The GDPR: Practical European Guidance on personal data breach notification requirements

The GDPR introduces a new mandatory requirement for all controllers to notify the appropriate data protection authority of a “personal data breach” likely to result in a risk to people’s rights and freedoms, for example following a cyber-attack. This will include providing the regulator with a significant amount of information about the breach and marks …

Google DeepMind trial failed to comply with data protection law

On 3 July 2017 the Information Commissioner’s Office (“ICO”) determined that the Royal Free NHS Foundation Trust (the “Trust”) had breached the Data Protection Act 1998 (the “Act”) when it provided patient details to Google’s DeepMind. The Trust provided personal data of approximately 1.6 million patients to Google’s DeepMind as part of clinical safety …

WannaCry: A chance to test systems and raise awareness at a global level?

In one of the most dramatic and widespread cyber attacks to date, on Friday 12 May 2017, a worldwide ransomware attack known as “WannaCrypt” or “WannaCry” began infecting hundreds of thousands of computers in over 150 countries. Starting in the UK and Spain, critical infrastructure operators around the world including those in the health, transport, …

UK’s cyber security breaches survey and Verizon’s data breach report suggest progress – but more to do

April 2017 welcomed two insightful publications on the current cyber security landscape. The UK Department for Culture, Media and Sport’s annual Cyber Security Breaches Survey (the “Survey”) and Verizon’s 2017 Data Breach Investigations Report (the “Report”) highlight the changing attitude of businesses toward cyber security, the specific threats facing organisations, and the opportunities for mitigating …

New Mirai based malware variants – BrickerBot and a Bitcoin miner

The Mirai malware gained its infamy in October 2016 following its record-breaking attack on systems operated by domain name system provider Dyn, using unsecured Internet of Things (“IoT”) enabled “smart” devices (such as CCTV recorders, webcams and routers). It resulted in the widely reported outage of Twitter, Netflix, Spotify and Airbnb, amongst others. Mirai …

One step closer to Australian data breach class actions

The Privacy Amendment (Notifiable Data Breaches) Act 2016 (Cth), which received assent on 22 February 2017, proposes a number of amendments to the Privacy Act 1988 (Cth) that could act as a trigger for Australian class actions in the data breach space. The proposed amendments, which are yet to be proclaimed, will require entities regulated …

New mandatory data breach reporting law passed

The Federal Government has today passed the Privacy Amendment (Notifiable Data Breaches) Act 2016 to amend the Privacy Act 1988 to include mandatory notification of eligible data breaches. This was the government’s third attempt at legislating data breach notification as a result of recommendations from the Australian Law Reform Commission in 2008. The rules are aimed …