Cybersecurity in convention centres: Understanding and managing the risk

Michael Park, Partner, Allens
4 July 2017
Source: aipc.org/uploadFiles/ANNUAL CONFERENCE/1501767048... (transcript of the slide deck)

Allens is an independent partnership operating in alliance with Linklaters LLP.

Overview of today's session

1. The global cyber battlefield
2. Common external and internal threats
3. The cost of cyber incidents
4. Global cyber attack trends
5. Australian legal landscape
6. Preparing for and managing a breach
7. Key learnings

The global cyber battlefield


Security incidents far exceed data breaches

• 42,068 reported security incidents in 2016
• 1,935 confirmed data breaches in 2016

Source: Verizon 2017 Data Breach Investigations Report (image extracted from the report)

Trends

• 75% of breaches perpetrated by outsiders
• Majority of breaches are detected by an external party
• Delayed detection
• Hacking is the leading type of breach

Source: Verizon 2017 Data Breach Investigations Report

Why have we seen an increase in cyber incidents and data breaches?

• Volume of digitised data has increased
• Cyber-attacks are becoming increasingly sophisticated
• Regulatory requirements to retain data

Common external and internal threats

Some common external threats

• Phishing emails/websites – rely on vulnerable staff and customers
• Distributed denial of service (DDoS) attacks
• Malware targeted at mobile devices (still mainly Android)
• Malware that gathers or intercepts passwords
• Online account hacking
• Ransomware (eg Cryptolocker, WannaCry)
• Global espionage campaigns

Typical internal threats

• Password protocol
• Corporate laptops containing confidential information without encryption (or sometimes even without password control)
• Loss of laptops, tablets, phones, USB drives
• Staff revealing passwords to phishing fraudsters
• Transfer of computer viruses and malware from poorly secured home computers (often via USB drive sharing)
• Improper destruction of corporate records

Internal threats remain important

[Bar chart: number of incidents by cause – Hackers; Accidentally made public; Theft or loss of computer/device; Insider theft; Unknown; Fraud]

Source: Symantec Internet Security Threat Report

The cost of cyber incidents

Typical costs

• Businesses: US$4 million average cost of a data breach
• Reputational: 29% increase in recent years
• Individuals: administrative nightmare; identity theft; indirect consequences

Typical costs

• External security consultants
• Repair or replacement of systems and data
• Downtime while system is fixed
• Crisis team management
• Notification and audit services
• Litigation and third party costs
• Brand damage
• Management distraction
• Loss of IP
• Loss of goodwill

Ponemon ‘Cost of Cybercrime Study’

• Most common cybercrimes in Australia
  ▪ Denial of service
  ▪ Malicious insiders
  ▪ Malicious code
• Most common costs
  ▪ Business disruption
  ▪ Costs to repair information loss

Global cyber attack trends

Cyber attack trends

• Top three industries: Healthcare, Public Sector, Retail
  ▪ Where personally identifiable information is commonly held
• Key threat actions: RAM scraping and use of credentials
  ▪ Remain hidden on average 229 days until discovery of breach
• Multi-tiered attacks: phishing, DDoS, then breach
  ▪ Ransomware dramatically on the rise in 2017
• Breach victims increasingly getting on the front foot to manage PR
• Data breaches often arise from a breach of your supplier’s systems
  ▪ So supplier cyber-risk management programmes and contractual obligations are critical

Cyber attack trends

• Small and medium businesses commonly attacked
  ▪ Common vulnerabilities exploited
  ▪ Social engineering and phishing attacks employed
  ▪ Automated and scaled attacks (often with hacker tools)
• Highly organised and efficient marketplace for monetising information, with organised crime becoming more involved
• Class action litigation very common in the US
  ▪ Driven largely by mandatory data breach notification
  ▪ Settlement value often small per plaintiff, but significant in total
  ▪ Australia could head the same way with mandatory data breach notification
• Take-up of cyber-risk insurance increasing, but is it creating the market for litigation?

Australian legal landscape

Legal ramifications of data breaches

Data security breach – potential ramifications:

• Privacy laws
• Sector-specific regulations
• Competition & Consumer Act
• Business interruption impact and losses
• Reputational risk
• Civil actions by individuals
• Directors’ duties
• Disclosure obligations under listing rules

Australian Privacy Act 1988 (Cth)

APP 11.1
If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.

APP 1.2(a)
An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity's functions or activities that:
(a) will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity;

Enforcement action

In 2015 – 2016 the OAIC…
• Commenced 17 investigations
• Made 7 determinations
• Received 107 voluntary data breach notifications
• Worked on 21 assessments

Australian Privacy Act: where we are now

• APP 11.1
  ▪ Must take reasonable steps to protect personal information held from misuse, interference, loss and unauthorised access, modification or disclosure
• 2015 OAIC Guide to securing personal information: ‘reasonable steps’ to protect personal information
  ▪ What is reasonable will vary depending on
    o nature of the entity holding personal information
    o sensitivity of personal information
    o harm likely to result to individuals from disclosure
    o how the organisation stores, processes and transmits personal information
    o ease with which security measures can be implemented
  ▪ Steps and strategies which may be reasonable to take include
    o staff training – security awareness and education
    o technological measures and monitoring

Australian Privacy Act: where we are now

• Privacy Act
  ▪ Currently no requirement to notify if personal information is misused or lost
• 2014 OAIC Data breach notification – A guide to handling personal information security breaches
  ▪ Notification of a data breach supports good privacy practices
  ▪ If a data breach involves a real risk of serious harm, individuals and the OAIC should be notified (but not currently required by the Privacy Act)
  ▪ Four recommended steps in responding to a data breach
    o Step 1: Contain the breach and do a preliminary assessment
    o Step 2: Evaluate the risks associated with the breach
    o Step 3: Notification
    o Step 4: Prevent future breaches

Mandatory data breach notification – the journey

• Privacy Amendment (Privacy Alerts) Bill 2013 – failed to gain majority support
• Privacy Amendment (Privacy Alerts) Bill 2014 – failed to gain majority support
• February 2015: Parliamentary Joint Committee on Intelligence and Security’s report on metadata retention recommends mandatory data breach notification
• Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 – exposure draft released for comment
• Privacy Amendment (Notification of Serious Data Breaches) Bill 2016 – introduced to Parliament
• Privacy Amendment (Notifiable Data Breaches) Act 2017 – finally passed
• February 2018: Notifiable Data Breaches (NDB) scheme goes into effect, which amends the Privacy Act to introduce mandatory data breach notification

Mandatory data breach notification laws

• What is an eligible data breach?
• ‘Serious harm’ the likely result
• Remedial action exception
• Commissioner declarations

Preparing for and managing a breach

Minimising the fallout…when, not if, it happens

• Cyber insurance
• Governance, culture and training
• Internal practices, procedures and systems
• ICT security
• Access security
• Vendor due diligence and contract management
• Data breach response plan

Contractual obligations and indemnities

• Confidential information
• Security
• Access
• Notification
• Cooperation and compliance with directions
• Audits
• Indemnities

Data breach response plan – who? what? when? how?

• Practical, up-to-date and easy-to-follow
• Consider different scenarios
  ▪ type of breach
  ▪ internal vs external detection
• Appoint a data breach response team
• Key person risk
• Appoint a PR team and have a comms plan
• External legal breach coach = cloak the breach response with legal professional privilege

Responding to a breach

Step 1: Contain the breach and undertake a preliminary assessment
Step 2: Evaluate the risk
Step 3: Consider whether notification is appropriate
Step 4: Prevent further breaches


Key learnings

Minimising the threat

• Cybersecurity is not just an IT issue
  ▪ impacts commercial, legal, HR, compliance, privacy and insurance
  ▪ all staff should be trained and vigilant
• Lapses of security lead to loss of customer trust and reputation, and in turn to loss of business
• Cyber arms race
  ▪ continuing escalation of threat and countermeasure – hackers one step ahead
  ▪ not a question of if, but when, you will suffer a data breach – so be prepared
• Two key aspects of becoming breach-ready
  ▪ have in place a data breach response plan
  ▪ actively manage vendor cyber-risk – due diligence and contract management

Key learnings

• Have a functional and up-to-date data breach response plan, and test it regularly
• Prepare now for mandatory data breach notification by changing processes and contracts
• Design systems with cybersecurity in mind and not as an afterthought
• Consider taking out cyber insurance
• Do due diligence on and have contractual protections with third parties

Questions

Michael Park, Partner
T +61 3 9613 8331
M +61 419 049 [email protected]

Cyber Security Tip Sheet: https://www.allens.com.au/pubs/pdf/Cybersecuritypresentationflyer_A3_v3a.pdf
