Legal & Regulatory Risk – Page 5

Consumer Data Right Draft Rules – submissions closing soon

May 06 2019

By Cameron Abbott, Rob Pulham and Rebecca Gill

The deadline for submissions on the ACCC’s draft Competition and Consumer (Consumer Data) Rules 2019 (Draft Rules) is fast approaching. The ACCC is seeking feedback from community organisations, businesses and consumers on the approach and positions of the Draft Rules for the Consumer Data Right (CDR) regime until this Friday, 10 May 2019.

Key aspects of the Draft Rules (which are available on the ACCC’s website) include:

the three ways in which CDR data may be requested;
the requirements for consent to collect CDR data;
rules relating to the accreditation process; and
rules relating to the thirteen privacy safeguards for CDR data.

PROPOSAL TO INCREASE PENALTIES FOR PRIVACY BREACHES

Mar 26 2019

By Cameron Abbott and Rebecca Gill

In light of concerns over how personal data is being used by social media platforms and tech companies, the Commonwealth Government has proposed amendments to the Privacy Act in order to more harshly penalise companies for privacy breaches. The new regime, which aims to update Australia’s privacy laws in line with increased social media use, will see tougher penalties for all entities that are subject to the Privacy Act, not just the headline companies like Google and Facebook.

The Commonwealth Government proposes to increase the penalties for serious or repeated breaches by such entities from $2.1 million to $10 million, or three times the value of any benefit obtained through the misuse of information, or 10 per cent of a company’s annual domestic turnover – whichever is the greater value.

IoT (internet of things) legislation makes an appearance in the U.S. Senate

Mar 19 2019

By Cameron Abbott and Ella Richards

For those who are not familiar with the acronym, IoT or ‘Internet of things’ refers to the interconnection of network devices and everyday objects for increased control and ease of use.

The US Government has been steadily increasing the amount of IoT devices used in day-to-day business. In response to mounting concerns surrounding this, a bipartisan group in the Senate revealed a piece of legislation that will govern the use of IoT devices in the government context.

Ratings agency starting to factor in Cyber risk profile

Mar 08 2019

By Cameron Abbott and Wendy Mansell

A recent report released by Moody’s Investors Services has shed some light on which business sectors are most at risk for cyberattacks.

After assessing 35 broad sectors it was concluded that banks, hospitals, security firms and market infrastructure providers face the highest risk. This was based on levels of vulnerability and the potential impact an attack would have.

The key determinative factor for these sectors is that they all rely strongly on technology and the vital role of confidential information in their operations.

The financial repercussions following a cyberattack in each of these sectors is extremely significant when considering the costs of insurance, penalties, consumer impact, potential litigation costs, R&D and technological impact to name a few.

The financial market is so high risk because of the financial and commercial data it holds and ever increasing fact that its services are being offered digitally, across multiple platforms i.e banking mobile/smart watch apps.

On a similar note because medical records are primarily collected and held in electronic form hospitals are very attractive to hackers given the sensitive nature of the data.

While the industries should not be a shock to the reader, it is important for participants in those industries and for suppliers to those participants to realise the risk profile that attaches to them and have procedures in place reflective of those risk levels. How one manages these risks in now likely to have indirect cost implications when you see ratings agencies like Moody’s assessing these sorts of areas.

To encrypt or not encrypt? That is the question

Feb 18 2019

By Cameron Abbott and Ella Richards

In response to the new controversial anti-encryption laws, Australian tech heavyweights have banded together to kick and scream over the restrictive implications the laws are already having on their industry.

Quick history lesson; the Assistance and Access Bill permit law enforcement to demand companies running applications such as Whatsapp to allow “lawful access to information”. This can be through either decryption of encrypted technology, or providing access to communications which are not yet encrypted. These ‘backdoors’ are intended to provide the good guys with the opportunity to fight serious crime, however there’s serious fear that in reality, these doors could throw out privacy or let in unwanted guests.

While the legislation states that backdoors should only be created if it doesn’t result in any ‘systemic weakness’; this is yet to be defined in a concrete and informative way. Industry points out that once created any such measure has the potential to be exploited by others. There is no such thing as a “once” only back door.

There is little doubt that this will end up in litigation as larger industry players challenge the abstract concepts in the legislation against the reality of their technology.

StartupAUS, an industry group of tech executives, have made several recommendations to amend the legislation. Even though they’re not holding their breath for any significant changes, they’re demanding more transparency around the requirements. Their recommendations include scrapping the requirement for an employee to build capabilities to intercept communications, tightening the scope of ‘designated communication providers’, giving oversight on how companies will be targeted and increasing what constitutes a ‘serious offence’.

Australia’s legislative response to the problem faced by law enforcement is one of the most heavy handed in the democratic world, and now has the world of technology companies with their significant impact on our economy watching the latest debate on reforms with great concern.

Bypassing the Castle Walls: Tactical Exploitation of America’s Vulnerable Grid

Feb 06 2019

By Cameron Abbott, Max Evans and Wendy Mansell

A recent Wall Street Journal Report has detailed how America’s utility grid was hacked. The Department of Homeland Security has named Russia as responsible for the overwhelmingly complex and threatening campaign.

The scheme targeted energy companies affiliated with the government and was carried out in a sophisticated manner by initially focusing on small firms within the utility supply chain.

Early techniques involved planting malware on the websites of online publications likely to be read by employees of companies within the energy sector. The hackers would lace the online publications with malicious content allowing them to steal usernames, passwords and infiltrate company systems.

A number of small firms fell victim to these tactics giving the hackers broad access to company networks. Fake emails were subsequently sent out on behalf of the affected firms containing forged and malicious Dropbox links which captured usernames, passwords and other credentials. Further they used fake personas to send emails and pretended to be job seekers, by sending resumes containing tainted attachments to energy companies.

The hackers continued this technique of sending malware emails on behalf of firms until they reached the top of the supply chain. It was reported that on at least 8 occasions the hackers infiltrated companies who had access to the industrial control systems that run the grid.

An alarming aspect was the number of affected companies that remained oblivious of the penetration. The report is a useful description of the variety of methods used to tempt employees to expose their credentials. All too easy to do. These same techniques are regularly used by more pedestrian hackers. Two factor authentication and regular password resets remain measures to limit these threats but so many organisations do not use them.

We repeatedly counsel that employees are the last line of defence for your organisation. Circulating the Report may make an interesting read to remind them of the variety of ways they can be seduced to click an incorrect link.

Encryption bill to give unprecedented power

Dec 04 2018

By Cameron Abbott and Wendy Mansell

The Coalition government is attempting to pass large-scale decryption reforms which will give sweeping powers to law enforcement agencies for overt and covert computer access.

The reforms have caused significant controversy as they may force tech companies and communications providers to modify their services, creating “systemic weaknesses” for intelligence agencies to exploit. However many point out these same vulnerabilities may be utilised by criminals.

Further the potential repercussions of these reforms may undermine consumers’ privacy, safety and trust through unprecedented access to private communications. This could have anti-competitive effects, as the reputations of Australian software developers and hardware manufacturers will suffer within international markets.

At the same time, the harsh reality that terrorists and organised crime increasingly utilise these technologies to evade surveillance highlights a very clear problem for law enforcement authorities.

We won’t seek to suggest where the balance between these interests should lie, but the debate rages on. Stay tuned.

China in breach of cyber-security pact

Nov 23 2018

By Cameron Abbott and Wendy Mansell

It has been a fairly turbulent week in the cyber-espionage space following accusations that China’s Ministry of Security Services is behind the surge of intellectual property theft from Australian companies.

The news that the persistent attacks on Australian IP are perhaps a State sponsored campaign by the Chinese government is concerning as it suggests that China are in breach of several international and bilateral agreements.

In 2015, an agreement was made between Chinese President Xi Jinping and former President Obama, that the U.S and China would not steal intellectual property from one another for commercial gain. This was furthered at the November 2015, G20 Summit, where the cyber-theft of IP was accepted as the norm.

Following on from this in September 2017, former Prime Minister Malcolm Turnbull and Chinese Premier Li Kequiang promised that neither country would engage in cyber-theft of intellectual property and commercial secrets.

Reports of cyber-theft declined immediately after these agreements, however in recent months they have ramped up again.

A U.S Trade Representative report released this week confirms that despite any international agreements, China has continued engaging in cyber-espionage and the theft of intellectual property. Further the report states that not only is China likely to be in breach of these agreements, but the attacks have “increased in frequency and sophistication”.

Notably in July of this year, China was linked to the cyber-breach of Australian National University. This attack was particularly disturbing given that ANU is a leading university involved in key areas of Australian technological, scientific, defence and commercial research. It is fascinating that cyber attacks and theft are a “norm” that is accepted within our overall international relationships. Physical acts of a similar nature would not be so easily accepted.

China’s main security agency linked to cyber intellectual property theft

Nov 21 2018

By Cameron Abbott and Wendy Mansell

In April 2017, PWC, in collaboration with BAE Systems’ published a report on “Operation Cloud Hopper”, which exposed a cyber espionage campaign being conducted by a China-based threat actor. The report suggests that Operation Cloud Hopper is almost certainly the same threat actor known as “APT10”, a Chinese group thought to be behind cyber-attacks against many countries including Japan, Canada and America.

Recently it has been reported that there are links between China’s Ministry of State Security (MSS) and Operation Cloud Hopper. These allegations are from U.S based firm CrowdStrike who have recognised ties between Operation Cloud Hopper and the MSS Tianjin Bureau.

There is no confirmation that the MSS is behind the Cloud Hopper attacks, however Dr Adrian Nish, Head of Threat of Intelligence at BAE Systems said that there is “no reason to doubt” the claims.

The term “Cloud Hopper” describes a technique where cyber espionage groups “hop” from cloud storage services and infiltrate Australian IT systems. Operation Cloud Hopper is responsible for the theft of intellectual property from a number of Australian companies, primarily focused on mining, engineering and professional services firms.

In a week full of news about China activities in the region, the suggestion of state sponsored hacking thefts is a salient warning to companies that their core intellectual property assets are at risk if not well secured.

Apple calls for comprehensive US privacy laws

Oct 25 2018

By Cameron Abbott and Jessica McIntosh

It’s uncomfortable to think one of the world’s biggest business leaders has this week stood up and told us all ”our own information from the everyday to the deeply personal is being weaponized against us with military efficiency” what’s more uncomfortable, these powerful words are only a small snippet of a seriously forceful and passionate speech Tim Cook delivered in Brussels on Wednesday.

Catagory:Legal & Regulatory Risk