
Shout outs

A couple of plugs for blogs of friends:

Fellow AISA member Steven Atcheson has recently started his own Information Security-related blog called 'Keeping it Simple'.

Another friend, Tim Davoren of ENSTOR, also has a blog, largely based around storage, backup and disaster recovery, called Dav's Disorder.

InfoSec Legal Risks II

Back in Feb I mentioned a book I'd come across: Information Security: Managing the Legal Risks by Nick Gifford.

Recently Nick gave a great presentation at the AISA Risk Management Special Interest Group (RMSIG) in Sydney.

Some of the points that came out of his presentation** that I found rather interesting follow:

  • Most InfoSec-related cases are brought under the tort of negligence
  • Damages cannot be recovered under negligence for pure economic loss
  • No cases have yet been tried in Australia under the tort of negligence for InfoSec breaches ~ although cases have been settled before going to court
  • The highest privacy breach payout in Australia is around $8000 ~ leaving privacy breaches more damaging to reputation than financially (barring lost revenue from reputational damage, of course!)
  • The Trade Practices Act Section 52 is the key area to pay attention to for Australian InfoSec professionals when assessing legal liability ~ it has fewer hurdles than proving negligence and can be 'creatively' applied by the courts.
  • The ALRC has recommended a new tort of "serious invasion of privacy" and recommended compulsory disclosure laws in Australia.
Nick also referenced an interesting quote from the FTC paper on Identity Theft [pdf]:
The Rule specifies that what is “reasonable” will depend on the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information at issue. This standard recognizes that there cannot be “perfect” security, and that data breaches can occur despite the maintenance of reasonable precautions to prevent them
The formal acknowledgement that "perfect" security cannot exist from someone outside of IT is interesting to see.

Nick gave a great talk, and I do recommend his book.

**Any errors or omissions of information in this post are my fault and not Nick's. I am no lawyer! So go seek your legal advice from someone who is!

CERT Australia

Looks like our government has decided to increase its efforts in 'cyber-security' by retiring the old GovCERT and rolling the excellent AusCERT into the new CERT Australia (although they need a snappier name!).

It's encouraging to see the government making an effort to assist and encourage increased information security awareness, amongst both businesses and individuals. I can only hope it all works out better than the National Broadband Network and National Internet Filtering Scheme have so far...

Next week David Campbell, the Director of the Australian Government Computer Emergency Readiness Team, is speaking at the AISA Annual Seminar Day in Sydney, so I'm looking forward to hearing what he has to say about this new body, its mandate and goals.
