How Safe Is “COVIDSafe” – Australia’s COVID-19 Contact-Tracing App?

As the world struggles to deal with the spread of coronavirus disease 2019 (COVID-19), governments are turning to technology to help “flatten the curve” and slow the rate of transmissions. Although Australia has been relatively successful in mitigating the widespread health impacts of COVID-19, the federal government has encouraged all Australians to download its COVIDSafe digital contact-tracing app (the App), citing that the relaxation of COVID-19 restrictions may depend on the App’s take-up by the Australian public. Due to privacy concerns, support for a contact-tracing app has, unsurprisingly, been mixed, even within the government itself.

Australia is not the first country to offer contact-tracing apps as a solution to the current pandemic. In fact, the App is based on Singapore’s TraceTogether app, which launched in late March 2020 and has been released as “open-source” code so that it can be used by other countries. However, contact-tracing is not the only technological measure being introduced to try and stop COVID-19. In Europe, some mobile operators are sharing data with Italian, German and Austrian health authorities to map movements and the concentration of individuals. Some overseas governments have implemented more invasive measures. For example, the South Korean government is using smartphone location data, surveillance footage and credit card records to monitor whether people have been complying with self-isolation measures, while the Chinese government is using surveillance apps to track its citizens’ locations and to prohibit entry into prescribed locations under certain conditions.

In Australia, the App is designed to digitise the manual contact tracing process that already occurs when an individual tests positive to COVID-19. The App uses a “Bluetooth digital handshake”, which logs Bluetooth connections between users’ phones by recording the encrypted hash code of other App users, as well as the date, time, duration and proximity of the contact. This enables the App to record who you were near to for a certain length of time (provided they also have the App installed and running). This data is encrypted at all times while held on a user’s phone (not accessible even to them) and will only be held for a period of 21 days before being automatically deleted. Importantly, the App cannot ascertain where you were, as the App does not collect geolocation data.

In the event that an individual tests positive for COVID-19, they will be asked to upload the history of “digital handshakes” recorded by the App to a secure information storage system. If they consent, their information will then be assessed by state and territory public health officials who will review the data for the purposes of contacting individuals who have recently been in close contact with the infected individual. Individuals notified as a result of contact-tracing through the App will only be informed that they have been in close contact with an individual who has contracted COVID-19. They will not be notified who that individual is, or when and where the contact occurred. The government has committed to shutting down operation of, and deleting all data collected by, the App at the conclusion of the pandemic.

The federal government released the App for download on 26 April 2020. So far, downloads have exceeded expectations, surpassing 1.13 million within the first 12 hours. The government has indicated that the App requires at least 40% uptake in order to be successful. Despite the App’s early success, there are still privacy concerns among the general public, creating a large hurdle in reaching the targeted 40% adoption rate.

The federal government has attempted to alleviate the public’s concerns with the App’s privacy policy, frequently asked questions and summary information reiterating that the data is encrypted, is only used on a consensual basis and will not be used for law enforcement purposes, such as enforcing lockdown restrictions or for general surveillance. To support these claims, the Federal Minister of Health, Greg Hunt, issued a determination under the Biosecurity Act 2015 (Cth) (the Determination) preventing the App’s data from being used for purposes other than contact tracing and limited associated purposes, such as investigating whether a breach of the Determination has occurred. According to Mr Hunt, the new laws will provide that “not even a court order during an investigation of an alleged crime” can access the data. The Determination also ensures that the data remains within Australia, that individuals cannot be required to use the App (for example, to enter a shopping centre or restaurant) and generally supports the limitations contained within the App’s privacy policy and FAQ, including that the data will be deleted after 21 days, that it cannot be uploaded without consent and that the government must delete all App data after the pandemic has concluded, among others.

By enacting the Determination, the government has proactively limited its data use rights further than would have applied had they merely complied with the Privacy Act 1988 (Cth) (the Privacy Act). Despite this, while the Determination’s restrictions are a positive for those concerned, there are a number of matters that still need to be further enshrined in legislation. Unfortunately, the federal government is currently not slated to return to parliament until August; however, the government is attempting to be flexible during this time and has flagged the potential of a May sitting. As such, those not satisfied with the level of protections currently offered by the App, for example the currently ambiguous end date of when the pandemic has “concluded”, may have to wait to have those concerns alleviated.

Regardless of the legislative and legal framework in place, the federal government has historically not had an ideal record on protecting data privacy within its organisations and agencies. For example, in 2016 the OAIC found breaches of the Privacy Act by the Department of Health for weak encryption techniques when protecting public health records and the federal government’s My Health Records system has suffered 115 data breaches across the last three years. These incidents serve as a useful reminder that, despite all the safeguards put in place, there is always the potential risk of data breaches arising from use of the App.

Very few of us in a democratic society, such as Australia, expect our government to trace us through our smartphones. However, the ability for smartphone technology to outpace the spread of COVID-19 means it is a valuable tool that should be considered in the defence against this pandemic. It is clear that the key to success for the government is to address any potential data privacy risks and to educate people on the privacy safeguards of the App, in order to ensure a higher uptake among the populace. Moving forward, it will be the government’s obligation to enforce these protections, protect data from misuse and data breaches and, when it is no longer necessary, roll back the App’s usage in order to return Australian society to normality as soon as possible.

Cybercriminals Are Beginning to Master the Exploitation of Public Entities

Public service is a public trust

In March 2020, a smaller municipality of approximately 145,000 people fell victim to a sophisticated ransomware attack.  When city officials issued statements to the public that personal information was not compromised, the cybercriminals retaliated.  The bad actors flooded the internet and dark web with personal information from a portion of the stolen 200 gigabytes of data, and demanded nearly $700,000 in a ransom payment from the city coffers to make them stop.  As a result, not only did the criminals shut down critical city functions with a traditional ransomware attack, they displayed a new and emerging tactic – exfiltration of personal data to extort ransom payments from smaller municipalities.[1]  Historically, municipalities have been reticent to pay ransoms, choosing instead to rebuild their infrastructure.  However, given that this response is becoming untenable, municipalities are now more lucrative targets.

In particular, smaller cities and publicly funded entities are becoming welcome targets because they are often underfunded and underprepared for a sophisticated attack.  Further, cybercriminals understand and exploit public officials’ responsibility to keep the public informed – which often triggers public officials to rush to make public statements prior to understanding the full scope of the attack.  In this case, the bad actors leveraged public misstatements to embarrass and strong-arm the municipality into paying a pricy ransom (whether the city will pay is unclear).  But as ransomware attacks become more sophisticated and directed at smaller municipalities at a greater pace, there are certain steps public sector leaders should consider in evaluating their cybersecurity posture and planning for what some say is the inevitable cyber-attack.

The first step in evaluating a municipality’s existing cybersecurity posture is to conduct a Cybersecurity Threat Risk Assessment (“Assessment”).  The purpose of this Assessment is to identify cybersecurity vulnerabilities in its policies, procedures, and IT environment and to provide remediation strategies as appropriate.  As a best practice, an outside team, comprised of an IT firm and cyber counsel, provides a specialized and objective evaluation.  Certainly the pandemic is creating distressed situations, which makes the competition for investment dollars stiff.  However, a detailed evaluation of the municipality’s cyber-risk profile and documented steps taken to remediate any gaps is an easy way to signal to potential investors and ratings agencies that the municipality is worth the investment.

Next, such an Assessment must include a review (or creation) of the municipality’s Incident Response Plan (“IRP”) – the municipality’s systematic and documented method of approaching and managing its response to a cyberattack.  At the heart of an IRP is the inherent strategy to first understand the scope of the cyber incident before issuing statements, especially to the public.  When smaller cities appear to be disorganized or underprepared in their response, it can alert the public and savvy municipal investors that the city lacked the proper internal controls to protect its sensitive information.  This tarnishes the city’s reputation and highlights a poor cyber-risk mitigation strategy, which hurts public confidence and possibly the receipt of much needed investor capital.

Finally, municipalities should test their IRP via a mock cyberattack exercise to make sure that key people know what to do, who to contact, how to communicate to the public, and how to respond to the crisis, especially in the current operating environment where many officials likely will have to control the situation with a remote response force.  Remember, many IRPs were developed prior to the pandemic and may not be easily executed in today’s operating environment.

With a little up front planning, smaller municipalities can show potential investors that they have mitigated their cyber-risk in the wake of this new cyber tactic.  After all, and no matter the goal, the front-end cost of an Assessment and IRP will be far greater than potential recovery efforts absent one – as exemplified by the $700,000 ransom recently demanded.

Our Data Privacy & Cybersecurity, Restructuring & Insolvency, and Public Finance Practices are well-positioned to help navigate what risks impact the public sector.  We can also assist in overall cybersecurity compliance efforts and help develop integrated compliance policies that can be administered effectively and efficiently in the face of uncertain times and operating environments.

[1] See, e.g., LA County Hit with DoppelPaymer Ransomware Attack, (last accessed April 26, 2020).

Complimentary Webinar – How to Prepare and Conduct an Internal Privacy Audit

It is good practice for companies to audit their privacy processes to ensure regulatory compliance as well as detect potential weaknesses and gaps. Left unchecked, lack of compliance and gaps can result in fines and worse, data breaches.

Join partner Annette Demmel and associate Mareike Lucht, of our Data Privacy & Cybersecurity Practice, for a complimentary webinar, where they will explain how to analyse your company’s privacy processes, assess whether you have set up the necessary procedures to comply with the GDPR, provide guidance on how to close gaps on short notice (and on a long-term basis), and how your company’s privacy structure can profit from regularly fulfilling the GDPR accountability obligations. The webinar will take place Wednesday, May 6 at 4 p.m. CET/ 10 a.m. EDT / 7 a.m. PDT. To register click here. 1.0 hour CLE available for AZ, CA, CT, NJ, and NY and CPE (IAPP).

Fraud in Times of Crisis

Following recent data security blogs by Francesca Fellowes and Dillon Ravikumar on April 20 and March 26, this update shares guidance from our colleagues in litigation. Ian Debbage and Gareth Timms write about one of the intended aims of a security breach: fraud – what it is, how you can reduce the risks of fraud and what you need to do to prevent losses. As many organisations are adapting to new ways of working, and security risks are heightened, this guidance is essential reading. To read the full update, click here.

Complimentary Webinar: Privacy Law, Coronavirus, and Post-Pandemic Best Practices

On April 30, 2020, partner Elliot Golding will co-present a complimentary webinar, Privacy Law, Coronavirus, and Post-Pandemic Best Practices.  The program, organized by Bloomberg Law, will address recent HIPAA changes and temporary waivers, telehealth privacy and cyber considerations, and practical tips and recommendations to manage privacy and cyber risk during these challenging times.

Additional information about the session and registration may be found here.

New York’s SHIELD Act Provisions Now In Effect

The final provision of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), 2019 N.Y. Ch. 117, took effect on March 21, 2020.  For more information on the SHIELD Act, visit our previous blog post, New York Cybersecurity Upgrades: Are you Ready?, which provides an overview of the most-recent provision that took effect on March 21, 2020.  It also discusses the heightened compliance concerns due to New York’s current stay-at-home order resulting in numerous individuals working remotely and utilizing applications for remote communication.

With all of the SHIELD Act provisions now in effect and the world working remotely at unprecedented levels, compliance efforts and vulnerability concerns have become more complex.  As such, covered organizations should take stock and ensure that their practices and programs are in compliance with the SHIELD Act’s cybersecurity requirements and designed to reduce vulnerability to cyberattacks to the extent possible.  Please reach out to our Data Privacy & Cybersecurity team, if you have any questions about how the SHIELD Act impacts your organization.

A Timely Reminder: Maintain Data Security in the Face of the Pandemic

The ongoing Coronavirus pandemic and related Government guidance, requiring social distancing and individuals to work from home where possible, has resulted in many organisations rapidly having to adapt the way in which they operate.

Despite the unprecedented challenges that will need to be faced over the coming weeks, including in many cases significantly reduced resources (both in terms of staff and funds), it is important that organisations do what they can to try to maintain data security protections whilst taking the actions necessary to deal with this crisis. This may include the need to send unusual and sometimes urgent communications to individuals, which can increase the risk of breaching data protection laws.

CCPA Enforcement Still Imminent; Temporary Exemptions May Lapse

Despite the request for a delay in the enforcement of the California Consumer Privacy Act of 2018 (CCPA) made by five leading advertising and marketing trade associations, it appears CCPA enforcement will continue as planned.  As evidence of this, the California Attorney General recently issued a press release reminding Californians of their rights and businesses’ obligations under the CCPA.  In addition, the expected extension of existing but temporary CCPA partial exemptions for certain employee and B2B personal information until the end of 2020 may not materialize, given the extended recess of the California legislature and its intention to prioritize only relief-related bills.  Absent legislative action, employee and B2B data will become fully subject to the CCPA on January 1, 2021.

The European Commission is set to review the GDPR

It has been almost two years since the GDPR came into force and now the European Commission (“EC”) is set to undertake a review and eventually report on issues regarding the application of the GDPR. Specifically, the EC will report on the international transfer provisions and cooperation and consistency mechanisms between supervisory authorities.

The EC is currently in the “roadmap” phase of the process. A roadmap aims to inform citizens and stakeholders about the EC’s work. One element of the roadmap is to gather feedback from citizens and stakeholders, and the opportunity to provide such feedback opened on 2 April 2020. The closing date for feedback is 29 April 2020. There is a 4000 character limit on the feedback function, but Word documents can be uploaded where they contain research or other findings that support the feedback being provided. This feedback will be used to further develop and finesse the review. There are specific rules for providing feedback, which are linked here.
