Category: Legal & Regulatory Risk

1
OAIC releases draft guide for conducting big data activities
2
Yes it can cost you your job…even if you are the boss!
3
Hacked accounts anyone?
4
Australian Government releases Cyber Security Strategy
5
Bangladesh Bank considers legal action against the NY Fed in Hollywood-esque hack
6
Been Hacked? To Report Or Not To Report… To The SEC, It Isn’t Even A Question.
7
A New Cyber Regulator on the Beat: The CFPB Issues its First Cybersecurity Order and Fine
8
Apple sends passionate message to customers following court order to hack iPhone
9
Privacy concerns over Westfield’s ticketless parking system
10
Australian Prudential Regulation Authority (APRA) paper

OAIC releases draft guide for conducting big data activities

By Cameron Abbott and Simon Ly

Last week the OAIC released their consultation draft Guide to big data and the Australian Privacy Principles, with feedback on the Guide open until 26 July 2016.

The main purpose of the Guide is to facilitate big data activities while protecting personal information (being information or an opinion about an identified individual, or an individual who is reasonably identifiable). The Guide addresses issues such as notice and consent, retention minimisation and use limitation in regards to such data. Whilst not legally binding, the Guide will be referred to by the Privacy Commissioner in undertaking its functions under the Privacy Act.

One of the key aspects dealt with in the Guide is that entities should consider undertaking big data activities on an anonymised manner by de-identifying personal information. If so, this has the favourable outcome that such data will not be considered personal information so accordingly less onerous obligations apply under the Privacy Act to such data. Of course, if this is the case it also lessens the chance that personal information will be compromised should a data breach occur (speaking of which, we note OAIC’s April 2016 guide to deal with data breaches). However, in our experience most of our clients want to analyse and then drill down to take actions or campaigns in relation to a then identified group of customers.

The Guide also highlights how big data interacts with the APPs as well as discussing other related concepts, such as “privacy by design” frameworks. For more information, you can access the OAIC’s consultation draft Guide here.

Yes it can cost you your job…even if you are the boss!

By Cameron Abbott and Giles Whittaker

The CEO of Austrian aerospace parts maker FACC, has been fired following a cyber fraud that cost the company 42 million euros (AUD $65 million). FACC also fired their CFO in February soon after the cyber fraud.

Executives are being held responsible for business’ cybersecurity measures, and while FACC declined to comment on the details of Walter Stephan’s shortcomings, their supervisory board concluded that Walter Stephan had “severely violate his duties, in particular in relation to the fake president incident”. It is likely that this violation is in reference to a lack of adequate cybersecurity procedures or protections, which would be considered essential for most businesses in this technologically integrated era.

So how was it done? The technique used to deceive FACC into handing over their money is known as a ‘fake president incident’. To put it simply, the hackers sent an email to an employee posing as the CEO, and requested that funds be transferred to a specified account for a fake acquisition project. It would appear the board figured it shouldn’t have been that easy.

More information about this cyber fraud can be found in an article by reuters.

Hacked accounts anyone?

By Cameron Abbott and Giles Whittaker

Have you been hacked? If you are the user of a Google, Yahoo or Microsoft e-mail account then it is a possibility. Alex Holden, the founder and Chief Information Officer of Hold Security who discovered the hack has identified 272.3 million account credentials have been stolen. The majority of these accounts are users of Mail.ru which is Russia’s most popular e-mail service.

57 million Mail.ru account credentials had been hacked and Mail.ru “are now checking any combinations of usernames/passwords match users’ e-mails and are still active”, from initial checks there were no live combinations.

Google and Yahoo are yet to provide any response.

This recent hack, which was performed by a young Russian hacker who is more determined to become famous than rich from his recent efforts after only asking for 50 roubles (less than $1) for the entire dataset, is one of the biggest collection of stolen credentials since the attacks on major US banks and retailers two years ago. The information which was stolen, as suggest by Holden in an interview with Reuters is “potent [and] it is floating around in the underground…which can be abused multiple times.”

Some of the stolen credentials include those for employees of large US banking, manufacturing and retail companies. When considering that 22 percent of big data breaches come from stolen online credentials (according to a recent survey of 325 computer professional) and hacks of this nature typically allow for further break-ins or phishing attacks by accessing the contacts of each hacked account, the domino effect of a hack such as this is substantial. Furthermore, individuals that like to re-use their preferred passwords across multiple accounts have exposed themselves to additional hacks.

So what is the take away message? According to Will Harwood, founder and Chief Technology Officer of Silicon SAFE, the solution as he told Infosecurity is to put the “password data in a dedicated hardware supported database that only allows data to be stored and compared, never revealed.”

For more of Will Harwood’s security suggestions and the Infosecurity article click here.

To read more about Alex Holden’s discovery of the Russian hacker click here.

Australian Government releases Cyber Security Strategy

By Cameron Abbott and Giles Whittaker

Cybersecurity appears to be a new popular expenditure, particularly in Australia, as Malcom Turnbull announces his government’s new Cyber Security Strategy initiative budgeted to cost $230 million over 4 years in addition to the $400 million allocated in the 2016 Defence White Paper over 10 years.

So what do we get for all that money? The government has announced their 5 themes of action over the next 4 years which includes:

  1. a national cyber partnership;
  2. strong cyber defences;
  3. global responsibility and influence;
  4. growth and innovation; and
  5. a cyber smart nation.

This will include the funding to establish a Cyber Security Growth Centre through a National Innovation and Science Agenda. The Growth Centre is intended to serve as an innovation hub which will identify and prioritise cybersecurity challenges and identify opportunities for Australia to build globally competitive commercial solutions.

Cybersecurity is grabbing global attention and the Turnbull government has appointment their first Cyber Ambassador. The role of the Cyber Ambassador will be to identify opportunities for practical international cooperation and ensure Australia is situated to take advantage of new commercial opportunities.

Small businesses are often left exposed to hackers due to a lack of resources allocated to cybersecurity and, are targeted for their potential provide a back door to other companies, are often targeted. Turnbull’s no business left behind strategy sees small businesses being allocated $15 million in grants to have their systems tested and improved by The Council of Registered Ethical Security Testers (CREST).

For further information access the government’s plan here.

Bangladesh Bank considers legal action against the NY Fed in Hollywood-esque hack

By Cameron Abbott and Simon Ly

In a story that would make an excellent plot to a sequel to Ocean’s 13, the Federal Reserve Bank of New York has been the target of a successful major cyber hack. Part of the targeted attack was an attempt to steal nearly $1 billion from Bangladesh Bank’s account.

If anyone would be well protected it would be the NY Fed, right? Well, while they were able to block some 30 transactions, 5 were successful, resulting in $81 million being stolen from Bangladesh Bank’s account.

The NY Fed has released a statement outlining that its systems were not breached, but instead pointing to SWIFT, a member-owned cooperative relied upon by banks to authenticate international monetary transactions. In response, a SWIFT representative stated that it “reiterates that the SWIFT network itself was not breached”. For its part, the NY Fed agreed that it “viewed this as a major lapse on the part of FRB NY”.

It will be fascinating to see how this he-said she-said blame game plays out. The current state of events is that the Bangladesh Bank is engaging legal counsel to establish grounds for recompense.

It goes without saying that these mind boggling figures and the nature of the attack emphasise that no one is immune from attacks. Next time someone tells you that it can’t happen to your organisation – remember this example.

For more information, please see Bloomberg’s report here.

Been Hacked? To Report Or Not To Report… To The SEC, It Isn’t Even A Question.

By Tyler Kirk

In the US, the Securities and Exchange Commission has encouraged its regulated entities to self-report. If entities do not self-report, there is the very real possibility that a whistleblower may disclose a cybersecurity incident to the Commission. Significantly, the SEC has indicated that it would take a more adversarial position against an entity that does not self-report.
When self-reporting cybersecurity incidents to the SEC, it is important to approach the Commission with a well thought out plan for responding to the incident. Moreover, a remediation strategy should be a part of every entity’s cybersecurity policies and procedures.

After a cybersecurity incident, SEC regulated entities, such as investment companies and their boards, should move quickly to establish the scope of the incident, decide whether to self-report to the SEC, and begin the remediation process. According to the Commission, under some circumstances, the SEC has tools available to assist with remediation.

Importantly, self-reporting cybersecurity incidents to the SEC could benefit an investment company and its board by leading to a reduced penalty in the event an enforcement action is brought on the basis of the incident.

A New Cyber Regulator on the Beat: The CFPB Issues its First Cybersecurity Order and Fine

By Ted Kornobis

On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) instituted its first data security enforcement action, in the form of a consent order against online payment platform Dwolla, Inc.

The CFPB joins several other regulators that have recently issued statements or instituted enforcement actions in this space, including the Securities and Exchange Commission (“SEC”), Commodities Futures Trading Commission (“CFTC”), the Financial Industry Regulatory Authority (“FINRA”), the National Futures Association (“NFA”), the Department of Justice (“DOJ”), state attorneys general, and the Federal Trade Commission (“FTC”), which has been active in this area for several years.

To read more click here.

Apple sends passionate message to customers following court order to hack iPhone

By Cameron Abbott and Meg Aitken

A US District Court has ordered Apple to assist US law enforcement agents to bypass the security features, disable the auto-erase function and ultimately access the data contained within an iPhone 5C that was used by one of the San Bernardino shooters, Syed Rizwan Farook.

Apple’s CEO Tim Cook responded to the order with an open letter to customers discussing the privacy and security implications of the order and calling for public discussion on the issue.

Read Apple’s Customer Letter here.

Access the Court Order here.

Privacy concerns over Westfield’s ticketless parking system

By Cameron Abbott, Meg Aitken and Shirley Chen

Westfield has sidelined the SMS feature of its ticketless parking system this week due to concerns it breached Australian privacy laws.

Westfield’s newfangled ticketless parking system attempted to make parking quicker and easier for shoppers by scanning car number plates on entry and exit of their carparks, and sending an SMS notification to registered parkers recording their entry time and an alert message when their free parking time was nearly up. To register for the service, users were merely required to provide a name, license plate number and phone number (with no verification).

Privacy experts raised the alarm that any person could register false details and track another person’s physical location via the SMS notifications. This was a particular worry for those in domestic violence situations and could also potentially enable stalking or thieves to determine when homeowners had left their houses. The feature’s Terms and Conditions failed to address any of these issues.

The SMS service is currently suspended as internal investigations are conducted, though the rest of the ticketless parking system and app continue to operate.

Learn more about the ticketless parking system here.

Read the ITNews report on the issue here.

 

Australian Prudential Regulation Authority (APRA) paper

by Jim Bulling and Julia Baldi

APRA has released an information paper on outsourcing involving shared computing services, including cloud. The paper discusses risks for outsourcing shared services and ways in which APRA regulated entities may seek to minimise these risks.

See the information paper here.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.