Author - admin

1
UK unveils plan to diverge from GDPR
2
Reminder for One-Month Deadline to Implement New SCCs in New Contracts
3
Get with the program – China’s new privacy laws are coming
4
Uber found to have breached Australian’s privacy following 2016 hack
5
To pay or not to pay the ransom? Organisations may find their decision easier with government guidance
6
Ransomware attacks – is there harm even when nothing is stolen?
7
Would mandatory reporting of ransomware payments cause more good or trouble?
8
New Cyber Security Evaluation Tool released by US Homeland Security for organisations to self-test their security systems
9
New US / Aus cross-border data access regime
10
REvil strikes again – ransomware attack on UnitingCare Queensland

UK unveils plan to diverge from GDPR

By Norin McFadden and Claude-Étienne Armingaud

The UK government has announced that it intends to consult on a new, post-Brexit data protection regime, potentially moving away from the UK General Data Protection Regulation that currently underpins the UK’s data protection legislation. The Digital Secretary, Oliver Dowden, said, “It means reforming our own data laws so that they’re based on common sense, not box-ticking.

A public consultation on the new legislation will follow, but it is clear that the United Kingdom must be careful about any changes it makes to its data regime in order to avoid disrupting the EU-UK adequacy decision with EU GDPR awarded just two months ago. The adequacy decision allows personal data from the European Union to flow freely to the United Kingdom (and vice versa), without businesses needing to put any additional paperwork in place. In granting the adequacy decision, the European Union placed particular emphasis on the fact that the United Kingdom was continuing to base its data protection laws on the same EU GDPR rules that had applied when it was a member of the European Union. A European Commission spokesperson commented that the EU will be closely monitoring any developments in UK data laws and noted that: “In case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended, at any time by the Commission.

It will be interesting to see how far the United Kingdom diverges, particularly as the current trend is that other countries seem to be keen to state that their data protection laws closely follow the EU GDPR.

The UK government also announced that its preferred candidate to be the next Information Commissioner, head of the UK data protection regulator, will be John Edwards, currently in charge of New Zealand’s data regulator, a country that also maintains an EU adequacy decision.

Reminder for One-Month Deadline to Implement New SCCs in New Contracts

By Jake Bernstein and Jane Petoskey

In early June 2021, the European Commission published a new set of standard contractual clauses (SCCs) effective June 27, 2021 for cross-border data transfers and between controllers and processors.  The new SCCs cover changes in data protection laws, including the invalidation of the EU-US Privacy Shield and the fallout from the Court of Justice of the European Union’s (CJEU) Schrems II opinion (regarding US intelligence laws). The new cross-border data transfer SCCs also use a modular approach to allow for more accurate identification of roles and responsibilities of the contracting parties.  In terms of timing, organizations may use the old SCCs in new contracts until September 27, 2021, and contracts existing before September 27, 2021 must change to the new SCCs by December 27, 2022. For additional information on the SCCs, read our K&L Gates EU Data Protection Alert here.

Please do not hesitate to contact the K&L Gates LLP Cybersecurity and Privacy team of attorneys if you need assistance updating new or existing contracts with the new SCCs by the above deadlines.

Get with the program – China’s new privacy laws are coming

By Cameron Abbott and Ella Richards

The People’s Republic of China (PRC) passed the Personal Information Protection Law (PIPL) on Friday the 20th of August 2021. The new privacy regime strengthens the protection around the use and collection of personal data and introduces a new requirement for user consent.

The PIPL, closely resembling the European Union’s General Data Protection Regulation, prevents the personal data of PRC nationals from being transferred to countries with lower standards of data security; a rule that may pose inherent problems for foreign businesses. The PIPL was introduced following an increase in online scamming and individual service price discrimination – where the same service is offered at different prices based on a user’s shopping profile. However, while businesses and some state entities face stronger collection obligations, the PRC state security department will maintain full access to personal data.

Although the final draft of the PIPL is yet to be released, the new law is set to commence on the 1st of November 2021. Companies will face fines of up to 50 million yuan ($7.6 million USD), or 5% percent of their annual turnover if they fail to comply. For an in-depth discussion of the Draft PIPL released in August 2020, see our K&L Gates publication here.

Uber found to have breached Australian’s privacy following 2016 hack

By Cameron Abbott and Jacqueline Patishman

In 2017, Uber disclosed to the Office of the Australian Information Commissioner (OAIC) a breach of its some 57 million global users and driver’s personal information (including approximately 1.2 million Australians). Last Friday, the OAIC determined that Uber had breached the Australian Privacy Act by failing to take reasonable steps to protect Australian’s personal information from unauthorised access.

Read More

To pay or not to pay the ransom? Organisations may find their decision easier with government guidance

By Cameron AbbottRob Pulham and Jacqueline Patishman

The Cyber Security Advisory Committee (an industry based advisory panel established by the Minister for Home Affairs to provide independent strategic advice on Australia’s cyber security challenges) has recommended in its annual report that the federal government develop a clearer policy position on the payment of ransoms by organisations that have suffered ransomware attacks.

Read More

Ransomware attacks – is there harm even when nothing is stolen?

By Cameron Abbott and Ella Richards

In November 2020, accounting and consulting firm Nexia Australia (Nexia) was alerted to a “REvil” ransomware attack taking place within its system. The attackers threatened to post personal information of Nexia’s clients, customers and staff online unless it paid a $1m ransom within 72 hours.

It was reported that the hackers appeared to have posted Nexia’s confidential files onto the dark web; however, further investigation revealed that the hackers had merely posted screenshots of Nexia’s files. Realising this, Nexia dismissed the threat and refused to pay the ransom.

But it didn’t end there.

Shortly after the attack, a news service found the Nexia screenshots on the dark web and publicised that the company’s confidential information had been stolen and shared. Not only did Nexia have to reassure panicking clients that their confidential information remained uncompromised, it had to convince the Australian Securities and Investments Commission, the Australian Federal Police and the Privacy Commissioner that nothing of concern had been taken.

It doesn’t help that ransomware-as-a-service is becoming an increasingly lucrative business for cybercriminals to launch this type of attack. All that is needed is off-the-shelf malware, a wallet of cryptocurrency and it’s ready to deploy against an unsuspecting organisation.

The attack on Nexia demonstrates that even if there is no evidence that confidential information has been leaked, organisations can still suffer significant damage. The cost of reassuring stakeholders and mitigating reputational harm can almost match the consequences of a full blown attack.

As Warren Buffet famously quoted, “It takes 20 years to build a reputation and 5 minutes to ruin it”.  While Nexia recovered valiantly, this serves as a lesson that even when unsuccessful, the public ramifications of a ransomware attack are not to be underestimated.

Would mandatory reporting of ransomware payments cause more good or trouble?

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

Last month, the federal opposition (Shadow Assistant Minister for Cyber Security) introduced the private member’s Ransomware Payments Bill (the Bill) that proposes to make it mandatory for all Australian businesses and government agencies to notify the Australian Cyber Security Centre (ACSC) before paying a ransom to a ransomware attacker. Failure to notify will attract a penalty of 1,000 penalty units ($181,740).

Read More

New Cyber Security Evaluation Tool released by US Homeland Security for organisations to self-test their security systems

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

The United States Department of Homeland Security has developed the Cyber Security Evaluation Tool (CSET) which provides a systematic (and repeatable) process that critical infrastructure asset owners can use to assess and improve their cyber security management systems. This tool has a particular focus on the security of industrial control systems and information networks.

Read More

New US / Aus cross-border data access regime

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

The Telecommunications Legislations Amendment (International Orders) Bill 2020 has just cleared both houses of parliament. The new bill establishes a reciprocal cross-border data access regime between the United States and Australia which will allow for cross-border communications between foreign governments for national security and law enforcement purposes.

Read More

REvil strikes again – ransomware attack on UnitingCare Queensland

By Cameron Abbott and Jacqueline Patishman

Following a ransomware infection in late April, UnitingCare Queensland has suffered a nearly 2 month long ordeal to regain control of its systems. UnitingCare was a victim of malware called Sodinokibi/REvil which encrypted its files and attempted to delete backups.

Read More

Copyright © 2024, K&L Gates LLP. All Rights Reserved.