Archive: May 2017

1
Law Firms Must Step Up Security or Risk Exposure: $8,895,560 Fine for Law Firm Hackers
2
Australia and China to Cooperate Against Cybercrime
3
“WannaCry” Ransomware Attack Causes Disruption Globally – with the worst yet to come
4
No Cybersecurity? No Business, Banks Say
5
New Mexico’s New Data Breach Notification Laws
6
The police are reading … a lot … more than half a million times last year

Law Firms Must Step Up Security or Risk Exposure: $8,895,560 Fine for Law Firm Hackers

By Cameron Abbott and Edwin Tan

On 5 May 2017, a federal district court in New York ordered four people involved in breaching the networks of two law firms and stealing confidential information to pay approximately $8.9 million in fines.

According to the Securities and Exchange Commission, the hackers installed malware on the law firms’ networks, enabling them to view and copy data held by the law firms. The stolen data included emails revealing the details of clients considering mergers or acquisitions. Armed with this information, the hackers purchased shares in those companies ahead of public announcements, quickly amassing profits of almost $3 million.

There are concerns that hackers consider law firms as “low risk, high reward” targets, as a successful breach can reveal sensitive information about a multitude of clients such as trade secrets and financial data. These breaches can result in firm clients being exposed to massive commercial and legal risk.

One can be cynical at expenditure on security, let’s face it, it means less money in partners’ pockets – but cases like this are a salient warning of the hidden costs of getting security wrong!

Australia and China to Cooperate Against Cybercrime

By Cameron Abbott and Edwin Tan

On 21 April 2017, Australian and Chinese Government representatives attended the inaugural Australian-China High-Level Security Dialogue. The Dialogue was launched to promote discussion between the two countries in the areas of counter-terrorism, cybercrime and other important security issues.

According to a joint statement by both parties, Australia and China reaffirmed their commitment to cooperate on cybersecurity issues. The key commitments include:

  • supporting the work of the UN Group of Governmental Experts and to act in accordance with its reports;
  • establishing an information-sharing mechanism to assist in combating cybercrime and preventing cyber incidents that could cause problems between the countries;
  • working together against internet distribution of child sex abuse material, e-mail scams and other transnational cybercrime activities;
  • discussing options for joint operations against cybercrime; and
  • exchanging cybersecurity delegations and regulatory documents to enhance understanding, cooperation and mutual trust.

The second High-Level Security Dialogue session will be held in China in the first half of 2018. One imagines that this is a tricky dialogue to foster, but clearly Australia takes the view of better off having China “in the tent than out”.  Read the joint statement here.

“WannaCry” Ransomware Attack Causes Disruption Globally – with the worst yet to come

By Cameron Abbott and Edwin Tan

A ransomware known as “WannaCry” affected 200,000 people in 150 countries over the weekend, locking computer files and demanding payment to release them. As of this morning, Australia and New Zealand users seem to have avoided the brunt of the attack, with the Federal Government only confirming three reports of Australian companies being affected.  Not that ransomware attacks tend to be the subject of reporting – there is quite a high rate of payment of affected users as the pricing is deliberately cheaper than most alternatives unless your back-up process is very good.

The ransomware utilises vulnerabilities in out-of-date, unpatched versions of Microsoft Windows to infect devices. It spreads from computer for computer as it finds exposed targets, without the user having to open an e-mail attachment or click a link as is commonplace in most attacks. Ransom demands start at US$300 and doubles after three days.

The U.K. National Health Service (NHS) was among the worst hit organisations, forcing hospitals to cancel appointments and delay operations as they could not access their patients’ medical records. The Telegraph suggested that 90 percent of NHS trusts were using a 16 year old version of Windows XP which was particularly vulnerable to the attack. More attacks are anticipated throughout the working week as companies and organisations turn on their devices.

The U.K. National Cyber Security Center has released guidance to help both home users and organisations limit the impact of the attacks. It can be read here.

No Cybersecurity? No Business, Banks Say

By Cameron Abbott and Edwin Tan

A recent survey by leading analytics company FICO revealed that 75 percent of senior fraud managers in Asia Pacific banks were prepared to stop working with business partners that fail cybersecurity audits. 65 percent of respondents confirmed that preventing cybercrime is a key focus in 2017, with the majority nominating cybercrime as having the largest potential financial impact on banks.

Large retailers and telecommunications companies were identified as the greatest data breach risks for banks. Dan McConaghy, president of FICO Asia-Pacific, explained that the problem was compounded in the Asia Pacific by a huge growth in sales by poorly protected companies.

Companies are going to have to realise that data security is now a sales issue and not simply an afterthought.

New Mexico’s New Data Breach Notification Laws

By Cameron Abbott and Edwin Tan

New Mexico has followed other U.S. states in enacting data breach notification laws coming into effect on 16 June 2017. The statute will only apply to computerised data, which is narrower in scope compared to Australian laws that also apply to physical records.

The key provisions from the new data breach laws include:

  • Companies must notify New Mexico residents, the Attorney General and Consumer Reporting Agencies as appropriate within 45 days of discovery of data breaches that pose “a significant risk of identity theft or fraud”;
  • Companies that disclose Personal Identifying Information to third party vendors must contractually require the vendors to implement and maintain reasonable security procedures; and
  • Civil penalties of $10 per instance of failed notification up to a maximum of $150,000.

There are concerns that this adds another layer of complexity for companies trying to remain compliant, as they will now have to comply with data breach notification laws of 48 states and 3 territories. We think that there may be a big push for a unified federal law on this issue in the near future.

The police are reading … a lot … more than half a million times last year

By Cameron Abbott and Edwin Tan

News Corp reported today that law enforcement agencies accessed the private data of Australian individuals about 541,300 times during the past 12 months. This is an estimated increase of about 60 percent compared to the previous year.

This is in addition to the Australian Federal Police (AFP) confirming on Friday that an officer had accessed phone records without a warrant earlier in the year. No action was taken against the officer.

The 2015 amendments to the Telecommunications (Interception and Access) Act 1979 (Cth) made it mandatory for telecommunications companies and internet service providers to retain metadata. This metadata can be accessed without a warrant by 21 government agencies, including the AFP.

However, journalists’ telecommunications data cannot be accessed by agencies without first obtaining a “Journalist Information Warrant”. An agency must apply to a Federal Court judge or a nominated Administrative Appeals Tribunal member to be granted the warrant.

The breach has sparked calls for an independent and public inquiry into the AFP, with Senator Nick Xenophon calling the incident “a complete failure with no real explanation”.  Not the last we will hear about this issue we think.  Read more about this here.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.