Lecture 03 - Legal, Ethical & Professional-3
A lawsuit against Zurich Insurance Group has been launched by Mondelez in a bid
to seek a reported $100 million in damages after an insurance claim was not paid
out in relation to a NotPetya cyberattack.
Source: NotPetya and Act of War
Five senior executives, including the CEO, were fined for their role in
Singapore's most serious security breach, which compromised personal data of 1.5
million SingHealth patients. In addition, two employees were sacked in relation to the
breach. A team lead and the incident response manager were found to be negligent.
Source: Employees sacked, CEO fined in SingHealth security breach
Law and Ethics in Information Security
Introduction to IT
Legal and Ethical issues
Security Management
We’ll come back to this later in the unit. “Oh, we’re on the detour?”
What is a policy?
Dissemination (Distribution)
Review (Reading)
Comprehension (Understanding)
Compliance (Agreement)
Uniform (Enforcement)
Legislation and Law
International
Around the world…
Europe
• A Directive on attacks against information systems (2013) to tackle large-scale
cyber-attacks
• A Directive on combating the sexual exploitation of children online and child pornography
(2011) addresses new developments in the online environment (grooming:
offenders posing as children to lure minors for the purpose of sexual abuse)
• ePrivacy Directive (2002): providers of electronic communications services must
ensure the security of their services and maintain the confidentiality of client
information
• Framework Decision on combating fraud and counterfeiting (2001) of non-cash
means of payment, which defines the fraudulent behaviours that EU States need to
consider as punishable criminal offences
• General Data Protection Regulation (GDPR)
USA (so, so many laws... see textbook!)
General Data Protection Regulation - GDPR
High tech crime offences are defined in Commonwealth legislation within Part 10.7 -
Computer Offences of the Criminal Code Act 1995.
These include:
computer intrusions e.g. malicious hacking
unauthorised modification of data, including destruction of data
denial-of-service (DoS) attacks
distributed denial of service (DDoS) attacks using botnets
the creation and distribution of malicious software, e.g. viruses, worms, and trojans.
In Australia, each State and Territory has its own legislated computer-related offences
(similar to the Commonwealth legislation).
Australia’s Cybercrime Legislation Amendment Act 2012…
Cybercrime Legislation Amendment Act 2012
Aims to:
• empower Australia's law enforcement and intelligence agencies
to compel carriers to preserve the communication records of
persons suspected of cyber-based crimes
• facilitate international cooperation through the cross-border
sharing of communication records
• address data preservation, access to stored
communications, international co-operation, and cybercrime
offences
Telecommunications (Interception and Access)
Amendment (Data Retention) Act 2015
The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 amends:
• Telecommunications (Interception and Access) Act 1979
• Telecommunications Act 1997
Its purpose is to establish procedures for law enforcement officers to obtain warrants, emergency
authorisations and tracking device authorisations for the installation and use of surveillance devices in
relation to criminal investigations.
• A separate new power is to be inserted in the Surveillance Devices Act 2004 to give agencies the ability to
search electronic devices and access content on those devices.
• These warrants are distinct from surveillance device warrants whereby agencies will be allowed to use
software to monitor inputs and outputs from devices.
• Investigators would be able to enter a premises, access devices, copy data (or take the device themselves)
and conceal their tracks.
• The warrants can be issued by either a judge or “AAT [Administrative Appeals Tribunal] members”.
Identity-Matching Services Bill 2019
Aims to facilitate the secure, automated exchange of identity information between the federal, state
and territory governments to meet the objectives of the Intergovernmental Agreement on
Identity Matching Services (IGA).
Under the IGA, the Commonwealth and all states and territories agreed to preserve or introduce
legislation to support the collection, use and disclosure of facial images and related identity
information among the entities via a set of identity matching services, in order to support national
security and reduce terrorism and crime.
Aims to amend the Surveillance Devices Act 2004, the Crimes Act 1914 and associated legislation.
Introduces:
• a data disruption warrant which enables the AFP and the ACIC to access data on one or more computers
and perform disruption activities for the purpose of frustrating the commission of criminal activity;
• a network activity warrant to enable the AFP and the ACIC to collect intelligence on criminal networks
operating online;
• an account takeover warrant to allow the AFP and the ACIC to take over a person's online account for the purposes
of gathering evidence of criminal activity; and
• minor amendments to the controlled operations regime, to ensure controlled operations can be conducted
effectively in the online environment.
Other legislation
Extradition (Cybercrime) Regulation 2013: implements Australia's extradition obligations under the Council of Europe
Convention on Cybercrime
The Privacy Act is Australian law that regulates the handling of personal
information about individuals.
The Privacy Act includes thirteen Australian Privacy Principles (APPs). The APPs set
out standards, rights and obligations for the handling, holding, use, access and
correction of personal information (including sensitive information).
There are exemptions to the Privacy Act:
• Most small businesses do not need to comply if their annual turnover is less than $3
million
• Local councils
• State or territory governments
• Various government agencies
Privacy – Australian Privacy Principles
The 13 APPs are contained in Schedule 1 of the Privacy Act 1988.
APP 1 — Open and transparent management of personal information
• Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly
expressed and up to date APP privacy policy.
APP 2 — Anonymity and pseudonymity
• Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited
exceptions apply.
APP 3 — Collection of solicited personal information
• Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the
collection of ‘sensitive’ information.
APP 4 — Dealing with unsolicited personal information
• Outlines how APP entities must deal with unsolicited personal information.
Privacy – Australian Privacy Principles
Agencies and organisations regulated under the Australian Privacy Act (1988) need
to comply with a recent amendment, the Notifiable Data Breach (NDB) Scheme,
in force since February 22, 2018.
The NDB scheme sets out obligations for notifying affected individuals and the
Office of the Australian Information Commissioner (OAIC) about a data breach that could result in
serious harm to an individual.
Serious harm can be psychological, emotional, physical, reputational, or other forms of harm. Deciding whether
serious harm could occur requires an evaluation of the context of the data breach, for instance, unauthorised access to
sensitive medical data or financial information.
OAIC https://www.oaic.gov.au
Optus Breach
The Office of the Australian Information Commissioner (OAIC) is the independent national regulator for
privacy and freedom of information in Australia. The OAIC's stated role is to uphold rights to access government-held
information and to ensure personal information is protected.
Compromised customer data includes names, dates of birth, phone numbers, email addresses, and, for a
subset of customers, addresses and ID document numbers such as driver's licence or passport numbers.
The complaint alleges that Optus breached privacy laws by failing to adequately protect the personal
information of its current and former customers.
International Law and Australia ….
Telecommunications Legislation Amendment (International Production Orders) Bill 2020
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has commenced a review into the
effectiveness of the Bill.
The Bill aims to amend the Telecommunications (Interception and Access) Act 1979 to:
• provide a framework for Australian agencies to obtain independently-authorised international production orders for
interception, stored communications and telecommunications data directly to designated communications
providers in foreign countries with which Australia has a designated international agreement
• amend the regulatory framework to allow Australian communications providers to intercept and disclose electronic
information in response to an incoming order or request from a foreign country with which Australia has an
agreement
• make amendments contingent on the commencement of the proposed Federal Circuit and Family Court of Australia
Act 2020; and
• remove the ability for nominated Administrative Appeals Tribunal members to issue certain warrants.
• Maintain the privacy and confidentiality of information obtained in the course of their duties
unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate
parties
• Maintain competency in their respective fields, and agree to undertake only those activities
that they can reasonably expect to complete with professional competence
• Inform appropriate parties of the results of work performed, revealing all significant facts
known to them
• Support the professional education of stakeholders in enhancing their understanding of
information systems security and control
ISSA also promotes a code of ethics, similar to those of (ISC)2, ISACA, and the ACM,
“promoting management practices that will ensure the confidentiality, integrity, and
availability of organizational information resources.”
Source: Management of Information Security, 5th Edition - © Cengage Learning
Major IT Professional organisations