A review of the current and future trends in cyber-security, how the law may treat a breach of cyber-security and what you can do to minimise your exposure.
Cyber Security in the Interconnected World
1. Cyber Security in the Interconnected World
Craig Subocz, Senior Associate
8 March 2016
2. Disclaimer
The information contained in this presentation is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed, please contact the presenter directly.
3. Agenda
> What is cyber security?
> Current and future threats
> Legal ramifications
> The Victorian Protective Data Security Standards
4. What is Cyber Security?
> Cyber security comprises the active steps taken to:
  > safeguard an IT environment from unauthorised access; and
  > ensure that information held in the IT environment is not accessed, used or disclosed without authorisation
5. Current and Future Threats
> The Federal Government refers to “cyber adversaries”
> A cyber adversary is “an individual or organisation that conducts cyber espionage, crime or attack”
> Adversaries include:
  > foreign state-owned adversaries;
  > organised crime;
  > issue-motivated groups or individuals with personal grievances
Source: Australian Cyber Security Centre, 2015 Threat Report (July 2015)
8. Current and Future Threats
> Cyber intrusion
> Spear phishing and social engineering
> Remote access tools
> Watering-hole techniques
  > A compromised legitimate website hosts malware
> Malware/ransomware
> Distributed denial of service
9. Legal Ramifications
> Potential breach of statutory obligations of privacy
> Failure to take reasonable steps to secure personal information
> Possible breach of directors' duties
> Possible breach of contract
> Disruption to business continuity
> Possible breach of duty of care (negligence)
10. Breach of Privacy
> Many businesses are bound by the Privacy Act 1988 (Cth)
> Australian Privacy Principle 11 (security of personal information)
  > An organisation must take ‘reasonable steps’ to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure
11. Breach of Privacy
> What counts as ‘reasonable steps’ depends on the circumstances
> Example: an IT network vulnerability allows personal information to be harvested
  > If the vulnerability could have been addressed relatively inexpensively and/or quickly, the organisation may not have taken ‘reasonable steps’
> Example: malware detection software detects suspicious activity but the IT department takes no action
  > The Privacy Commissioner may conclude that reasonable steps were not taken
12. Directors' Duties
> Directors must act with a reasonable degree of care, diligence and skill (Corporations Act 2001 (Cth), s 180(1))
> Suppose a corporation suffers an information security breach incident causing significant disruption to its business
  > Did the directors adequately plan for and oversee cyber security?
  > If not, did they discharge their duty?
> March 2015: ASIC released REP 429 “Cyber Resilience: Health Check”
  > Expressly highlighted cyber security as a focus for entities regulated by ASIC
13. Target Hack
> May 2013: Target installed anti-malware software
> Thanksgiving 2013: malware installed on Target servers
> 12 December 2013: US Government warned Target of an attack
> 15 December 2013: Target confirmed it had removed the malware
> 19 December 2013: Target acknowledged the breach
> May 2014: Target CEO resigned
14. Target Hack
> Target allegedly could have prevented the theft of its customers' credit card data
> Allegedly ignored warnings from its security software
> Sales in the 2013 holiday period were 3-4% lower than in previous years
> Up to 70 million customers were affected
> August 2015: Target US settled lawsuits with VISA
> March 2016: litigation continues
15. Contract Issues
> Cyber security breaches may disrupt your business continuity and may adversely affect your capacity to deliver goods/services to your customers
> Will a force majeure clause excuse non-performance?
> Can you plan anticipated delivery dates so that a fallback can be implemented if your business is interrupted by a cyber security breach (either of your business or of a supplier's business)?
16. Contract Issues
> Look at your key supplier contracts to see if they address cyber security
> Are there provisions dealing with privacy?
> Are there provisions dealing with service unavailability and your rights?
> Do your suppliers have the appropriate security certifications?
> Do they regularly test their readiness?
> What rights do you have against a supplier if their system is compromised by a cyber security breach?
17. Victorian Protective Data Security Framework
> Framework developed to address issues in Victorian Government cyber resilience
> Applies to 2000+ Victorian Government agencies (though councils are exempt)
> Establishes the Victorian Protective Data Security Standards (VPDSS)
> VPDSS currently in draft form
> Expected to commence in 2016
18. Victorian Protective Data Security Standards
> VPDSS comprises 20 high-level mandatory requirements plus supporting material in the form of non-mandatory guidance
> Guidance notes still being prepared
> Standards include a Security Management Framework and a Contracted Service Providers Standard
> The Security Management Framework compels board and executive buy-in to implement security management internally
> The Contracted Service Providers Standard requires agencies to address security management in contracts in an enforceable manner
19. Summary
> Cyber threats are evolving
> Cyber security requires board and executive attention
> Use resources such as ASIC Report 429 as a means of informing the board to set a strategy for improving cyber resilience
> Review engagements with suppliers to determine whether and to what extent cyber security is addressed
> If appropriate, discuss what suppliers will do in relation to cyber security and seek to embed their undertakings in contract documents
> Monitor communications from relevant regulators, e.g. the Privacy Commissioner
> Seek external assistance, if required