Cyber Security - A legal perspective
Anthony Lee
12 March 2014
Transcript of the presentation slides.
OUTLINE
Cyber security in the news
The key legal considerations
On the horizon
IN THE NEWS
Prism, Dishfire and all that
High-profile distributed denial of service (DDoS) attacks
Sony PlayStation platform hacked
LulzSec hackers handed jail sentences
Cybercriminals using botnets to round up fridges
Hacker takes control of a Japanese smart toilet
THE PACE OF CHANGE
Cloud computing
Smart devices
Internet of Things / Machine to Machine (M2M)
THE LINES OF ATTACK
Organised crime
Cyber espionage
Hacktivism (mischievism)
Insider threat
THE KEY LEGAL CONSIDERATIONS
The law will always be playing catch up
Criminal laws
Civil laws
Changes in the pipeline
CRIMINAL LAWS
Computer Misuse Act 1990
Data Protection Act 1998
Fraud Act 2006
CIVIL LAWS
Confidentiality
Human Rights Act 1998
Data Protection Act 1998
Sector specific laws (e.g. financial services, health)
THE DATA PROTECTION ACT 1998
The eight data protection principles
Key definitions
Rights of data subjects
Enforcement / sanctions
THE DATA PROTECTION ACT (CONTINUED)
Data sharing
Data security
Data export
THE EIGHT PRINCIPLES
Personal data must:
Be processed fairly and lawfully (and in accordance with the fair processing conditions)
Be processed only for specified purpose(s)
Be adequate, relevant and not excessive
Be accurate and up to date
Be retained only for so long as is necessary
Be processed in accordance with the data subject’s rights
Be kept secure
Not be transferred outside the EEA unless there is adequate equivalent protection
KEY DEFINITIONS
“data”
“personal data”
“sensitive personal data”
“data controller”
“data processor”
“data subject”
“processing”
PROCESSING INCLUDES
Keeping / storing data
Altering / adapting / combining data
Disclosure of data
Organising data
Retrieving data
Using data
Destroying / erasing data
Blocking data
Obtaining data
RIGHTS OF DATA SUBJECTS
Access to personal data
Stop damaging processing
Stop direct marketing
Object to automatic decisions
Correction / deletion
Compensation from the data controller
Request assessment by the ICO
ENFORCEMENT / SANCTIONS
Information Commissioner’s Office
Enforcement notices
Fines
Criminal offences
Failure to comply is an offence
Other laws / sanctions
DATA SHARING
Data sharing is a form of processing
First principle - process fairly and lawfully
Six conditions
Special conditions for sensitive personal data
Additional laws
DATA SECURITY
Seventh principle
Appropriate technical and organisational measures
Against unauthorised or unlawful processing of personal data
Against accidental loss, destruction of, or damage to, personal data
Arrangements with data processors / sub processors
Prevention is better than a cure
PREVENTION OF SECURITY BREACH
Robust processes and working practices
Security policy and staff training
Tight controls over access
Tracking unusual activity
Due diligence on suppliers / strong contracts
THE CULPRITS
WHAT TO DO IF THERE IS A BREACH OF DATA SECURITY
Notification
Data subjects
ICO
Police
Industry body
Customers
Remedial action
DATA EXPORT
Eighth principle
Must not transfer outside EEA
Unless adequate level of protection in place
Approved countries
Contract / binding corporate rules
USA Safe Harbour / Patriot Act
CLOUD COMPUTING
THE CLOUD
Internet-based IT Services
Contractual arrangements / sub-contractors
Security (Seventh principle)
Location (Eighth principle)
Audit Rights
ACPO GUIDELINES ON DIGITAL EVIDENCE
Principle 1 - do not change data which may be used as evidence in court
Principle 2 - only a competent person should access the original data and give evidence
Principle 3 - maintain a clear audit trail of the processes used to analyse digital evidence
Principle 4 - the person in charge of the investigation has responsibility for ensuring the law and these principles are adhered to
COOKIES
Used by almost all websites
Downloaded onto visitor’s device
Can track habits and preferences
Session cookies / permanent cookies
Third party cookies
Informed consent required
Privacy and Electronic Communications Regulations 2003 (as amended)
WHAT IS ON THE HORIZON?
The draft General Data Protection Regulation
Proposal for a Network and Information Security Directive
Snooping laws and increased police powers
THE DRAFT DATA PROTECTION REGULATION
Heavier burden of compliance on controllers
Statutory obligations on processors
Data is personal if an individual is identifiable by any person (not just the controller), e.g. IP addresses
More onerous obligations in relation to data security (e.g. controller's veto over sub-processing)
Obligation to notify security breaches and inform individuals concerned
THE DRAFT DATA PROTECTION REGULATION
Where consent is required, it must be explicit
Legitimate interests condition preserved, but greater transparency
Regular data protection audits and privacy assessments
Increased fines - a percentage of global turnover
THE PROPOSED CYBER SECURITY DIRECTIVE
Will improve network and information security standards across the EU
Will require notification of potential security risks
Will require notification of actual incidents
Will enable a cooperation network between member states to share information
SQUARING UP TO THE CHALLENGE
The law needs updating
Technology will continue to outpace the law
Cyber security is on the map
Privacy by design
WRAP UP
Keep it secure
Keep it secure
Keep it secure
Thank you
Any questions?