22 Council of Europe members sign new additional protocol to Cybercrime Convention

May 15, 2022

The Council of Europe (‘CoE’) announced that 22 states had signed the Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence (‘Second Additional Protocol to the Budapest Convention’).

The Second Additional Protocol provides for:

  • a legal basis for disclosure of domain name registration information and for direct co-operation with service providers for subscriber information;
  • effective means to obtain subscriber information and traffic data;
  • immediate co-operation in emergencies;
  • mutual assistance tools; and
  • personal data protection safeguards.

Interestingly, the Second Additional Protocol was also signed by the non-CoE states of Chile, Colombia, Japan, Morocco and the United States, but not by Australia.  That is more than Read the rest of this entry »

Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022): ss 912A(1)(a) & (h) Corporations Act 2001 (Cth), failure to have adequate cybersecurity risk management in place

May 14, 2022

The Federal Court, per Rofe J, in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 made what has widely been described as the first finding that a corporation breached its licence obligations by failing to have adequate risk management systems in place to manage its cyber security risks. The Court granted declaratory relief and ordered RI Advice to undertake work to improve its security under the supervision of an expert.

The orders were made in terms agreed between the parties just before the trial was scheduled to commence.

I have followed this proceeding closely, with posts ASIC commences action against RI Advice Group Pty Ltd for failing to have adequate cyber security in August 2020 and ASIC v RI Advice Group Pty Ltd cyber security civil penalty trial pushed off from a 29 November 2021 hearing date to a date in April 2022 in May 2021.

FACTS

The Court set out the factual background, stating that RI Advice:

  • was, up to and including September 2018, a wholly-owned subsidiary of Australia and New Zealand Banking Group Limited (ANZ);
  • was, from 1 October 2018, along with two other ANZ financial licensees, part of the IOOF Holdings Limited (IOOF) group of companies [12];
  • carries on a financial services business within the meaning of s 761A of the Corporations Act 2001 (Cth) (“the Act”) under a third-party business owner model; and
  • under s 916A of the Act, authorises independently-owned corporate authorised representatives (“ARs”) and individual authorised representatives to provide financial services to retail clients on RI Advice’s behalf and pursuant to the Licence [13].

The AR Practices (practices of groups of one or more Authorised Representatives):

  • electronically received, stored and accessed confidential and sensitive personal information and documents in relation to their retail clients. The personal information included:
    • personal details, including full names, addresses and dates of birth and in some instances health information;
    • contact information, including contact phone numbers and email addresses; and
    • copies of documents such as driver’s licences, passports and other financial information [14];
  • since 15 May 2018 provided financial services to at least 60,000 retail clients [15]; and
  • experienced nine cybersecurity incidents between June 2014 and May 2020, being:
    • in June 2014, an AR’s email account was hacked and five clients received a fraudulent email urging the transfer of funds, one of whom made transfers totalling some $50,000;
    • in June 2015, a third-party website provider engaged by an AR Practice was hacked, resulting in a fake home page being placed on the AR Practice’s website;
    • in September 2016, one client received a fraudulent email purporting to be from an employee of an AR Practice asking for money. The AR Practice used an email platform where information was stored “in the Cloud”, with no anti-virus software and only one password which everyone used;
    • in January 2017, an AR Practice’s main reception computer was subject to ransomware delivered by email, making certain files inaccessible;
    • in May 2017, an AR Practice’s server was hacked by brute force through a remote access port, resulting in a file containing the personal information of some 220 clients being held for ransom and ultimately not recovered;
    • between December 2017 and April 2018 (the December 2017 Incident), an unknown malicious agent had unauthorised access to an AR Practice’s server for several months, compromising the personal information of several thousand clients, some of whom reported unauthorised use of their personal information;
    • in May 2018, an unknown person gained unauthorised access to the email address of an AR and sent a fraudulent email to the AR’s bookkeeper requesting a bank transfer; and
    • an unauthorised person used an AR Practice’s employee’s email address:
      • in August 2019, to send phishing emails to over 150 clients; and
      • in April 2020, to send phishing emails to the AR Practice’s contacts [16].

Inquiries and reports following the cybersecurity incidents revealed that there were a variety of issues in the respective ARs’ management of cybersecurity risk, including:

  • computer systems not having up-to-date antivirus software installed and operating;
  • no filtering or quarantining of emails;
  • no backup systems in place, or backups not being performed; and
  • poor password practices including:
    • sharing of passwords between employees,
    • use of default passwords,
    • passwords and other security details being held in easily accessible places or being known by third parties [17].

Regarding the incidents Read the rest of this entry »

National Institute of Standards and Technology releases CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B

May 13, 2022

The National Institute of Standards and Technology today released its CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B.  It is a very technical document, even by NIST standards, coming in at 80 pages.

The publication revises NIST SP 800-140B by:

  1. Defining a more detailed structure and organization for the Security Policy
  2. Capturing Security Policy requirements that are defined outside of ISO/IEC 19790 and ISO/IEC 24759
  3. Building the Security Policy document as a combination of the subsection information
  4. Generating the approved algorithm table based on lab/vendor selections from the algorithm tests

The abstract Read the rest of this entry »

Data breach at the California State Bar, with 322,000 confidential attorney discipline files exposed to the public, an excruciating experience ongoing from 27 February 2022

May 10, 2022

Lawyers are far from immune from data breaches.  In fact, law firms are attractive targets for ransomware attacks and for malicious actors, sometimes state sponsored, who are interested in the sensitive client information held behind often poorly protected cyber defences. Nothing so nefarious hit the State Bar of the US state of California; rather, over 322,000 confidential attorney discipline records were erroneously published on the public records aggregator Judyrecords from 15 October 2021 until 26 February 2022.  The Bar attributed the error to a bug in its case management system. While a data breach caused by a flaw in an IT system rather than a malicious hack is a minor consolation, the mortification level remains high nevertheless.  And it remains a data breach.  The breach was discovered on 24 February 2022.  The Bar has been required to notify 1,300 complainants, witnesses or respondents.

The episode highlights the importance of testing that IT systems actually behave as intended, not only that cyber security defences hold. Clearly the glitch which caused this data breach was due to a malfunction in the system.  That is an explanation, not an excuse.

The State Bar first issued a Media release, State Bar of California Addresses Breach of Confidential Data, on 26 February 2022.  At that time Read the rest of this entry »

US President signs Better Cybercrime Metrics into law

It is obvious to anyone practising in the privacy and data security area that reliable statistics about the incidence of cybercrime, the number of people or organisations affected and the cost of those criminal acts are hard to come by.  The causes are numerous: victims are unwilling to report crimes, organisations affected by hacks do their best to keep publicity to a minimum, definitions of certain crimes differ, and what data there is gets collated inefficiently.

It is therefore welcome that the US is regularising the collection of data relating to cyber crime and cyber-enabled crime.  The Act Read the rest of this entry »

US state of Connecticut passes comprehensive consumer privacy bill

In the United States the states have traditionally been active in law reform, often leading the way until the Federal Government steps in and makes nationwide laws, to the extent permissible by the Constitution.  There have been notable exceptions, such as the New Deal legislation of the 1930s and Lyndon Johnson’s frenetic legislative activity of the 1960s.  But on privacy the US states have led the way, with the California Consumer Privacy Act of 2018 (CCPA) being the most comprehensive.

Australian States could legislate for proper privacy protections in Australia.  There is ample scope to provide greater protections, but they choose not to do so.

The US north-eastern state of Connecticut has passed a comprehensive privacy Act, S.B. 6, AN ACT CONCERNING PERSONAL DATA PRIVACY AND ONLINE MONITORING.  With this Bill, Connecticut becomes the fifth state of the Union to have a comprehensive privacy law.  It will take effect on 1 January 2023.

The official description of what the legislation, if signed by the Governor, will do is:

To: (1) Establish (A) a framework for controlling and processing personal data, and (B) responsibilities and privacy protection standards for data controllers and processors; and (2) grant consumers the right to (A) access, correct, delete and obtain a copy of personal data, and (B) opt out of the processing of personal data for the purposes of (i) targeted advertising, (ii) certain sales of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.

The legislation applies to persons conducting business in Connecticut, or persons that produce products or services targeted to residents of Connecticut, that:

  • controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

The legislation does not regulate:

  • nonprofit organizations;
  • institutions of higher education;
  • financial institutions or data subject to the GLBA;
  • HIPAA covered entities or business associates;
  • business-to-business and employee data; and
  • certain personal information under the:
    • Fair Credit Reporting Act,
    • Driver’s Privacy Protection Act of 1994, and
    • Family Educational Rights and Privacy Act.

Under the Bill consumers have the right Read the rest of this entry »

FBI reports that over $43 billion was lost to Business Email Compromise from June 2016 until 31 December 2021

May 9, 2022

The Federal Bureau of Investigation (“FBI”) has issued a public service announcement reporting that, between June 2016 and December 2021, there were 241,206 domestic and international incidents involving a total loss of $43,312,749,946 arising from what is described as Business Email Compromise.

Business Email Compromise is defined as:

Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.

The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.

The scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even crypto currency wallets.

Interestingly, there was a 65% increase in identified global exposed losses between July 2019 and December 2021. The FBI attributes this, at least in part, to the COVID restrictions, which pushed more work and business onto virtual platforms.

With every scam there needs to be Read the rest of this entry »

Privacy by design awards offer some interesting insights

The concept of Privacy by design has been in existence since the 1990s.  It has been hugely influential and is a very important set of principles for businesses and government in developing and maintaining an adequate privacy structure. It is described by the Australian Information Commissioner as:

‘Privacy by design’ is a process for embedding good privacy practices into the design specifications of technologies, business practices and physical infrastructures. This means building privacy into the design specifications and architecture of new systems and processes.

It’s more effective and efficient to manage privacy risks proactively, rather than to retrospectively alter a product or service to address privacy issues that come to light.

CyberCX’s Privacy by Design Awards recognise organisations that have successfully implemented privacy by design.  The awards for 2022 have been announced.

The results are:

  • Overall winner: Apple
  • 2022 Top Performer, Australian Corporate: National Australia Bank
  • 2022 Top Performer, Federal Government: Australian Broadcasting Corporation
  • 2022 Top Performer, State Government: Service NSW
  • Principle 1, Proactive not Reactive; Preventative not Remedial: 2022 Top Performer Apple
  • Principle 2, Privacy as the Default Setting: 2022 Top Performer Apple
  • Principle 3, Privacy Embedded into Design: 2022 Top Performer Airbnb
  • Principle 4, Full Functionality – Positive-Sum, not Zero-Sum: 2022 Top Performer BP
  • Principle 5, End-to-End Security – Full Lifecycle Protection: 2022 Top Performer Uber Eats
  • Principle 6, Visibility and Transparency – Keep it Open: 2022 Top Performer Australian Broadcasting Corporation
  • Principle 7, Respect for User Privacy – Keep it User-Centric: 2022 Top Performer Australian Broadcasting Corporation

CyberCX grouped organisations into 11 sectors being Read the rest of this entry »

The UK Information Commissioner’s Office launches its updated Artificial Intelligence data protection risk toolkit.

May 6, 2022

Artificial Intelligence (“AI”) is becoming a significant issue for lawyers generally and regulators in particular.   Its impact on the law is apparent from the Full Court of five justices ruling in Commissioner of Patents v Thaler [2022] FCAFC 62 last month that an inventor for the purposes of patent law must be a natural person, not an AI.  This was an appeal from the decision of Justice Beach on 30 July 2021 in Thaler v Commissioner of Patents [2021] FCA 879, who relevantly ordered:

  • The determination of the Deputy Commissioner that s 15(1) of the Patents Act 1990 (Cth) is inconsistent with an artificial intelligence system or device being treated as an inventor be set aside.
  • The matter as to whether patent application no. 2019363177 satisfies the formalities under the Patents Regulations 1991 (Cth) and its examination be remitted to the Deputy Commissioner to be determined according to law in accordance with these reasons.

In its reasons the Full Court found that identification of the “inventor” was central to the operation of the legislation. Under s 15, only the inventor or someone claiming through the inventor is entitled to a patent.

Thaler will probably make its way to the High Court. 

But the use of AI is more prosaic and ubiquitous than inventing devices.  That is likely to be both a public good and a cause for concern.  At the moment the technology and its implementation are far outpacing the law and regulation.  That is a concern given the potential foreseeable and unforeseeable consequences.  In that regard I thoroughly recommend Machines Behaving Badly: The Morality of AI by Toby Walsh.   I attended a presentation by Professor Walsh organised by the Centre for Artificial Intelligence and Digital Ethics (CAIDE) last Wednesday.

Regulators in the United Kingdom and Europe have been much more alive to the need for guidance on, and consideration of, AI and its effect on privacy and data security than the regulator in Australia, which takes a more languid approach and seems content to let the ACCC take the running on big tech issues.  In that vein the Information Commissioner’s Office (‘ICO’) announced, on 4 May 2022, that it had launched its updated AI and data protection risk toolkit. It is an important document for Read the rest of this entry »

NIST Updates Cybersecurity Guidance for Supply Chain Risk Management: NIST SP 800-161

The National Institute of Standards and Technology (“NIST”) today released the updated guidance Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161 Rev. 1). It was prepared in response to Presidential Executive Order 14028.

It is a timely and valuable resource dealing with cyber security risks in supply chains.  Supply chain vulnerabilities are a chronic problem for organisations.  Given the relatively sparse material generated in Australia on this issue, it should be used by those working in the cyber security and privacy sphere.

NIST’s summary of the Executive Order, so far as it is relevant to NIST, provides:

The President’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity issued on May 12, 2021, charges multiple agencies – including NIST – with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.

Section 4 directs NIST to solicit input from the private sector, academia, government agencies, and others and to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security. Those guidelines, which are ultimately aimed at federal agencies but which also are available for industry and others to use, include:

    • criteria to evaluate software security,
    • criteria to evaluate the security practices of the developers and suppliers, and
    • innovative tools or methods to demonstrate conformance with secure practices.

NIST is to consult with other agencies in producing some of its guidance; in turn, several of those agencies are directed to take steps to ensure that federal procurement of software follows that guidance.

The EO also assigns NIST to work on two labeling efforts related to consumer Internet of Things (IoT) devices and consumer software with the goal of encouraging manufacturers to produce – and purchasers to be informed about – products created with greater consideration of cybersecurity risks and capabilities.

The Guide is 326 pages long, extensive even for NIST.  

The abstract Read the rest of this entry »