Emerging legal and regulatory risks

Size: px

Start display at page:

Download "Emerging legal and regulatory risks"

Laura West
5 years ago
Views:

1 Emerging legal and regulatory risks Presentation for AusCERT2016 Matthew Pokarier and Ben Di Marco

2 Structure Regulatory risks Third-party liability Actions by affected individuals Actions by banks and other financial institutions Actions by shareholders What you can do? 1

3 ASIC as a cyber risk regulator November 2014 Boards should also be alive to the risk of a cyber-attack. - ASIC Chairman, Greg Medcraft March 2015 Release of report 429 Cyber Resilience: Health Check. August 2015 ASIC s Corporate Plan emphasis on cyber resilience and gatekeepers. March 2016 Assessment report on the cyber resilience of ASX and Chi- X companies. 2

4 ASIC s good practices from Report 468 Board engagement Conduct periodic reviews of cyber strategy and educate board members about cyber resilience Third-party risk management Develop risk-based assessment methods to ensure third-party providers comply with security standards Cyber awareness and training Board driven cultural focus on cyber, including the development of organisation-wide training programs and conducting random staff testing Implementing the Australian Signal Directorate s top four strategies These include application whitelisting, patch applications, patch operating system vulnerabilities, and restricting admin privileges 3

5 Office of the Australian Information Commissioner (OAIC) OAIC generally enforces the Privacy Act 1988 (Cth) Regulates how personal information is handled by government and private sector organisations OAIC has investigated a number of breaches, and issued guidelines to assist organisations in responding to a breach Also has the power to: Commence own motion investigations into breaches of the Act Conduct a privacy performance assessment Direct an agency to give the OAIC a privacy impact assessment Handle privacy related disputes and complaints Recent increase in the number of determinations made by the OAIC 4

6 The Privacy Act 1988 and the Australian Privacy Principles (APP) APP 6.1 An APP entity holding personal information about an individual can only use or disclose the information for the particular purpose for which it was collected. APP 11.1 An APP entity must take reasonable steps to protect personal information: a) from misuse, interference and loss; and b) from unauthorised access, modification or disclosure. APP 11.2 An APP entity must take reasonable steps to destroy personal information or ensure it is identified if it no longer needs the information for any purpose for which it may be used or disclosed under the APPs. 5

7 Scope of the APP and the Privacy Act Applies to APP entities, being most entities with more than $3 million in annual turnover and some smaller businesses What is personal information? Section 6 : personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or rggsdllnot. Under section 5B the Privacy Act s jurisdiction extends to an act done or practice engaged in which has an Australian link HW and Freelancer International Pty Ltd [2015] AICmr 86 6

8 Applying the APP When is personal information disclosed in breach of APP 6.1? First State Super Trustee Corporation Own Motion Investigation Third party intrusion is not a disclosure Telstra Corporation Ltd Own Motion Investigation (2012) Making information accessible can be a disclosure What are reasonable steps under APP 11.1 and 11.2? What is reasonable depends upon (amongst other things) the resources available to that organisation, and the type information they hold Cupid Media Pty Ltd Own Motion Investigation Adobe Systems Software Ireland Ltd Own Motion Investigation 7

9 Penalties for breaching the Privacy Act The Office of the Privacy Commissioner can: 1. Order the respondent to take specified steps within a specified period to ensure that such conduct is not repeated or continued 2. Make a determination requiring the payment of compensation for damages or other remedies 3. Accept an enforceable undertaking 4. Seek civil penalties of up to (or apply for civil penalty orders of up to) $340,000 for individuals and $1.7m for companies 5. Seek an injunction regarding conduct that would contravene the Privacy Act 8

cycle may impact on this timing Over 40 industry submissions have now been received Draft legislation applies

10 Mandatory data breach notification in Australia Federal Government has released an exposure draft to introduce a mandatory data breach notification regime Proposing to pass the legislation by the end of 2016, election cycle may impact on this timing Over 40 industry submissions have now been received Draft legislation applies to APP entities, all credit reporting bodies, credit providers and organisations that utilise tax file information 9

11 When must you notify? When there are reasonable grounds to believe that there has been a data breach that will result in a real risk of harm Notification must be made as soon as practicable Investigations must be completed within 30 days of when the breach should have been identified The penalty provisions under the Privacy Act apply for breaches of the notification regime Maximum penalty is $340,000 for individuals and $1.7m for companies 10

12 How does an APP entity provide notification? Requires notification to both individuals and the regulator Notification should include: A description of the breach Information about the type of personal information involved Steps the company has taken Recommendations for individuals to mitigate any loss Contact details for information and assistance 11

APRA and ASX APRA has published guides relating to cyber issues, however they are limited mainly to outsourcing and the use of cloud providers APRA recently indicated they would be

13 APRA and ASX APRA has published guides relating to cyber issues, however they are limited mainly to outsourcing and the use of cloud providers APRA recently indicated they would be conducting a thematic review of superannuation funds cyber security Debate as to whether a cyber event would enliven the continuous disclosure obligations under the ASX listing rules 12

14 Breach at Home Depot litigation case study Home Depot compromised from April to September 2014 Approx 56 million unique payment card records and 53 million addresses stolen Intruders used a vendor s username and password to enter Home Depot s network and deploy custom malware on self-checkout systems In September 2015 Home Depot recorded US $63,000,000 in expenses related to the data breach 13

15 Litigation against Home Depot Financial Institution Claims Following the breach Home Depot faced: 22 financial institution class actions; Consumer Claims 35 consumer class actions; 7 US regulatory inquiries; and Regulatory Action 1 shareholder derivative action. 14

16 Home Depot litigation consumer claims Financial Institution Claims Consumer Claims Regulatory Action Class action seeking damages for fraud, mitigation costs, personal injury damages, aggravated damages, costs and equitable remedies Alleged Home Depot relied on outdated security measures, failed to notify customers, violated Federal and State laws and engaged in unfair business practices Home Depot paid US $19.5 M to settle the litigation 15

17 Home Depot litigation financial institution claims Regulatory Action Financial Institution Claims Brought by over 50 banks and credit unions Alleges negligence, failure to adopt adequate security standards and breaches of the PCI DSS Total damage estimated to be over US $250 M Consumer Claims 16

18 Home Depot litigation regulatory action Consumer Claims Regulatory Action Subject to investigations by the US House and Senate, the New York State Attorney General and a multistate group of Attorneys General Speculation US FTC will also investigate Financial Institution Claims 17

19 US data breach litigation by the numbers 2/230 Plaintiff wins in court 3x Decrease in likelihood of litigation if credit monitoring was provided 3.7% Proportion of data breaches litigated 6 times Increase in likelihood of litigation if financial information was compromised 52% Percentage of litigation settled 5.3 mil Average number of records compromised Adapted from analysis by Romanosky, Hoffman and Acquisti (2014) of 1,772 US data breaches. 18

20 Claims by individuals in Australia Aspects of Australia s negligence law is more favourable to plaintiffs Wider acceptance of when organisations owe a duty to protect third parties against pure economic loss Australian class action procedure is easier to satisfy as there only needs to be one substantial common issue between the plaintiffs Some challenges for plaintiffs however Proving negligence what reasonable steps should an organisation take? Proving causation what events lead to the identity fraud? Litigation is more likely where there is evidence of widespread fraud, or some physical harm resulting from a breach Mandatory data notification laws will increase the likelihood of claims 19

21 Claims by financial institutions in Australia FIs in Australia will incur the same losses as their US counter parts and will be motivated to pursue recovery Claims are likely to succeed where contractual remedies are available More unclear where negligence actions could succeed Are losses suffered by FIs too remote? Does public policy support a duty of care extending to FIs? Moderate risk of these claims in Australia 20

22 Shareholder actions in Australia Shareholder actions are more likely to succeed in Australia Growing signs Australia will accept fraud on the market Strong regulatory focus by ASIC highlighting directors role in cyber security Reasoning in cases like Centro support duties extending to cyber security Some risks however: It is not settled whether data breaches affect share prices Plaintiffs will have difficulty obtaining leave for derivative actions under section 236 of the Corporations Act 2001 We expect to see cautious development of these claims 21

23 Indemnification litigation Growing focus on the potential for actions against third parties to recover financial losses associated with a breach Limited case law but see Cotton Patch Cafe, Inc. v. Micros Sys where a server containing malicious software was installed and allowed hackers to access credit card data Future cases are likely to be against: Technology suppliers Service providers Interconnected venders 22

24 Response strategies - privilege Plaintiffs have demanded disclosure of forensic and internal documents prepared after data breaches (Target and Genesco) The test to establish privilege is Australia is the Dominant Purpose Test difficult to satisfy as during investigation there will be competing priorities, and purposes for why documents are created For organisations a privilege strategy should also be developed with solicitors to manage both third parties and internal documents that are generated 23

25 Response strategies - insurance Specialist Cyber Insurance Products and market developing in Australia to manage the losses caused by data breaches Traditional policies such as Property Damages, Crime, General Liability, Professional Indemnity and D&O may also respond to a breach Key insurance issues to consider: Sub-limits Retroactive dates Employee conduct exclusions Losses caused by third parties Disclosure provided on the company s information security 24

26 Conclusion International trends demonstrate growing legal risk for organisations that suffer data breaches particularly where financial and sensitive information is compromised Australia law is developing and there are signs litigation is likely to arise in the coming years Companies best protection is to ensure they are aware of current regulatory obligations and put in place good risk management and incident response systems 25

Contacts Matthew Pokarier Partner T: +61 (7) 3234 3001 E: matthew.pokarier@clydeco.com Benjamin Di Marco Senior Associate T: +61 (7) 3234 3009 E: ben.dimarco@clydeco.

He has extensive experience before the Supreme Court of Queensland and the Federal Court of Australia.

27 Contacts Matthew Pokarier Partner T: +61 (7) E: Benjamin Di Marco Senior Associate T: +61 (7) E: Matthew acts for Australian and international clients involved with the insurance, construction and financial services industries. He has extensive experience before the Supreme Court of Queensland and the Federal Court of Australia. He has also advised directors, corporations and insurers involved in commissions of inquiry and investigations by regulatory bodies. Ben Di Marco specialises in dispute resolution and acts in complex litigation on behalf of insurers, financial service providers, healthcare institutions and technology companies. Ben regularly presents on topics including cyber liability, insurance coverage and consumer law. 26

28 27

Cyber breaches: are you prepared?

Cyber breaches: are you prepared? Presented by Michael Gapes, Partner Overview What is cyber crime? What are the risks and impacts to your business if you are a target? What are your responsibilities do