New Australian Privacy Principles.
Not that I'm in Australia at present, but I'm keeping an eye on things at home. Here is a nice little article from CSO.com.au on the ICT Security Controls Required by the Australian Privacy Principles.
So it looks like Australia may finally have a data breach notification law. It was back in 2011 when the Government started really discussing this again, and at that time I wrote a little about it and posted links to an interesting point/counterpoint as to whether these laws work. While I think the jury may still be out, I hope some law is better than no law and that at the very least we get something reasonable that makes sense.
(am I setting the bar too high here?)
At the same time "China" is reported to have hacked the Australian Government, including stealing plans for the new ASIO Headquarters - but it seems we forgive them, so all is OK.
I wonder if/what the Government would have to report if the new laws were in place already?
Privacy is getting more and more attention in Australia, with the Privacy Commissioner recently stating:
"Information security is clearly a significant privacy issue and has emerged as a major challenge for us all. These incidents tell us that 'privacy by design' is essential. Organisations need to build privacy into business as usual practices and new projects"
The Australian Attorney-General's office has released the long-awaited Australian Privacy Breach Notification discussion paper [pdf]
It seems to be generating interesting discussion both for and against.
I have commented previously on data breach legislation and haven't really changed my view. The only thing I'd add is that maybe the 'public shaming' fallout isn't as bad as it used to be, simply as the result of so many companies being hacked.
It is interesting that Information Security is back on the political agenda in Australia, as it is in the United States with President Obama considering using an executive order to reinstate the "Cybersecurity" bill that was previously defeated in the US Senate. Probably not surprising though, as it is an election year...
I haven't read the AG's discussion paper in detail yet, but will hopefully get to it this weekend and provide my thoughts.
I've been quiet on the blog since relocating to Japan, and had started a bunch of posts that I never finished. Rather than finish them all, I'm going to start recapping on the stuff I found interesting over the last few months, and then move on to hopefully a more regular schedule.
It looks like data breach notification laws are back on the radar here in Australia. 2011, 'the year of the high-profile hack' has brought the need to better protect customer/consumer data back into sharp focus for our politicians.
Personally I think this is a good thing, at least in principle. How it works out in practice will depend, as always, on the details.
Other parts of the world have had data breach notification laws for some time now, and some research [pdf] has shown their impact to be limited. Security guru Bruce Schneier wrote an essay on the effect of the laws back in 2009 (and Marcus Ranum's counterpoints are here), and despite admitting that the effect may have been minimal, he believes the laws are a step in the right direction. As Bruce put it: "The laws rely on public shaming. It's embarrassing to have to admit to a data breach, and companies should be willing to spend to avoid this PR expense".
In the aftermath of the "Sownage" of earlier this year, I imagine more than one company began a security review to avoid that exact PR nightmare.
While doing some recent reading on Digital Forensics I came across a particularly interesting older case where a Russian hacker was caught by the FBI and charged with computer intrusion and fraud. While this doesn't sound like anything too out of the ordinary, what caught my attention was some of the details.
The FBI alleged that Ivanov and other international hackers gained unauthorized access into computers at CTS Network Services (an ISP) and used them to attack other e-commerce companies, including two credit card processors, where he stole customer financial information and used this information in the usual fraud schemes. Nothing too out of the ordinary so far.
Once the FBI had identified their culprit, in order to make the arrest they lured him and an accomplice to the US on the premise of offering a job as an IT security consultant. When the pair arrived, the FBI had them remotely connect to their machines back in Russia as a demonstration of their skills for the new prospective employer. But not all was as it seemed, as the FBI were keylogging the machines the Russians used in the US and used these captured credentials to connect to the Russian computers and extract the evidence they needed (without a search warrant) to prosecute Ivanov and his accomplice.
Do the ends justify the means? The Russian Federal Security Service, or FSB, didn't think so, and started criminal proceedings against the FBI Agents for unauthorized access to computer information. Meanwhile back in the States, the Agents involved were awarded the director's award for excellence as the case was the first in the bureau's history to "utilize the technique of extra-territorial seizure."
The assistant US District Attorney commented that he "wouldn't call it hacking" when discussing the Agents' actions, and a federal judge agreed, rejecting motions filed that sought to suppress the evidence obtained from the computers, with Ivanov eventually being sentenced to three years in prison.
Do, in this case, the ends justify the means? Or is it simply the beginning of a slippery slope allowing state-sanctioned hacking in the name of justice?
This case is an older one and was 'pre-9/11', so I wonder what effect the PATRIOT Act has had in the intervening years...
Back in Feb I mentioned a Book I'd come across: Information Security: Managing the Legal Risks by Nick Gifford.
Recently Nick gave a great presentation at the AISA Risk Management Special Interest Group (RMSIG) in Sydney.
Some of the points that came out of his presentation that I found rather interesting follow:
"The Rule specifies that what is 'reasonable' will depend on the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information at issue. This standard recognizes that there cannot be 'perfect' security, and that data breaches can occur despite the maintenance of reasonable precautions to prevent them."
The formal acknowledgement that "perfect" security cannot exist from someone outside of IT is interesting to see.
I recently picked up a copy of Information Security: Managing the Legal Risks by Nick Gifford. What caught my attention is that it is written from an Australian point of view, which seems rare as most books that deal with the legal aspects of InfoSec are heavily US-centric.
I'll post a review once I have a chance to have a good read.
Disclaimer: The views and opinions expressed here are those of the authors only and in no way represent the views, positions, or opinions of any previous, current, or future employers, clients, or associates.