Cyber security affects all businesses and industries and is a Board level agenda item.
Our quarterly eBulletin provides a round-up of best practice, news and legislative developments concerning cyber security in Europe, Asia, Australia and the USA and Canada.
- Update on the EU Network and Information Security Directive
- Update on the EU General Data Protection Regulation
- Update on the EU Directive on Attacks against Information Systems
- UK Government report on cost of cyber breaches
- Cyber Insurance in the UK: Its importance is rising
- UK GCHQ publishes guidance on passwords
- Threat of cyber attacks used as blackmail against financial services organisations
- Car "infotainment" systems found to be a cyber security risk
- French media TV5 Monde under cyber attack
- French Government launches new national cyber security strategy
- Singapore's Personal Data Protection Commission issues guidance to organisations over securing personal data
- Hong Kong Monetary Authority issues Circular on Cyber Security Risk Management
- China's National People's Congress publishes draft cyber security law
- Australian telcos required to store customer metadata for two years
- Mandatory reporting of data breaches on the horizon in Australia
- Australia rising to the challenge of cyber security
- Australian Threat Report - The defence against cyber adversaries
- US Court upholds FTC's authority to pursue data breach enforcement actions
- US court ruling requiring Microsoft (US) to produce customer e-mails stored in EU receives appellate scrutiny
- Individual US states take action to bolster cyber security
- US and China engage in discussions regarding cyber security
- Ashley Madison cyber attack continues to have repercussions
1. Update on the EU Network and Information Security Directive
The EU Network and Information Security Directive (the so-called "Cyber Security Directive") appears to be a step closer to adoption after the European Council announced at the end of June that it had reached an understanding with the Parliament and the European Commission on the main principles to be included in the Directive.
One of the key sticking points in negotiations had been in relation to the treatment of information society services under the Directive. It has reportedly now been agreed that such services will be treated in a different manner from essential services. Although there is no clarity at the moment as to what this will mean, it suggests that information society services will still fall within the scope of the Directive in some way.
Following agreement, the main principles will need to be turned into a full draft text. Although the overall timing for adoption is still unclear, once adopted, Member States are likely to have 18 months in order to implement the Directive into national legislation.
2. Update on the EU General Data Protection Regulation
In June 2015, the Council of Ministers of the European Union (the "Council") finally agreed a general approach on the proposed EU General Data Protection Regulation (the "GDPR"), paving the way for negotiations to commence between the European institutions to agree a final version of the new GDPR.
One of the key new obligations under the GDPR looks likely to be the obligation upon data controllers to report data security breaches to their national regulatory authority. The Council have sought to impose a materiality threshold and restrict this notification requirement to breaches which are likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of data protected by professional secrecy, or any other significant economic or social disadvantage.
The Council has also amended the draft text to require any data security breach notification to be made within 72 hours. The Commission's original text proposed a 24 hour deadline, and the Parliament's proposal required notification without undue delay.
The adoption by the Council of its position marks a key step in the legislative process. However, whilst the process may start to gain a little momentum now, it is clear from the three texts available (the Commission's initial draft, the Parliament's position, and the Council's position) that the institutions remain conceptually far apart on a number of key aspects to the GDPR.
For further information, please see our eBulletin, available here.
3. Update on the EU Directive on Attacks against Information Systems
The beginning of September saw the deadline for transposition into national law of the Directive on attacks against information systems (the "Directive"), which came into force on 24 August 2013. This Directive forms part of the EU's continuing efforts to keep pace with the ever-evolving nature of cybercrime, and in particular with the increasingly sophisticated and large-scale forms of attack against information systems. It updated (and replaced) the minimum rules established by Council Framework Decision 2005/222/JHA (the "Framework Decision") relating to the definition of the relevant criminal offences and sanctions across Member States, and to improved cooperation between competent authorities.
By and large most Member States had already brought their national criminal regimes into line with both the Framework Decision and the Cybercrime Convention. Accordingly, relatively few legislative changes were required to be ready for the transposition deadline.
The UK, for example, introduced a small number of changes through the Serious Crime Act 2015, which came into force on 5 May 2015 and amended certain provisions of the Computer Misuse Act 1990.
For further information please see our blog post, available here.
4. UK Government report on cost of cyber breaches
The UK Government has published its 2015 Information Security Breaches Survey, which is carried out annually by PWC, in conjunction with the Department for Business, Innovation and Skills.
The report shows that there has been an increase in the number of both large and small organisations experiencing breaches, with 90% of large organisations reporting that they had suffered a security breach this year (up from 81% in 2014).
The average cost of the worst single breach suffered by organisations surveyed has also gone up sharply for all sizes of business. For companies with more than 500 employees, the average cost of the most severe breach is now between £1.46 million and £3.14 million, whilst for small and medium sized businesses, the average cost of the worst breach is between £75,000 and £310,800.
Staff-related breaches also feature notably in this year's report. Three quarters of large organisations suffered a staff-related breach and nearly one third of small organisations had a similar occurrence. When questioned about the single worst breach suffered, half of all organisations attributed the cause to inadvertent human error.
To view a copy of the report, please click here.
5. Cyber Insurance in the UK: Its importance is rising
September 2015 saw the publication of two reports – one by PwC and the other by Allianz Global Corporate & Specialty – both of which discuss the upward trajectory of the cyber insurance market and forecast that cyber insurance premiums are to grow exponentially over the next ten years.
The take-up of stand-alone cyber insurance policies is currently relatively low outside the US. The reasons for this include a lack of understanding amongst organisations of: (1) the cyber risks they face; and (2) the cyber cover available in the market, including how this fits with the relatively limited cover available under traditional policies.
However, legislative change is afoot in a number of jurisdictions which is likely to be a key driver of growth. Organisations are getting a better handle on the nature and severity of the risk and what insurance can do for them. Consistent with this, the Allianz report predicts that the nature of cyber insurance risk will evolve beyond data breaches and privacy matters. It identifies business interruption in particular as a key risk within the next five to ten years.
To view a copy of the Allianz report, please click here.
To view a copy of the PwC report, please click here.
6. UK GCHQ publishes guidance on passwords
GCHQ has published guidance containing advice for system owners responsible for determining password policy.
It advocates a dramatic simplification of the current approach at a system level, rather than asking users to recall unnecessarily complicated passwords.
The guidance advocates seven key tips in relation to passwords: (i) change all default passwords; (ii) help users cope with password overload; (iii) understand the limitations of user-generated passwords; (iv) understand the limitations of machine-generated passwords; (v) prioritise administrator and remote user accounts; (vi) use account lockout and protective monitoring; and (vii) don’t store passwords as plain text.
To view a copy of the guidance, please click here.
7. Threat of cyber attacks used as blackmail against financial services organisations
A report published by content delivery network and cloud service provider firm Akamai Technologies Inc, has highlighted an increase in the number of cyber attacks orchestrated by a group known as DD4BC. According to the report, 114 DD4BC attacks have been identified since April 2015, with the focus primarily on the financial services industry.
In the attacks, DD4BC threatens organisations with a Distributed Denial of Service ("DDoS") attack unless a ransom is paid. The payments demanded by the group have ranged from 25 to 50 bitcoins (around £4,000 - £8,000). Failure to pay could result in a DDoS attack involving up to 56 gigabits of data per second being directed towards the victim organisation, far more than most companies can cope with. In addition, DD4BC has allegedly threatened to post messages on social networks to embarrass and humiliate organisations if they do not pay the ransom.
8. Car "infotainment" systems found to be a cyber security risk
It was reported in July that the UK information security company NCC Group had found a way to control vehicles' brakes and other systems by sending data via digital audio broadcasting radio signals.
NCC told the BBC that it had been able, in an off-road environment, to simulate a DAB-based attack. The attack works because infotainment systems process DAB data to display text and pictures on car dashboard screens, and NCC maintains that an attacker could send code that would let them take over the system.
The approach has so far only been attempted on equipment in the company's building, as NCC maintains that it would be illegal and unsafe to try it on the road. However, the approach is similar to that seen in the US recently, which allowed hackers to take control of a Jeep Cherokee after sending data to its entertainment and navigation systems via a mobile phone.
9. French media TV5 Monde under cyber attack
In April 2015, the French broadcaster TV5 Monde suffered the biggest cyber attack ever to hit a French media company.
The attack led to broadcast and information systems going down for several hours, as the attackers took control of TV5's internal network, broadcasting network, social media accounts and website at the same time.
The French National Agency for Information Systems Security ("ANSSI"), now in charge of protecting "vital importance players" in France, handled the investigations following the attack, secured the network of TV5 Monde and led a national information campaign aimed at media firms, in order to help them protect their networks against such attacks.
10. French Government launches new national cyber security strategy
On 18 June 2015, the French Prime Minister introduced a national digital orientation plan, including a wide-ranging national cyber security strategy section.
The main focus of the strategy is defence and the security of vital French infrastructures, to be handled in cooperation with the National Agency for Information Systems Security and private industry players (starting later this year).
The second main goal is to foster confidence in the digital transition, including the creation of a national assistance programme for victims of cyber attacks, aimed at private individuals, local authorities and companies. The programme will include a platform for easier complaint filing and referral to local actors able to quickly provide the most appropriate technical support (being introduced in 2016).
Finally, a public/private investment fund dedicated to cyber security will be created to foster cyber security innovation, support new industry players and promote French cyber security products and services (at the end of 2015).
To view a copy of the digital orientation plan, please click here.
11. Singapore's Personal Data Protection Commission issues guidance to organisations over securing personal data
The Personal Data Protection Commission ("PDPC") is responsible for enforcing the Personal Data Protection Act 2012 (the "Act"), which protects the use of individuals' personal data by organisations in Singapore. In partnership with the Cyber Security Agency of Singapore ("CSA"), the PDPC has recently issued guidance to organisations on securing personal data in electronic form, and on how to manage data breaches should they occur.
The guidance on data security sets out a checklist of good practices and enhanced practices for the protection of personal information from malicious or accidental disclosure, along with detailed further explanation. The practices include ICT security training and policies, appropriate standards of authentication and authorisation of users, encryption of information, proper (physical and electronic) disposal of redundant information, and policies on the use of personal devices, portable storage and networks.
The guidance on managing breaches of personal data privacy reminds organisations of their obligation under the Act to make reasonable security arrangements for the protection of personal data within their control. The guidance sets out a suggested approach to a data breach management plan, covering containing, reporting and evaluating the breach. The PDPC states that the adequacy of an organisation's management plan, and the promptness and detail in their notification of the breach to the PDPC, will affect the PDPC's judgment on whether the organisation has fulfilled its obligations under the Act.
To view a copy of the data security guidance, please click here.
To view a copy of the data breach guidance, please click here.
12. Hong Kong Monetary Authority issues Circular on Cyber Security Risk Management
On 15 September 2015, the Hong Kong Monetary Authority ("HKMA") issued a circular ("Circular") to Authorised Institutions ("AI") supervised by the HKMA, drawing attention to the importance of, and providing general guidance in relation to, proper cyber security risk management.
The Circular acknowledges that while AIs should already have in place controls and processes to manage technology risks in general, cyber security risk warrants special attention, and different risk management measures may be needed to deal with some types of potential cyber attacks. The Circular makes it clear that the board and senior management of AIs are expected to play a proactive role in ensuring effective cyber security risk management, covering at least the areas of risk ownership and management accountability, periodic evaluations and monitoring of cyber security controls (having regard to emerging cyber threats and a credible benchmark of cyber security controls, with guidance on determining an appropriate benchmark set out in an annex to the Circular), industry collaboration and contingency planning, and regular independent assessments and tests.
The board and senior management of AIs are expected to strengthen their oversight in those areas where there may be gaps or weaknesses so that some concrete progress is evidenced in the remaining meetings of the board in 2015 or early 2016. The Circular indicates that if there is a need, the HKMA will request institutions to submit specific deliverables for it to assess the output or progress of the work.
13. China's National People's Congress publishes draft cyber security law
On 6 July 2015, China's National People's Congress published a draft cyber security law aimed at safeguarding China's "cyber sovereignty" and protecting personal information.
The draft law has also addressed some of the national security concerns that prompted the National Security Law that became effective on 1 July 2015. The draft law contains provisions requiring the core networks and information technology, critical infrastructure and information systems and the data of important sectors in China to be "secure and controllable". The draft law was open for comment until 5 August 2015.
As it stands, the draft law would impact anyone who constructs, operates, maintains or uses networks in China. Particularly affected are: (i) hardware and software manufacturers, who would be subject to greater supervision over compliance and national security reviews; (ii) cross-border cloud-computing and data-processing services, who would need to be cautious about transmitting personal data out of China; and (iii) all network operators, who would need to censor certain information.
For further information, please see our eBulletin, available here.
14. Australian telcos required to store customer metadata for two years
In April 2015, the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) ("Data Retention Act") received assent. The legislation mandates that, in general, telecommunication companies and internet service providers must store their customers’ metadata for a period of two years from the date of its creation.
Service providers include: licensed carriers, carriage service providers and internet service providers. Under the Data Retention Act, these service providers must keep a limited set of metadata (information about the circumstances of a communication) for two years. Importantly, it is not the content of the communication that must be retained under the Act, and web-browsing history is also specifically excluded from the scheme. The legislation also requires service providers to secure the stored data by encrypting it and taking other steps to prevent unauthorised access. The new scheme places further responsibilities on service providers: Part 5-1A requires all service providers that collect and retain telecommunications data under the data retention scheme to comply with the Privacy Act in relation to that data.
The Government has estimated the upfront capital cost of the regime to all businesses to be between $188.8 million and $319.1 million.
15. Mandatory reporting of data breaches on the horizon in Australia
In March this year, Attorney-General George Brandis and the then federal Communications Minister Malcolm Turnbull released a joint statement indicating that the federal government intends to introduce a mandatory data breach notification scheme by the end of 2015. The statement came in the Government’s response to a report by the Parliamentary Joint Committee on Intelligence and Security. The report mainly dealt with Australia’s proposed "data retention" laws, which grant the Government controversial new powers to collect and retain metadata for terrorism and criminal investigation purposes.
At present, while there are obligations in the Privacy Act 1999 (Cth) to keep personal information secure, notification of a personal data breach is voluntary and companies are simply encouraged to follow the Office of the Australian Information Commissioner's guidance.
Any mandatory reporting scheme will not be limited to telecommunications service providers and will represent a significant new compliance burden on all businesses. The changes will undoubtedly see an increase to the overall cost to companies when handling data security incidents.
16. Australia rising to the challenge of cyber security
Prior to his ousting, then Australian Prime Minister, Tony Abbott, held the inaugural Cyber Security Summit in Canberra attended by leaders from Australia’s largest blue chip companies. The attendees’ list points to the status and prioritisation of cyber security at the highest levels of business and government in Australia.
The Summit came on the back of the Government’s ongoing Cyber Security Review, which commenced in November last year, with recommendations from the Summit to be released in the coming months followed closely by a national Cyber Security Strategy (the first of its kind since 2009).
The Cyber Security Strategy is unlikely to be directive but will be largely focused on facilitating business to adopt practical and realistic cyber security measures; the Australian Government is a strong advocate for the multi-stakeholder model of cyber governance. Then Prime Minister Abbott has indicated that there is a need for business and government to come together, to collaborate in creating a secure cyberspace, with the government holding the view that a state-dominated governance model would stifle innovation and economic potential. The preferred model places greater emphasis on joint collaboration between the private sector and government in a bid to tackle cyber security.
17. Australian Threat Report - The defence against cyber adversaries
On 29 July 2015, the Australian Cyber Security Centre ("ACSC") released its first unclassified report. The aptly named "Threat Report" was the product of a collaborative effort between the private and public sectors, with leaders from the Australian Crime Commission, the Australian Federal Police, the Australian Security Intelligence Organisation, and the Computer Emergency Response Team forming a super hub of government intelligence. More than 500 strategic private sector businesses were also involved, including those operating in the energy, banking and finance, communications, defence and transport sectors.
The ACSC opened in November 2011 as an Australian Government initiative to ensure that Australian networks are amongst the most difficult in the world to breach. The centre's co-ordinator, Clive Lines, said the Threat Report proved the threat to Australian organisations was "undeniable, unrelenting and continues to grow".
The Threat Report provides a snapshot of the very real threat cybercrime poses to the Australian economy. The document breaks down the technological jargon to explain what cybercrime is and how the threats manifest. The report also outlines the ways in which cyber adversaries breach data security and provides details of four urgent alerts issued by the ACSC in 2014.
Organisations and their users will ultimately need to take greater responsibility for the security of their networks and information. The Threat Report urges businesses and individuals alike to educate themselves and take preventative measures in order to avoid being the next cybercrime statistic.
18. US Court upholds FTC's authority to pursue data breach enforcement actions
A US federal appellate court has affirmed the authority of the US Federal Trade Commission ("FTC") to bring civil enforcement suits against companies whose allegedly deficient cyber security policies fail to protect consumer data from cyber attacks (see FTC v Wyndham Worldwide Corp, et al., No. 14-3514 (3d Circuit 2015)).
In a case of first impression, the court found that certain companies' alleged failure to protect customer data from hackers, despite earlier public assurances that they had instituted several layers of data privacy measures, could constitute unfair business practices for which the FTC has regulatory, and enforcement, authority.
The ruling marks the first time that a federal appellate court has determined that the FTC has legal authority to sue companies that suffer a data breach for "unfair" business practices. Its authority having thus been validated, the FTC will surely now be emboldened to pursue enforcement actions in the data privacy arena with even greater vigour.
For further details, please see our eBulletin, available here.
19. US court ruling requiring Microsoft (US) to produce customer e-mails stored in EU receives appellate scrutiny
A US federal appellate court heard argument on 9 September 2015 in a closely-watched dispute between the US Government and Microsoft. The case arises from Microsoft's opposition to a search warrant obtained by US law enforcement authorities that sought production, in the United States, of Microsoft customer e-mails stored on a server in Ireland.
Microsoft contended on appeal that, just as US courts cannot issue search warrants for physical property located outside the US, such courts also lack authority to issue a warrant requiring seizure of electronic data where that data is physically stored outside the US. In contrast, US authorities, who seek the e-mails as part of a drug-trafficking investigation, argued that the warrant was valid because Microsoft can access, and otherwise has control over, the data in the US, such that no search or seizure would take place until Microsoft downloads the e-mails in its US offices.
Last year, a lower federal court rejected Microsoft's argument, ruling that the warrant was valid under the US Stored Communications Act. (Our contemporaneous analysis of that decision is available here.) A ruling from the US Court of Appeals for the Second Circuit is expected relatively soon, and may have important implications regarding the extent to which US authorities can reach data stored outside the US. This in turn may influence how personal data is handled and how US technology companies do business with non-US customers, particularly in the data storage and cloud arenas.
20. Individual US states take action to bolster cyber security
On 31 August 2015, governors from two states issued executive orders aimed at strengthening cyber security measures. California Governor Jerry Brown called for the creation of the California Cybersecurity Integration Center ("Cal-CSIC") under the state's Office of Emergency Services ("OES"). The new cyber security center will coordinate the government's cyber security activities and serve as an information sharing hub for local, state and federal agencies, tribal governments, utilities and other service providers, academic institutions and non-governmental organisations.
A Cyber Incident Response Team will also be established to serve as the primary unit in responding to cyber threats in California, and will assist law enforcement with cyber-related investigations. A spokesperson for the OES indicated that the executive order is aimed at strengthening communication between cyber-intelligence agencies and law enforcement to better prepare for and prevent future cybercrimes.
Similarly, Virginia Governor Terry McAuliffe asked the Virginia Information Technologies Agency ("VITA") to review the state's risk management stance and provide recommendations for strengthening the state's cyber security profile. The agency will be responsible for taking a complete inventory of all state systems and the associated data by 15 October 2015. This will include a determination of the sensitivity and criticality of the data systems, risk prioritisation, and development of a risk-based approach to enhance cyber defences.
The agency is also required to provide recommendations on strategies to strengthen cyber security profiles by 15 October 2015. Recommendations should include security audits and development of risk mitigation and remediation plans. A status report on the implementation of the strategies and associated plans is due to the Governor and the Secretaries of Technology and Finance by 1 October 2016.
It is anticipated that other states will follow suit, implementing their own cyber security infrastructure and regulations.
21. US and China engage in discussions regarding cyber security
Four days of cyber security meetings between senior Chinese and US officials concluded on 12 September 2015. According to a statement from the White House, US national security adviser Susan Rice had a "frank and open exchange about cyber issues" in her meetings with Meng Jianzhu, the secretary of the Central Political and Legal Affairs Commission of the Chinese Communist Party. A major Chinese newspaper also reports that an "important consensus" was reached during the meetings and both parties agreed that it is "vital" to cooperate in the fight against hacking and the theft of corporate secrets online.
These meetings precede a visit by Chinese President Xi Jinping later in September, during which cyber security issues will also be addressed. In fact, President Obama confirmed during a town hall speech on 11 September that he intends to discuss "some basic rules of the road" regarding cyber security practices. This is most likely in light of allegations that the Chinese government has been sponsoring or enabling hackers who have stolen billions of dollars' worth of data and undermined national security.
Insider sources report that the White House may also be considering economic sanctions against China as a response to the alleged cyberattacks. If so, this will be the administration's first use of an executive order passed this April that gave Obama the right to impose sanctions "on individuals or entities that engage in certain significant, malicious cyber-enabled activities." The focus of the order is on addressing activities that pose a significant threat to the national security, foreign policy, economic health or financial stability of the US.
22. Ashley Madison cyber attack continues to have repercussions
In July 2015, a group calling itself "The Impact Team" compromised the online dating website Ashley Madison. The Ashley Madison site specifically targeted married people, with the tag line "Life is short. Have an affair". It is run by Canadian company Avid Life Media, which operates a portfolio of similarly niche and controversial dating sites, including Cougar Life (for older women seeking younger men) and Established Men ("Connecting young, beautiful women with interesting men"). The hackers copied personal information about the site's user base, and threatened to release users' names and personally identifying information if Ashley Madison was not immediately shut down. On 18 and 20 August, the hackers then leaked more than 25 gigabytes of company data, including user details of approximately 36 million users. The hackers claim to have over 300GB of material in total, including users' photos and the entire source code of the site itself.
Since news of the breach broke, there have been a number of interesting developments. Ashley Madison had employed one of the more secure password hashing functions, bcrypt, to scramble the passwords in its database. However, since the source code of the site was available, an amateur password cracking group called Cynosure Prime was able to crack almost 12 million Ashley Madison passwords in a matter of weeks by exploiting errors in how the password hashing had actually been implemented. Interestingly, of the roughly 11.7m passwords used on the site, only 4.9m were unique. This shows how commonly users will use the same simple passwords for accessing sites.
Unsurprisingly, the breach has resulted in legal action. Multiple class-action lawsuits have been filed in the US and Canada, which in total are so far seeking over US$1 billion. The lawsuits argue that Ashley Madison failed to properly protect their clients' data.
At the time of writing, it is still not known who was behind the attack, and Avid Life Media have offered a CAN$500,000 reward to anyone providing information that leads to the identification, arrest, and prosecution of the person or persons responsible for the leak of the Ashley Madison database.
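Two items in this bulletin touch the same engineering point: the GCHQ guidance (item 6) tells system owners to use account lockout and protective monitoring and never to store passwords as plain text, and the Ashley Madison case (item 22) shows that choosing a strong hashing function such as bcrypt only helps if the surrounding implementation is right. The following is an added illustration written for this bulletin; it is not code from GCHQ, from Avid Life Media, or from any product mentioned above. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt (which needs a third-party package), stores each password as a salted, self-describing record, compares hashes in constant time, and wraps login in a lockout counter with a monitoring log. The `LoginGuard` class, its method names and the sample credentials are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Slow, salted key derivation. PBKDF2-HMAC-SHA256 stands in for bcrypt here
# (assumption for this example: the iteration count is a tunable cost factor).
KDF_ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = KDF_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different records, so one cracked hash does not reveal the others.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/cost and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


class LoginGuard:
    """Hypothetical login front-end: hashed storage, lockout and monitoring log."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.records = {}       # username -> password record (never plaintext)
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> unix time at which the lockout ends
        self.events = []        # protective-monitoring log: (time, username, event)
        # Unknown usernames are verified against this throwaway record so the
        # response time does not reveal which accounts exist.
        self.dummy_record = hash_password(os.urandom(16).hex())

    def register(self, username: str, password: str) -> None:
        self.records[username] = hash_password(password)

    def attempt(self, username: str, password: str, now: float = None) -> str:
        """Return "ok", "denied" or "locked" and append a monitoring event."""
        now = time.time() if now is None else now
        if self.locked_until.get(username, 0) > now:
            self.events.append((now, username, "rejected_locked"))
            return "locked"
        record = self.records.get(username)
        ok = verify_password(password, record if record else self.dummy_record)
        if ok and record is not None:
            self.failures[username] = 0
            self.events.append((now, username, "login_ok"))
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0
            self.events.append((now, username, "locked_out"))
            return "locked"
        self.events.append((now, username, "login_failed"))
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    guard.register("alice", "correct horse battery staple")  # constructed sample
    for pw in ("wrong", "wrong", "wrong", "correct horse battery staple"):
        print(pw, "->", guard.attempt("alice", pw))
    for event in guard.events:
        print(event)
```

The monitoring log is what turns a lockout from a nuisance into a detection signal: a burst of `login_failed` events across many usernames from one source is the pattern a protective-monitoring rule would alert on. The record format also carries its own cost parameter, so the iteration count can be raised later and old records re-hashed at next login without a flag day.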