Cyber Security in the Interconnected World

Craig Subocz, Senior Associate

8 March 2016

Transcript of Cyber Security in the Interconnected World

Page 1: Cyber Security in the Interconnected World


Cyber Security in the Interconnected World

Craig Subocz, Senior Associate

8 March 2016


Page 2: Cyber Security in the Interconnected World

Disclaimer

The information contained in this presentation is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the presenter directly.

Page 3: Cyber Security in the Interconnected World

Agenda

> What is cyber security?
> Current and future threats
> Legal ramifications
> The Victorian Privacy Data Security Standards

Page 4: Cyber Security in the Interconnected World

What is Cyber Security?

> Cyber security comprises active steps taken to:
  > safeguard an IT environment from unauthorised access; and
  > ensure that information contained on the IT environment is not accessed, used or disclosed without authorisation

Page 5: Cyber Security in the Interconnected World

Current and Future Threats

> Federal Government refers to “cyber adversaries”
> A cyber adversary is “an individual or organisation that conducts cyber espionage, crime or attack”
> Adversaries include:
  > Foreign state-owned adversaries;
  > Organised crime
  > Issue-motivated groups or individuals with personal grievances

Source: Australian Cyber Security Centre, 2015 Threat Report (July 2015)

Page 6: Cyber Security in the Interconnected World

Current and Future Threats


Page 7: Cyber Security in the Interconnected World

Current and Future Threats


Page 8: Cyber Security in the Interconnected World

Current and Future Threats

> Cyber intrusion
> Spear phishing and social engineering
> Remote Access Tools
> Watering-hole techniques
  > Compromised legitimate website hosts malware
> Malware/Ransomware
> Distributed Denial of Service

Page 9: Cyber Security in the Interconnected World

Legal Ramifications

> Potential breach of statutory obligations of privacy
  > Failure to take reasonable steps to secure personal information
> Possible breach of director’s duties
> Possible breach of contract
> Disruption to business continuity
> Possible breach of duty (negligence)

Page 10: Cyber Security in the Interconnected World

Breach of Privacy

> Many businesses bound by the Privacy Act 1988 (Cth)
> Australian Privacy Principle 4
  > An organisation must take ‘reasonable steps’ to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure

Page 11: Cyber Security in the Interconnected World

Breach of Privacy

> ‘Reasonable steps’ depends on the circumstances
> Example: IT network vulnerability allows personal information to be harvested:
  > If the vulnerability could have been addressed relatively inexpensively and/or quickly, then the organisation may not have taken ‘reasonable steps’
> Example: Malware detection software detects suspicious activity but IT department takes no action
  > Privacy Commissioner may conclude that reasonable steps were not taken

Page 12: Cyber Security in the Interconnected World

Director’s Duties

> Directors must act with a reasonable degree of care, diligence and skill (Corporations Act 2001 (Cth), s 180(1))
  > Corporation suffers an information security breach incident causing significant disruption to its business
  > Did the directors adequately plan for and oversee cyber security?
  > If not, did they discharge their duty?
> March 2015: ASIC released REP 429 “Cyber Resilience: Health Check”
  > Expressly highlighted cyber security as a focus for entities regulated by ASIC

Page 13: Cyber Security in the Interconnected World

Target Hack

> May 2013: Target installed anti-malware software
> Thanksgiving 2013: Malware installed on Target servers
> 12 December 2013: US Govt warned Target of an attack
> 15 December 2013: Target confirmed it had removed malware
> 19 December 2013: Target acknowledged breach
> May 2014: Target CEO resigned

Page 14: Cyber Security in the Interconnected World

Target Hack

> Target allegedly could have prevented the theft of their customers’ credit cards
  > Allegedly ignored warnings from its software
> Sales in the 2013 holiday period were 3-4% lower than in previous years
> Up to 70 million customers were affected
> August 2015: Target US settled lawsuits with VISA
> March 2016: Litigation continues

Page 15: Cyber Security in the Interconnected World

Contract Issues

> Cyber security breaches may disrupt your business continuity and may adversely affect your capacity to deliver goods/services to your customers
  > Will a force majeure clause excuse non-compliance?
> Can you plan anticipated delivery dates to implement a fallback if your business is interrupted by a cyber security breach (either to your business or a supplier’s business)?

Page 16: Cyber Security in the Interconnected World

Contract Issues

> Look at your key supplier contracts to see if they address cyber security
  > Are there provisions dealing with privacy?
  > Are there provisions dealing with service unavailability and your rights?
  > Do your suppliers have the appropriate security certifications?
  > Do they regularly test their readiness?
  > What rights do you have against a supplier if their system is undone by a cyber security breach?

Page 17: Cyber Security in the Interconnected World

Victorian Protective Data Security Framework

> Framework developed to address issues in Victorian Government cyber resilience
> Applies to 2000+ Victorian Govt agencies (though Councils are exempt)
> Establishes Victorian Protective Data Security Standards (VPDSS)
> VPDSS currently in draft form
  > Expected to commence in 2016

Page 18: Cyber Security in the Interconnected World

Victorian Protective Data Security Standards

> VPDSS comprises 20 high level mandatory requirements + supporting material in the form of non-mandatory guidance
  > Guidance notes still being prepared
> Standards include Security Management Framework and Contracted Service Providers Standards
> Security Management Framework compels board and executive buy-in to implement security management internally
> Contracted Service Providers Standard requires agencies to address security management in contracts in an enforceable manner

Page 19: Cyber Security in the Interconnected World

Summary

> Cyber threats evolving
> Cyber security requires board and executive attention
> Use resources such as ASIC Report 429 as a means of informing the board to set a strategy for improving cyber resilience
> Review engagements with suppliers to determine whether and to what extent cyber security is addressed
  > If appropriate, discuss what suppliers will do in relation to cyber security and seek to embed their undertakings in contract documents
> Monitor communications from relevant regulators, eg. Privacy Commissioner
> Seek external assistance, if required

Page 20: Cyber Security in the Interconnected World


Please Contact

Craig Subocz

Senior Associate

(03) 9609 1646

[email protected]

rk.com.au

Thanks

Page 21: Cyber Security in the Interconnected World

Level 12, 469 La Trobe Street, Melbourne, VIC 3000 P: +61 3 9609 1555

Level 8, 28 University Avenue, Canberra, ACT 2601 P: +61 2 6171 9900

Liability limited by a scheme approved under Professional Standards Legislation