5 Million Passports in Plain Text’, Invest in Cyber (Web Page, 2019) <http://invest-in-cyber.com/the-hack-of-marriott-hotels-exposed-5-million-passports-in-plain-text/>.
24 Derrick Rountree, Security for Microsoft Windows System Administrators (Syngress, 2011).
25 Market Watch (Web Page) <https://www.marketwatch.com/investing/stock/mar>.
26 Alex Scroxton, ‘Marriott Slapped with Class Action Lawsuit over 2018 Breach’, Computer Weekly (Web Page, 2018) <https://www.computerweekly.com/news/252487841/Marriott-slapped-with-class-action-lawsuit-over-2018-breach>.
27 Jeffrey Allen, ‘Techno-Ethics and the Practice of Law’ (2011) 24 American Journal of Family Law 4.
28 ECU, Client Data Potentially at Risk Due to Lawyers’ Lack of Cybersecurity (Web Page, 2018) <https://www.ecu.edu.au/news/latest-news/2018/05/client-data-potentially-at-risk-due-to-lawyers-lack-of-cybersecurity>.
29 Legal Professions Rule 2010 (WA).
