E-Security
By Leif Gamertsfelder, Senior Associate, Deacons
leif.gamertsfelder@deacons.com.au
Phone: 02 9330 8448

Introduction
• E-security and liability issues
• Evidence and computer forensic issues
• Extraterritorial issues

E-Security Issues
[Diagram: a service provider supplies online procurement services to manufacturers over the Internet; the service provider and each manufacturer sit behind their own firewalls]

E-Security Issues
‒ Cybercrime issues
‒ Corporations Act
‒ Trade Practices Act
‒ Privacy Act
‒ Contract
‒ Negligence
‒ ASX Listing Rule 3.1
‒ Evidence issues

Proceedings against hackers
• Civil or criminal proceedings can be brought against hackers.
• Possible civil proceedings include actions under contract, privacy, confidentiality or tort (eg, trespass) law.
• Possible criminal actions include the specific computer-related offences under Federal or State law.
• Is it worth it?

Proceedings against hackers (cont)
• While each case must be considered on its merits to decide whether a hacker should be prosecuted, in the majority of cases the prosecution will be a distraction.
• Generally, the more important liability issues are a company's own liability if a hacker penetrates its security architecture, and its ability to recover loss or damage from vendors, consultants or networked parties.

Proceedings against others
• A company may be able to recover losses from:
‒ vendors of security products or security service consultants
‒ other companies (eg, those sharing an extranet link)
• A company's ability to do so will largely be determined by the contract it enters into with each of these parties, and in particular by:
‒ exclusion clauses
‒ disclaimers
‒ limitation of liability
• Downstream liability is the more important issue

Proceedings against others (cont)
‒ warranties/indemnities
‒ insurance clauses
‒ the enforceability of these clauses
‒ the type of obligation that the other company actually assumes, ie: reasonable steps? a higher obligation? what representations were made?
Cybercrime
• New offences relating to propagation of viruses, denial of service (DoS), unauthorised access to data etc
• The Criminal Code applies to bodies corporate in addition to individuals
• Fault elements may be attributed to a body corporate:
‒ intention, knowledge or recklessness
‒ authorisation/permission: express, tacit or implicit authorisation or permission to commit the offence
‒ authorisation may be proven where a corporate culture existed within the body corporate that directed, encouraged, tolerated or led to non-compliance with the relevant provision

Cybercrime (cont)
• NB – a "corporate culture" in this context means an attitude, policy, rule, course of conduct or practice existing within the body corporate generally or in the part of the body corporate in which the relevant activities take place
• Possible applicable offences – unauthorised access to data, propagation of viruses
• "Reasonable steps" will be a touchstone in these cases

Corporations Act
• If an e-security breach has occurred because a company failed to take reasonable steps to implement a robust e-security architecture, ASIC and shareholders may want to know what steps (if any) the directors took to prevent the breach of network security
• Under the Corporations Act, directors and officers have a duty to exercise reasonable care and due diligence in exercising their duties (s 180)

Business Judgment Rule – s 180(2)
Directors or other officers have a defence under the Corporations Act and at common law and in equity where they:
• make the judgment in good faith and for a proper purpose
• do not have a material personal interest in the subject matter of the judgment
• inform themselves about the subject matter of the judgment to the extent they reasonably believe to be appropriate
• rationally believe that the judgment is in the best interests of the corporation

Corporations Act
In order to comply with their obligations under the Corporations Act, directors and officers need to ensure that they take reasonable steps to
(among other things):
‒ familiarise themselves with the general security issues facing the company and the importance of security to its business lines
‒ guide and monitor management in respect of security issues, and monitor implementation

Corporations Act (cont)
‒ obtain appropriate information to make informed decisions (including the duty to obtain expert advice)
‒ participate in meetings about security policy/strategy and make informed decisions
‒ consider ROI issues

Limiting liability – reliance on others
• Directors (not officers) who rely on information given or prepared by:
‒ an employee whom the director believes on reasonable grounds to be reliable and competent;
‒ a professional adviser/expert in relation to certain matters;
‒ another director or officer in relation to certain matters; or
‒ a committee of directors in relation to certain matters

Limiting liability – reliance on others (cont)
• where the reliance was in good faith, after making an independent assessment of the information having regard to the director's knowledge of the corporation and the complexity of its structure and operations,
• the director's reliance on the information will be taken to be reasonable

Limiting liability – reliance on others
Delegation – s 198D & s 190
• A director is liable unless the director reasonably believes that the delegate will act in accordance with the Corporations Act and the constitution, AND
• the director believed on reasonable grounds, in good faith and after making proper inquiries, that the delegate was a reliable and competent person to discharge the relevant powers

General points
• Directors or officers must make a "judgment"
• "Reasonable steps" is the relevant touchstone
• Penalties up to $200,000, compensation orders and/or disqualification
• Issues are determined on the balance of probabilities

Privacy Act
• From 21 December 2001
• Organisations must take reasonable steps to, among other things, protect the personal information they hold from misuse and loss and from unauthorised access,
modification or disclosure
• Note the possible impact of the TPA in this area

Case Study – Murdoch University
• An offshore student in Malaysia spoofed an email from one lecturer to another
• The email requested the scripts for an upcoming exam
• Authenticating the request only on the basis of the email header information (which the sender controls), the lecturer sent the exam scripts
• The student shared the information with other students

Trade Practices Laws
• A party may sue a company if that company makes a false representation regarding its e-security practices
• Need to look at the relevant provisions of the Commonwealth Trade Practices Act and the Fair Trading Acts of the various States and Territories

Trade Practices Laws (cont)
• A party may make a claim for a breach of s 52 in relation to representations a company or its employees have made about the company's e-security. In limited circumstances a well-drafted exclusion clause may protect a company from a s 52 claim
• Where a company makes a general representation about its e-security, a strong defence may be that the company took reasonable steps in light of current industry standards to protect the system from penetration
• Need to ensure tight control over "representations"

Trade Practices Laws (cont)
• In this context two types of cases could arise:
‒ consumer cases, eg statements about B2C transactions
‒ corporate cases, eg extranet/VPN/DMZ issues
• NB the important role of s 51A here

Case Study – Eli Lilly
• The pharmaceutical company collected personal information on its website, including email addresses
• Subscribers received individualised medication reminders by email
• Eli Lilly decided to cease the reminders and sent a single global notice to all 669 subscribers, exposing the subscribers' addresses to one another
• FTC: "even the unintentional release of sensitive medical information is a serious breach of consumers' trust"

Case Study – Eli Lilly (cont)
• Eli Lilly's claims of privacy and confidentiality were deceptive because it failed to implement internal measures appropriate in the circumstances, namely:
‒ no training for employees on privacy and
information security
‒ no oversight of, or assistance to, the employee who sent out the email
‒ no appropriate checks or monitoring
• The settlement with the FTC contained provisions addressing these flaws in e-security
• NB the interrelationship with the TPA, authentication protocols and internal policies

Case Study – Ziff Davis
• In November 2001, Ziff Davis ran a website promotion offering free subscriptions
• Contestants had to submit their name, address, email information and credit card number
• Ziff Davis' online policy stated that: "[We] use reasonable precautions to keep the personal information you disclose to both our magazine and website secure and to only release this information to third parties we believe share our commitment to privacy."
• 12,000 individual records were openly accessible via the internet; credit card details were obtained remotely and used fraudulently

Case Study – Ziff Davis (cont)
• The Attorneys General of Vermont, New York and California alleged that Ziff Davis had breached various laws prohibiting "unlawful, unfair or fraudulent business practices and untrue or misleading advertising" and commenced an investigation
• The AGs and Ziff Davis entered into an assurance of discontinuance containing the following core terms:
‒ pay $500 to each consumer who provided credit card details
‒ encrypt sensitive data during transmission from consumers
‒ control file access through user authentication and application controls
‒ monitor and control service activity
‒ review applications prior to implementation
‒ implement risk identification and response protocols
‒ establish management oversight and employee training programs

Contract
• Entities that have contractual relationships with a company which suffers a breach of computer security may sue for breach of contract if they incur loss or damage as a result
• This will largely depend on the wording of the relevant contract. Need to consider:
‒ Is there an implied or express e-security clause?
‒ What obligation was assumed, ie: reasonable steps? a higher obligation?
• NB the interrelationship with the TPA

Negligence
• If, as a result of a vulnerability in a company's information system, another party suffers loss or damage, this may give rise to an action in negligence.
• Employers may also be vicariously liable for the security breaches of their employees if those breaches result in loss to a third party.
• For example, assume that a procurement hub is owned and operated by an IT company which has a contract with a service company

E-Security Issues
[Diagram, as above: the service provider supplies online procurement services to manufacturers over the Internet, each party behind its own firewall]

Negligence (cont)
• The service company in turn contracts with 4 major vehicle manufacturers who actually use the procurement hub
• The 4 manufacturers have no direct contractual relationship with the IT company, but may sue in negligence if the procurement hub is hacked due to poor e-security and this results in a denial of service
• The 4 manufacturers may suffer huge losses if this disrupts their just-in-time production processes
• A strong defence to such claims will be at hand if the IT company took reasonable steps in light of current industry standards to protect the data/system from penetration

ASX listing rules
• Under ASX Listing Rule 3.1 a listed company has certain reporting obligations – this is a strict obligation
• If a reasonable person would consider information as having an impact on the share price, the company must disclose the information to the ASX
• Note that recent proposals under CLERP 9 seek to increase continuous disclosure obligations for listed companies. One proposal is that market operators should require listed entities to respond to externally generated speculation where the operator determines that it is having a significant impact on the market for their securities.
• Criminal and civil penalties apply

Workplace Relations Issues
• Cannot discipline an employee if doing so would be unjust, unfair or unreasonable
• Must also provide a workplace free of harassment etc
• Some reasonable steps need to be taken to implement policies
• Effective policies must be in place
• Features of an effective policy are as follows:
‒ clear
‒ well promulgated (avoid "one-shot" policy launches)
‒ reissued (eg, incorporated in the logon procedure)
‒ regularly reviewed and updated
‒ information/education sessions held on the policy

What are "reasonable steps"?
• How the organisation stores/holds information
• Size of the organisation
• Should be proportional to the risks faced by the particular organisation (eg cost/benefit issues)
• Existence of an e-security strategy
• Management buy-in

What are "reasonable steps"?
• An objective, floating standard
• The court will consider numerous factors including:
‒ security policy mandated (and understood) by directors and officers
‒ policy effectively implemented and monitored by the organisation
‒ prevailing industry standards such as AS/NZS 17799, generally accepted industry practice, and the OECD Guidelines for the Security of Information Systems and Networks
‒ harm likely to be suffered as a result of a breach of e-security

Security Risk Management Cycle – summary flowchart
Audit
• Identify critical/non-critical systems and assets on the network
• Identify critical vulnerabilities
• Identify business operations at risk
Plan
• Draft security policies
• Draft technical security designs
• Draft incident response/continuity plans
Implementation
• Product and custom solutions
• Configuration management
• Patches
• Authentication, access controls etc
Monitor
• Changes to network configuration
• Compliance with policies
• System misuse

Evidence Issues
• Currently very few standards exist
• Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically, DISC PD 0008:1999, British Standards Institution
• The Cth AG is currently seeking input from a working group to
develop a standard which would encourage more businesses to seek damages for breaches of IT security by other parties; this would become a driver for better IT security and, more generally, for corporate evidence collection in cybercrime matters
• Commissioner Ryan's Future Directions Report

Handling Digital Evidence
• Electronic evidence is the keystone of any security incident, whether it is allegedly perpetrated by insiders or outsiders
• Management needs to ensure that "chain of custody" issues are addressed
• Chain of custody is maintained through forensic computing practice
• Elements of forensic computing:
‒ identification of digital evidence
‒ preservation of digital evidence
‒ analysis of digital evidence
‒ presentation of digital evidence
• During this process the company must ensure minimum handling of the original, account for any change, comply with the rules of evidence, and ensure that experts do not exceed their expertise

Handling Digital Evidence – Rook v Maynard
‒ Unauthorised access to and viewing of personal files on the DSS system
‒ A trace was placed by management
‒ The trace logged each use of the defendant's machine to obtain information from the Department's information systems
‒ The output of the trace program was crucial prosecution evidence
‒ The defence argued that the trace output was inaccurate because it was incomplete
‒ The court held that the output was incomplete but accurate to the extent it could be compared to data on the information systems

Handling Digital Evidence – Rook v Maynard (cont)
• Interesting to note that both the lower and higher courts made trips to the DSS to view how the relevant information system and trace operated
• Clearly demonstrates that digital evidence can often be a fragile element of any case. Internal protocols must be followed if breaches of rules governing the use of information systems are to be dealt with successfully
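The two "Handling Digital Evidence" points above (minimum handling of the original and accounting for any change; trace output that is incomplete yet accurate where it can be compared with the system's own data) can be made concrete in code. The following is an added example and is not part of the presentation: a minimal chain-of-custody workflow in Python 3 using only the standard library. The file names, the examiner identity, the sample trace lines and the independent "system access records" are all constructed for illustration and do not come from Rook v Maynard or any real system.

```python
"""Added example (not from the original presentation): hash the original
evidence before anything else, work only on a verified copy, log every
action, and corroborate the trace against an independent record."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample trace, in the spirit of a management-installed trace that
# logs each retrieval of a personal record. Two entries only.
SAMPLE_TRACE = b"""\
2002-03-04T10:15:02Z user=jdoe action=view file=/dss/personal/1001.rec
2002-03-04T10:17:55Z user=jdoe action=view file=/dss/personal/1003.rec
"""

# Constructed independent record (eg the host's own access log). It holds one
# event the trace missed, so the trace is incomplete but not inaccurate.
SAMPLE_SYSTEM_RECORDS = {
    ("jdoe", "/dss/personal/1001.rec"),
    ("jdoe", "/dss/personal/1002.rec"),
    ("jdoe", "/dss/personal/1003.rec"),
}


def sha256_file(path):
    """Stream the file through SHA-256; never load evidence whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who did what to which file, and its hash at that time."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, path, digest):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "file": os.path.basename(path),
            "sha256": digest,
        })

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def acquire(original, workdir, actor, log):
    """Hash the original first, then produce a working copy and prove it matches."""
    orig_digest = sha256_file(original)
    log.record(actor, "hash original", original, orig_digest)
    copy = os.path.join(workdir, "working_copy_" + os.path.basename(original))
    shutil.copy2(original, copy)
    copy_digest = sha256_file(copy)
    if copy_digest != orig_digest:
        raise RuntimeError("working copy does not match original")
    log.record(actor, "verified working copy", copy, copy_digest)
    return copy, orig_digest


def verify_unchanged(path, expected_digest):
    """Re-hash a file and compare with the digest recorded at acquisition."""
    return sha256_file(path) == expected_digest


def parse_trace(data):
    """Turn 'timestamp key=value ...' lines into (user, file) events."""
    events = []
    for line in data.decode().splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        events.append((fields["user"], fields["file"]))
    return events


def corroborate(trace_events, system_records):
    """Which trace entries an independent record confirms, which it cannot,
    and which events the trace failed to capture (incompleteness)."""
    trace_set = set(trace_events)
    return {
        "confirmed": sorted(trace_set & system_records),
        "unconfirmed": sorted(trace_set - system_records),
        "missing_from_trace": sorted(system_records - trace_set),
    }


def run_demo():
    """Full workflow on the constructed sample; returns the results as a dict."""
    log = CustodyLog()
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "trace.log")
        with open(original, "wb") as f:
            f.write(SAMPLE_TRACE)
        copy, orig_digest = acquire(original, tmp, "examiner-1", log)
        with open(copy, "rb") as f:          # analysis touches the copy only
            result = corroborate(parse_trace(f.read()), SAMPLE_SYSTEM_RECORDS)
        log.record("examiner-1", "parsed and corroborated working copy", copy, sha256_file(copy))
        intact = verify_unchanged(original, orig_digest)
        with open(original, "ab") as f:      # simulate an unaccounted-for change
            f.write(b"2002-03-04T11:00:00Z user=jdoe action=view file=/dss/personal/9999.rec\n")
        result.update({
            "original_sha256": orig_digest,
            "original_intact_after_analysis": intact,
            "tamper_detected": not verify_unchanged(original, orig_digest),
            "custody_log": log.entries,
        })
        return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2, default=str))
```

The point the example makes is the one the court made: a record hashed at acquisition and handled only through a verified copy can be shown to be unchanged, and comparing it against an independent source separates "incomplete" (events missing from the trace) from "inaccurate" (trace entries nothing else confirms). The custody log is what an expert produces at the presentation stage to account for every handling step.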