ACMA launches webcast to deal with Malware

November 26, 2014 |

This Friday ACMA is conducting a webcast as part of its Australian Internet Security Initiative (AISI) portal to fight against Malware.

It is trite to say that Malware is a very significant and ongoing challenge to maintaining proper data security.  Just a few days ago Symantec in a post on its website highlighted a serious problem associated with sophisticated malware programs in Regin: Top-tier espionage tool enables stealthy surveillance and accompanying white paper.  It is imprudent for an organisation which suffers a data breach because of a malware attack to claim, ipso facto, there was nothing that could be done.  Conversely a malware infection does not of itself constitute non compliance with regulatory obligations.  There is no strict liability under the Privacy Act.  In fact APP 11 and the associated guidelines make it clear that it is a weighing and evaluating process that the Privacy Commissioner will undertake.  The process is further complicated by the Privacy Commissioner’s guide to regulatory action which is currently being released in draft form, in tranches, for public comment.  Chapters 1, 3, 4, 7 – 9 have been released.  The most relevant chapters for the purpose of data security and breaches are chapters 3 (data breach incidents), chapter 4 (Enforceable undertakings) and Chapter 7(civil penalties).

In the UK the Information Commissioner has made it clear that organisations must maintain proper on line security against common forms of on line attack.  In ‘Organisations must act now to avoid oldest hackers’ trick in the book’ says ICO  the Information announced that he had fined Worldview Limited £7,500  for failing to remedy a weakness on its site and remove an online vulnerability.  That flaw allowed for an online attack by SQl injection which resulted in access to payment card details of 3,814 customers.  Further details are found in the media release which provides:

The Information Commissioner’s Office (ICO) is warning organisations that they must make sure their websites are protected against one of the most common forms of online attack – known as SQL injection.

The warning comes after the hotel booking website, Worldview Limited, was fined £7,500 following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers.

The data was accessed after the attacker exploited a flaw on a page of the Worldview website to access the company’s customer database. Although customers’ payment details had been encrypted, the means to decrypt the information – known as the decryption key – was stored with the data. This oversight allowed the attackers to access the customers’ full card details, including the three digit security code needed to authorise payment.

The weakness had existed on the website since May 2010 and was only uncovered during a routine update on 28 June 2013. The attackers had access to the information for ten days. The company has now corrected the flaw and have invested in improving their IT security systems.

Worldview Limited would have received a £75,000 penalty but the ICO was required to consider the impact any penalty would have on the company’s financial situation.

Simon Rice, ICO Group Manager for Technology, said:

“It may come as a surprise to many in the IT security industry that this type of attack is still allowed to occur. SQL injection attacks are preventable but organisations need to spend the necessary time and effort to make sure their website isn’t vulnerable. Worldview Limited failed to do this, allowing the card details of over three thousand customers to be compromised.

“Organisations must act now to avoid one of the oldest hackers’ tricks in the book. If you don’t have the expertise in-house, then find someone who does, otherwise you may be the next organisation on the end of an ICO fine and the reputational damage that results from a serious data breach.”

APP 11.1 requires an APP entity to take such steps as are reasonable in the circumstances to protect the information…   The guidelines are drafted in the broad, somewhat amorphous, terms relevantly providing regarding reasonable steps as:

Taking reasonable steps

11.7 The ‘reasonable steps’ that an APP entity should take to ensure the security of personal information will depend upon circumstances that include:

  • the amount and sensitivity of the personal information. More rigorous steps may be required as the quantity of personal information increases, or if the information is ‘sensitive information’ (defined in s 6(1) and discussed in Chapter B (Key concepts)) or other personal information of a sensitive nature
  • the nature of the entity. Relevant considerations include an entity’s size, resources and its business model. For example, the reasonable steps expected of an entity that operates through franchises or dealerships, or gives database and network access to contractors, may differ from the reasonable steps required of a centralised entity
  • the possible adverse consequences for an individual. More rigorous steps may be required as the risk of adversity increases
  • the entity’s information handling practices, such as how it collects, uses and stores personal information. This includes whether personal information handling practices are outsourced to third parties, and whether those third parties are subject to the Privacy Act.[3] If a third party is not subject to the Privacy Act, it may be reasonable for the entity to take steps to ensure the third party meets the entity’s obligations under the Privacy Act, for example through specific privacy obligations in contracts and mechanisms to ensure these are being fulfilled
  • the practicability, including time and cost involved. However an entity is not excused from taking particular steps to protect information by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances
  • whether a security measure is in itself privacy invasive. For example, while an APP entity should ensure that an individual is authorised to access information, it should not require an individual to supply more information than is necessary to identify themselves when dealing with the entity (see also Chapter 12 (APP 12)).

11.8 Reasonable steps could including taking steps and implementing strategies to manage the following:

  • governance
  • ICT security
  • data breaches
  • physical security
  • personnel security and training
  • workplace policies
  • the information life cycle
  • standards
  • regular monitoring and review.

11.9 For further discussion of the relevant considerations, and examples of steps that may be reasonable for an APP entity to take, see the Office of the Australian Information Commissioner’s Guide to information security: ‘reasonable steps’ to protect personal information (OAIC Information Security Guide).

The revised security guide (consultation draft) is also drawn in broad terms, relevantly providing:

Steps and strategies which may be reasonable to take

Appropriate security safeguards and measures for protecting personal information need to be fully considered in relation to all of the entity’s acts and practices. This should include taking steps and implementing strategies to manage the following:

  • Managing the information life-cycle
  • governance
  • ICT security
  • access security
  • data breaches
  • physical security
  • personnel security and training
  • destruction and de-identification
  • internal practices, procedures and systems
  • standards

This section outlines examples of key steps and strategies an entity should take in order to protect personal information and satisfy the security obligations in the Privacy Act. Although it may not be necessary for all entities to take all the steps and strategies outlined below, the OAIC will refer to this guide when assessing an entity’s compliance with its security obligations in the Privacy Act.

The steps and strategies vary in ease of implementation and the impact that they will have on users. What is reasonable in the circumstances may vary between entities. What is reasonable may also change over time, for example, as a result of technological change or if an entity becomes aware that security measures which previously protected information are no longer adequate or if the entity handles information in a new way.

Entities should consider undertaking a PIA and an information security risk assessment for new projects that involve the handling of personal information or when a change is proposed to information handling practices, in order to inform the steps and strategies they will take to secure personal information (see ‘Privacy by design’ above and ‘Managing the information life cycle’ below).

The steps and strategies outlined below are not intended to be exhaustive. Entities should also consult relevant standards and guidance on information security, including any which are particular to their sector or industry (see ‘Standards’ and ‘Information security resources’ below).

The OAIC expects that entities will regularly monitor the operation and effectiveness of the steps and strategies they have taken to protect personal information (see ‘Regular monitoring and review’ section below).

Entities should be fully aware of all the personal information they handle, where it is kept and the risks associated with that information. Entities could undertake robust information asset management by developing and maintaining a register which provides a high level description of all the personal information handled by the entity. This will ensure that the entity’s information security measures are comprehensive.

and, in relation to software security (which refers to malware):

ICT security

Effective ICT security requires protecting both computer hardware (the physical devices that make up a computer system) as well as the data (including personal information) that the computer hardware holds from misuse, interference, loss, unauthorised access, modification and disclosure. However, ICT security measures should also ensure that the hardware and the information stored on it remain accessible and useful to legitimate users.

Entities are expected to consider ICT security measures and the protection of personal information as part of their decision to use, purchase, build or upgrade ICT systems rather than attempting to address privacy later, for example after a privacy breach has occurred.

It is also expected that entities regularly monitor the operation and effectiveness of their ICT security measures to ensure that they remain responsive to changing threats and vulnerabilities and other issues that may impact the security of personal information. This includes regularly applying patches (see ‘Software security’ section below) for known flaws in a timely fashion or using up to date software when previous versions are known to be flawed.

There is an expectation that entities which provide online customer services or engage in electronic commerce, such as online retail businesses, will utilise ICT security measures to ensure that their website, along with smart phones, mobile device applications (apps), terminals, kiosks and other environments that may be connected to a network are secure and that they provide a safe environment for individuals to make payments or provide their banking and personal information. 

ICT security measures help mitigate the risks of external attackers and the damage caused by malicious software (or malware), computer viruses and other harmful programs. These programs can be used to gain unauthorised access to computer systems in order to disrupt or disable their operation and steal any personal information stored on those systems.

APP 6 outlines when an APP entity may use or disclose personal information. ‘Unauthorised access’ by a third party is a separate concept from ‘disclosure’. For example, an APP entity is not taken to have disclosed personal information under APP 6 where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information. However, failure by the entity to take reasonable steps under APP 11 to prevent unauthorised access such as a cyber-attack or a theft, including where the third party then makes personal information available to others outside the entity, may be a breach of APP 11. The OAIC has previously found, after investigation, that entities were in breach of the Privacy Act by not taking reasonable steps to prevent a data breach involving a cyber-attack.

ICT security measures can also guard against unauthorised use or disclosure of personal information stored on a computer system while the system is being legitimately used. Such accessibility issues and unauthorised use or disclosure can occur as a result of:

  • human error (for example, the misplacing of hardware components and peripheral devices such as laptops and data storage devices, noting that encryption and password protection can mitigate this risk)
  • hardware or software malfunctions
  • power failure
  • system failure caused by natural disasters such as earthquakes, floods, and extreme weather conditions.

Without guidance from the courts as to what weight should be placed on the various factors the guidelines list the default should be what is best industry practice.

One Response to “ACMA launches webcast to deal with Malware”

  1. ACMA launches webcast to deal with Malware | Australian Law Blogs

    […] ACMA launches webcast to deal with Malware […]

Leave a Reply