
Showing posts with label cybersecurity. Show all posts

How should damages be assessed for privacy and cybersecurity breaches

Listen to this podcast where I discuss how damages should be assessed in privacy and cybersecurity lawsuits.

The Lawyers Weekly Show host Jerome Doraisamy speaks with Professor John Swinson, who teaches cyber security law and privacy law at The University of Queensland, about growing awareness of data and cyber security issues and the legal claims that follow.


Facebook Data Leak

An interesting detailed article about the Facebook data leak:

https://www.digitalshadows.com/blog-and-research/the-facebook-data-leak-explained/

The leak took place in 2019.

"Initially, attackers offered the data at quite a steep price. As the data began circulating in open and gated cybercriminal forums in 2020, a listing on Russian-speaking cybercriminal forum XSS in August 2020 advertised the sale of this data for “only” USD 25,000 (see Figure 2). Listings were identified across several other forums, such as Raidforums. The sheer size of the data leakage and the wide geography it covered (106 countries) made the data a gold mine for cybercriminals. Therefore, these listings often caught the interest of multiple threat actors."

Chinese cyberattacks

As experts say the number of cyber attacks being directed at Australia has reached a disturbing level, it can now be revealed that Chinese hackers came within minutes of shutting down two Queensland power stations. Had the attack been successful, it could have been lights out for some 3 million homes.

Is cybersecurity insurance worth the risk?

A good source of information about cybersecurity risks is the Information Security Forum (ISF).

For example, ISF recently published an interesting report regarding cybersecurity insurance.  Is cybersecurity insurance worth the risk?  See Report.

Cyber Insurance

An excellent paper on Cyber Insurance in Australia:  "Underwritten or Oversold".  Well worth reading.

From the CSCRC (the Cyber Security Cooperative Research Centre).


Ransomware and class action lawsuits

A good article on class action lawsuits in the United States that come after a ransomware attack:

Washington Post article

"“Companies with good security sometimes have lapses,” Solove said. There isn’t a unified legal standard laying out what sort of security a company needs to have to protect it from liability if it loses its customers’ information or suffers a ransomware attack.

“It really isn’t clear what the standard of care is,” he said. “It’s tricky. All you have to do is fail on one thing.”

That means the potential for lawsuits will keep growing as ransomware attacks do. And if lawyers can reasonably show that a company made some kind of mistake in protecting its system, victims will have an avenue to sue."

I wrote a short article on the topic of cybersecurity lawsuits at the beginning of this year.  See

Uber Interfered With Privacy of Australians

The Australian Privacy Commissioner has determined that Uber interfered with the privacy of an estimated 1.2 million Australians.

The Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack starting in October 2016.

Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability. Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach and did not publicly disclose the data breach until November 2017. 

See Press Release from OAIC

See Decision


Giving the Government Power to Disrupt

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 has been subject to criticism.  It allows the government to hack into the computers of people it considers to be bad actors.  Could innocent bystanders be affected, as happened when Microsoft carried out protective hacking about 8 years ago?  See https://www.csoonline.com/article/2449572/microsoft-hammers-no-ip-collateral-damage-includes-hacking-teams-legal-malware.html

Details of the Bill are here:

https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/surveillance-legislation-amendment-identify-and-disrupt-bill-2020

The Law Council has released a 150 page criticism of the Bill.


Take care if you pay the ransom

In response to the proliferation of ransomware attacks over the last five years, a series of United States Executive Orders and statutes have come to include cyberterrorists amongst the list of banned individuals with whom U.S. persons cannot conduct financial transactions.  This impacts payments to cybercriminals for ransomware attacks.

There is a detailed article from a U.S. law firm here, that sets out when payment of a ransom could lead to breach of U.S. law.  See https://www.friedfrank.com/siteFiles/Publications/NYLJ_03.05.21_Kleinman.pdf


Critical Infrastructure Reforms in Australia

The Australian Government is implementing "Critical Infrastructure reforms".  The consultation process for the new laws is being managed by the Critical Infrastructure Centre which is part of the Department of Home Affairs.

The CIC is currently assessing implementation of the governance rules to accompany the to-be-amended Security of Critical Infrastructure Act 2018 (Cth) at a broad, industry-neutral level. The CIC is intending these rules to provide an overview of the role industry will play in self-assessment and self-reporting, with the specific rules and obligations around assessment standards to come from later consultations.


At a high level, the materials made available by the CIC set out the CIC’s intention for the governance rules, including a breakdown of the intention behind specific provisions in the draft Bill.


Key points


  • The Bill is not anticipated to pass until mid-2021 – while not all industry-specific rules may be finalised at that stage, consultation should be almost complete by then.
  • Consultation with industry is happening on a sequential basis – the Electricity and Gas sectors are to start consultation in late March/early April 2021, and other industries will then each have a consultation period one after another.
  • The consultation timeline will be quite aggressive – the governance rules are in consultation this week for publication in late March.
  • The obligations will not activate immediately on enactment of the Bill; instead a ‘switch on’ approach is being taken. The CIC is vague on what the triggers for ‘switching on’ will be, and it is not clear whether the trigger would be an industry-wide event, an incident, or a fixed point in time.

An Australian Computer Law Journal

The most recent issue of the Journal of the Australian Society for Computers and the Law is available here:  http://classic.austlii.edu.au/au/journals/ANZCompuLawJl/recent.html

This journal includes articles on privacy law and cybersecurity law.

Landmark White data breach court case

About two years ago, Landmark White (a property valuation firm in Australia) was subject to a number of cyber security incidents.  Justice moves slowly.

Landmark White’s cyber security standards will come under the spotlight this week, as the trial kicks off of an IT contractor accused of stealing customer data from the firm and putting it on the dark web.

See https://www.afr.com/property/commercial/landmark-white-data-breach-trial-begins-20210304-p577sx

APRA's cybersecurity strategy

APRA is stepping up its focus on CPS234 in 2021.  This is not a surprise.  The Australian government has a strong focus on cybersecurity (and Defence, and foreign influence).

https://www.apra.gov.au/news-and-publications/executive-board-member-geoff-summerhayes-speech-to-financial-services

Fraudulent Invoice Scams

A Sydney hedge fund has collapsed after a cyber attack saw its trustee and administrator mistakenly approve $8.7 million in fraudulent invoices.  Scammed by a fake Zoom invite.

The scam, the latest in a series of strikes by offshore criminal gangs against Australian fund managers, has also ensnared ANZ after the bank failed to stop almost $800,000 being withdrawn from an account linked to the cyber criminals.


https://www.afr.com/companies/financial-services/fake-zoom-invite-cripples-aussie-hedge-fund-with-8m-hit-20201122-p56f9c
