1/12/2023
Privacy + CyberSecurity Law
By way of background, this blog article was written as an initial draft in preparation for publishing 2 articles for the APAC GlobalSign blog.
It is quite lengthy, so if you don't have the time to dig into the details (TL;DR) then I recommend you head straight to the contents that are of interest to you or even better, you can head straight to the finished products here:
CyberSecurity is a Top-Priority Boardroom Agenda Item
CyberSecurity, CyberCrime & CyberSafety: What Companies Can Do To Prepare
GlobalSign ➲ Blog Author Profile
⌛️ It's too late after the Data Breach ➲ Your Ship has Sunk!
⭐️ Call for CyberSecurity to be a Global Top- Priority Boardroom Agenda Item
1️⃣ CyberCrime
▶️ Free CyberSecurity Training & Certification^
💡 Use your Biometric Data + a Digital Certificate + Security Keys to Lockdown Online Account Access
✅ CyberSecurity Certifications
🔥 Client Cybersecurity Alert Letter
⬇️ FREE CyberSecurity Download
The boardroom of every business, charity & social enterprise globally needs to urgently add agenda items so that it can spend the time required to seriously consider the real risk of existential-level CyberSecurity incidents and what it can do to cost-effectively mitigate or avoid this risk, as well as ensuring it understands the evolving legal landscape and its compliance obligations related to CyberCrime, CyberSafety & CyberWarfare (if any).
Whilst there has been much media attention directed at the constant stream of headline-grabbing data breaches, it appears to me that CyberSecurity to date has been pigeon-holed as a problem for the Chief Information Security Officer (CISO), Chief Technology Officer (CTO) or IT Department (if any) to solve on their own.
The crux of the problem is that CyberSecurity is not currently getting the level of attention it deserves in the boardroom.
Whilst small organisations may not be legally regulated^ to protect client or customer data or to report data breaches in the event of a CyberSecurity incident or data breach, once word of a cyber incident spreads it is almost certain that they will struggle to survive in the longer term.
The evidence to date indicates that a high percentage of smaller organisations go out of business shortly after encountering a CyberSecurity incident.
Place yourself in the shoes of a Client or Customer who has recently been notified that their data has fallen into the hands of a third-party with criminal intent, and ask yourself whether you would continue to do business with your operation, or take your business elsewhere?
All organisations, especially those with a more recognisable brand and larger footprint, face at least the following 4 threats:
1️⃣ Ever-increasing regulatory fines & penalties for data breaches*; as well as the
2️⃣ Long public relations nightmare that accompanies reporting a data breach, and the huge potentially unrecoverable costs of investigating the root cause and rebuilding public confidence that it will not happen again;
3️⃣ The possibility that their brand might be spoofed or impersonated by cybercriminals to swindle or scam personal data or money from their innocent clients or customers; and
4️⃣ The possibility that the weakest link in your operation's supply chain (with whom your operation stores or shares client or customer data) has a cyber incident or data breach.
When considering the last 2 threats, even the most internally cybersecure organisation can be affected.
Therefore large organisations need to have an increased awareness of the potential techniques that might be employed by cybercriminals to use their brand to hoodwink the public, and of what they can do on a cost-effective basis to reduce or limit the risks.
The following discussion regarding the General Counsel & the CTO/CISO's task of reporting to the boardroom about CyberSecurity Risks has been loosely extracted from the GlobalSign blog article Digital Australia: A Cyber Security Culture dated 21 Feb 2023 by Carla Mendoza:
A CyberSecurity Board Report is a detailed summary of an organisation’s cyber security risks.
The CyberSecurity Board Report helps the board understand potential cyber threats so they can take a proactive approach to mitigating the risks.
The objective is to explain to the board why investment in CyberSecurity is a vital component to the organisation’s survival and continued success. The report highlights the threats that matter most to the organisation. It contains a CyberSecurity plan, a risk quantification with potential costs of security breaches, pertinent legal compliance and regulatory issues, and any necessary technology solutions or additional security resources.
Historically, many CyberSecurity breaches have been traced back to three root causes:
1️⃣ Failure to prioritise CyberSecurity;
2️⃣ Failure to funnel resources towards CyberSecurity; and
3️⃣ Failure to execute on CyberSecurity initiatives.
The challenge was in getting senior management to understand how imperative it is to strategise and take action – and in engaging employees towards organisational change.
General Counsel and Chief Information Security Officers (CISOs) can achieve higher levels of boardroom buy-in for CyberSecurity by connecting cybersecurity plans to business objectives, which involves:
➲ Cohesive storytelling,
➲ Prioritising existential security threats; and
➲ Ensuring C.A.R.E. (Consistent, Adequate, Reasonable, and Effective Security Controls).
Further reading:
Phishing Scams that lead to Data Breaches + Identity Theft ➲ Business Brand + Personal Protection
^ For example, in Australia (at least for now) most organisations (aside from those in specific industries handling sensitive personal data such as medical and financial records) with an annual turnover of less than $3 million AUD are generally exempt from the application of both the Privacy Act and the Data Breach Reporting Scheme. It is currently optional to opt-in to being regulated. The majority of Australian small businesses may decide to publish a privacy policy, but do not go so far as to opt-in to being regulated by the Australian Privacy & Data Breach legislation.
* Due to the severity and scale of the most recent round of data breaches, the Australian Parliament recently passed legislation significantly increasing the maximum penalties for serious or repeated data privacy breaches from $2.22 million AUD to the greater of $50 million AUD, 30 per cent of the company's turnover in the relevant period, or three times the value of any benefit gained from the stolen data.
Further reading: Significantly larger privacy breach fines pass Parliament. Companies face $50m fines for repeated or serious data breaches. By Denham Sadler on Nov 29 2022 12:15 PM in the ACS Information Age.
All Directors have a duty to exercise their powers and duties with the care and diligence of a reasonable person.
A Board of Directors that does not set its corporate agenda to carefully consider CyberSecurity and related matters (that is, how to protect against, mitigate, manage & respond to a CyberSecurity incident) is most likely going to be in breach of its Directors' Duties.
Directors in Australia need to take personal responsibility and dig deep to question & understand advice about CyberSecurity and examine for themselves whether it is being implemented.
In contrast, Directors in the USA may rely on the Directors' defence of total reliance on the recommendations of reasonably qualified external experts which is available under the US interpretation of the Business Judgment Rule.
Regardless of the legal position, it is incumbent on all top level executives to come to grips with CyberSecurity (it isn't just a matter for the CTO/CISO/IT Department).
Given the continued woeful performance of top level executives around the world (the current global trend of data breaches is showing no signs of abatement) it would appear that now is the time to reset your boardroom agenda making CyberSecurity and related items a top priority.
Further reading:
The Business Judgment Rule for Directors [Australia v. U.S.A.]
Clarence Ling's LinkedIn Post is "On Point"
Notable Law Firm Data Breaches
In Australia, the Australian Cyber Security Centre received 76,000 cybercrime reports in the 2021-22 financial year, equating to a cybercrime being reported every 7 minutes.
This represents an increase of nearly 13% and this has occurred after high-profile data breaches at Optus, Medibank and real estate agency Harcourts.
It is clear from the recent uptick that the data breaches are only the start of the story.
Once the personal data has been made available to criminals they are using it to commit all kinds of cybercrimes including identity theft.
The success of hacking attempts encourages more of the same, each time with increased sophistication.
CyberCrime is now a sophisticated transnational threat that operates on a significant scale and has become an increasingly important issue for the global community.
In Australia CyberCrime describes both crimes directed at computers or other information communications technologies (ICTs) such as hacking and denial of service attacks, as well as traditional crimes where computers or ICTs are an integral part of the offence such as online fraud, money laundering and identity theft.
The online distribution of child exploitation material is also a very prevalent form of offending.
There are specific Commonwealth computer offences relating to the unauthorised access and modification of data and the impairment of electronic communications.
Key legislation
Criminal Code
Main offences
s.478.1(1) Criminal Code—unauthorised access to, or modification of, restricted data;
s.477.3(1) Criminal Code—unauthorised impairment of electronic communication;
s.474.17 Criminal Code—using a carriage service to menace, harass or cause offence.
Penalties
The maximum penalty for unauthorised access to, or modification of, restricted data is 2 years’ imprisonment;
The maximum penalty for unauthorised impairment of electronic communication is 10 years’ imprisonment;
The maximum penalty for using a carriage service to menace, harass or cause offence is 3 years’ imprisonment.
Online businesses are responsible for the eSafety of their website or app visitors.
Australia has introduced eSafety legislation, which is enforced by the eSafety Commissioner.
eSafety is Australia's independent regulator for online safety. We educate Australians about online safety risks and help to remove harmful content such as cyberbullying of children, adult cyber abuse and intimate images or videos shared without consent.
The reality of the future of war is that, through CyberWarfare, much of the damage can be inflicted without soldiers ever having been deployed.
Increasingly, CyberWarfare (including industrial espionage) operations are ongoing matters that are becoming commonplace and are occurring under the radar without anyone knowing it is happening.
By way of example, Australia recently expanded its list of 4 critical infrastructure industries to 11.
The following summary of the changes has been extracted from the Legislative information and Reforms page - Critical Infrastructure of the Cyber and Infrastructure Centre:
The regulation of critical infrastructure under the Security of Critical Infrastructure Act 2018 (the SOCI Act) now places obligations on specific entities in the electricity, communications, data storage or processing, financial services and markets, water, health care and medical, higher education and research, food and grocery, transport, space technology, and defence industry.
The SOCI Act was amended to strengthen the security and resilience of critical infrastructure by expanding the sectors and asset classes the SOCI Act applies to, and to introduce new obligations.
Click on the fact sheets to learn more about your obligations.
CISC Factsheet - Cyber Incident Response Government Assistance Measures (464KB PDF)
CISC Factsheet - Cyber Security Incident Reporting (414KB PDF)
CISC Factsheet - Register of Critical Infrastructure Assets (413KB PDF)
CISC Factsheet - Security Legislation Amendment (Critical Infrastructure) Act 2021 (336KB PDF)
In the SOCI Act we have developed, in conjunction with industry, definitions that outline each of the 11 critical infrastructure sectors. We have also worked with industry to develop definitions to clearly articulate what would constitute a critical infrastructure asset within each of these sectors.
The new requirements may apply to owners and operators of critical infrastructure assets and those businesses who have a direct interest in the critical infrastructure asset.
If you are not sure whether you are an owner or operator, or are a direct interest holder of a critical infrastructure asset, refer to CI assets captured under the Act.
Although your business may be captured by SOCI Act, not all of the obligations in the SOCI Act may be applicable to your business.
However, it is important for you to know if you are captured by the SOCI Act and that additional responsibilities may apply to your business in future.
In March 2022, additional amendments to the SOCI Act introduced the following key measures:
A new obligation for responsible entities to create and maintain a critical infrastructure risk management program (the Minister for Home Affairs will consult with industry before the rules are made setting out the requirements for a risk management program), and a new framework for enhanced cyber security obligations required for operators of systems of national significance (SoNS), Australia’s most important critical infrastructure assets (the Minister for Home Affairs will consult with impacted entities before any declarations are made).
These reforms seek to make risk management, preparedness, prevention and resilience, business as usual for the owners and operators of critical infrastructure assets and to improve information exchange between industry and government to build a more comprehensive understanding of threats.
Other countries will no doubt introduce their own measures to protect critical infrastructure in both the public and private domain.
During the period that I have been writing this blog article for the GlobalSign Blog I have completed the ISC2 free online self-study course and taken and passed the free exam to earn the Certified in CyberSecurity credential.
I encourage everyone to do the same.
The biggest impact we can have on cybersecurity can be made by encouraging everyone to upskill and increase their CyberSecurity awareness and training.
Please read my blog article below, How to Earn (ISC2)'s 'CC' ➲ Certified in CyberSecurity Credential for Free^, for more information.
This blog article explains how to earn (ISC)2's ➲ Certified in CyberSecurity Credential for free^ by taking full advantage of the current (ISC)2 initiative to sponsor '1 Million to be Certified in Cybersecurity' due to the massive global skills shortage in CyberSecurity. The International Information Systems Security Certification Consortium, more commonly known as (ISC)2, is the world's leading member association for CyberSecurity with more than 500,000 members, candidates & associates.
Your own Biometric Data + a Digital Certificate can be used to verify that you are the person seeking to login from one of your devices.
If the online service is not presented with the correct Biometric Data + Digital Certificate together with your personal private encryption key then no login is permitted.
It is also possible to combine the use of Biometric Data + a Digital Certificate with the implementation of Security Keys (refer below) for maximum security.
When CyberSecurity measures such as these are taken, there is no need to use a password, a Voice or SMS code, or an Authenticator-generated One-Time Code to login to an online account.
In fact, best practice once the implementation is working seamlessly is to turn off the ability to enter a password, or to use a Voice/SMS or One-Time Code, altogether.
This is also known as going 'phishless', as there is no way your login credentials can be phished by a third-party hacker.
According to Verizon’s 2022 DBIR, 82% of data breaches involved a human element and 20% of breaches involved phishing, with another 40% involving stolen credentials.
Recent targeted phishing attacks against Twilio, Cloudflare and other companies reinforce the need for companies to adopt phishless forms of Multi-factor Authentication (MFA).
In these targeted attacks, the phishing kit would immediately relay any captured username and passwords to the attacker, in addition to any provided Time-based One-Time Password (TOTP) MFA codes.
The attacker would then quickly leverage the stolen credentials and TOTP codes before they expired.
It is difficult to understand, given the ease of implementing Biometrics, Digital Certificates and Security Keys for online account access, why they have not yet become standard practice for everyone.
Yes, that includes you!
The only limitation is that some online service providers (for example Banks) do not currently offer the ability to use this level of CyberSecurity measure.
Due to the seriousness of the problem of phishing and its effects such as Data Breaches, Identity Theft and Cybercrime, it should only be a matter of time before such CyberSecurity measures become universally available.
"Google's investment in giving USB security keys to all employees has been paying off. The employees haven't reported any takeovers of work-related accounts since 2017, when the new policy was introduced."
Our online searches indicate that Google has continued to maintain this secure position (zero hacks of Google work-related accounts using Security Keys) until the current day [being 27 April, 2023].
Further reading: To Stop Phishing, Google Gave Security Keys to All Employees by Michael Kan [PC Mag article dated July 23, 2018]
Google is giving free physical USB security keys to 10,000 users at high risk of being hacked - such as politicians and human rights activists.
Further reading: Google gives security keys to 10,000 high-risk users [BBC.com article dated October 11, 2021]
Like locking your car, house or office many people are simply unaware that they can easily add a Security Key to prevent unauthorised access to their online accounts.
In the event that a hacker obtains your password and the means to use it, for example, by impersonating you using a sophisticated identity theft technique enabling them to take control of your SIM card, or by gaining access to your MFA codes after stumbling across your backup recovery codes on your network ... without physical possession of your Security Key they would still have no hope of hacking your Online Accounts.
"Strongest Security: Setting up physical two-factor authentication, aka a Security Key, creates a single unique access point that can’t be duplicated. In order for you or anyone else to access your connected accounts, you’ll need your password as well as the physical key—something even the best hacker can’t work around."
Organisations that have adopted Security Keys as standard practice have seen their cybersecurity incidents quickly reduce to zero and stay there.
"Security keys are so good they’ll even prevent you from entering your information on a spoofed website, so even if a hacker manages to fool you, they won’t fool your security key. This bit of hardware acts as your digital bodyguard, keeping unwanted users away from your information."
Further reading: What is a USB Security Key, and Should You Use One? by Suzanne Humpries [article dated December 8, 2020].
19 of the 22 leading global Certificate Authorities (CAs), and 4 major consumers (Apple, Mozilla, rundQuadrat, Zertificon), have recently agreed to new baseline verification standards required prior to issuance of S/MIME Digital Certificates (effective from September 2023).
Email offers convenience and benefits, but also poses some risks.
Hackers are savvy at targeting organizations via email, including intercepting messages to get at sensitive information or email spoofing with the intent of pushing to phishing sites or triggering malicious downloads.
Using S/MIME certificates to digitally sign and encrypt emails mitigates these risks.
Digitally signing and encrypting your emails ensures message privacy, keeps sensitive data from falling into the wrong hands, and assures the recipient that emails actually are coming from you and haven't been altered since they were sent.
By way of example, our Digital Asset Safe Custody Vault platform provider The Prepared Company has attained both GDPR (the EU General Data Protection Regulation) compliance and a SOC 2 Security Attestation by an independent chartered accountant, and is continuously monitored using Vanta.com.
Vanta is the leading automated security and compliance platform. Vanta helps your business get and stay compliant by continuously monitoring your people, systems and tools to improve your security posture.
You can access the latest Vanta Trust Report for The Prepared Company here.
A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
All our new Clients are encouraged to generate our FREE Client CyberSecurity Alert Letter.
We also send you this link or a copy of the "Together we can help Prevent Cyber Fraud" brochure published by the NSW Law Society and LawCover (also available to download from our brochures page at any time).
However, we understand that attachments can always be overlooked or ignored.
In an abundance of caution, we recommend you take the time required to engage with our online process to step through what you need to know in detail to generate your FREE Client CyberSecurity Alert Letter, so that you are fully aware of how best to protect your funds when transferring them to or from our bank account.
How Blue Ocean Law Group Help You Protect Your Privacy & Trade Secrets
How to Protect your Reputation + Copyright Online ➲ 24/7 Active Monitoring + TakeDown Notice Options
Identity Theft Protection ➲ Smart List
Verification of Identity (VOI) [Authentic or Fake] ➲ Smart List
Digital Life ➲ The Law Playing Catch Up on Privacy + CyberSecurity
Social Sharing Image: Courtesy of Jason Blackeye on Unsplash
Credits: This blog article was written by James D. Ford Esq., GAICD CIPP/US CC | Principal Solicitor, Blue Ocean Law Group℠.
Important Notice:
This blog article is intended for general interest + information only.
To the extent this article is deemed advertising or solicitation, it is hereby identified as such.
It is not intended to constitute legal advice; the statements made are opinions about general situations, and they are not a substitute for advice as to any specific matter.
We recommend you always consult a lawyer for legal advice specifically tailored to your needs & circumstances.