Welcome to the latest edition of HWL Ebsworth Cyber Bytes.
Once again, it has been an eventful few months in cyber security and related legal and policy developments. We have seen a number of high profile cyber incidents as well as regulatory and legislative responses to the growing cyber threat. In this edition we provide some brief snapshots of recent cyber news as well as a number of more in-depth articles.
The long-awaited mandatory data breach notification legislation was introduced into the Senate on 19 October 2016. As we previously reported (here), an earlier draft of the legislation, titled the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, was released as an exposure draft in late 2015. After a consultation period (submissions available here), the legislation has now been modified and retitled as the Privacy Amendment (Notifiable Data Breaches) Bill 2016. We provide an overview of the current Bill here.
Following the release of its inaugural threat report last year (which we reported on here), the Australian Cyber Security Centre (ACSC) released its 2016 Threat Report on 12 October 2016. The report contains information on trends in malicious cyber activity, what actions organisations should take to prevent and respond to cyber threats and an interesting discussion on appropriate use of cyber risk terminology. Read more in our article here.
Following an investigation into last year’s notorious data breach of the extra-marital affair website Ashley Madison, the Office of the Australian Information Commissioner (along with the Privacy Commissioner of Canada) released its findings in August 2016. We report on those findings, and some of the implications for cyber risk management, in our article here.
We summarised the Federal Government’s Cyber Security Strategy in our last edition. We provide a brief update on developments since then in the implementation of that strategy. See our article here.
While not the result of cyber hacking per se, the recent Red Cross Blood Service data breach is nevertheless a good reminder of the ramifications of inadvertently placing sensitive data on public webservers as well as highlighting some of the key steps involved in incident response. Read our article here.
News in Brief
The last few months have seen many reminders as to the variety of forms that cyber incidents can take. Here’s a brief snapshot of some recent cyber risk news items:
- Internet of Things DDoS attack: A large DDoS (distributed denial of service) attack on 21 October 2016 against Dyn, a domain name services provider in the United States, impacted numerous popular websites including Netflix, AirBnB, Reddit, Twitter and the New York Times. The DDoS attack appears to have been launched by the hijacking of millions of malware-infected devices connected to the internet, including webcams and digital video recorders, highlighting the potential cyber risk inherent in the Internet of Things;
- Hacking an election: The already eventful US Presidential election campaign had an additional layer of drama with accusations of Russian hacking of Democratic National Committee emails aimed at interfering in the election process, highlighting the ongoing potential for state-sponsored cyber hacking;
- Inquiry into 2016 Census: Closer to home, the Senate Economics References Committee inquiry into the 2016 Census recently held public hearings seeking to get to the bottom of what went wrong with Australia’s first attempt at conducting an online census. While the public had been concerned about one form of cyber threat (namely, their personal data being accessed by foreign hackers), the cyber threat that in fact materialised was nervousness over DDoS attacks, which ultimately led to the census site being shut down on census night. The Senate Committee is due to deliver its findings by 24 November 2016 and no doubt the report will make for interesting reading; and
- Regulatory oversight of cyber resilience: We have reported previously on ASIC’s assessment of ASX Group and Chi-X and their management of cyber resilience. The Reserve Bank of Australia also, in collaboration with ASIC, has a regulatory interest in monitoring cyber resilience, noting in its recent “2015/16 Assessment of ASX Clearing and Settlement Facilities” that it saw cyber resilience as “a key priority in its supervision of ASX’s CS facilities, as well as other financial market infrastructures (FMIs)”. The RBA noted in its report that it has adopted the international Guidance on Cyber Resilience for FMIs released jointly by the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) in June this year.
We trust you find this edition of our Cyber Bytes newsletter to be interesting and useful. Our cyber team has worked with a number of clients to assist them to prepare their cyber security strategy and develop a plan for managing incidents and we could help your organisation. Please contact a member of our team if you require assistance in relation to preparing or responding to this increasingly common and challenging Australian business risk.
This edition was edited by Andrew Miers with contributions by Sarah Harrison, James Moore, Katherine Hooper, Matthew Hunter, Daniel Kiley and Desiree Dyer.