Welcome to the third issue of our quarterly Digital Governance newsletter.

In our recent article, Inadequate cybersecurity contravenes AFSL obligations, we look at the landmark decision of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, in which the Federal Court incorporated agreed terms of settlement prior to a hearing to find that inadequate cybersecurity risk management systems and cyber resilience constituted a contravention of AFSL obligations under section 912A(1)(a) and (h) of the Corporations Act 2001 (Cth).

We have included our usual roundup of recent digital governance news* and developments in Australia and around the world:

AUSTRAC records 318% increase in reporting of suspicious activity

Measured over a five-year period ending 30 June 2021, the AUSTRAC CEO noted that there had been a 318% increase in the reporting of suspicious financial activity and a 63% increase in International Funds Transfer Instruction (IFTI) reports received.

IBM has released its 17th annual data breach costs report

IBM has confirmed that data breach costs have increased 13% from 2020 to 2022. Key takeaways include that breaches at organisations leveraging AI cost US$3.05 million less than at organisations missing these tools. IBM also noted that companies utilising extended detection technology saved an average of 29 days in breach response time.

USA

Aerojet Rocketdyne to settle allegations of cybersecurity violations

Aerojet Rocketdyne Inc has agreed to pay $9 million to settle claims that it misrepresented its compliance with cybersecurity requirements in US federal contracts. An employee of Aerojet, Brian Markus, filed a lawsuit under whistleblower provisions, entitling the employee to a portion of the settlement sum. US Attorney Philip Talbert commented that "The qui tam action brought by Mr. Markus is an example of how whistleblowers can contribute to civil enforcement of cybersecurity requirements through the False Claims Act."

Two laws passed for cybersecurity

The Biden Government has introduced two new cyber Bills aimed at assisting federal agencies. The Federal Rotational Cyber Workforce Program Act 2021 empowers cybersecurity professionals to work across multiple federal support agencies, hoping to bolster local government response. The State and Local Government Cybersecurity Act 2021 has been enacted to improve the coordination between Homeland Security and local governments on cybersecurity.

Draft American Data Privacy and Protection Act

The value of data continues to be a topic of discussion in the US. There have been multiple attempts in the US to introduce data privacy legislation. In June, Congress got a step closer to enacting the American Data Privacy and Protection Act, which, if introduced, calls for a national approach to how companies gather and store individuals' data.

EUROPE and UK

British NCSC issues recommendation to the Law Society and Bar Council to not pay ransoms

The British National Cyber Security Centre has communicated to the UK Law Society and Bar Council a request that practices affected by ransomware attacks not pay the ransom. This request comes off the back of a survey (as reported in this article by Lawyers Weekly) of 40 UK law firms, which indicated that 75% had been victims of a cyber attack, with bad actors making off with over £4 million in client funds.

EU laws seek to fortify critical sectors

Critical infrastructure continues to be at the forefront of legislation regarding cyber security. Following Australia enacting amendments to its own critical infrastructure legislation in December 2021, the EU is now taking steps to focus on and increase cyber security requirements for banks, the energy sector, telecommunications and transport with mandated audit cyber security response plans, reporting within 24 hours and prevention mechanisms.

Europeans face social media blackout

As a consequence of the Schrems decisions, the Irish Data Protection Commission informed the EU that it intends to push forward with blocking META, owner of Facebook, from operating within the EU, seeking to stem the flow of user data being sold to the US. Ireland is in charge of regulating META's data practices as the company's EU headquarters are in Dublin. The EU and US are discussing a new data-transfer agreement to allow the transfer of data across borders. Read more about the EU's General Data Protection Regulation in our 16 November 2020 article, Does the EU's General Data Protection Regulation have extra-territorial effect?

Data Protection - Stadler v Currys Group Ltd [2022] EWHC 160 (QB) (31 January 2022)

The case centred around personal information stored on a Smart TV that was put in for repair and a claim under Article 82, as supplemented by section 168 of the Data Protection Act 2018 UK for damages. Furthering the precedent set by Lloyd v Google, which requires evidence of pecuniary loss and distress for damages, the case discusses the evidentiary bar to claims for damages pursuant to the UK General Data Protection Regulation.

Data Breach - Smith & Ors v TalkTalk Telecom Group Plc [2022] EWHC 1311 (QB) (27 May 2022)

The High Court struck out the claim for misuse of private information following data breaches at TalkTalk in 2014 and 2015. The Court rejected the claim saying that an allegation of misuse of private information must be viewed as a matter of substance and practical reality. It is not enough that there was an omission.

HONG KONG

The Law Reform Commission of Hong Kong has issued a consultation paper covering 'Cyber-Dependent Crimes and Jurisdictional Issues', seeking to address the changing landscape of cybercrime in Hong Kong, particularly after Secretary for Justice v Cheng Ka Yee & 3 Others found that section 161 of the Crimes Ordinance did not have effect where someone is using their own computer or smartphone.

CRYPTOCURRENCY

G20 - Further crypto proposals expected

The Financial Stability Board is poised to make recommendations that may drastically alter current regulatory measures governing crypto assets in a report prepared for the G20 in October, which will address "regulatory and supervisory approaches to stable coins and other crypto-assets".

Consultation paper for proposed regulation and licensing for crypto assets

The Australian Federal Government released a consultation paper guiding its approach to the proposed licensing and regulation of crypto asset secondary service providers (CASSPrs). The paper addresses actual or perceived gaps in the current system and proposes licensing for all CASSPrs, as well as mandatory custody obligations to safeguard private keys held by CASSPrs.

NFTs

EU crackdown on NFTs

A lack of regulation for NFTs and other digital assets has been likened to the emergence of a digital wild west. EU regulators are poised to tackle this area in an effort to curb the rise of bad actors and money launderers by debating the inclusion of digital assets into the proposed MiCA (Markets in Crypto-Assets).

'MetaBirkins' lawsuit set to move ahead

The question of how trademark infringement operates within the world of NFTs is set to be considered in the case of Hermes International v Rothschild. Hermes sued Rothschild in January over his 'MetaBirkins', which feature Hermes' trademark Birkin bags as an NFT. Rothschild used the Birkin image without permission for a profit of over $1 million.

World's largest NFT marketplace suffers a data breach

OpenSea, the world's largest NFT marketplace with more than 1.5 million customers, has warned of phishing attacks after a data breach by a third party exposed user email addresses. An employee of OpenSea's email company Customer.io downloaded and shared email addresses with an unidentified third party.

Cryptoverse: The bonfire of the NFTs

Analytics from OpenSea show a mere $700 million in sales this June, down from January's peak of nearly $5 billion. With the NFT market collapsing alongside cryptocurrencies, to which it is explicitly linked, uncertainty looms over its future.