Cyber Law Watch

Insight on how cyber risk is being mitigated and managed across the globe.


Quick Tips for Entities Looking to Protect Against Cyber Breaches

By Jim Bulling

Research in Australia and overseas suggests that most cyber breaches can be prevented, or their impact significantly limited, by a range of low-cost and easy-to-implement measures. These include the following:

  • Username and password standards should be sophisticated.
  • Administrative and privileged access should be controlled.
  • Undesirable applications should be removed.
  • Automated patching tools and processes should be used.
  • Data should be backed up regularly.
  • Access to mobile devices should require authentication and data should be encrypted.
  • Antivirus software and filters should be used.

Research released by the Australian Defence Signals Directorate (DSD) indicates that at least 85% of the cyber intrusions that the DSD has responded to would have been mitigated had organisations implemented the above strategies.

European Court of Justice Declares EU/US Safe Harbour Decision Invalid

By Cameron Abbott and Melanie Long

The European Court of Justice has declared invalid a decision by the European Commission on the legitimacy of the EU/US safe harbour scheme (safe harbour decision). In the wake of the Snowden scandal, Austrian citizen Maximilian Schrems lodged a complaint against Facebook with the Data Protection Commissioner in Ireland (the location of Facebook’s European headquarters). The Irish supervisory authority rejected Mr Schrems’ complaint on the basis of the safe harbour decision. In invalidating the safe harbour decision, the European Court of Justice declared that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” It further declared that the safe harbour scheme, by not providing for an individual to pursue legal remedies in order to have access to personal data relating to them, or to obtain the rectification or erasure of such data, compromised “the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.”

The consequence of this decision is that the EU/US safe harbour scheme is contrary to the Data Protection Directive, which provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.

The European Court of Justice’s press release can be found here.

To read the full judgment of the European Court of Justice click here.

AMCHAM Cyber Security Panel Luncheon

K&L Gates partner Cameron Abbott will feature as part of a panel of professionals active in the cyber industry at an American Chamber of Commerce (AMCHAM) luncheon on Wednesday 28 October 2015.

The panel will discuss developments in the world of cyber security, the intent of the mandatory data-breach scheme and the far reaching impact that cyber security breaches can have on a business’s reputation and value.

The session will be moderated by Dr Tobias Feakin, Senior Analyst and Director, International Cyber Policy Centre.

For full details of the event and to register, click here.

Report finds finance and HR departments the greatest cybersecurity threats to organisations

By Cameron Abbott and Melanie Long

According to recent research conducted on behalf of cybersecurity firm Clearswift, finance and HR departments represent the biggest cybersecurity threat to organisations. The study polled more than 4500 information technology decision makers, security professionals and employees in the US, UK, Germany and Australia and found that 46% of respondents believed that finance departments posed a security threat to their organisation. In addition, 42% of respondents believed the same of an organisation’s HR departments.

Ashley Madison Hackers Release User Data

By Cameron Abbott and Melanie Long

On 19 August 2015 the group known as ‘The Impact Team’, who a month earlier hacked into online affair website Ashley Madison, made good on its threat and released a “data dump” of Ashley Madison users’ personal information. A second and larger release of stolen data occurred 2 days later and appears to have included emails sent by Noel Biderman, Ashley Madison’s founder and CEO of parent company Avid Life Media.

Following the release of the stolen data, acting Australian Information Commissioner, Timothy Pilgrim, announced the launch of an investigation into the breach which is to be conducted in liaison with the Office of the Privacy Commissioner of Canada (where Avid Life Media is based). On 28 August 2015 Noel Biderman stepped down from his role as CEO of Avid Life Media.

Read the ABC News article in relation to the first data release here.

The ABC News article relating to the second data release can be found here.

The Office of the Australian Information Commissioner’s press release relating to its investigation can be found here.

Australian Cyber Security Centre (ACSC) 2015 Threat Report

By Cameron Abbott and Melanie Long

On 29 July 2015, ACSC released its first unclassified ‘Threat Report’ (Report).  The Report highlights the increasing number, type and sophistication of cyber security threats in Australia, and is a timely reminder to organisations to re-assess the level of their cyber security.

The key takeaway messages from the Report include:

  • even organisations that may not think that they hold valuable information, or that they would be of interest to cyber adversaries, could be a target for malicious cyber activities
  • ensuring a resilient, cyber-secure Australia requires coordination between government and the private sector, with organisations and their users taking greater responsibility for the security of their networks and information.

ASIC Releases Updated Guidance on Electronic Disclosure

By Jim Bulling and Julia Baldi

ASIC has released updated guidance on electronic disclosure, RG 221: Facilitating online financial services disclosures. It outlines ASIC’s expectations for financial services providers that use (or plan to use) technology, including email and the internet, to deliver financial product and financial services disclosures to clients.

See RG 221 here.

Ashley Madison Data Security Breach

By Cameron Abbott and Melanie Long

On 19 July 2015 the Avid Life Media dating website Ashley Madison, which is aimed at married people who want to have an affair, was hacked by a group known as ‘The Impact Team’. The Impact Team has threatened to release users’ profiles if Ashley Madison and other Avid Life Media websites such as Established Men and Cougar Life are not shut down. The Impact Team claims to have stolen the details (including names, addresses, credit card numbers and personal sexual fantasies) of over 37 million users.

The story was broken by Brian Krebs, a former cyber crime writer for the Washington Post, on his blog ‘Krebs on Security’. A link to his article, which includes a statement made by Avid Life Media following the hack, can be found here.

Breaches Update – July 2015

By Jim Bulling and Julia Baldi

U.S. Office of Personnel Management (OPM)
The U.S. government has confirmed a second cyber attack on the OPM database. Hackers are confirmed to have stolen personal information relating to former, current and prospective federal government employees, affecting at least 21.5 million people (almost 7% of the entire U.S. population).

See the ABC report here, CNN report here and Guardian report here.

OPM’s website sets out how persons may have been affected by the breach and what OPM is doing to assist those affected. OPM has sent notifications to those affected by the incident and is offering free identity theft monitoring and restoration services, including identity theft insurance and credit monitoring.

OPM has also outlined a cybersecurity action report, available here.

Australian Prudential Regulation Authority (APRA) paper

By Jim Bulling and Julia Baldi

APRA has released an information paper on outsourcing involving shared computing services, including cloud. The paper discusses the risks of outsourcing shared services and ways in which APRA-regulated entities may seek to minimise these risks.

See the information paper here.
