Security Regulatory Framework

Anthony Wong MACS CP, President, Australian Computer Society; Chief Executive, AGW Consulting


Presentation to University of South Australia IT Security Research Winter School 2011


Page 1: Security Regulatory Framework


Page 2: Security Regulatory Framework

About Australian Computer Society (ACS)

– Founded in 1966, over 19,000 members
– The recognised association for those working in ICT in Australia
– ACS is a strong advocate for the advancement of professional excellence in ICT, of skills and of their proper use
– The ACS plays an active role in developing Australia's ICT workforce, ensuring it stays highly skilled and globally competitive, by:
  • Certifying ICT professionals
  • Accrediting Australia's university ICT courses
  • Developing world-class postgraduate education
  • Providing professional development and networking opportunities to members
  • Conducting research and policy development

Page 3: Security Regulatory Framework

Cloud Computing

– Potential to transform the way we live, work and interact
– Shapes the ICT sector and the way enterprises provide and use IT services
– Helps to level the playing field by minimising up-front investment in technology
– Changes business agility through "pay-as-you-use" access to bandwidth and technology functionality

Page 4: Security Regulatory Framework


Examples of Cloud Computing

Source: NBN Co

Page 5: Security Regulatory Framework

Reasons for adopting cloud computing

– Outsource services to cloud suppliers
– Ability to scale up and down when required
– Reduction of internal technical support constraints
– Outsource technical management
– More options and flexibility
– Deployment and adoption of new technologies
– Access to special expertise
– Desire to reduce costs

Page 6: Security Regulatory Framework

Security Regulatory Framework of Cloud Computing

Cloud computing, as a new sourcing and delivery model, shares many common legal issues with existing delivery models but poses new legal challenges:

– Recent security incidents
– Data protection, rights and usage
– Protection of electronic information
– Security regulatory framework, including
  • Cybercrime
  • Privacy and security
  • Cross-border issues

Page 7: Security Regulatory Framework


Recent Security Incidents

Page 8: Security Regulatory Framework

Phone-hacking scandal

The 168-year history of the British tabloid News of the World has ended with a phone-hacking scandal that has shocked even the most hardened of media analysts

Prime Minister David Cameron hinted that more heads would roll, saying that there had been "some illegal and utterly unacceptable practices at the News of the World and possibly elsewhere"

It is alleged that employees routinely made payments to police officers, believed to total more than £100,000 ($A148,000), for information

Source: SMH, Raphael Satter, July 10, 2011

Page 9: Security Regulatory Framework

Phone-hacking scandal

News Corp and its directors could face prosecution under the Regulation of Investigatory Powers Act 2000 (UK), which outlaws interception of communications, where the offence was committed with their "consent or connivance" or was "attributable to any neglect on their part"

Source: SMH, Dominic Rushe and Jill Treanor, July 10, 2011

Page 10: Security Regulatory Framework

Telecommunications not to be intercepted

Section 7(1) Telecommunications (Interception) Act 1979 (Cth):

A person shall not:
  a) intercept;
  b) authorize, suffer or permit another person to intercept; or
  c) do any act or thing that will enable him or her or another person to intercept;
a communication passing over a telecommunications system

Page 11: Security Regulatory Framework

Distribute.IT hacked

– In June 2011 a cyber-attack on the Melbourne hosting company Distribute.IT led to its collapse
– The hacker disabled and permanently wiped the contents of four key servers
– Customers lost several years of transactional and customer information, since no usable backups of the data survived
– The concept of legal responsibility in the law of negligence may develop in response to new social conditions and standards

Page 12: Security Regulatory Framework

Half of second-hand mobile phones contain personal data

– Private personal data remains on discarded mobile phones, including intimate photos, credit card numbers and PINs
– Half of 50 handsets bought from second-hand resellers on eBay contained personal messages or photos, according to exclusive research from the mobile and forensics experts Disklabs

"Data is more portable, more accessible, more widely disseminated and more numerous than ever before," said Ferguson. "We tend to place our faith in the technology that we use to access our data, we believe that when we hit delete the data is gone, and we believe that if we restrict the audience we share with that the data will not go any further. These beliefs are often misplaced - as that story testifies."

Source: SMH, October 13, 2010, 11:56AM

Page 13: Security Regulatory Framework


Evidence from recovered data
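The two slides above rest on a technical fact the news summary leaves implicit: on most storage, "delete" removes only the filesystem's reference to the data, so an examiner reading the raw medium still finds it. The following is an added example written for this transcript, not code from the presentation or from Disklabs. It models a handset's flash as a byte array with a toy directory (a constructed model, not any real filesystem), "deletes" a constructed message containing a test card number, then carves the raw bytes for Luhn-valid card numbers, which is the kind of recovery behind "evidence from recovered data". Only a wipe that overwrites the blocks defeats the carve. The card number is a standard test number that belongs to nobody.

```python
"""Why "delete" is not "gone": a carve of raw storage after an ordinary delete.
All data below is constructed for the example; the toy directory stands in
for a real filesystem's metadata."""
import re

BLOCK = 64  # constructed: the toy device allocates in 64-byte blocks


class ToyFlash:
    """Constructed model of a phone's storage: raw bytes plus a directory of
    name -> (offset, length). Real filesystems differ in detail but share the
    property demonstrated here: delete edits the directory, not the data."""

    def __init__(self, size=BLOCK * 8):
        self.raw = bytearray(size)
        self.directory = {}
        self._next = 0

    def write_file(self, name, data: bytes):
        off = self._next
        self.raw[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next += (len(data) + BLOCK - 1) // BLOCK * BLOCK
        return off

    def delete(self, name):
        """Ordinary delete: drop the directory entry, leave the bytes in place."""
        del self.directory[name]

    def wipe(self, name):
        """Secure delete: overwrite the file's bytes, then drop the entry."""
        off, length = self.directory[name]
        self.raw[off:off + length] = b"\x00" * length
        del self.directory[name]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digit runs not adjacent to other digits
CARD_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def carve_card_numbers(image: bytes):
    """Scan raw bytes, ignoring any filesystem, for Luhn-valid card numbers.
    Returns a list of (offset, number)."""
    found = []
    for m in CARD_RE.finditer(image):
        s = m.group(1).decode()
        if luhn_ok(s):
            found.append((m.start(), s))
    return found


def demo():
    """Returns (carve after ordinary delete, carve after overwrite-wipe)."""
    # constructed SMS: one real-looking test card number, one phone number
    # (too short to match) and one 13-digit order number that fails Luhn
    sms = b"Card 4111111111111111 pin 1234, call 0412345678 re order 1234567890123"

    deleted = ToyFlash()
    deleted.write_file("sms.db", sms)
    deleted.delete("sms.db")  # directory entry gone, bytes still there
    after_delete = carve_card_numbers(bytes(deleted.raw))

    wiped = ToyFlash()
    wiped.write_file("sms.db", sms)
    wiped.wipe("sms.db")  # bytes overwritten before the entry is dropped
    after_wipe = carve_card_numbers(bytes(wiped.raw))

    return after_delete, after_wipe


if __name__ == "__main__":
    print(demo())
```

The same carve run over a raw image of a real partition behaves the same way against a file that was merely unlinked. On flash with wear levelling an overwrite may not land on the original cells, which is why destroying the encryption key of a fully encrypted device, rather than deleting files, is the reliable way to retire a handset.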

Page 14: Security Regulatory Framework

Legal risk and admissibility of electronic documents and records

– Critical to establish a thorough records management system
– Necessary to provide documentary evidence if there is a business dispute
– Also to satisfy statutory requirements regarding the retention of records
– Are electronic documents sufficient?

Page 15: Security Regulatory Framework

Electronic Evidence

– Section 48 of the Evidence Act 1995 (Cth) – the original document rule (Best Evidence Rule) is abolished and copies are as good as the originals, but evidence of the integrity of the process used to produce the copy must be kept
– The Best Evidence Rule has been expunged in the Federal, ACT, Tasmanian, Victorian and NSW jurisdictions
– Generally, under the Electronic Transactions Act 1999 (Cth), production of documents – Section 11: a requirement to produce a document is met if the person produces an electronic form of the document, provided there is a reliable means of assuring the integrity of the information and it is readily accessible and useable for subsequent reference
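Both provisions turn on being able to show, later, that the electronic copy is the document it claims to be and that the process which produced it can be trusted. The following is an added example written for this transcript, not from the presentation: it copies a constructed sample file, records a SHA-256 digest, size, time, operator and tool in a JSON manifest (the digest and the manifest layout are this example's assumptions, not anything the Acts prescribe), and then verifies the copy against that manifest, showing that a single changed byte is detected.

```python
"""Recording and checking the integrity of an electronic copy.
Constructed example: SHA-256 digest plus a JSON manifest of the copy process."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large records do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_verified_copy(src, dst, manifest_path, operator):
    """Copy src to dst, confirm both hash identically, and write a manifest
    describing the process (who, when, with what, and the resulting digest)."""
    shutil.copyfile(src, dst)
    src_hash = sha256_file(src)
    dst_hash = sha256_file(dst)
    if src_hash != dst_hash:
        raise RuntimeError("copy does not match original")
    manifest = {
        "original": os.path.abspath(src),
        "copy": os.path.abspath(dst),
        "algorithm": "sha256",
        "digest": dst_hash,
        "size": os.path.getsize(dst),
        "copied_at": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "tool": "shutil.copyfile (python)",  # assumed tool label for the record
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_copy(manifest_path):
    """Re-hash the copy and compare with the recorded digest.
    Returns (ok, reason) so the reason can go into a report."""
    with open(manifest_path) as f:
        m = json.load(f)
    if m["algorithm"] != "sha256":
        return False, "unsupported algorithm"
    if not os.path.exists(m["copy"]):
        return False, "copy missing"
    if os.path.getsize(m["copy"]) != m["size"]:
        return False, "size changed"
    if sha256_file(m["copy"]) != m["digest"]:
        return False, "digest mismatch: copy altered since manifest"
    return True, "intact"


def demo():
    """Returns (verification of an untouched copy, verification after tampering)."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "contract.txt")
        with open(src, "wb") as f:  # constructed sample document
            f.write(b"Constructed sample document: agreed price 12,000 AUD\n")
        dst = os.path.join(work, "contract.copy.txt")
        manifest = os.path.join(work, "contract.manifest.json")

        make_verified_copy(src, dst, manifest, operator="records clerk")
        intact = verify_copy(manifest)

        with open(dst, "r+b") as f:  # tamper with one byte, size unchanged
            f.seek(0)
            f.write(b"c")
        tampered = verify_copy(manifest)
        return intact, tampered
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

The manifest itself must be kept somewhere the parties cannot quietly rewrite it (a signed record, a write-once log, or a copy lodged with a third party); a digest stored beside the file it protects proves nothing about who could have altered both.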

Page 16: Security Regulatory Framework

Canberra on alert for WikiLeaks

– WikiLeaks to release classified diplomatic cables
– Leak will include millions of classified documents
– Cables could be about the war in Iraq, Guantanamo
– Saudi king urged US to attack Iran
– WikiLeaks reveals Iraqi torture, deaths
– WikiLeaks: China directed Google hacking

Source: The Australian, November 26, 2010

Page 17: Security Regulatory Framework

Sony PlayStation Network user data stolen

– 77 million electronic records compromised from Sony's PlayStation Network between April 17 and April 19, 2011
– Breach of accounts with names, addresses, email addresses, birthdates, usernames, passwords, logins, security questions and other personal data
– Credit card details were encrypted, but the other personal data was not

Page 18: Security Regulatory Framework

Other Recent Social Media controversies

– Collection and use of private data by corporations like Google and Facebook
– Increasing public concern about changes to Facebook's privacy settings, for making it difficult for users to put limits on how far the information they upload is shared
– Google's collection of wireless connection data gathered while compiling images for its Street View service
– Government plans to monitor web users' internet communications

Page 19: Security Regulatory Framework

Data protection, rights and usage

Monetisation of data assets – is this the new currency of the future?

Customer participation and information/data are valuable assets, for example:
– Recent sale of Skype (400+ million users) for $8.5 billion
– Doubling of LinkedIn's (100+ million members) share price
– Successful business models including Facebook and other social media companies

Page 20: Security Regulatory Framework

Protection of Electronic Information

– The increased efficiency and capacity of computers, and the interconnectivity of computer systems, especially via the Internet, have allowed easier access to electronic information
– Electronic information is now pervasive, if not vital, for the essential operation of a modern-day organisation
– IT departments have increasing accountability for the integrity and consistency of information within the organisation
– To secure information effectively, it needs to be secured from all perceivable threats

Page 21: Security Regulatory Framework

Protection of Electronic Information

– From unauthorised access
– From unauthorised use and disclosure
– From interception
– From piracy and copying
– From unauthorised modification (alteration, deletion or addition)

Page 22: Security Regulatory Framework

Impact of the Misuse of Electronically Stored Information

Has a range of consequences that depend on the sensitivity and nature of the information

Cybercrime

Page 23: Security Regulatory Framework

Protection of Electronic Information

Using technical and physical means and security standards

Page 24: Security Regulatory Framework

Protection of Electronic Information

Using the regulatory framework

Page 25: Security Regulatory Framework

Protection of Electronic Information

– Using privacy laws
– Using technical and physical means
– Using common law
– Using copyright and other IP laws
– Using cybercrime, telecommunications interception and spam laws

Page 26: Security Regulatory Framework

Security Regulatory Framework

There is no global 'Law of Cyberspace' or 'Law of the Internet'; however, in Australia there are a number of specific laws that apply:

– Cybercrime Act 2001 (Cth)
– Telecommunications (Interception) Act 1979 (Cth)
– Spam Act 2003 (Cth)
– Privacy Act 1988 (Cth) and Privacy Amendment (Private Sector) Act 2000 (Cth)
– Electronic Transactions Acts
– Copyright Amendment (Digital Agenda) Act 2000 (Cth) – intellectual property

Page 27: Security Regulatory Framework

Cybercrime Legislation

– There are at least 13 Federal Acts which have some relevance to cybercrime
– States and territories have their own legislation, which is not uniform either in offence provisions or in penalties
– The State and Territory offences apply within each jurisdiction; Commonwealth offences target unlawful access to Commonwealth computers and data, and offences committed using a telecommunications service or carrier
– The main legislation includes the Cybercrime Act 2001 (Cth) and the Crimes Amendment (Computer Offences) Act 2001 (NSW)

Page 28: Security Regulatory Framework

Cybercrime Legislation

Generally, the Australian provisions make it an offence for a person to do, or attempt to do, the following:

– unauthorised access to a computer system
– unauthorised access to or modification of data
– impairment of electronic data and communication
– impeding access to computers; and
– possession of data with intent to commit a serious offence

Page 29: Security Regulatory Framework

Spam Act 2003

The Australian Spam Act 2003 came into effect on 11 April 2004

An article covering "The impact of Australia's anti-spam legislation" is available from the ZDNet website at http://www.zdnet.com.au/insight/business/0,39023749,39116020,00.htm

Page 30: Security Regulatory Framework

Privacy Regulatory landscape

The privacy regulatory landscape in Australia presents a fractured and imperfect picture. It is a mixture of:

– Legislation, e.g. the Privacy Act 1988 (Cth) and the Privacy Amendment (Private Sector) Act 2000 (Cth)
– Equitable and common law duties regarding confidential information
– State privacy legislation (State laws) and health privacy laws
– Security and information management standards and practices
– Other codes of conduct, industry standards and guidelines

Page 31: Security Regulatory Framework

Australian Federal Privacy Laws

– The Privacy Act 1988 (Cth) sets out 11 Information Privacy Principles (IPPs) that protect the privacy of persons dealing with the Federal Government
– It has also been extended to regulate the way private sector organisations can collect, use, keep secure and disclose personal information, whether stored electronically or not
– It only protects "Personal Information" and NOT commercial information

Page 32: Security Regulatory Framework

Australian wide Private Sector Privacy Laws

There are 10 National Privacy Principles (NPPs) applying in the private sector:

– NPP 1 – collection: the purpose of collection, and that the person can get access to their personal information
– NPP 2 – the use and disclosure of personal information
– NPP 3 – data quality
– NPP 4 – data security: reasonable steps to protect personal information from misuse and loss and from unauthorised access, modification or disclosure
– NPP 5 – openness
– NPP 6 – access and correction
– NPP 7 – prohibits the use of Federal government identifiers in the private sector, e.g. Tax File Number
– NPP 8 – anonymity
– NPP 9 – the transfer of data to another country
– NPP 10 – the use and disclosure of sensitive information (about an individual's racial origin, political or religious beliefs, health, membership etc.)

Page 33: Security Regulatory Framework

Australian wide Private Sector Privacy Laws

The following are more pertinent to the "Protection of Electronic Information":

– NPP 2 – the use and disclosure of personal information
– NPP 4 – data security: reasonable steps to protect personal information from misuse and loss and from unauthorised access, modification or disclosure
– NPP 7 – prohibits the use of Federal government identifiers in the private sector, e.g. Tax File Number
– NPP 9 – the transfer of data to another country
– NPP 10 – the use and disclosure of sensitive information (about an individual's racial origin, political or religious beliefs, health, membership etc.)

Page 34: Security Regulatory Framework

Cross-border issues

– Different levels of data privacy law worldwide make trans-border data flow across countries a challenge
– Lack of consistency in privacy laws worldwide makes monitoring compliance and assessing risk difficult and expensive
– Privacy Act 1988, National Privacy Principle 9 (Transborder Data Flows), regulates transfers of personal information by an organisation to an offshore location, permitting such transfers if:
  • the organisation reasonably believes that the recipient is subject to a law, scheme or contract which upholds similar principles
  • the individual consents to the transfer
  • the transfer is necessary for the performance of a contract between the individual and the organisation, or for the benefit of the individual

Page 35: Security Regulatory Framework

Cross-border issues

– In a dispute or a conflict situation, which country's court system will settle the dispute?
– Location of servers could trigger local laws even where neither the cloud provider nor the customer is present in that locality
– Local laws may override contractual agreements between cloud providers and customers
– Location of servers may not be apparent from the provider's terms of service
– Consider the situation where data may be stored in multiple locations (countries) at the same time
– When do conflicts of laws occur?

Page 36: Security Regulatory Framework

Cross-border issues

– Data stored in the U.S. is subject to U.S. law; for example, under the US Patriot Act the US government's authority extends to compelling disclosure of records held by cloud providers
– The Mutual Assistance Treaty between the US and Australia allows the respective law enforcement agencies to gain access to data in the other jurisdiction in certain circumstances

Page 37: Security Regulatory Framework

Cross-border issues

– Jurisdiction is dependent on the sovereignty of a government
– The concept of jurisdiction evolved in relation to geographical boundaries or territories
– Premise that each state or country has absolute power to control persons and things located within its boundaries or territories
– The Internet challenges these territorially based principles
– The law in regard to jurisdiction in cyberspace is unsettled

Page 38: Security Regulatory Framework

Cross Border Jurisdiction Issues

Consider a case scenario (diagram: a customer and user in one location; a server breached and compromised in another):
• Identifying the location of the offence/breach
• Identifying the location where the harm resulted (e.g. victim's location or computer's location)
• Deciding which sovereign nation and court should have jurisdiction over the dispute

Page 39: Security Regulatory Framework

Cross-border issues

In order for a court to adjudicate a case, the court must have authority over:

– the subject matter in dispute (subject matter jurisdiction); and
– the parties before the court (personal jurisdiction)

Page 40: Security Regulatory Framework

Security Regulatory Framework for the Cloud

Legal requirements for organisations to consider:
– Have you reviewed your corporate governance and industry regulation requirements?
– Are you able to comply with mandatory disclosures and financial reporting?
– Are there special standards and compliance requirements for your industry?
– Can you comply with data retention requirements and eDiscovery requests during litigation?

The burden is on you to understand your compliance obligations

Page 41: Security Regulatory Framework

Security Regulatory Framework for the Cloud

Example of a regulated industry:
– Financial services companies must first notify the Australian Prudential Regulation Authority (APRA) of data offshore transfer
– Financial services companies must demonstrate appropriate risk management and governance procedures where there is potential to compromise:
  • a financial institution's ability to continue operations and meet core obligations following a loss of cloud computing services
  • confidentiality and integrity of sensitive (e.g. customer) data/information
  • compliance with legislative and prudential requirements

Page 42: Security Regulatory Framework

Privacy and security

– Businesses are ultimately responsible for the protection of data/information that is stored and/or processed in the cloud
– Management must maintain assurance that the security of the cloud service provider is adequate for their purpose: Privacy Act 1988 National Privacy Principle 4 (Data Security) provides that an organisation must "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure"

Page 43: Security Regulatory Framework

Privacy and security

Not all types of cloud services raise the same privacy and confidentiality risks:

– Review your supplier's security policies and procedures – do they meet your requirements? Evaluate the risks
– Risks vary with the terms of service and privacy policy established by your provider
– Can your cloud provider change the terms and policies at will?
– Do you have to comply with privacy legislation restricting processing and transfer of data offshore?
– Should your agreement restrict services and data storage to agreed locations? What are the rights of the supplier to operate in other locations?
– Define the scope of your confidential information, which will vary depending on the nature of your business

Page 44: Security Regulatory Framework

Privacy and security

Things to consider:
– Whose privacy policy will apply at different stages of the data transfer?
– What security mechanisms are in place to manage data transfers between parties?
– What are the consequences of security and privacy breaches?
– How will you know if there is a breach?
– Is your cloud service provider required to provide assistance in the investigation of security breaches?
– Is there an audit trail for data?

Page 45: Security Regulatory Framework

Privacy and security

Privacy Reform
– The Privacy Act 1988 is being modernised to strengthen Australia's privacy protection
– 2008: ALRC report released, For Your Information: Australian Privacy Law and Practice
– 2009: Government released its position on 197 of the ALRC's recommendations, including:
  • develop a single set of National Privacy Principles
  • strengthen and clarify the Privacy Commissioner's powers and functions
– 2010: exposure draft of the new Privacy Act was released by the Government

Page 46: Security Regulatory Framework

Conclusion

– There is no one size fits all for cloud computing; the law is unsettled
– Not all cloud services are created equal, and not all cloud services should be subject to the same terms
– There are few legal precedents regarding liability in the cloud
– Undertake due diligence, as you need to fully understand the risks associated with cloud computing, and adopt a risk-mitigation approach to cloud adoption
– Service agreements need to specify those areas the cloud provider is responsible for
– Read the fine print of the cloud computing agreement carefully
– Specify locations for data storage and processing, and know the governing law of the cloud computing agreement

Page 47: Security Regulatory Framework

Conclusion

– Ensure flexibility and additional rights, even if you have to pay for them, as your use of cloud services and your sophistication are likely to grow
– Clarify with your cloud service provider matters pertaining to ownership of data stored at the provider's facilities, and responsibilities in relation to security and service availability
– The cloud computing industry needs to adopt more transparent and clearer policies and practices, so users are better able to gauge their risk comfort level
– For those risks that cannot be addressed by changes in policies and practices, changes in laws may be appropriate

Page 48: Security Regulatory Framework


Thank You

“A global approach is the only way to deal with the Internet”

Francis Gurry, Head of the World Intellectual Property Organisation (WIPO)

and so for Cloud Computing…

Source: "IP's new role in the knowledge economy“ Asia Today International April/May 2011

[email protected]

www.linkedin.com/in/wonganthony

This short presentation only covers the main legal issues. In no way does the author wish to imply that the areas presented are the only ones worthy of consideration. Since every cloud service is different, readers should seek their own legal advice on matters specific to their circumstances. The views in this presentation are those of the author and not of the ACS.