Archive: 2017

1. Law Firms Must Step Up Security or Risk Exposure: $8,895,560 Fine for Law Firm Hackers
2. Australia and China to Cooperate Against Cybercrime
3. “WannaCry” Ransomware Attack Causes Disruption Globally – with the worst yet to come
4. No Cybersecurity? No Business, Banks Say
5. New Mexico’s New Data Breach Notification Laws
6. The police are reading … a lot … more than half a million times last year
7. Abbott Labs makes a costly mistake as FDA targets cybersecurity deficiencies
8. Draft law proposes security assessment of data exported out of China
9. McDonald’s India (inadvertently) delivering more than just burgers in India
10. Old-school data breach sees hospital investigated

Law Firms Must Step Up Security or Risk Exposure: $8,895,560 Fine for Law Firm Hackers

By Cameron Abbott and Edwin Tan

On 5 May 2017, a federal district court in New York ordered four people involved in breaching the networks of two law firms and stealing confidential information to pay approximately $8.9 million in fines.

According to the Securities and Exchange Commission, the hackers installed malware on the law firms’ networks, enabling them to view and copy data held by the law firms. The stolen data included emails revealing the details of clients considering mergers or acquisitions. Armed with this information, the hackers purchased shares in those companies ahead of public announcements, quickly amassing profits of almost $3 million.

There are concerns that hackers consider law firms as “low risk, high reward” targets, as a successful breach can reveal sensitive information about a multitude of clients such as trade secrets and financial data. These breaches can result in firm clients being exposed to massive commercial and legal risk.

One can be cynical about expenditure on security (let’s face it, it means less money in partners’ pockets), but cases like this are a salient warning of the hidden costs of getting security wrong!

Australia and China to Cooperate Against Cybercrime

By Cameron Abbott and Edwin Tan

On 21 April 2017, Australian and Chinese Government representatives attended the inaugural Australian-China High-Level Security Dialogue. The Dialogue was launched to promote discussion between the two countries in the areas of counter-terrorism, cybercrime and other important security issues.

According to a joint statement by both parties, Australia and China reaffirmed their commitment to cooperate on cybersecurity issues. The key commitments include:

  • supporting the work of the UN Group of Governmental Experts and to act in accordance with its reports;
  • establishing an information-sharing mechanism to assist in combating cybercrime and preventing cyber incidents that could cause problems between the countries;
  • working together against internet distribution of child sex abuse material, e-mail scams and other transnational cybercrime activities;
  • discussing options for joint operations against cybercrime; and
  • exchanging cybersecurity delegations and regulatory documents to enhance understanding, cooperation and mutual trust.

The second High-Level Security Dialogue session will be held in China in the first half of 2018. One imagines that this is a tricky dialogue to foster, but clearly Australia takes the view that it is better off having China “in the tent than out”. Read the joint statement here.

“WannaCry” Ransomware Attack Causes Disruption Globally – with the worst yet to come

By Cameron Abbott and Edwin Tan

Ransomware known as “WannaCry” affected 200,000 people in 150 countries over the weekend, locking computer files and demanding payment to release them. As of this morning, Australian and New Zealand users seem to have avoided the brunt of the attack, with the Federal Government confirming only three reports of Australian companies being affected. Not that ransomware attacks tend to be reported: a high proportion of affected users simply pay, because the ransom is deliberately priced below most of the alternatives unless your back-up process is very good.

The ransomware exploits vulnerabilities in out-of-date, unpatched versions of Microsoft Windows to infect devices. It spreads from computer to computer as it finds exposed targets, without the user having to open an e-mail attachment or click a link, as is commonplace in most attacks. Ransom demands start at US$300 and double after three days.

The U.K. National Health Service (NHS) was among the worst-hit organisations, with hospitals forced to cancel appointments and delay operations because they could not access their patients’ medical records. The Telegraph suggested that 90 percent of NHS trusts were using the 16-year-old Windows XP, which was particularly vulnerable to the attack. More attacks are anticipated throughout the working week as companies and organisations turn on their devices.

The U.K. National Cyber Security Centre has released guidance to help both home users and organisations limit the impact of the attacks. It can be read here.

No Cybersecurity? No Business, Banks Say

By Cameron Abbott and Edwin Tan

A recent survey by leading analytics company FICO revealed that 75 percent of senior fraud managers in Asia Pacific banks were prepared to stop working with business partners that fail cybersecurity audits. 65 percent of respondents confirmed that preventing cybercrime is a key focus in 2017, with the majority nominating cybercrime as having the largest potential financial impact on banks.

Large retailers and telecommunications companies were identified as the greatest data breach risks for banks. Dan McConaghy, president of FICO Asia-Pacific, explained that the problem was compounded in the Asia Pacific by a huge growth in sales by poorly protected companies.

Companies are going to have to realise that data security is now a sales issue and not simply an afterthought.

New Mexico’s New Data Breach Notification Laws

By Cameron Abbott and Edwin Tan

New Mexico has followed other U.S. states in enacting data breach notification laws, which come into effect on 16 June 2017. The statute applies only to computerised data, which is narrower in scope than the Australian laws, which also apply to physical records.

The key provisions from the new data breach laws include:

  • Companies must notify New Mexico residents, the Attorney General and Consumer Reporting Agencies as appropriate within 45 days of discovery of data breaches that pose “a significant risk of identity theft or fraud”;
  • Companies that disclose Personal Identifying Information to third party vendors must contractually require the vendors to implement and maintain reasonable security procedures; and
  • Civil penalties of $10 per instance of failed notification up to a maximum of $150,000.

There are concerns that this adds another layer of complexity for companies trying to remain compliant, as they will now have to comply with data breach notification laws of 48 states and 3 territories. We think that there may be a big push for a unified federal law on this issue in the near future.

The police are reading … a lot … more than half a million times last year

By Cameron Abbott and Edwin Tan

News Corp reported today that law enforcement agencies accessed the private data of Australian individuals about 541,300 times during the past 12 months. This is an estimated increase of about 60 percent compared to the previous year.

This is in addition to the Australian Federal Police (AFP) confirming on Friday that an officer had accessed phone records without a warrant earlier in the year. No action was taken against the officer.

The 2015 amendments to the Telecommunications (Interception and Access) Act 1979 (Cth) made it mandatory for telecommunications companies and internet service providers to retain metadata. This metadata can be accessed without a warrant by 21 government agencies, including the AFP.

However, journalists’ telecommunications data cannot be accessed by agencies without first obtaining a “Journalist Information Warrant”. An agency must apply to a Federal Court judge or a nominated Administrative Appeals Tribunal member to be granted the warrant.

The breach has sparked calls for an independent and public inquiry into the AFP, with Senator Nick Xenophon calling the incident “a complete failure with no real explanation”. Not the last we will hear about this issue, we think. Read more about this here.

Abbott Labs makes a costly mistake as FDA targets cybersecurity deficiencies

By Cameron Abbott and Giles Whittaker

The Food and Drug Administration (FDA), after a previous warning in 2014, is threatening legal action against Abbott Labs if the company fails to address safety and security issues in implanted cardiac devices sold by St. Jude Medical, a subsidiary recently acquired by Abbott Labs. The internet of things takes on a much more serious tenor when the “thing” is a medical device rather than your fridge!

The company recently purchased St. Jude Medical, which makes implanted cardiac devices that have been the subject of cybersecurity concerns. A warning letter issued by the FDA gives Abbott Labs 15 days to submit a plan to address errors in the products’ design that could allow hackers to tamper with the settings and drain the batteries of the devices. Many of the cybersecurity concerns first came to light after medical device security research firm MedSec submitted a report outlining a variety of alleged security flaws in St. Jude products to investment firm Muddy Waters Research (MWR). MWR subsequently publicly announced the product design failures while short-selling St. Jude Medical’s stock in order to capitalise on the expected market response.

As public awareness of cybersecurity issues grows, it becomes apparent that a failure to adequately consider these issues, whether as a day-to-day function of operating a business or prior to the acquisition of a new business, can result in significant damage to a company’s bottom line. The recent short-selling by MWR shows that cybersecurity considerations need to be central to a company’s business model, or it risks having its inadequacies called out in a public forum. And we are not even thinking about what litigation liability risk these sorts of issues might raise.

Draft law proposes security assessment of data exported out of China

By Cameron Abbott and Allison Wallace

The Cyberspace Administration of China has released a draft law that would impose an annual security assessment on firms exporting data out of China.

The proposed legislation would apply to any business which transfers more than 1000 gigabytes of data, or which affects more than 500,000 users, and is the latest of several safeguards announced in recent times against threats such as hacking and terrorism.

Under the draft law, economic, technological or scientific data whose transfer would pose a threat to public or security interests would be banned from export, and there would be extra scrutiny of sensitive geographic data.

Businesses would also have to obtain the consent of users before transmitting their data overseas.

The draft law follows another passed in November 2016 which formalised a range of controls over firms that handle data in industries the Chinese government labels critical to national interests.

McDonald’s India (inadvertently) delivering more than just burgers in India

By Cameron Abbott and Allison Wallace

McDonald’s has fallen foul of customer expectations after its McDelivery app leaked the personal information of about 2.2 million users.

Access to the names, emails, home addresses and phone numbers of users was made readily available due to a poorly configured server, according to security firm Fallible.

The fast food giant told the Times of India that the app is safe to use – but Fallible tested the app again after McDonald’s said it had updated it to fix the issue, and found that it was still leaking data.

Old-school data breach sees hospital investigated

By Cameron Abbott and Allison Wallace

While health institutions around the world work to secure patients’ personal information and prevent the hacking or leaking of data from their systems, one Melbourne hospital is being investigated after medical records were found lying in a gutter in a nearby street.

Fairfax Media reports Australia’s Privacy Commissioner Timothy Pilgrim is investigating how the paper records of 31 patients of the John Fawkner Private Hospital were removed from the premises last month.

The documents, which were found by a local resident, were sent to both the Privacy Commissioner and Victoria’s Health Complaints Commissioner.

Under current legislation, there is no obligation for the hospital to notify the affected patients that their privacy has been breached. All this will change under the new data breach notification laws, which were passed by the Australian government last month, and are expected to come into force within the next 12 months.

This breach is a timely reminder for all businesses, government agencies and other organisations covered by Australia’s privacy laws to take stock of how they store personal information – whether it be in a filing cabinet, on a hard drive, or in the cloud – and ensure it is secure.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.