Anthony Wong MACS CP
President, Australian Computer Society
Chief Executive, AGW Consulting
About Australian Computer Society (ACS)
- Founded in 1966, over 19,000 members
- The recognised association for those working in ICT in Australia
- ACS is a strong advocate for the advancement of professional excellence in ICT, ICT skills and their proper use
- The ACS plays an active role in developing Australia's ICT workforce, ensuring it stays highly skilled and globally competitive, by:
  - Certifying ICT professionals
  - Accrediting Australia's university ICT courses
  - Developing world-class postgraduate education
  - Providing professional development and networking opportunities to members
  - Conducting research and policy development
Cloud Computing
- Potential to transform the way we live, work and interact
- Shapes the ICT sector and the way enterprises provide and use IT services
- Helps to level the playing field by minimising up-front investment in technology
- Changes business agility through "pay-as-you-use" access to bandwidth and technology functionality
Examples of Cloud Computing
Source: NBN Co
Reasons for adopting cloud computing
- Outsource services to cloud suppliers
- Ability to scale up and down when required
- Reduction of internal technical support constraints
- Outsource technical management
- More options and flexibility
- Deployment and adoption of new technologies
- Access to special expertise
- Desire to reduce costs
Security Regulatory Framework of Cloud Computing
Cloud computing, as a new sourcing and delivery model, shares many common legal issues with existing delivery models but poses new legal challenges:
- Recent security incidents
- Data protection, rights and usage
- Protection of electronic information
- Security regulatory framework, including cybercrime
- Privacy and security
- Cross-border issues
Recent Security Incidents
Phone-hacking scandal
- The 168-year history of the British tabloid News of the World has ended with a phone-hacking scandal that has shocked even the most hardened of media analysts
- Prime Minister David Cameron hinted that more heads would roll, saying that there had been "some illegal and utterly unacceptable practices at the News of the World and possibly elsewhere"
- Alleged that employees routinely made payments to police officers, believed to total more than £100,000 ($A148,000), for information
Source: SMH, Raphael Satter, July 10, 2011
Phone-hacking scandal
- News Corp and its directors could face prosecution under the Regulation of Investigatory Powers Act 2000 (UK), which outlaws interception of communications where the offence was committed with their "consent or connivance" or was "attributable to any neglect on their part"
Source: SMH, Dominic Rushe and Jill Treanor, July 10, 2011
Telecommunications not to be intercepted
Section 7(1) Telecommunications (Interception) Act 1979 (Cth): A person shall not:
- intercept;
- authorize, suffer or permit another person to intercept; or
- do any act or thing that will enable him or her or another person to intercept;
a communication passing over a telecommunications system
Distribute.IT hacked
- In June 2011 a cyber-attack on the Melbourne hosting company Distribute.IT led to its subsequent collapse
- The hacker disabled and permanently wiped the contents of four key servers
- Customers lost several years of transactional and customer information, along with the backups of that data
- The concept of legal responsibility in the law of negligence may develop to meet new social conditions and standards
Half of second-hand mobile phones contain personal data
- Private personal data remains on discarded mobile phones, including intimate photos and credit card numbers and PINs
- Half of 50 handsets bought from second-hand resellers on eBay contained personal messages or photos, according to exclusive research from the mobile and forensics experts Disklabs
- "Data is more portable, more accessible, more widely disseminated and more numerous than ever before," said Ferguson. "We tend to place our faith in the technology that we use to access our data, we believe that when we hit delete the data is gone, and we believe that if we restrict the audience we share with that the data will not go any further. These beliefs are often misplaced - as that story testifies."
Source: SMH, October 13, 2010, 11:56AM
Evidence from recovered data
Legal risk and admissibility of electronic documents and records
- Critical to establish a thorough records management system
- Necessary to provide documentary evidence if there is a business dispute, and also to satisfy statutory requirements regarding the retention of records
- Are electronic documents sufficient?
Electronic Evidence
- Section 48 Australian Evidence Act 1995 (Cth): the original document rule (Best Evidence Rule) is abolished and copies are as good as the originals, but you must keep evidence of the integrity of the process used to produce the copy
- The Best Evidence Rule has been expunged in Federal, ACT, Tasmanian, Victorian and NSW legislation
- Generally, under Section 11 of the Australian Electronic Transactions Act 1999 (Cth) (production of documents), a requirement to produce a document is met if the person produces an electronic form of the document, provided that a reliable means of assuring its integrity, and its ready accessibility and usability for subsequent reference, is in place
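Both provisions above turn on being able to show, later, that the copying process preserved the record's integrity. The following is an added example, not code from the presentation, the ACS or the author, of one way a records system can produce that evidence: every copy or conversion step is written to a manifest that carries the source digest, the output digest and the digest of the previous step's manifest, so the whole chain from the system of record to the copy being tendered can be re-verified. The sample record, tool names and operator are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample record standing in for an electronic copy of a business document.
SAMPLE_RECORD = b"Invoice 2011-0042: 12 units @ AUD 310.00, payable 30 days"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the bytes exactly as stored."""
    return hashlib.sha256(data).hexdigest()


def manifest_digest(manifest: dict) -> str:
    """Digest over a canonical JSON form of a manifest, so a later step can reference it."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def record_copy_step(source: bytes, copy: bytes, *, step: str, tool: str, operator: str,
                     previous: Optional[dict] = None,
                     when: Optional[datetime] = None) -> dict:
    """Record one step of the copying or conversion process.

    The manifest holds who did it, with what tool, when, the digest of the input,
    the digest of the output, and the digest of the previous step's manifest.
    If a previous step is supplied, the input must be that step's output.
    """
    if previous is not None and not hmac.compare_digest(previous["copy_sha256"], sha256_hex(source)):
        raise ValueError(f"step {step!r}: source does not match the output of the previous step")
    when = when or datetime.now(timezone.utc)
    return {
        "step": step,
        "tool": tool,
        "operator": operator,
        "performed_at": when.isoformat(),
        "source_sha256": sha256_hex(source),
        "copy_sha256": sha256_hex(copy),
        "copy_size": len(copy),
        "previous_manifest_sha256": manifest_digest(previous) if previous else None,
    }


def verify_chain(manifests: List[dict], tendered_copy: bytes) -> bool:
    """True only if each manifest links to the one before it and the tendered copy matches the last."""
    if not manifests:
        return False
    for prev, cur in zip(manifests, manifests[1:]):
        # Any edit to an earlier manifest changes its digest and breaks the link.
        if cur["previous_manifest_sha256"] != manifest_digest(prev):
            return False
        if cur["source_sha256"] != prev["copy_sha256"]:
            return False
    last = manifests[-1]
    return (len(tendered_copy) == last["copy_size"]
            and hmac.compare_digest(sha256_hex(tendered_copy), last["copy_sha256"]))


def demo() -> tuple:
    """Build a two-step chain, then verify the genuine copy and a tampered one."""
    # Step 1: bit-for-bit export from the system of record (output equals input).
    m1 = record_copy_step(SAMPLE_RECORD, SAMPLE_RECORD, step="export",
                          tool="records-export 1.0 (hypothetical)", operator="archivist")
    # Step 2: conversion to an archival format; the output is a constructed stand-in for a PDF/A render.
    archived = b"PDF/A rendering of: " + SAMPLE_RECORD
    m2 = record_copy_step(SAMPLE_RECORD, archived, step="convert",
                          tool="pdfa-render 2.3 (hypothetical)", operator="archivist", previous=m1)
    genuine_ok = verify_chain([m1, m2], archived)
    # A same-length edit to the amount is still caught by the digest.
    tampered_ok = verify_chain([m1, m2], archived.replace(b"310.00", b"130.00"))
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

The manifests themselves are what you retain alongside the copy; storing them in write-once or separately controlled storage is what stops the same party from altering both the copy and its evidence.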
Canberra on alert for WikiLeaks
- WikiLeaks to release classified diplomatic cables
- Leak will include millions of classified documents
- Cables could be about War in Iraq, Guantanamo
- Saudi king urged US to attack Iran
- WikiLeaks reveals Iraqi torture, deaths
- WikiLeaks: China directed Google hacking
Source: The Australian, November 26, 2010
Sony PlayStation Network user data stolen
- 77 million electronic records compromised from Sony Electronics' PlayStation Network between April 17 and April 19 2011
- Breach of accounts exposing names, addresses, email addresses, birthdates, usernames, passwords, logins, security questions and other personal data
- Credit card details were encrypted, but the personal data was not
Other recent social media controversies
- Collection and use of private data by corporations like Google and Facebook
- Increasing public concern about changes to Facebook's privacy settings, which make it difficult for users to put limits on how far the information they upload is shared
- Google's collection of wireless connection data gathered while compiling images for its Street View service
- Government plans to monitor web users' internet communications
Data protection, rights and usage
- Monetisation of data assets: is this the new currency of the future?
- Customer participation and information/data are valuable assets, for example:
  - Recent sale of Skype (400+ million users) for $8.5 billion
  - Doubling of LinkedIn's (100+ million members) share price
  - Successful business models including Facebook and other social media companies
Protection of Electronic Information
- The increased efficiency and capacity of computers and the interconnectivity of computer systems, especially with the Internet, have allowed easier access to electronic information
- Electronic information is now pervasive, if not vital, for the essential operation of a modern-day organisation
- IT departments have increasing accountability for the integrity and consistency of information within the organisation
- To secure information effectively, it needs to be secured from all perceivable threats
Protection of Electronic Information
- From unauthorised access
- From unauthorised use and disclosure
- From interception
- From piracy and copying
- From unauthorised modification (alteration, deletion or addition)
Impact of the Misuse of Electronically Stored Information
- Has a range of consequences that depend on the sensitivity and nature of the information
- Cybercrime
Protection of Electronic Information
- Using technical and physical means and security standards
Protection of Electronic Information
- Using the regulatory framework
Protection of Electronic Information
- Using privacy laws
- Using technical and physical means
- Using common law
- Using copyright and other IP laws
- Using cybercrime, telecommunications interception and spam laws
Security Regulatory Framework
There is no global 'Law of Cyberspace' or 'Law of the Internet'; however, in Australia there are a number of specific laws that apply:
- Cybercrime Act 2001 (Cth)
- Telecommunications (Interception) Act 1979 (Cth)
- Spam Act 2003
- Privacy Act 1988 and Privacy Amendment (Private Sector) Act 2000 (Cth)
- Electronic Transactions Acts
- Copyright Amendment (Digital Agenda) Act 2000 (Cth): intellectual property
Cybercrime Legislation
- There are at least 13 Federal Acts which have some relevance to cybercrime
- States and territories have their own legislation, which is not uniform either in offence provisions or in penalties
- The State and Territory offences apply within each jurisdiction, while Commonwealth offences target unlawful access to Commonwealth computers and data, and offences committed using a telecommunications service or carrier
- The main legislation includes the Cybercrime Act 2001 (Federal) and the Crimes Amendment (Computer Offences) Act 2001 (NSW)
Cybercrime Legislation
Generally, the Australian provisions make it an offence for a person to do or attempt to do the following:
- unauthorised access to a computer system
- unauthorised access to or modification of data
- impairment of electronic data and communication
- impeding access to computers; and
- possession of data with intent to commit a serious offence
Spam Act 2003
- The Australian Spam Act 2003 came into effect on 11 April
- An article covering "The impact of Australia's anti-spam legislation" is available from the ZDNet website at http://www.zdnet.com.au/insight/business/0,39023749,39116020,00.htm
Privacy Regulatory Landscape
The privacy regulatory landscape in Australia presents a fractured and imperfect picture. It is a mixture of:
- Legislation, e.g. the Privacy Act 1988 (Cth) and the Privacy Amendment (Private Sector) Act 2000 (Cth)
- Equitable and common law duties regarding confidential information
- State privacy legislation (State laws) and health privacy laws
- Security and information management standards and practices
- Other codes of conduct, industry standards and guidelines
Australian Federal Privacy Laws
- The Privacy Act 1988 (Cth) sets out 11 Information Privacy Principles (IPPs) that protect the privacy of persons dealing with the Federal Government
- It has also been extended to regulate the way private sector organisations can collect, use, keep secure and disclose personal information, whether stored electronically or not
- It only protects "Personal Information" and NOT commercial information
Australia-wide Private Sector Privacy Laws
There are 10 National Privacy Principles (NPPs) applying in the private sector:
- NPP 1: collection, the purpose of collection, and that the person can get access to their personal information
- NPP 2: the use and disclosure of personal information
- NPP 3: data quality
- NPP 4: data security; reasonable steps must be taken to protect personal information from misuse and loss and from unauthorised access, modification or disclosure
- NPP 5: openness
- NPP 6: access and correction
- NPP 7: prohibits the use of Federal government identifiers in the private sector, e.g. Tax File Number
- NPP 8: anonymity
- NPP 9: the transfer of data to another country
- NPP 10: the use and disclosure of sensitive information (about an individual's racial origin, political or religious beliefs, health, membership etc.)
Australia-wide Private Sector Privacy Laws
The following are more pertinent to the "Protection of Electronic Information":
- NPP 2: the use and disclosure of personal information
- NPP 4: data security; reasonable steps must be taken to protect personal information from misuse and loss and from unauthorised access, modification or disclosure
- NPP 7: prohibits the use of Federal government identifiers in the private sector, e.g. Tax File Number
- NPP 9: the transfer of data to another country
- NPP 10: the use and disclosure of sensitive information (about an individual's racial origin, political or religious beliefs, health, membership etc.)
Cross-border issues
- Different levels of data privacy laws worldwide challenge trans-border data flow across countries
- Lack of consistency in privacy laws worldwide makes monitoring compliance and assessing risk difficult and expensive
- Privacy Act 1988 National Privacy Principle (NPP) 9 (Transborder Data Flows) regulates transfers of personal information by an organisation to an offshore location, permitting such transfers if:
  - the organisation reasonably believes that the recipient is subject to a law, scheme or contract which upholds similar principles
  - the individual consents to the transfer
  - the transfer is necessary for the performance of the contract between the individual and the organisation, or is for the benefit of the individual
Cross-border issues
- In a dispute or a conflict situation, which country's court system will settle the dispute?
- Location of servers could trigger local laws even when neither the cloud provider nor the customer is present in the locality
- Local laws may override contractual agreements between cloud providers and customers
- Location of servers may not be apparent from the provider's terms of service
- Consider the situation where data may be stored in multiple locations (countries) at the same time
- When do conflicts of laws occur?
Cross-border issues
Data stored in the U.S. is subject to U.S. law, for example:
- US Patriot Act: the US government's authority extends to compelling disclosure of records held by cloud providers
- Mutual Assistance Treaty between the US and Australia: allows the respective law enforcement agencies to gain access to data in the other jurisdiction in certain circumstances
Cross-border issues
- Jurisdiction is dependent on the sovereignty of a government
- The concept of jurisdiction evolved in relation to geographical boundaries or territories
- Premise that each state or country has absolute power to control persons and things located within its boundaries or territories
- The Internet challenges these territorially based principles
- The law in regard to jurisdiction in cyberspace is unsettled
Cross Border Jurisdiction Issues
Consider a case scenario (diagram: customer and user in one location; server breached and compromised in another):
- Identifying the location of the offence/breach
- Identifying the location where the harm resulted (e.g. victim's location or computer's location)
- Deciding which sovereign nation and court should have jurisdiction over the dispute
Cross-border issues
In order for a court to adjudicate in a case, the court must have authority over:
- the subject matter in dispute (subject matter jurisdiction); and
- the parties before the court (personal jurisdiction)
Security Regulatory Framework for the Cloud
Legal requirements for organisations to consider:
- Have you reviewed your corporate governance and industry regulation requirements?
- Are you able to comply with mandatory disclosures and financial reporting?
- Are there special standards and compliance requirements for your industry?
- Can you comply with data retention requirements and eDiscovery requests during litigation?
- The burden is on you to understand your compliance obligations
Security Regulatory Framework for the Cloud
Example of a regulated industry:
- Financial services companies must first notify the Australian Prudential Regulation Authority (APRA) of offshore data transfers
- Financial services companies must demonstrate appropriate risk management and governance procedures where there is potential to compromise:
  - a financial institution's ability to continue operations and meet core obligations following a loss of cloud computing services
  - confidentiality and integrity of sensitive (e.g. customer) data/information
  - compliance with legislative and prudential requirements
Privacy and security
- Businesses are ultimately responsible for the protection of data/information that is stored and/or processed in the cloud
- Management must maintain assurance that the security of the cloud service provider is adequate for their purpose
- Privacy Act 1988 National Privacy Principle 4 (Data Security) provides that an organisation must "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure"
Privacy and security
Not all types of cloud services raise the same privacy and confidentiality risks:
- Review your supplier's security policies and procedures: do they meet your requirements?
- Evaluate the risks
- Risks vary with the terms of service and privacy policy established by your provider
- Can your cloud provider change the terms and policies at will?
- Do you have to comply with privacy legislation restricting processing and transfer of data offshore?
- Should your agreement restrict services and data storage to agreed locations?
- What are the rights of the supplier to operate in other locations?
- Define the scope of your confidential information, which will vary depending on the nature of your business
Privacy and security
Things to consider:
- Whose privacy policy will apply at different stages of the data transfer?
- What security mechanisms are in place to manage data transfers between parties?
- What are the consequences of security and privacy breaches?
- How will you know if there is a breach?
- Is your cloud service provider required to provide assistance in the investigation of security breaches?
- Is there an audit trail for data?
Privacy and security: Privacy Reform
The Privacy Act 1988 is being modernised to strengthen Australia's privacy protection:
- 2008: ALRC report released, For Your Information: Australian Privacy Law and Practice
- 2009: Government released its position on 197 of the ALRC's recommendations, including:
  - develop a single set of National Privacy Principles
  - strengthen and clarify the Privacy Commissioner's powers and functions
- 2010: exposure draft of the new Privacy Act released by the Government
Conclusion
- There is no one-size-fits-all for cloud computing; the laws are unsettled
- Not all cloud services are created equal and not all cloud services should be subject to the same terms
- Few legal precedents exist regarding liability in the cloud
- Undertake due diligence: you need to fully understand the risks associated with cloud computing and adopt a risk-mitigation approach to cloud adoption
- Service agreements need to specify those areas the cloud provider is responsible for
- Read the fine print of the cloud computing agreement carefully
- Specify locations for data storage and processing, and know the governing law of the cloud computing agreement
Conclusion
- Ensure flexibility and additional rights, even if you have to pay for them, as your use of cloud services and your sophistication are likely to grow
- Clarify with your cloud service provider matters pertaining to ownership of data stored at the provider's facilities and responsibilities in relation to security and service availability
- The cloud computing industry needs to adopt more transparent and clearer policies and practices, so users are better able to gauge their risk comfort level
- For those risks that cannot be addressed by changes in policies and practices, changes in laws may be appropriate
Thank You
"A global approach is the only way to deal with the Internet"
Francis Gurry, Head of the World Intellectual Property Organisation (WIPO)
... and so for Cloud Computing
Source: "IP's new role in the knowledge economy", Asia Today International, April/May 2011
www.acs.org.au
[email_address]
www.linkedin.com/in/wonganthony
This short presentation only covers the main legal issues. In no way does the author wish to imply that the areas presented are the only ones worthy of consideration. Since every cloud service is different, readers should seek their own legal advice on matters specific to their circumstances. The views in this presentation are those of the author and not of the ACS.

Security Regulatory Framework

  • 1. Anthony Wong MACS CP President, Australian Computer Society Chief Executive, AGW Consulting
  • 2. About Australian Computer Society (ACS) Founded in 1966, over 19,000 members The recognised association for those working in ICT in Australia ACS is a strong advocate on advancement of professional excellence of ICT, skills and its proper use The ACS plays an active role in developing Australia’s ICT workforce ensuring it stays highly skilled and globally competitive by: Certifying ICT professionals Accrediting Australia’s University ICT courses Developing world-class post graduate education Providing professional development and networking opportunities to members Conducting research and policy development
  • 3. Cloud Computing Potential to transform the way we live, work and interact Shapes the ICT sector and the way enterprises provide and use IT services Helps to level the playing field by minimising up-front investment in technology Changes business agility through “pay-as-you-use” for access to bandwidth and technology functionality
  • 4. Examples of Cloud Computing Source: NBN Co
  • 5. Reasons for adopting cloud computing Outsource services to cloud suppliers Ability to up and down scale when required Reduction of internal technical support constraints Outsource technical management Provide more options and flexibility Deployment and adoption of new technologies Access to special expertise Desire to reduce costs
  • 6. Security Regulatory Framework of Cloud Computing Cloud computing as a new sourcing and delivery model, shares many common legal issues with existing delivery models, but poses new legal challenges: Recent Security Incidents Data protection, rights and usage Protection of Electronic Information Security Regulatory Framework including Cybercrime Privacy and security Cross-border issues
  • 7. Recent Security Incidents
  • 8. Phone-hacking scandal The 168 year history of the British tabloid News of the World has ended with a phone-hacking scandal that has shocked even the most hardened of media analysts Prime Minister David Cameron hinted that more heads would roll, saying that there had been “some illegal and utterly unacceptable practices at the News of the World and possibly elsewhere” Alleged that employees routinely made payments to police officers, believed to total more than £100,000 ($A148,000) for information SMH Raphael Satter July 10, 2011
  • 9. Phone-hacking scandal News Corp and directors could facing prosecution under Regulation of Investigatory Powers Act 2000 (UK), which outlaws interception of communications where the offence was committed with their “consent or connivance” or was “attributable to any neglect on their part” SMH Dominic Rushe and Jill Treanor July 10, 2011
  • 10. Telecommunications not to be intercepted Section 7(1) Telecommunications (Interception) Act 1979 (Cth): A person shall not: intercept; authorize, suffer or permit another person to intercept; or do any act or thing that will enable him or her or another person to intercept; a communication passing over a telecommunications system
  • 11. Distribute.IT hacked In June 2011 cyber-attack on and subsequent collapse of Melbourne hosting company, Distribute.IT Hacker disabled and permanently wiped the contents of four key servers Customers lost several years of transactional and customer information since they were backups of data Concept of legal responsibility in the law of negligence may develop to new social conditions and standards
  • 12. Half of second-hand mobile phones contain personal data Private personal data remains on discarded mobile phones, with intimate photos and credit card numbers and pins Half of 50 handsets bought from second-hand resellers on eBay contained personal messages or photos, according to exclusive research from the mobile and forensics experts Disklabs "Data is more portable, more accessible, more widely disseminated and more numerous than ever before," said Ferguson. "We tend to place our faith in the technology that we use to access our data, we believe that when we hit delete the data is gone, and we believe that if we restrict the audience we share with that the data will not go any further. These beliefs are often misplaced - as that story testifies." SMH October 13, 2010 - 11:56AM
  • 14. Legal risk and admissibility of electronic documents and records critical to establish a thorough records management system necessary to provide documentary evidence if there is a business dispute also to satisfy statutory requirements regarding the retention of records are electronic documents sufficient?
  • 15. Section 48 Australian Evidence Act 1995 (Cth) –original document rule (Best Evidence Rule) abolished and copies are as good as the originals but must keep evidence of integrity of process used to produce the copy Best Evidence Rule expunged in Federal, ACT, Tasmania, Victoria and NSW Generally, Australian Electronic Transactions Act 1999 (Cth) production of documents– Section 11 Requirement to produce a document is met if the person produces an electronic form of the document provided the conditions that a reliable means of assuring the integrity and ready accessibility and useability for subsequent reference are met Electronic Evidence
  • 16. Canberra on alert for WikiLeaks. WikiLeaks to release classified diplomatic cables; leak will include millions of classified documents; cables could be about the war in Iraq and Guantanamo; Saudi king urged US to attack Iran; WikiLeaks reveals Iraqi torture, deaths; WikiLeaks: China directed Google hacking. The Australian, November 26, 2010
  • 17. Sony PlayStation Network user data stolen. 77 million electronic records were compromised from Sony Electronics' PlayStation Network between April 17 and April 19, 2011. The breached accounts contained names, addresses, email addresses, birthdates, usernames, passwords, logins, security questions and other personal data. Credit card details were encrypted, but the personal data was not.
  • 18. Other Recent Social Media controversies: collection and use of private data by corporations like Google and Facebook; increasing public concern about changes to Facebook's privacy settings, which make it difficult for users to put limits on how far the information they upload is shared; Google's collection of wireless connection data gathered while compiling images for its Street View service; government plans to monitor web users' internet communications.
  • 19. Data protection, rights and usage. Monetisation of data assets: is this the new currency of the future? Customer participation and information/data are valuable assets, for example: the recent sale of Skype (400+ million users) for $8.5 billion; the doubling of LinkedIn's (100+ million members) share price; successful business models including Facebook and other social media companies.
  • 20. Protection of Electronic Information. The increased efficiency and capacity of computers, and the interconnectivity of computer systems (especially via the Internet), have allowed easier access to electronic information. Electronic information is now pervasive, if not vital, for the essential operation of a modern-day organisation. IT departments have increasing accountability for the integrity and consistency of information within the organisation. To secure information effectively, it needs to be secured from all perceivable threats.
  • 21. Protection of Electronic Information: from unauthorised access; from unauthorised use and disclosure; from interception; from piracy and copying; from unauthorised modification (alteration, deletion or addition).
  • 22. Impact of the Misuse of Electronically Stored Information Has a range of consequences that depends on the sensitivity and nature of the information Cybercrime
  • 23. Protection of Electronic Information Using Technical & Physical Means & Security Standards
  • 24. Protection of Electronic Information Using Regulatory Framework
  • 25. Protection of Electronic Information: using privacy laws; using technical and physical means; using common law; using copyright and other IP laws; using cybercrime, telecommunication interception and spam laws.
  • 26. Security Regulatory Framework. There is no global 'Law of Cyberspace' or 'Law of the Internet'; however, in Australia there are a number of specific laws that apply: Cybercrime Act 2001 (Cth); Telecommunications (Interception) Act 1979 (Cth); Spam Act 2003; Privacy Act 1988 and Privacy Amendment (Private Sector) Act 2000 (Cth); Electronic Transactions Acts; Copyright Amendment (Digital Agenda) Act 2000 (Cth) - intellectual property.
  • 27. Cybercrime Legislation There are at least 13 Federal Acts which have some relevance to cybercrime States and territories have their own legislation which is not uniform, either in offence provision or in penalties The State and Territory offences apply within each jurisdiction and Commonwealth offences target unlawful access to Commonwealth computers and data, and offences committed using a telecommunications service or carrier The main legislation includes Cybercrime Act 2001 (Federal) and Crimes Amendment (Computer Offences) Act 2001 (NSW)
  • 28. Cybercrime Legislation. Generally, the Australian provisions make it an offence for a person to do or attempt to do the following: unauthorised access to a computer system; unauthorised access to or modification of data; impairment of electronic data and communication; impeding access to computers; and possession of data with intent to commit a serious offence.
  • 29. Spam Act 2003 Australian Spam Act 2003 came into effect 11 April An article covering “The impact of Australia's anti-spam legislation” is available from the ZDnet website on http://www.zdnet.com.au/insight/business/0,39023749,39116020,00.htm
  • 30. Privacy Regulatory landscape. The privacy regulatory landscape in Australia presents a fractured and imperfect picture. It is a mixture of: legislation, e.g. the Privacy Act 1988 (Cth) and the Privacy Amendment (Private Sector) Act 2000 (Cth); equitable and common law duties regarding confidential information; State privacy legislation (State laws) and health privacy laws; security and information management standards and practices; other codes of conduct, industry standards and guidelines.
  • 31. Australian Federal Privacy Laws. The Privacy Act 1988 (Cth) sets out 11 Information Privacy Principles (IPPs), which protect the privacy of persons dealing with the Federal Government. It has also been extended to regulate the way private sector organisations can collect, use, keep secure and disclose personal information, whether stored electronically or not. It only protects "Personal Information" and NOT commercial information.
  • 32. Australian wide Private Sector Privacy Laws. There are 10 National Privacy Principles (NPPs) applying in the private sector: NPP 1 - collection, the purpose of collection, and that the person can get access to their personal information; NPP 2 - the use and disclosure of personal information; NPP 3 - data quality; NPP 4 - data security, requiring reasonable steps to protect personal information from misuse and loss and from unauthorised access, modification or disclosure; NPP 5 - openness; NPP 6 - access and correction; NPP 7 - prohibits the use of Federal government identifiers in the private sector, e.g. the Tax File Number; NPP 8 - anonymity; NPP 9 - the transfer of data to another country; NPP 10 - the use and disclosure of sensitive information (about an individual's racial origin, political or religious beliefs, health, memberships etc.).
  • 33. Australian wide Private Sector Privacy Laws. The following are more pertinent to the "Protection of Electronic Information": NPP 2 - the use and disclosure of personal information; NPP 4 - data security, requiring reasonable steps to protect personal information from misuse and loss and from unauthorised access, modification or disclosure; NPP 7 - prohibits the use of Federal government identifiers in the private sector, e.g. the Tax File Number; NPP 9 - the transfer of data to another country; NPP 10 - the use and disclosure of sensitive information (about an individual's racial origin, political or religious beliefs, health, memberships etc.).
  • 34. Cross-border issues. Differing levels of data privacy law worldwide challenge trans-border data flow across countries. The lack of consistency in privacy laws worldwide makes monitoring compliance and assessing risk difficult and expensive. Privacy Act 1988 National Privacy Principle (NPP) 9 (Transborder Data Flows) regulates transfers of personal information by an organisation to an offshore location by permitting such transfers if: the organisation reasonably believes that the recipient is subject to a law, scheme or contract which upholds similar principles; the individual consents to the transfer; or the transfer is necessary for the performance of the contract between the individual and the organisation, or is for the benefit of the individual.
  • 35. Cross-border issues. In a dispute or a conflict situation, which country's court system will settle the dispute? The location of servers could trigger local laws even when neither the cloud provider nor the customer is present in that locality. Local laws may override contractual agreements between cloud providers and customers. The location of servers may not be apparent from the provider's terms of service. Consider the situation where data may be stored in multiple locations (countries) at the same time: when do conflicts of laws occur?
  • 36. Cross-border issues Data stored in the U.S. is subject to U.S. law, for example: US Patriot Act – US government’s authority extends to compel disclosure of records held by cloud providers Mutual Assistance Treaty between US and Australia allows respective law enforcement agencies to gain access to data in the other jurisdiction in certain circumstances
  • 37. Cross-border issues Jurisdiction is dependent on the sovereignty of a government Concept of jurisdiction evolved in relation to geographical boundaries or territories Premise that each state or country has absolute power to control persons and things located within its boundaries or territories Internet challenges these territorially based principles The law in regards to jurisdiction in cyberspace is unsettled
  • 38. Consider Case Scenario: identifying the location of the offence/breach; identifying the location where the harm resulted (e.g. the victim's location or the computer's location); deciding which sovereign nation and court should have jurisdiction over the dispute. [Diagram: Cross Border Jurisdiction Issues - "Customer and User" and "Server breached & compromised" in different jurisdictions]
  • 39. Cross-border issues. In order for a court to adjudicate in a case, the court must have authority over: the subject matter in dispute (subject matter jurisdiction); and the parties before the court (personal jurisdiction).
  • 40. Security Regulatory Framework for the Cloud. Legal requirements for organisations to consider: Have you reviewed your corporate governance and industry regulation requirements? Are you able to comply with mandatory disclosures and financial reporting? Are there special standards and compliance requirements for your industry? Can you comply with data retention requirements and eDiscovery requests during litigation? The burden is on you to understand your compliance obligations.
  • 41. Security Regulatory Framework for the Cloud. Example of a regulated industry: financial services companies must first notify the Australian Prudential Regulation Authority (APRA) of an offshore data transfer. Financial services companies must demonstrate appropriate risk management and governance procedures where there is potential to compromise: a financial institution's ability to continue operations and meet core obligations following a loss of cloud computing services; the confidentiality and integrity of sensitive (e.g. customer) data/information; compliance with legislative and prudential requirements.
  • 42. Privacy and security Businesses are ultimately responsible for the protection of data/information that is stored and/or processed in the cloud Management must maintain assurance that the security of the cloud service provider is adequate for their purpose: Privacy Act 1988 National Privacy Principle 4 (Data Security) provides that an organisation must "take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure”
  • 43. Privacy and security. Not all types of cloud services raise the same privacy and confidentiality risks: Review your supplier's security policies and procedures - do they meet your requirements? Evaluate the risks; risks vary with the terms of service and privacy policy established by your provider. Can your cloud provider change the terms and policies at will? Do you have to comply with privacy legislation restricting processing and transfer of data offshore? Should your agreement restrict services and data storage to agreed locations? What are the rights of the supplier to operate in other locations? Define the scope of your confidential information, which will vary depending on the nature of your business.
  • 44. Privacy and security Things to consider: Whose privacy policy will apply at different stages of the data transfer? What security mechanisms are in place to manage data transfers between parties? What are the consequences of security and privacy breaches? How will you know if there is a breach? Is your cloud service provider required to provide assistance in the investigation of security breaches? Is there an audit trail for data?
  • 45. Privacy and security: Privacy Reform. The Privacy Act 1988 is being modernised to strengthen Australia's privacy protection. 2008: ALRC report released, For Your Information: Australian Privacy Law and Practice. 2009: the Government released its position on 197 of the ALRC's recommendations, including: develop a single set of National Privacy Principles; strengthen and clarify the Privacy Commissioner's powers and functions. 2010: an exposure draft of the new Privacy Act was released by the Government.
  • 46. Conclusion There is no one size fits all for cloud computing - laws are unsettled Not all cloud services are created equal and not all cloud services should be subject to the same terms Few legal precedents regarding liability in the cloud Undertake due diligence as you need to fully understand the risks associated with cloud computing and adopt a risk-mitigation approach to cloud adoption Service agreements need to specify those areas the cloud provider is responsible for Read the fine print of the cloud computing agreement carefully Specify locations for data storage and processing - know the governing law of the cloud computing agreement
  • 47. Conclusion. Ensure flexibility and additional rights, even if you have to pay for them, as your use of cloud services and your sophistication are likely to grow. You need to clarify with your cloud service provider matters pertaining to ownership of data stored at your provider's facilities and responsibilities in relation to security and service availability. The cloud computing industry needs to adopt more transparent and clearer policies and practices, so users are better able to gauge their risk comfort level. For those risks that cannot be addressed by changes in policies and practices, changes in laws may be appropriate.
  • 48. Thank You. "A global approach is the only way to deal with the Internet" - Francis Gurry, Head of the World Intellectual Property Organisation (WIPO) - and so for Cloud Computing… Source: "IP's new role in the knowledge economy", Asia Today International, April/May 2011. www.acs.org.au [email_address] www.linkedin.com/in/wonganthony This short presentation only covers the main legal issues. In no way does the author wish to imply that the areas presented are the only ones worthy of consideration. Since every cloud service is different, readers should seek their own legal advice on matters specific to their circumstances. The views in this presentation are those of the author and not of the ACS.

Editor's Notes

  • #4: Of all the trends currently shaping the ICT sector, Cloud Computing has the greatest potential to change the way we live, work and interact. Before, it was only the largest corporations or government agencies that could afford high performance infrastructure or sophisticated applications. Now, we can exploit a wide range of online functionality; academics and researchers can access the platforms they need to perform highly complex computations; and companies of all sizes can utilise systems and platforms in a cost effective manner.
  • #16: Requirement to produce a document. (1) If, under a law of the Commonwealth, a person is required to produce a document that is in the form of paper, an article or other material, that requirement is taken to have been met if the person produces, by means of an electronic communication, an electronic form of the document, where: (a) in all cases--having regard to all the relevant circumstances at the time of the communication, the method of generating the electronic form of the document provided a reliable means of assuring the maintenance of the integrity of the information contained in the document; and (b) in all cases--at the time the communication was sent, it was reasonable to expect that the information contained in the electronic form of the document would be readily accessible so as to be useable for subsequent reference; and (c) if the document is required to be produced to a Commonwealth entity, or to a person acting on behalf of a Commonwealth entity, and the entity requires that an electronic form of the document be produced, in accordance with particular information technology requirements, by means of a particular kind of electronic communication--the entity's requirement has been met; and (d) if the document is required to be produced to a Commonwealth entity, or to a person acting on behalf of a Commonwealth entity, and the entity requires that particular action be taken by way of verifying the receipt of the document--the entity's requirement has been met; and (e) if the document is required to be produced to a person who is neither a Commonwealth entity nor a person acting on behalf of a Commonwealth entity--the person to whom the document is required to be produced consents to the production, by means of an electronic communication, of an electronic form of the document.
  • #20: Microsoft will buy internet phone service Skype for the grand total of US$8.5 billion. Buying Skype gives Microsoft access to a user base of people who log in to Skype every month, using the Internet and Skype usernames as a complement to the traditional phone network and its phone numbers. Shares of social network LinkedIn more than doubled in price after launching on the New York Stock Exchange in a tech stock feeding frenzy reminiscent of the infamous dot-com boom. Shares of the online professional social networking company closed at $US94.25, 109 per cent above their $US45 initial public offering price. They rose as high as $US121.97 in their first day of trading. LinkedIn brings together people online to cultivate and manage their careers and business networks. It has more than 100 million members in over 200 countries and territories, with 44 million in the United States. - SMH May 20, 2011
  • #27: Our laws today are essentially geographical and tied to national interests and boundaries
  • #35: Given that the internet is not bound by geographical boundaries, the issue of offshore transfers of personal information has special relevance to cloud computing. The EU Data Protection Directive generally restricts the transfer of personal data to a country outside the European Union (EU) unless certain requirements are met: the other country ensures an 'adequate' level of data protection; the parties have an appropriate contractual relationship; or the individual has given consent. The Australian Privacy Act does not meet the EU "adequate level of protection" standard, primarily because of the small business, employee records and direct marketing exceptions. The European Union's Data Protection Directive offers an example of the importance of location on legal rights and obligations.
  • #36: Data is never anywhere, but always somewhere
  • #37: Complexity arises where "data is in motion" as it winds its way across the internet, transitioning through a number of servers located in different countries - which countries' laws apply? Conflicts of laws may occur.
  • #42: Risk assessment includes: the specific arrangements underlying the services offered; the service provider; the location from which the services are to be provided; the criticality and sensitivity of the IT assets involved. Also, as an example, the Commonwealth of Australia Government Contract for IT Services expressly prohibits suppliers from transmitting or storing their customer data outside of Australia.
  • #46: Draft revised privacy legislation. The Australian Government's draft legislative changes, reflecting its response to the ALRC's privacy inquiry, are currently being considered by the Senate Finance and Public Administration Committee with a final reporting date of 1 July 2011. The draft legislation is to be released and subject to the Committee's scrutiny in 4 stages: the Australian Privacy Principles provisions (released June 2010); credit reporting provisions; health and research provisions; provisions relating to the privacy powers of the Australian Information Commissioner.
  • #49: Cover Report “Protecting the Brand …” "IP's new role in the knowledge economy“ Asia Today International April/May 2011