Legal & Regulatory Risk – Page 11

Event: Learn With Us – Update on Cybersecurity

Apr 05 2016

2016 is shaping up to be another big year for developments in cybersecurity and privacy.

We finally expect to see mandatory data breach reporting laws introduced into Australia; there are continuing developments in relation to the US/EU “Safe Harbor” framework and its proposed replacement the “Privacy Shield”; ever-growing connectivity between “Internet of Things” devices; hackable cars; self-driving cars; and of course our favourite topic, drones.

Not to mention the increasing usefulness of data analytics and the steady migration of data into the “cloud”, along with data breaches that have become too prolific to list.

Join Cameron Abbott, Partner, and Rob Pulham, Senior Associate, in our Melbourne office Thursday 14 April 2016 12.45pm to 2.00pm for our annual update on all things cybersecurity and privacy, where we will:

highlight some of the key developments over the past 12 months
consider how your business should be placed to handle issues that are regularly arising in practice
look forward to the (near) future and what it may bring.

Lunch will be provided. We hope you can join us – please register here.

CPD/CLE points:
You can claim one substantive law CLE point for your attendance at this session.

Bangladesh Bank considers legal action against the NY Fed in Hollywood-esque hack

Mar 31 2016

By Cameron Abbott and Simon Ly

In a story that would make an excellent plot to a sequel to Ocean’s 13, the Federal Reserve Bank of New York has been the target of a successful major cyber hack. Part of the targeted attack was an attempt to steal nearly $1 billion from Bangladesh Bank’s account.

If anyone would be well protected it would be the NY Fed, right? Well, while they were able to block some 30 transactions, 5 were successful, resulting in $81 million being stolen from Bangladesh Bank’s account.

The NY Fed has released a statement outlining that its systems were not breached, but instead pointing to SWIFT, a member-owned cooperative relied upon by banks to authenticate international monetary transactions. In response, a SWIFT representative stated that it “reiterates that the SWIFT network itself was not breached”. For its part, the NY Fed agreed that it “viewed this as a major lapse on the part of FRB NY”.

It will be fascinating to see how this he-said she-said blame game plays out. The current state of events is that the Bangladesh Bank is engaging legal counsel to establish grounds for recompense.

It goes without saying that these mind boggling figures and the nature of the attack emphasise that no one is immune from attacks. Next time someone tells you that it can’t happen to your organisation – remember this example.

For more information, please see Bloomberg’s report here.

Been Hacked? To Report Or Not To Report… To The SEC, It Isn’t Even A Question.

Mar 28 2016

By Tyler Kirk

In the US, the Securities and Exchange Commission has encouraged its regulated entities to self-report. If entities do not self-report, there is the very real possibility that a whistleblower may disclose a cybersecurity incident to the Commission. Significantly, the SEC has indicated that it would take a more adversarial position against an entity that does not self-report.
When self-reporting cybersecurity incidents to the SEC, it is important to approach the Commission with a well thought out plan for responding to the incident. Moreover, a remediation strategy should be a part of every entity’s cybersecurity policies and procedures.

After a cybersecurity incident, SEC regulated entities, such as investment companies and their boards, should move quickly to establish the scope of the incident, decide whether to self-report to the SEC, and begin the remediation process. According to the Commission, under some circumstances, the SEC has tools available to assist with remediation.

Importantly, self-reporting cybersecurity incidents to the SEC could benefit an investment company and its board by leading to a reduced penalty in the event an enforcement action is brought on the basis of the incident.

A New Cyber Regulator on the Beat: The CFPB Issues its First Cybersecurity Order and Fine

Mar 09 2016

By Ted Kornobis

On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) instituted its first data security enforcement action, in the form of a consent order against online payment platform Dwolla, Inc.

The CFPB joins several other regulators that have recently issued statements or instituted enforcement actions in this space, including the Securities and Exchange Commission (“SEC”), Commodities Futures Trading Commission (“CFTC”), the Financial Industry Regulatory Authority (“FINRA”), the National Futures Association (“NFA”), the Department of Justice (“DOJ”), state attorneys general, and the Federal Trade Commission (“FTC”), which has been active in this area for several years.

To read more click here.

Apple sends passionate message to customers following court order to hack iPhone

Feb 18 2016

By Cameron Abbott and Meg Aitken

A US District Court has ordered Apple to assist US law enforcement agents to bypass the security features, disable the auto-erase function and ultimately access the data contained within an iPhone 5C that was used by one of the San Bernardino shooters, Syed Rizwan Farook.

Apple’s CEO Tim Cook responded to the order with an open letter to customers discussing the privacy and security implications of the order and calling for public discussion on the issue.

Read Apple’s Customer Letter here.

Access the Court Order here.

Privacy concerns over Westfield’s ticketless parking system

Feb 05 2016

By Cameron Abbott, Meg Aitken and Shirley Chen

Westfield has sidelined the SMS feature of its ticketless parking system this week due to concerns it breached Australian privacy laws.

Westfield’s newfangled ticketless parking system attempted to make parking quicker and easier for shoppers by scanning car number plates on entry and exit of their carparks, and sending an SMS notification to registered parkers recording their entry time and an alert message when their free parking time was nearly up. To register for the service, users were merely required to provide a name, license plate number and phone number (with no verification).

Privacy experts raised the alarm that any person could register false details and track another person’s physical location via the SMS notifications. This was a particular worry for those in domestic violence situations and could also potentially enable stalking or thieves to determine when homeowners had left their houses. The feature’s Terms and Conditions failed to address any of these issues.

The SMS service is currently suspended as internal investigations are conducted, though the rest of the ticketless parking system and app continue to operate.

Learn more about the ticketless parking system here.

Read the ITNews report on the issue here.

AMCHAM Cyber Security Panel Luncheon

Sep 22 2015

K&L Gates partner, Cameron Abbott will feature as part of panel of professionals active in the Cyber industry at an American Chamber of Commerce (AMCHAM) luncheon on Wednesday 28 October 2015.

The panel will discuss developments in the world of cyber security, the intent of the mandatory data-breach scheme and the far reaching impact that cyber security breaches can have on a business’s reputation and value.

The session will be moderated by Dr Tobias Feakin, Senior Analyst and Director, International Cyber Policy Centre.

For full details of the event and to register click here

Australian Prudential Regulation Authority (APRA) paper

Jul 06 2015

by Jim Bulling and Julia Baldi

APRA has released an information paper on outsourcing involving shared computing services, including cloud. The paper discusses risks for outsourcing shared services and ways in which APRA regulated entities may seek to minimise these risks.

See the information paper here.

Catagory:Legal & Regulatory Risk