security regulatory framework
Post on 20-May-2015
Anthony Wong MACS CP, President, Australian Computer Society
Chief Executive, AGW Consulting
About Australian Computer Society (ACS)
Founded in 1966, over 19,000 members
The recognised association for those working in ICT in Australia
ACS is a strong advocate for the advancement of professional excellence in ICT, skills and its proper use
The ACS plays an active role in developing Australia’s ICT workforce, ensuring it stays highly skilled and globally competitive by:
Certifying ICT professionals
Accrediting Australia’s University ICT courses
Developing world-class post graduate education
Providing professional development and networking opportunities to members
Conducting research and policy development
Cloud Computing
Potential to transform the way we live, work and interact
Shapes the ICT sector and the way enterprises provide and use IT services
Helps to level the playing field by minimising up-front investment in technology
Changes business agility through “pay-as-you-use” for access to bandwidth and technology functionality
Examples of Cloud Computing
Source: NBN Co
Reasons for adopting cloud computing
Outsource services to cloud suppliers
Ability to scale up and down when required
Reduction of internal technical support constraints
Outsource technical management
Provide more options and flexibility
Deployment and adoption of new technologies
Access to special expertise
Desire to reduce costs
Security Regulatory Framework of Cloud Computing
Cloud computing, as a new sourcing and delivery model, shares many common legal issues with existing delivery models, but poses new legal challenges:
– Recent Security Incidents
– Data protection, rights and usage
– Protection of Electronic Information
– Security Regulatory Framework including
• Cybercrime
• Privacy and security
• Cross-border issues
Recent Security Incidents
Phone-hacking scandal
The 168-year history of the British tabloid News of the World has ended with a phone-hacking scandal that has shocked even the most hardened of media analysts
Prime Minister David Cameron hinted that more heads would roll, saying that there had been “some illegal and utterly unacceptable practices at the News of the World and possibly elsewhere”
Alleged that employees routinely made payments to police officers, believed to total more than £100,000 ($A148,000), for information
SMH Raphael Satter July 10, 2011
Phone-hacking scandal
News Corp and its directors could face prosecution under the Regulation of Investigatory Powers Act 2000 (UK), which outlaws interception of communications, where the offence was committed with their “consent or connivance” or was “attributable to any neglect on their part”
SMH Dominic Rushe and Jill Treanor July 10, 2011
Telecommunications not to be intercepted
Section 7(1) Telecommunications (Interception) Act 1979 (Cth):
A person shall not:
a) intercept;
b) authorize, suffer or permit another person to intercept; or
c) do any act or thing that will enable him or her or another person to intercept;
a communication passing over a telecommunications system
Distribute.IT hacked
In June 2011, a cyber-attack on, and the subsequent collapse of, Melbourne hosting company Distribute.IT
Hacker disabled and permanently wiped the contents of four key servers
Customers lost several years of transactional and customer information, since the backups of that data were wiped as well
Concept of legal responsibility in the law of negligence may develop to meet new social conditions and standards
Half of second-hand mobile phones contain personal data
Private personal data remains on discarded mobile phones, including intimate photos, credit card numbers and PINs
Half of 50 handsets bought from second-hand resellers on eBay contained personal messages or photos, according to exclusive research from the mobile and forensics experts Disklabs
"Data is more portable, more accessible, more widely disseminated and more numerous than ever before," said Ferguson. "We tend to place our faith in the technology that we use to access our data, we believe that when we hit delete the data is gone, and we believe that if we restrict the audience we share with that the data will not go any further. These beliefs are often misplaced - as that story testifies."
SMH October 13, 2010 - 11:56AM
Evidence from recovered data
Legal risk and admissibility of electronic documents and records
critical to establish a thorough records management system
necessary to provide documentary evidence if there is a business dispute
also to satisfy statutory requirements regarding the retention of records
are electronic documents sufficient?
Electronic Evidence
Section 48 Australian Evidence Act 1995 (Cth) – original document rule (Best Evidence Rule) abolished; copies are as good as the originals, but evidence of the integrity of the process used to produce the copy must be kept
Best Evidence Rule expunged in Federal, ACT, Tasmania, Victoria and NSW
Generally, Australian Electronic Transactions Act 1999 (Cth), production of documents – Section 11: a requirement to produce a document is met if the person produces an electronic form of the document, provided the conditions of a reliable means of assuring the integrity, and ready accessibility and useability for subsequent reference, are met
Canberra on alert for WikiLeaks
WikiLeaks to release classified diplomatic cables
Leak will include millions of classified documents
Cables could be about War in Iraq, Guantanamo
Saudi king urged US to attack Iran
WikiLeaks reveals Iraqi torture, deaths
WikiLeaks: China directed Google hacking
The Australian November 26, 2010
Sony PlayStation Network user data stolen
77 million electronic records compromised from Sony Electronics' PlayStation Network between April 17 and April 19 2011
Breach of accounts with names, addresses, email addresses, birthdates, usernames, passwords, logins, security questions and other personal data
Credit card details were encrypted, but the personal data was not
Other Recent Social Media controversies
Collection and use of private data by corporations like Google and Facebook
Increasing public concern about changes to Facebook's privacy settings - for making it difficult for users to put limits on how far the information they upload is shared
Google's collection of wireless connection data it gathered while compiling images for its Street View service
Government plans to monitor web users’ internet communications
Data protection, rights and usage
Monetisation of Data Assets – is this the new currency of the future?
Customer participation and information/data are valuable assets, for example:
Recent sale of Skype (400+ million users) for $8.5 billion
Doubling of LinkedIn’s (100+ million members) share price
Successful business models including Facebook and other social media companies
Protection of Electronic Information
The increased efficiency, capacity of computers and the interconnectivity of computer systems especially with the Internet has allowed easier access to electronic information
Electronic information is now pervasive if not vital for the essential operation of a modern day organisation
IT Departments have increasing accountability for integrity and consistency of information within the organisation
To secure information effectively, it needs to be secured from all perceivable threats
Protection of Electronic Information
From Unauthorised Access
From Unauthorised Use & Disclosure
From Interception
From Piracy & Copying
From Unauthorised Modification (alteration, deletion or addition)
Impact of the Misuse of Electronically Stored Information
Has a range of consequences that depends on the sensitivity and nature of the information
Cybercrime
Protection of Electronic Information
Using Technical & Physical Means & Security Standards
Protection of Electronic Information
Using Regulatory Framework
Protection of Electronic Information
Using Privacy Laws
Using Technical & Physical Means
Using Common Law
Using Copyright & Other IP Laws
Using Cybercrime, Telecommunication Interception and Spam Laws
Security Regulatory Framework
There is no global ‘Law of Cyberspace’ or ‘Law of the Internet’; however, in Australia, there are a number of specific laws that apply:
Cybercrime Act 2001 (Cth)
Telecommunications (Interception) Act 1979 (Cth)
Spam Act 2003
Privacy Act 1988 & Privacy Amendment (Private Sector) Act 2000 (Cth)
Electronic Transactions Acts
Copyright Amendment (Digital Agenda) Act 2000 (Cth) - intellectual property
Cybercrime Legislation
There are at least 13 Federal Acts which have some relevance to cybercrime
States and territories have their own legislation which is not uniform, either in offence provision or in penalties
The State and Territory offences apply within each jurisdiction and Commonwealth offences target unlawful access to Commonwealth computers and data, and offences committed using a telecommunications service or carrier
The main legislation includes Cybercrime Act 2001 (Federal) and Crimes Amendment (Computer Offences) Act 2001 (NSW)
Cybercrime Legislation
Generally, the Australian provisions make it an offence for a person to do or attempt to do the following:
unauthorised access to a computer system
unauthorised access to or modification of data
impairment of electronic data and communication
impeding access to computers; and
possession of data with intent to commit a serious offence
Spam Act 2003
Australian Spam Act 2003 came into effect 11 April
An article covering “The impact of Australia's anti-spam legislation” is available from the ZDnet website on http://www.zdnet.com.au/insight/business/0,39023749,39116020,00.htm
Privacy Regulatory landscape
Privacy Regulatory landscape in Australia presents a fractured and imperfect picture. It is a mixture of:
Legislation e.g. the Privacy Act 1988 (Cth) and the Privacy Amendment (Private Sector) Act 2000 (Cth)
Equitable and common law duties regarding confidential information
State privacy legislation (State laws) and health privacy laws
Security and Information Management Standards and Practices
Other Codes of Conduct, Industry Standards and Guidelines
Australian Federal Privacy Laws
The Privacy Act 1988 (Cth) sets out 11 Information Privacy Principles (IPPs) that protect the privacy of persons dealing with the Federal Government
It has also been extended to regulate the way private sector organisations can collect, use, keep secure and disclose personal information stored whether electronic or not
It only protects “Personal Information” and NOT Commercial Information
Australian wide Private Sector Privacy Laws
There are 10 National Privacy Principles (NPPs) of application in the private sector:
NPP 1 – collection, the purpose of collection, and that the person can get access to their personal information
NPP 2 – the use and disclosure of personal information
NPP 3 – data quality
NPP 4 – data security; reasonable steps to protect personal information from misuse and loss and unauthorised access, modification or disclosure
NPP 5 – openness
NPP 6 – access and correction
NPP 7 – prohibits the use of Federal government identifiers in the private sector, e.g. Tax File Number
NPP 8 – anonymity
NPP 9 – the transfer of data to another country
NPP 10 – the use and disclosure of sensitive information (about an individual’s racial, political or religious beliefs, health, membership etc.)
Australian wide Private Sector Privacy Laws
The following are more pertinent to the “Protection of Electronic Information”:
NPP 2 – the use and disclosure of personal information
NPP 4 – data security; reasonable steps to protect personal information from misuse and loss and unauthorised access, modification or disclosure
NPP 7 – prohibits the use of Federal government identifiers in the private sector, e.g. Tax File Number
NPP 9 – the transfer of data to another country
NPP 10 – the use and disclosure of sensitive information (about an individual’s racial, political or religious beliefs, health, membership etc.)
Cross-border issues
Differing levels of data privacy laws worldwide challenge trans-border data flow across countries
Lack of consistency in privacy laws worldwide makes monitoring compliance and assessing risk difficult and expensive
Privacy Act 1988 National Privacy Principle (NPP) 9 (Transborder Data Flows) regulates transfers of personal information by an organisation to an offshore location by permitting such transfers if:
the organisation reasonably believes that the recipient is subject to a law, scheme or contract which upholds similar principles
the individual consents to the transfer
the transfer is necessary for the performance of the contract between the individual and the organisation, or for the benefit of the individual
Cross-border issues
In a dispute or a conflict situation, which country’s court system will settle the dispute?
Location of servers could trigger local laws even in the non-presence of cloud provider or customer in the locality
Local laws may override contractual agreements between cloud providers and customers
Location of servers may not be apparent from the provider’s terms of service
Consider the situation where Data may be stored in multiple locations (countries) at the same time
When do conflicts of laws occur?
Cross-border issues
Data stored in the U.S. is subject to U.S. law, for example: US Patriot Act – the US government’s authority extends to compelling disclosure of records held by cloud providers
Mutual Assistance Treaty between US and Australia allows respective law enforcement agencies to gain access to data in the other jurisdiction in certain circumstances
Cross-border issues
Jurisdiction is dependent on the sovereignty of a government
Concept of jurisdiction evolved in relation to geographical boundaries or territories
Premise that each state or country has absolute power to control persons and things located within its boundaries or territories
Internet challenges these territorially based principles
The law in regards to jurisdiction in cyberspace is unsettled
Cross Border Jurisdiction Issues
Consider Case Scenario:
• Identifying the location of the offence/breach
• Identifying the location where the harm resulted (e.g. victim’s location or computer’s location)
• Deciding which sovereign nation and court should have jurisdiction over the dispute
Diagram labels: Customer and User; Server breached & compromised
Cross-border issues
In order for a court to adjudicate in a case, the court must have authority over:
the subject matter in dispute (subject matter jurisdiction); and
parties before the court (personal jurisdiction)
Security Regulatory Framework for the Cloud
Legal requirements for organisations to consider:
Have you reviewed your corporate governance and industry regulation requirements?
Are you able to comply with mandatory disclosures and financial reporting?
Are there special standards and compliance for your industry?
Can you comply with data retention requirements and eDiscovery requests during litigation?
Burden is on you to understand your compliance obligations
Security Regulatory Framework for the Cloud
Example of a regulated industry:
Financial services companies must first notify the Australian Prudential Regulation Authority (APRA) of offshore data transfer
Financial services companies must demonstrate appropriate risk management and governance procedures where there is potential to compromise:
a financial institution’s ability to continue operations and meet core obligations, following a loss of cloud computing services
confidentiality and integrity of sensitive (e.g. customer) data/information
compliance with legislative and prudential requirements
Privacy and security
Businesses are ultimately responsible for the protection of data/information that is stored and/or processed in the cloud
Management must maintain assurance that the security of the cloud service provider is adequate for their purpose:
Privacy Act 1988 National Privacy Principle 4 (Data Security) provides that an organisation must "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure”
Privacy and security
Not all types of cloud services raise the same privacy and confidentiality risks:
Review your supplier’s security policies and procedures – do they meet your requirements? Evaluate the risks
Risks vary with the terms of service and privacy policy established by your provider
Can your cloud provider change the terms and policies at will?
Do you have to comply with privacy legislation restricting processing and transfer of data offshore?
Should your agreement restrict services and data storage to agreed locations? What are the rights of the supplier to operate in other locations?
Define the scope of your confidential information – which will vary depending on the nature of your business
Privacy and security
Things to consider:
Whose privacy policy will apply at different stages of the data transfer?
What security mechanisms are in place to manage data transfers between parties?
What are the consequences of security and privacy breaches?
How will you know if there is a breach?
Is your cloud service provider required to provide assistance in the investigation of security breaches?
Is there an audit trail for data?
Privacy and security
Privacy Reform
Privacy Act 1988 is being modernised to strengthen Australia’s privacy protection
2008: ALRC report released, For Your Information: Australian Privacy Law and Practice
2009: Government released its position on 197 of the ALRC’s recommendations, including:
develop a single set of National Privacy Principles
strengthen and clarify the Privacy Commissioner’s powers and functions
2010: exposure draft of the new Privacy Act was released by the Government
Conclusion
There is no one size fits all for cloud computing - laws are unsettled
Not all cloud services are created equal and not all cloud services should be subject to the same terms
Few legal precedents regarding liability in the cloud
Undertake due diligence, as you need to fully understand the risks associated with cloud computing, and adopt a risk-mitigation approach to cloud adoption
Service agreements need to specify those areas the cloud provider is responsible for
Read the fine print of the cloud computing agreement carefully
Specify locations for data storage and processing - know the governing law of the cloud computing agreement
Conclusion
Ensure flexibility and additional rights, even if you have to pay for them, as your use of cloud services and sophistication are likely to grow
You need to clarify with your cloud service provider on matters pertaining to ownership of data stored at your provider’s facilities and responsibilities in relation to security and service availability
Cloud computing industry needs to adopt more transparent and clearer policies and practices, so users are better able to gauge their risk comfort level
For those risks that cannot be addressed by changes in policies and practices, changes in laws may be appropriate
Thank You
“A global approach is the only way to deal with the Internet”
Francis Gurry, Head of the World Intellectual Property Organisation (WIPO)
and so for Cloud Computing…
Source: "IP's new role in the knowledge economy“ Asia Today International April/May 2011
www.acs.org.au
anthonywong@acslink.net.au
www.linkedin.com/in/wonganthony
This short presentation only covers the main legal issues. In no way does the author wish to imply that the areas presented are the only worthy of consideration. Since every cloud service is different, readers should seek their own legal advice on matters specific to their circumstances. The views on this presentation are that of the author and not of the ACS.