E-Security
By Leif Gamertsfelder
Senior Associate
Deacons
leif.gamertsfelder@deacons.com.au
Phone: 02 9330 8448
Introduction
• E-security and liability issues
• Evidence and computer forensic issues
• Extraterritorial issues
E-Security Issues
[Diagram: a service provider, behind a “Firewall”, supplies online procurement services over the Internet to “Manufacturers”, each sitting behind their own “Firewalls”.]
E-Security Issues
‒ Cybercrime issues
‒ Corporations Act
‒ Trade Practices Act
‒ Privacy Act
‒ Contract
‒ Negligence
‒ ASX Listing Rule 3.1
‒ Evidence Issues
Proceedings against hackers
• Civil or criminal proceedings can be brought against hackers.
• Possible civil proceedings include actions under contract,
privacy, confidentiality or tort (eg, trespass) law.
• Possible criminal actions include the specific computer related
offences under Federal or State law.
• Is it worth it?
Proceedings against hackers (cont)
• While it is important to consider each case on its merits to
determine whether a hacker should be prosecuted, the matter
may be a distraction in the majority of cases.
• Generally, the more important liability issues are a company’s own
liability if a hacker penetrates its security architecture, and its ability to
recover loss or damage from vendors, its consultants or
networked parties.
Proceedings against others
• A company may be able to recover losses from:
 vendors of security products or security service
consultants
 other companies (eg sharing an extranet link)
• A company’s ability to do so will largely be determined by the
contract they enter with each of these parties and consideration
of:
 exclusion clauses
 disclaimers
 limitation of liability
 Downstream liability is a more important issue
Proceedings against others (cont)
 Warranties/indemnities
 Insurance clauses
 The enforceability of these clauses
 The type of obligation that the other company actually
assumes, ie:
 reasonable steps?
 a higher obligation?
 what representations were made?
Cybercrime
• New offences relating to propagation of viruses, Denial of
Service (DoS), unauthorised access to data etc
• Criminal Code applies to body corporates in addition to
individuals
• Fault elements (intention, knowledge or recklessness) may be
attributed to a body corporate
• Authorisation/permission:
 express, tacit or implicit authorisation or permission to
commit the offence
 authorisation may be proven where a corporate culture
existed within the body corporate that directed, encouraged
or tolerated non-compliance with the relevant provision, or led to it
Cybercrime (cont)
• NB – a “corporate culture” in this context means an attitude,
policy, rule, course of conduct or practice existing within the
body corporate generally or in the part of the body corporate in
which the relevant activities take place
• Possible applicable offences – unauthorised access to data,
propagation of viruses
• “Reasonable steps” will be a touchstone in these cases
Corporations Act
• If an e-security breach has occurred due to a failure by a
company to take reasonable steps to implement robust e-security
architecture, ASIC/shareholders may want to know
what steps (if any) the directors took to prevent the breach of
network security
• Under the Corporations Act, directors and officers have a
duty to exercise reasonable care and due diligence in
exercising their duties (s180)
Business Judgment Rule – s180(2)
Directors or other officers have a defence under the Corporations Act
and at common law and equity where they:
• make the judgment in good faith and for a proper purpose
• do not have a material personal interest in the subject
matter of the judgment
• inform themselves about the subject matter of the judgment to
the extent they reasonably believe to be appropriate
• rationally believe that the judgment is in the best interests of the
corporation
Corporations Act
In order to comply with their obligations under the
Corporations Act, directors and officers need to ensure that
they take reasonable steps to (among other things):
 familiarise themselves with the general security
issues facing the company and the importance of
security to business lines
 guide and monitor management in respect of
security issues/monitor implementation
Corporations Act (Cont)
 obtain appropriate information to make informed decisions
(including duty to obtain expert advice)
 participate in meetings about security policy/strategy and make
informed decisions
 Consider ROI issues
Limiting liability – reliance on others
• Directors (not officers) who:
 rely on information given or prepared by:
– an employee whom the director believes on
reasonable grounds to be reliable and competent;
– a professional adviser/expert in relation to certain
matters;
– another director or officer in relation to certain matters;
or
– a committee of directors in relation to certain matters
Limiting liability – reliance on others (cont)
 reliance was in good faith after making an independent
assessment of the information having regard to the director’s
knowledge of the corporation and the complexity of its
structure and operations
 The director’s reliance on the information will be taken to be
reasonable
Limiting liability – reliance on others
 Delegation - s198D & s190
 Director is liable unless director reasonably believes that the
delegate will act in accordance with the Corporations Act and
the Constitution
AND
 Director believed on reasonable grounds and in good faith and
after making proper inquiries that delegate was a reliable and
competent person to discharge the relevant powers
General points
• Directors or officers must make a “judgment”
• “reasonable steps” is the relevant touchstone
• Penalties up to $200,000, compensation orders and/or
disqualification
• Issues are determined on the balance of probabilities
Privacy Act
• From 21 December 2001
• Organisations must take reasonable steps to, among other
things, protect the personal information they hold from misuse
and loss and from unauthorised access, modification or
disclosure
• Note the possible impact of the TPA in this area
Case Study – Murdoch University
 An offshore Malaysian student spoofed an email from one lecturer to
another
 Requested exam scripts for the upcoming exam
 Authenticating only on the basis of the email header information,
the relevant lecturer sent the exam scripts
 The student shared the information with other students
Trade Practices Laws
• A party may sue a company if that company makes a false
representation regarding their e-security practices
• Need to look at the relevant provisions of the Commonwealth Trade
Practices Act and the Fair Trading Acts of the various states and
territories
Trade Practices Laws (cont)
• A party may make a claim for a breach of s 52 in relation to
representations a company or its employees have made in relation
to the e-security of the company. In limited circumstances a well
drafted exclusion clause may protect a company from a s 52 claim
• Where a company makes a general representation about its e-security,
a strong defence may be that the company took
reasonable steps in light of current industry standards to protect
the system from penetration
• Need to ensure tight control over “representations”
Trade Practices Laws (cont)
• In this context two types of cases could arise:
 Consumer cases
eg statements about B2C transactions
 Corporate cases
eg extranet/VPN/DMZ issues
• NB Important role of s51A here
Case Study – Eli Lilly
 Pharmaceutical company collected personal info on its website,
including email addresses
 Subscribers received individualised medication reminders by
email
 Eli Lilly decided to cease reminders and sent global notice to all
669 subscribers
 FTC: “even the unintentional release of sensitive medical
information is a serious breach of consumers’ trust”
Case Study – Eli Lilly
 Eli Lilly’s claims of privacy and confidentiality were deceptive
because it failed to implement internal measures appropriate
under the circumstances, namely:
- no training for employees re privacy and information security
- did not provide oversight or assistance to employee who
sent out the email
- no appropriate checks or monitoring
 Settlement with FTC contained provision addressing these flaws
in e-security
 NB interrelationship with TPA, authentication protocols and
internal policies
Case Study – Ziff Davis
 November 2001, Ziff Davis ran a website promotion offering free
subscriptions
 Contestants had to submit name, address, email information and credit
card number
 Ziff Davis’ online policy stated that:
“[We] use reasonable precautions to keep the personal information
you disclose to both our magazine and website secure and to only
release this information to third parties we believe share our commitment to
privacy.”
 12,000 individual records were openly accessible via the internet and
credit card details were obtained remotely and used fraudulently
Case Study – Ziff Davis (cont)
 The Attorneys General of Vermont, New York and California alleged Ziff
Davis had breached various laws which prohibit “unlawful, unfair or
fraudulent business practices and untrue or misleading advertising” and
commenced an investigation
 The AGs and Ziff Davis entered into an assurance of discontinuance
containing the following core terms:
• pay $500 to each consumer who provided credit card details
• encrypt sensitive data during transmission from consumers
• control file access through user authentication and application controls
• monitor and control service activity
• review applications prior to implementation
• implement risk identification and response protocols
• establish management oversight and employee training programs
Contract
• Entities that have contractual relationships with a company which
suffers a breach of computer security may sue for breach of
contract if they incur loss or damage as a result
• This will largely depend on the wording of the relevant contract.
Need to consider:
- Is there an implied or express e-security clause?
- What obligation was assumed, ie:
 reasonable steps?
 a higher obligation?
NB Interrelationship with TPA
Negligence
• If, as a result of the vulnerability in an information system of a
company, another party suffers loss or damage, this may give
rise to an action in negligence.
• Employers may also be vicariously liable for the security
breaches of their employees if those breaches result in loss to
a third party.
• For example, assume that a procurement hub is owned and
operated by an IT company which has a contract with a service
company
E-Security Issues
[Diagram, repeated from above: a service provider, behind a “Firewall”, supplies online procurement services over the Internet to “Manufacturers”, each sitting behind their own “Firewalls”.]
Negligence (cont)
• The service company in turn contracts with 4 major vehicle
manufacturers who actually use the procurement hub
• The 4 manufacturers have no direct contractual relationship with the
IT company, but may sue under negligence if the procurement hub is
hacked due to poor e-security and this results in a denial of service
• The 4 manufacturers may suffer huge losses if this causes disruption
to their just-in-time production processes
• A strong defence to such claims will be at hand if the IT company took
reasonable steps in light of current industry standards to protect the
data/system from penetration
ASX listing rules
• Under ASX listing rule 3.1 a listed company has certain reporting
obligations – this is a strict obligation
• If a reasonable person would consider the information as having an
impact on the share price, the company must disclose the
information to the ASX
• Note that recent proposals under CLERP 9 seek to increase
continuous disclosure obligations for listed companies. Indeed,
one proposal is that market operators should require listed entities
to respond to externally generated speculation in circumstances
where the operator determines that this is having a significant
impact on the market for their securities.
• Criminal and civil penalties apply
Workplace Relations Issues
• Cannot discipline an employee if unjust, unfair or unreasonable
• Must also provide a workplace free of harassment etc
• Some reasonable steps need to be taken to implement policies
• Effective policies must be in place
• Features of an effective policy are as follows:
 clear
 well promulgated (avoid ‘one-shot’ policy launches)
 reissued (eg, incorporate in logon procedure)
 regularly reviewed and updated
 information/education sessions held on the policy
What are “reasonable steps”
 How the organisation stores/holds information
 Size of the organisation
 Should be proportional to risks faced by the particular
organisation (eg cost/benefit issues)
 Existence of an e-security strategy
 Management buy-in
What are “reasonable steps” (cont)
 Objective, floating standard
 Court will consider numerous factors including:
 Security policy mandated (and understood) by directors and
officers
 Policy effectively implemented and monitored by
organization
 Prevailing industry standards such as AS17799:
- generally accepted industry practice
- OECD Guidelines for the Security of Information Systems
and Networks
 Harm likely to be suffered as a result of a breach of e-security
Audit
• Identify critical/non-critical systems and
assets on the network
• Identify critical vulnerabilities
• Identify business operations at risk
Summary flowchart
[Diagram: Security Risk Management Cycle – Plan, Implementation, Monitor, repeating]
Plan
• Draft security policies
• Draft technical security designs
• Draft incident response/continuity plans
Implementation
• Product and custom solutions
• Configuration management
• Patches
• Authentication, access controls etc
Monitor
• Changes to network configuration
• Compliance with policies
• System misuse
Evidence Issues
 Currently very few standards exist
 Code of practice for Legal Admissibility and Evidential Weight of
Information Stored Electronically DISC PD 0008:1999, British
Standards Institution
 Cth AG is currently seeking input from a working group to
develop a standard which would encourage more businesses to
seek damages for breaches of IT security of other parties, this
becoming a driver for better IT security and, generally,
corporate evidence collection in cybercrime matters
 Commissioner Ryan’s Future Directions Report
Handling Digital Evidence
• Electronic evidence is the keystone of any security incident
whether it is allegedly perpetrated by insiders or outsiders
• Management needs to ensure that ‘chain of custody’ issues are
addressed
• Chain of custody = forensic computing
• Elements of forensic computing:
 ID of digital evidence
 preservation of digital evidence
 analysis of digital evidence
 presentation of digital evidence
• During this process the company must ensure minimum handling
of the original, account for any change, compliance with rules of
evidence & that experts do not exceed their knowledge
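The preservation and “account for any change” elements above can be supported in practice by fingerprinting the seized original and keeping a hash-chained custody log. The following is an added Python example, not code from the presentation; the CustodyLedger class, its field names and the sample trace-log line are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: one line of a usage-trace log of the kind relied on in Rook v Maynard
SAMPLE_TRACE = b"2003-03-01 09:12 terminal=T17 action=view file=client_record_1187\n"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLedger:
    """Hash-chained chain-of-custody log: each entry records who handled the evidence,
    what they did, when, and the fingerprint observed; it also carries the previous
    entry's hash, so an edited or dropped entry breaks the chain and is detectable."""

    def __init__(self, original: bytes):
        self.original_hash = sha256_hex(original)  # preserved before any handling
        self.entries = []
        self.record("examiner", "acquired original", original)

    def record(self, actor: str, action: str, evidence: bytes, when: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "evidence_hash": sha256_hex(evidence),  # fingerprint as seen at this step
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def evidence_unchanged(self, copy: bytes) -> bool:
        """True if a working copy still matches the preserved original."""
        return sha256_hex(copy) == self.original_hash

    def ledger_intact(self) -> bool:
        """Recompute the chain; any edited or removed entry fails the check."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_entry_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```

Every analyst action is appended with record(); evidence_unchanged() is run on each working copy before analysis and ledger_intact() when the log is produced in court.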
Handling Digital Evidence
Rook v Maynard
– Unauthorised access and viewing of personal files on DSS system
– Trace placed by management
– Trace logged each use of defendant’s machine to obtain
information in the Dept’s information systems
– Output of the trace program was crucial prosecution evidence
– Defence argued that trace output was inaccurate as it was
incomplete
– Court held that output was incomplete but accurate to the extent it
could be compared to data on the information systems
Handling Digital Evidence (cont)
Rook v Maynard
• Interesting to note that both lower and higher courts made
trips to DSS to view the manner in which the relevant
information system and trace operated
• Clearly demonstrates digital evidence can often be a
fragile element of any case. Internal protocols must be
followed if breaches of rules governing the use of
information systems are to be dealt with successfully
The End