As experts say the number of cyber attacks being directed at Australia have reached a disturbing level, it can now be revealed that Chinese hackers came within minutes of shutting down two Queensland power stations . Had the attack been successful it could have been lights out for some 3 million homes.
A blog relating to Internet legal issues by Professor John Swinson, University of Queensland
Adsense HTML
Showing posts with label cybersecurity. Show all posts
Showing posts with label cybersecurity. Show all posts
Chinese cyberattacks
Is cybersecurity insurance worth the risk?
A good source of information about cybersecurity risks is the Information Security Forum (ISF).
For example, ISF recently published an interesting report regarding cybersecurity insurance. Is cybersecurity insurance worth the risk? See Report.
Cyber Insurance
An excellent paper on Cyber Insurance in Australia: "Underwritten or Oversold". Well worth reading.
From the CSCRC (the Cyber Security Cooperative Research Centre).
Ransomware and class action lawsuits
A good article on class action lawsuits in the United States that come after a ransomware attack:
"“Companies with good security sometimes have lapses,” Solove said. There isn’t a unified legal standard laying out what sort of security a company needs to have to protect it from liability if it loses its customers’ information or suffers a ransomware attack.
“It really isn’t clear what the standard of care is,” he said. “It’s tricky. All you have to do is fail on one thing.”
That means the potential for lawsuits will keep growing as ransomware attacks do. And if lawyers can reasonably show that a company made some kind of mistake in protecting its system, victims will have an avenue to sue."
I wrote a short article on the topic of cybersecurity lawsuits at the beginning of this year. See
Uber Interfered With Privacy of Australians
The Australian Privacy Commissioner has determined that Uber interfered with the privacy of an estimated 1.2 million Australians.
The Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack starting in October 2016.
Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability. Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017.
See Decision
Giving the Government Power to Disrupt
The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 has been subject to criticism It allows the government to hack into computers of people they think are bad people. Could innocent bystanders be impacted, just like when Microsoft did protective hacking about 8 years ago? See https://www.csoonline.com/article/2449572/microsoft-hammers-no-ip-collateral-damage-includes-hacking-teams-legal-malware.html
Details of the Bill are here:
The Law Council has released a 150 page criticism of the Bill.
Take care if you pay the ransom
In response to the proliferation of ransomware attacks over the last five years, a series of United States Executive Orders and statutes have come to include cyberterrorists amongst the list of banned individuals with whom U.S. persons cannot conduct financial transactions. This impacts payments to cybercriminals for ransomware attacks.
There is a detailed article from a U.S. law firm here, that sets out when payment of a ransom could lead to breach of U.S. law. See https://www.friedfrank.com/siteFiles/Publications/NYLJ_03.05.21_Kleinman.pdf
Critical Infrastructure Reforms in Australia
The Australian Government is implementing "Critical Infrastructure reforms". The consultation process for the new laws is being managed by the Critical Infrastructure Centre which is part of the Department of Home Affairs.
The CIC is currently assessing implementation of the governance rules to accompany the to-be-amended Security of Critical Infrastructure Act 2018 (Cth) at a broad, industry-neutral level. The CIC is intending these rules to provide an overview of the role industry will play in self-assessment and self-reporting, with the specific rules and obligations around assessment standards to come from later consultations.
At a high-level, materials made available by CIC set out CIC’s intention for the governance rules including a breakdown of the intention behind specific provisions in the draft Bill.
Key points
- The Bill is not anticipated to pass until mid-2021 – while not all industry-specific rules may be finalised at that stage, consultation should be almost complete by then.
- Consultation with industry is happening on sequential basis – Electricity and Gas sectors are to start consultation in late March/early April 2021, and then other industries will each have a consultation period one after another.
- The consultation timeline will be quite aggressive – the governance rules are in consultation this week for publication in late March.
- The obligations will not activate immediately on enactment of the Bill, and are instead taking a ‘switch on’ approach. The CIC is vague on what the triggers for ‘switching on’ will be and it is not clear if it was an industry-wide event, whether it was incident-based or whether it would occur from a certain point.
An Australian Computer Law Journal
The most recent issue of the Journal of the Australian Society for Computers and the Law is available here: http://classic.austlii.edu.au/au/journals/ANZCompuLawJl/recent.html
This journal includes articles on privacy law and cybersecurity law.
Landmark White data breach court case
About two years ago, Landmark White (a property valuation firm in Australia) was subject to a number of cyber security incidents. Justice moves slowly.
Landmark White’s cyber security standards will come under the spotlight this week, as the trial kicks off of an IT contractor accused of stealing customer data from the firm and putting it on the dark web.
See https://www.afr.com/property/commercial/landmark-white-data-breach-trial-begins-20210304-p577sx
APRA's focus on cybersecurity
APRA speech by Geoff Summerhayes in late 2020 on APRA’s current focus on cybersecurity: https://www.apra.gov.au/news-and-publications/executive-board-member-geoff-summerhayes-speech-to-financial-services
APRA's cybersecurity strategy
APRA is stepping up its focus on CPS234 in 2021. This is not a surprise. The Australian government has a strong focus on cybersecurity (and Defence, and foreign influence).
Fraudulent Invoice Scams
A Sydney hedge fund has collapsed after a cyber attack saw its trustee and administrator mistakenly approve $8.7 million in fraudulent invoices. Scammed by a fake Zoom invite.
The scam, the latest in a series of strikes by offshore criminal gangs against Australian fund managers, has also ensnared ANZ after the bank failed to stop almost $800,000 being withdrawn from an account linked to the cyber criminals.
Subscribe to:
Posts (Atom)
Facebook Sued for $150 billion by Rohingya refugees
Rohingya refugees are suing Facebook over its own admitted failure to stop the spread of hate speech that contributed to violence in Myanma...
-
The United Nations intellectual property agency (WIPO) is the latest front in the US-China trade war. http://www.theage.com.au/world/sad-am...
-
Finally, what is called direct registration of domain names is coming to Australia. See https://www.auda.org.au/statement/australias-interne...
-
The Australian Privacy Commission made an award compensating individuals for non-economic loss for a privacy law breach. This was a first ...