Cyber Law Watch

Insight on how cyber risk is being mitigated and managed across the globe.

1
Ransomware attacks – is there harm even when nothing is stolen?
2
Australian Privacy Reform Series Refresher: What Are These Reforms?
3
Disclosure Obligations for Cyber Ransom Payments: A New Cyber Security Act is Coming
4
Artificial Intelligence and the Data Conundrum
5
Modern Adtech Regulated Under Antiquated Law: How Video Killed the Internet Star
6
Security of Critical Infrastructure – Adoption of Cyber Security Framework and Mandatory Reporting Deadline Approaches While the Regulator Moves From “Education” to “Enforcement” Mode
7
ASIC and OAIC’s New Information Sharing MoU: What You Need to Know
8
9,948,575,739 Reasons to Change Your Passwords now
9
AI’s Next Frontier: The New Voice of Scam Calls?
10
Decree No. 2024-388 and Its Implications for Intermediation Platforms

Ransomware attacks – is there harm even when nothing is stolen?

In November 2020, accounting and consulting firm Nexia Australia (Nexia) was alerted to a “REvil” ransomware attack taking place within its system. The attackers threatened to post personal information of Nexia’s clients, customers and staff online unless it paid a $1m ransom within 72 hours.

It was reported that the hackers appeared to have posted Nexia’s confidential files onto the dark web; however, further investigation revealed that the hackers had merely posted screenshots of Nexia’s files. Realising this, Nexia dismissed the threat and refused to pay the ransom.

But it didn’t end there.

Shortly after the attack, a news service found the Nexia file screenshots on the dark web and publicised that the company’s confidential information had been stolen and shared. Not only did Nexia have to reassure panicking clients that their confidential information remained uncompromised, it had to convince the Australian Securities and Investments Commission, the Australian Federal Police and the Privacy Commissioner that nothing of concern had been taken.

It doesn’t help that ransomware-as-a-service is becoming an increasingly lucrative business for cybercriminals to launch this type of attack. All that is needed is off-the-shelf malware, a wallet of cryptocurrency and it’s ready to deploy against an unsuspecting organisation.

The attack on Nexia demonstrates that even if there is no evidence that confidential information has been leaked, organisations can still suffer significant damage. The cost of reassuring stakeholders and mitigating reputational harm can almost match the consequences of a full blown attack.

As Warren Buffet famously quoted, “It takes 20 years to build a reputation and 5 minutes to ruin it”.  While Nexia recovered valiantly, this serves as a lesson that even when unsuccessful, the public ramifications of a ransomware attack are not to be underestimated.

Australian Privacy Reform Series Refresher: What Are These Reforms?

By Cameron Abbott, Rob Pulham, and Stephanie Mayhew

In 2023 the Attorney-General’s Department released the “Privacy Act Review Report” (Review Report), which considered whether the Australian Privacy Act 1988 (Cth) and its enforcement mechanisms are fit for purpose in an environment where Australians now live much of their lives online and their information is collected and used for a myriad of purposes in the digital economy.

Read More

Disclosure Obligations for Cyber Ransom Payments: A New Cyber Security Act is Coming

By Cameron Abbott, Rob Pulham, Stephanie Mayhew, Dadar Ahmadi-Pirshahid and Lauren Hrysomallis

A new Cyber Security Act is set to be unveiled in Parliament’s next sitting from 12 August, as reported by the ABC. The proposed Act would require Australian businesses and government bodies to disclose when they make a ransom payment to cybercriminals in the event of a hack, or face penalties of up to AU$15,000 for failing to notify.

Read More

Artificial Intelligence and the Data Conundrum

By Paul R. Haswell and Cameron Abbott

As much as artificial intelligence (AI) remains a hot topic to companies and individuals alike, there remains limited detailed regulation in place. The European Union published its Artificial Intelligence Act on 12 July 2024, but other jurisdictions have been slow or piecemeal in its regulation of AI.

Read More

Modern Adtech Regulated Under Antiquated Law: How Video Killed the Internet Star

By Cameron Abbott and Rob Pulham

In their recent article available here, Katie Staba and Corey Bieber from our Chicago office discuss emerging advertising technology issues, including new applications of the California Invasion of Privacy Act and the Video Privacy Protection Act.

Security of Critical Infrastructure – Adoption of Cyber Security Framework and Mandatory Reporting Deadline Approaches While the Regulator Moves From “Education” to “Enforcement” Mode

By Cameron Abbott, Rob Pulham, Damien Timms, Dadar Ahmadi-Pirshahid and Adam Asadurian

Some key compliance dates approach for responsible entities of critical infrastructure assets under the Security of Critical Infrastructure Act (SOCI Act).

Read More

ASIC and OAIC’s New Information Sharing MoU: What You Need to Know

By Cameron Abbott, Rob Pulham, Stephanie Mayhew and Lauren Hrysomallis

ASIC has further focused its attention on the duties of companies and directors with regards to cyber resilience with the signing of a Memorandum of Understanding (MoU) with the Office of the Australian Information Commissioner (OAIC).

Read More

9,948,575,739 Reasons to Change Your Passwords now

By Cameron Abbott, Rob Pulham, Stephanie Mayhew and Jordan Booth

Cybernews has reported on its researchers’ discovery of what could be the largest leaked password compilation of all time, with a record 9,948,575,739 plaintext passwords in a file called “rockyou2024.txt” (see article).

Read More

AI’s Next Frontier: The New Voice of Scam Calls?

By: Cameron Abbott, Rob Pulham, Dadar Ahmadi-Pirshahid, and Adam Asadurian

Astonishingly (…or perhaps not, for anyone who’s answered a phone call recently), “imposter calls” are the number one offender of spam calls in the United States, amounting to 33% of all phone calls according to a recent study by QR Code Generator.

Read More

Decree No. 2024-388 and Its Implications for Intermediation Platforms

By Claude-Étienne Armingaud and Kenza Berrada

Digital intermediation service platforms within the sectors of chauffeur-driven transportation and goods delivery have new responsibilities since the enactment of Decree no. 2024-388 on 25 April 2024. Operating under the framework established by Article L. 7345-1 of the French Labor Code, this Decree has initiated a systematic collection and transmission protocol for data concerning platform workers’ activities to the French Employment Platforms Social Relations Authority (ARPE).

Read More

Copyright © 2024, K&L Gates LLP. All Rights Reserved.