E-Security

By Leif Gamertsfelder, Senior Associate, Deacons
[email protected]
Phone: 02 9330 8448

Introduction

• E-security and liability issues

• Evidence and computer forensic issues

• Extraterritorial issues

E-Security Issues

[Diagram: several manufacturers, each behind its own firewall, connect over the Internet to a service provider, also behind a firewall, that supplies online procurement services to the manufacturers]

E-Security Issues

‒ Cybercrime issues

‒ Corporations Act

‒ Trade Practices Act

‒ Privacy Act

‒ Contract

‒ Negligence

‒ ASX Listing Rule 3.1

‒ Evidence Issues

Proceedings against hackers

• Civil or criminal proceedings can be brought against hackers.

• Possible civil proceedings include actions under contract, privacy, confidentiality or tort (eg, trespass) law.

• Possible criminal actions include the specific computer related offences under Federal or State law.

• Is it worth it?

Proceedings against hackers (cont)

• While it is important to consider each case on its merits to determine whether a hacker should be prosecuted, the matter may be a distraction in the majority of cases.

• Generally, the more important liability issues are a company’s own liability if a hacker penetrates its security architecture, and its ability to recover loss or damage from vendors, its consultants or networked parties.

Proceedings against others

• A company may be able to recover losses from:

– vendors of security products or security services

– consultants

– other companies (eg sharing an extranet link)

• A company’s ability to do so will largely be determined by the contract it enters into with each of these parties and consideration of:

– exclusion clauses

– disclaimers

– limitation of liability

Downstream liability is a more important issue

Proceedings against others (cont)

– warranties/indemnities

– insurance clauses

– the enforceability of these clauses

– the type of obligation that the other company actually assumes, ie:

reasonable steps?

a higher obligation?

what representations were made?

Cybercrime

• New offences relating to propagation of viruses, Denial of Service (DoS), unauthorised access to data etc

• The Criminal Code applies to bodies corporate in addition to individuals

• Fault elements may be attributed to a body corporate:

– intention, knowledge or recklessness

– express, tacit or implied authorisation or permission to commit the offence

– authorisation may be proven where a corporate culture existed within the body corporate that directed, encouraged, tolerated or led to non-compliance with the relevant provision

Cybercrime (cont)

• NB – a ‘corporate culture’ in this context means an attitude, policy, rule, course of conduct or practice existing within the body corporate generally or in the part of the body corporate in which the relevant activities take place

• Possible applicable offences – unauthorised access to data, propagation of viruses

• “Reasonable steps” will be a touchstone in these cases

Corporations Act

• If an e-security breach has occurred due to a failure by a company to take reasonable steps to implement robust e-security architecture, ASIC/shareholders may want to know what steps (if any) the directors took to prevent the breach of network security

• Under the Corporations Act, Directors and officers have a duty to exercise reasonable care and due diligence in exercising their duties (s180)

Business Judgment Rule – s180(2)

Directors or other officers have a defence under the Corporations Act and at common law and in equity where they:

• make the judgment in good faith and for a proper purpose

• do not have a material personal interest in the subject matter of the judgment

• inform themselves about the subject matter of the judgment to the extent they reasonably believe to be appropriate

• rationally believe that the judgment is in the best interests of the corporation

Corporations Act

In order to comply with their obligations under the Corporations Act, directors and officers need to ensure that they take reasonable steps to (among other things):

– familiarise themselves with the general security issues facing the company and the importance of security to business lines

– guide and monitor management in respect of security issues/monitor implementation

– obtain appropriate information to make informed decisions (including the duty to obtain expert advice)

– participate in meetings about security policy/strategy and make informed decisions

– consider ROI issues

Limiting liability – reliance on others

• Directors (not officers) who rely on information or advice given or prepared by:

– an employee whom the director believes on reasonable grounds to be reliable and competent;

– a professional adviser/expert in relation to certain matters;

– another director or officer in relation to certain matters; or

– a committee of directors in relation to certain matters

• will have their reliance on the information taken to be reasonable where the reliance was made in good faith and after making an independent assessment of the information, having regard to the director’s knowledge of the corporation and the complexity of its structure and operations

Limiting liability – delegation (s198D and s190)

• A director is liable for the acts of a delegate unless:

– the director reasonably believed that the delegate would act in accordance with the Corporations Act and the company’s constitution; AND

– the director believed on reasonable grounds, in good faith and after making proper inquiries, that the delegate was a reliable and competent person to discharge the relevant powers

General points

• Directors or officers must make a “judgment”

• “reasonable steps” is the relevant touchstone

• Penalties of up to $200,000, compensation orders and/or disqualification

• Issues are determined on the balance of probabilities

Privacy Act

• From 21 December 2001

• Organisations must take reasonable steps to, among other things, protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure

• Note the possible impact of the TPA in this area

Case Study – Murdoch University

• An offshore (Malaysian) student spoofed an email from one lecturer to another

• The email requested the scripts for an upcoming exam

• Authenticating only on the basis of the email header information, the relevant lecturer sent the exam scripts

• The student shared the information with other students
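The Murdoch failure in code, as an added example that is not part of the presentation: the From: header is written by whoever sends the message, so a check that keys on it accepts a forgery. The stronger check below trusts only an Authentication-Results verdict (RFC 8601) stamped by the organisation's own inbound mail server showing a DKIM pass for the staff domain. Both messages, the host name mx.example.edu and the domain example.edu are constructed placeholders; the policy itself is an assumption of this example, not something described in the case.

```python
"""Added example (not from the presentation): why authenticating a request on
the From: header alone fails, and what a stronger check looks like.

Both messages below are constructed.  Trusting only an Authentication-Results
header stamped by our own MTA (RFC 8601) with dkim=pass for the staff domain
is an assumed local control; host and domain names are placeholders."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.example.edu"   # assumed: our own inbound MTA
STAFF_DOMAIN = "example.edu"            # assumed: the lecturers' mail domain

# Constructed: a forged message whose From: claims to be a colleague.
SPOOFED = """\
Received: from unknown ([203.0.113.7]) by mx.example.edu with SMTP
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=example.edu; dkim=none
From: Dr A Lecturer <a.lecturer@example.edu>
To: b.lecturer@example.edu
Subject: Exam scripts

Could you send me the scripts for next week's exam?
"""

# Constructed: the same text sent through the staff mail system and DKIM-signed.
GENUINE = """\
Received: from mail.example.edu by mx.example.edu with ESMTPS
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dkim=pass header.d=example.edu
From: Dr A Lecturer <a.lecturer@example.edu>
To: b.lecturer@example.edu
Subject: Exam scripts

Could you send me the scripts for next week's exam?
"""


def header_from_domain(msg):
    """Domain of the RFC 5322 From: address (entirely sender-controlled)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def naive_is_internal(raw):
    """The check that failed at Murdoch: believe whatever From: says."""
    return header_from_domain(message_from_string(raw)) == STAFF_DOMAIN


def parse_auth_results(value):
    """Parse an Authentication-Results header value into
    (authserv_id, {method: (result, {property: value})})."""
    authserv, _, rest = value.partition(";")
    results = {}
    for clause in rest.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.partition("=")[::2] for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return authserv.strip().lower(), results


def authenticated_internal(raw):
    """Accept only if From: is internal AND our own MTA recorded a DKIM pass
    for that domain.  Verdicts stamped by any other authserv-id are ignored,
    since a sender can add Authentication-Results headers of their own."""
    msg = message_from_string(raw)
    if header_from_domain(msg) != STAFF_DOMAIN:
        return False
    for value in msg.get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(value)
        if authserv != TRUSTED_AUTHSERV_ID:
            continue
        dkim_result, props = results.get("dkim", ("none", {}))
        if dkim_result == "pass" and props.get("header.d", "").lower() == STAFF_DOMAIN:
            return True
    return False


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(f"{name}: header-only={naive_is_internal(raw)} "
              f"authenticated={authenticated_internal(raw)}")
```

Two caveats for anyone adopting this: the receiving MTA must strip or rename inbound Authentication-Results headers that claim its own authserv-id (RFC 8601 requires this), otherwise the forger simply adds one; and a DKIM pass only proves the staff domain signed the message, not that the named lecturer wrote it, so a request for exam material still warrants confirmation out of band.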

Trade Practices Laws

• A party may sue a company if that company makes a false representation regarding their e-security practices

• Need to look at the relevant provisions of the Commonwealth Trade Practices Act and the Fair Trading Acts of the various states and territories

Trade Practices Laws (cont)

• A party may make a claim for a breach of s 52 in relation to representations a company or its employees have made in relation to the e-security of the company. In limited circumstances a well drafted exclusion clause may protect a company from a s 52 claim

• Where a company makes a general representation about its e-security, a strong defence may be that the company took reasonable steps in light of current industry standards to protect the system from penetration

• Need to ensure tight control over “representations”

Trade Practices Laws (cont)

• In this context two types of cases could arise:

Consumer cases

eg statements about B2C transactions

Corporate cases

eg extranet/VPN/DMZ issues

• NB Important role of s51A here

Case Study – Eli Lilly

Pharmaceutical company collected personal info on its website, including email addresses

Subscribers received individualised medication reminders by email

Eli Lilly decided to cease the reminders and sent a single global notice to all 669 subscribers, exposing every subscriber’s email address to the others

FTC “even the unintentional release of sensitive medical information is a serious breach of consumers’ trust”

Case Study – Eli Lilly

Eli Lilly’s claims of privacy and confidentiality were deceptive because it failed to implement internal measures appropriate under the circumstances, namely:

– no training for employees regarding privacy and information security

– no oversight or assistance provided to the employee who sent out the email

– no appropriate checks or monitoring

The settlement with the FTC contained provisions addressing these flaws in e-security

NB interrelationship with TPA, authentication protocols and internal policies

Case Study – Ziff Davis

• In November 2001, Ziff Davis ran a website promotion offering free subscriptions

• Contestants had to submit name, address, email information and credit card number

• Ziff Davis’ online policy stated that:

“[We] use reasonable precautions to keep the personal information you disclose to both our magazine and website secure and to only release this information to third parties we believe share our commitment to privacy.”

• 12,000 individual records were openly accessible via the internet and credit card details were obtained remotely and used fraudulently

Case Study – Ziff Davis

The Attorneys General of Vermont, New York and California alleged Ziff Davis had breached various laws which prohibit “unlawful, unfair or fraudulent business practices and untrue or misleading advertising” and commenced an investigation

The AGs and Ziff Davis entered into an assurance of discontinuance containing the following core terms:

• pay $500 to each consumer who provided credit card details

• encrypt sensitive data during transmission from consumers

• control file access through user authentication and application controls

• monitor and control service activity

• review applications prior to implementation

• implement risk identification and response protocols

• establish management oversight and employee training programs

Contract

• Entities that have contractual relationships with a company which suffers a breach of computer security may sue for breach of contract if they incur loss or damage as a result

• This will largely depend on the wording of the relevant contract. Need to consider:

– Is there an implied or express e-security clause?

– What obligation was assumed, ie: reasonable steps? a higher obligation?

NB Interrelationship with TPA

Negligence

• If, as a result of a vulnerability in a company’s information system, another party suffers loss or damage, this may give rise to an action in negligence.

• Employers may also be vicariously liable for the security breaches of their employees if those breaches result in loss to a third party.

• For example, assume that a procurement hub is owned and operated by an IT company which has a contract with a service company

E-Security Issues

[Diagram: several manufacturers, each behind its own firewall, connect over the Internet to a service provider, also behind a firewall, that supplies online procurement services to the manufacturers]

Negligence (Cont)

• The service company in turn contracts with 4 major vehicle manufacturers who actually use the procurement hub

• The 4 manufacturers have no direct contractual relationship with the IT company, but may sue under negligence if the procurement hub is hacked due to poor e-security and results in a denial of service

• The 4 manufacturers may suffer huge losses if this causes disruption to their just-in-time production processes

• A strong defence to such claims will be at hand if the IT company took reasonable steps in light of current industry standards to protect the data/system from penetration

ASX listing rules

• Under ASX listing rule 3.1 a listed company has certain reporting obligations – this is a strict obligation

• If a reasonable person would consider the information as having an impact on the share price, the company must disclose the information to the ASX

• Note that recent proposals under CLERP 9 seek to increase continuous disclosure obligations for listed companies. Indeed, one proposal is that market operators should require listed entities to respond to externally generated speculation in circumstances where the operator determines that this is having a significant impact on the market for their securities.

• Criminal and civil penalties apply

Workplace Relations Issues

• An employee cannot be disciplined if doing so would be unjust, unfair or unreasonable

• The employer must also provide a workplace free of harassment etc

• Reasonable steps need to be taken to implement policies, and effective policies must be in place

• Features of an effective policy are as follows:

– clear

– well promulgated (avoid ‘one-shot’ policy launches)

– reissued (eg, incorporated in the logon procedure)

– regularly reviewed and updated

– information/education sessions held on the policy

What are “reasonable steps”?

An objective, floating standard. A court will consider numerous factors including:

– how the organisation stores/holds information

– the size of the organisation

– proportionality to the risks faced by the particular organisation (eg cost/benefit issues)

– the existence of an e-security strategy

– management buy-in

– a security policy mandated (and understood) by directors and officers

– the policy being effectively implemented and monitored by the organisation

– prevailing industry standards such as AS 17799, generally accepted industry practice and the OECD Guidelines for the Security of Information Systems and Networks

– the harm likely to be suffered as a result of a breach of e-security

Summary flowchart – Security Risk Management Cycle

Audit

• Identify critical/non-critical systems and assets on the network

• Identify critical vulnerabilities

• Identify business operations at risk

Plan

• Draft security policies

• Draft technical security designs

• Draft incident response/continuity plans

Implementation

• Product and custom solutions

• Configuration management

• Patches

• Authentication, access controls etc

Monitor

• Changes to network configuration

• Compliance with policies

• System misuse
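The Monitor step of the cycle, as an added example that is not part of the presentation: comparing the firewall ruleset actually loaded against the baseline approved under change control, and escalating changes that widen exposure. The two rulesets are constructed in iptables-save style and are not a real configuration; the "widened access" heuristic (an added ACCEPT rule with no source restriction) is an assumption of this example.

```python
"""Added example (not from the presentation): the Monitor step as code,
detecting drift between an approved firewall ruleset and what is live.

Both rulesets are constructed in iptables-save style and are not a real
configuration; the 'widened access' heuristic is an assumption of this
example, not a rule from the presentation."""
from dataclasses import dataclass, field

# Constructed: the baseline approved under change control.
BASELINE = """\
# approved baseline
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
"""

# Constructed: what is actually loaded after an undocumented change.
LIVE = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT   # opened "for testing"
-A INPUT -j DROP
"""


def parse_rules(text):
    """Strip comments and normalise whitespace so cosmetic edits do not alert."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(" ".join(line.split()))
    return rules


@dataclass
class Drift:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)

    @property
    def clean(self):
        return not (self.added or self.removed)


def compare(baseline_text, live_text):
    """Rules present in one set but not the other, in ruleset order."""
    base, live = parse_rules(baseline_text), parse_rules(live_text)
    base_set, live_set = set(base), set(live)
    return Drift(added=[r for r in live if r not in base_set],
                 removed=[r for r in base if r not in live_set])


def widened_access(drift):
    """Heuristic: an added ACCEPT rule with no source restriction (-s) has
    widened exposure and should be escalated, not just logged."""
    return [r for r in drift.added if r.endswith("-j ACCEPT") and " -s " not in r]


if __name__ == "__main__":
    drift = compare(BASELINE, LIVE)
    for rule in drift.removed:
        print("REMOVED:", rule)
    for rule in drift.added:
        print("ADDED:  ", rule)
    for rule in widened_access(drift):
        print("ESCALATE (access widened):", rule)
```

In the constructed data the SSH rule lost its 10.0.0.0/8 source restriction and a database port was opened to everyone; both show up as additions with no -s clause, which is the kind of change the "reasonable steps" factors above expect an organisation to notice rather than discover after a breach.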

Evidence Issues

• Currently very few standards exist

• Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically, DISC PD 0008:1999, British Standards Institution

• The Commonwealth Attorney-General is currently seeking input from a working group to develop a standard that would encourage more businesses to seek damages for breaches of IT security by other parties; this would become a driver for better IT security and, more generally, for corporate evidence collection in cybercrime matters

• Commissioner Ryan’s Future Directions Report

Handling Digital Evidence

• Electronic evidence is the keystone of any security incident, whether it is allegedly perpetrated by insiders or outsiders

• Management needs to ensure that ‘chain of custody’ issues are addressed

• Chain of custody = forensic computing. Elements of forensic computing:

– identification of digital evidence

– preservation of digital evidence

– analysis of digital evidence

– presentation of digital evidence

• During this process the company must ensure minimum handling of the original, account for any change, comply with the rules of evidence, and ensure that experts do not exceed their knowledge
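The two handling rules just stated, minimum handling of the original and accounting for any change, as an added example that is not part of the presentation: the original is hashed once at acquisition and made read-only, all analysis happens on a copy proven to match, and every later access re-hashes the original and writes the result to a custody log, so that an untracked alteration is recorded as a mismatch rather than discovered in cross-examination. The evidence file and the custody log live in a temporary directory and are constructed; the log record layout is an assumption of this example, not a published standard.

```python
"""Added example (not from the presentation): an intake and verification
routine for a piece of digital evidence that enforces 'minimum handling of
the original' and 'account for any change' by hashing the original once,
working only on a verified copy, and re-hashing on every later access.

The evidence file and custody log below are constructed in a temporary
directory; the log record layout is an assumption of this example."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who touched which item, when, and its hash."""

    def __init__(self):
        self.entries = []

    def record(self, item, action, who, digest):
        self.entries.append({"item": item, "action": action, "who": who,
                             "sha256": digest,
                             "at": datetime.now(timezone.utc).isoformat()})

    def acquisition_digest(self, item):
        for e in self.entries:
            if e["item"] == item and e["action"] == "acquired":
                return e["sha256"]
        raise KeyError(f"{item} was never acquired")

    def verify(self, item, path, who):
        """Re-hash the original; any change since acquisition is logged as a
        MISMATCH so the court can be told exactly when it was detected."""
        digest = sha256_file(path)
        ok = digest == self.acquisition_digest(item)
        self.record(item, "verified" if ok else "MISMATCH", who, digest)
        return ok


def acquire(log, item, original, workdir, who):
    """Hash the original, make a working copy, prove the copy matches, and
    make the original read-only so analysis cannot touch it by accident."""
    digest = sha256_file(original)
    log.record(item, "acquired", who, digest)
    copy = os.path.join(workdir, item + ".working")
    shutil.copyfile(original, copy)
    if sha256_file(copy) != digest:
        raise RuntimeError("working copy does not match the original")
    os.chmod(original, 0o444)
    log.record(item, "working copy verified", who, digest)
    return copy


def demo():
    """Walk through intake, analysis on the copy, and detection of an
    untracked edit to the original.  Returns (intact, tampered, log)."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "trace.log")
    with open(original, "wb") as f:   # constructed evidence file
        f.write(b"2002-03-01 09:12:07 term=PC07 user=jdoe query=CLIENT/123456\n")
    log = CustodyLog()
    copy = acquire(log, "trace.log", original, workdir, "analyst-1")
    with open(copy, "ab") as f:       # analysis happens on the copy only
        f.write(b"# analyst note\n")
    intact = log.verify("trace.log", original, "analyst-1")
    os.chmod(original, 0o644)         # simulate someone editing the original
    with open(original, "ab") as f:
        f.write(b"\n")
    tampered = not log.verify("trace.log", original, "analyst-2")
    shutil.rmtree(workdir)
    return intact, tampered, log


if __name__ == "__main__":
    intact, tampered, log = demo()
    for e in log.entries:
        print(e["at"], e["who"], e["action"], e["sha256"][:12])
```

The point of logging the mismatch rather than raising an exception is evidential: the log itself becomes the account of what changed and when it was noticed, which is what a court asks for when, as in Rook v Maynard, the defence attacks the completeness or accuracy of computer output.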

Handling Digital Evidence

Rook v Maynard

– Unauthorised access to and viewing of personal files on the DSS system

– A trace was placed by management; the trace logged each use of the defendant’s machine to obtain information in the Department’s information systems

– Output of the trace program was crucial prosecution evidence

– Defence argued that the trace output was inaccurate because it was incomplete

– Court held that the output was incomplete but accurate to the extent that it could be compared with data on the information systems

Handling Digital Evidence

Rook v Maynard

• Interesting to note that both lower and higher courts made trips to DSS to view the manner in which the relevant information system and trace operated

• Clearly demonstrates digital evidence can often be a fragile element of any case. Internal protocols must be followed if breaches of rules governing the use of information systems are to be dealt with successfully

The End