
Cyber Security- A legal perspective Anthony Lee 12 March 2014



Presentation Transcript


  1. Cyber Security- A legal perspective Anthony Lee 12 March 2014

  2. OUTLINE • Cyber security in the news • The key legal considerations • On the horizon

  3. IN THE NEWS • Prism, Dishfire and all that • High profile denial of service (DDOS) attacks • Sony Playstation platform hacked • Lulzsec hackers handed jail sentences • Cybercriminals using botnets to round up fridges • Hacker takes control of a Japanese smart toilet

  4. THE PACE OF CHANGE • Cloud computing • Smart devices • Internet of Things / Machine to Machine (M2M)

  5. THE LINES OF ATTACK • Organised crime • Cyber espionage • Hacktivism (mischievism) • Insider threat

  6. THE KEY LEGAL CONSIDERATIONS • The law will always be playing catch up • Criminal laws • Civil laws • Changes in the pipeline

  7. CRIMINAL LAWS • Computer Misuse Act 1990 • Data Protection Act 1998 • Fraud Act 2006

  8. CIVIL LAWS • Confidentiality • Human Rights Act 1998 • Data Protection Act 1998 • Sector specific laws (e.g. financial services, health)

  9. THE DATA PROTECTION ACT 1998 • The eight data protection principles • Key definitions • Rights of data subjects • Enforcement / sanctions

  10. THE DATA PROTECTION ACT CONTINUED • Data sharing • Data security • Data export

  11. THE EIGHT PRINCIPLES Personal data must: • Be processed fairly and lawfully (and in accordance with the fair processing conditions) • Be processed only for specified purpose(s) • Be adequate, relevant and not excessive • Be accurate and up to date • Be retained only for so long as is necessary • Be processed in accordance with the data subject’s rights • Be kept secure • Not be transferred outside the EEA unless there is adequate equivalent protection

  12. KEY DEFINITIONS • “data” • “personal data” • “sensitive personal data” • “data controller” • “data processor” • “data subject” • “processing”

  13. PROCESSING INCLUDES • Keeping / storing data • Altering / adapting / combining data • Obtaining data • Blocking data • Disclosure of data • Destroying / erasing data • Organising data • Using data • Retrieving data

  14. RIGHTS OF DATA SUBJECTS • Access to personal data • Stop damaging processing • Stop direct marketing • Object to automatic decisions • Correction / deletion • Compensation from the data controller • Request assessment by the ICO

  15. ENFORCEMENT / SANCTIONS • Information Commissioner’s Office • Enforcement notices • Fines • Criminal offences • Failure to comply is an offence • Other laws / sanctions

  16. DATA SHARING • Data sharing is a form of processing • First principle - process fairly and lawfully • Six conditions • Special conditions for sensitive personal data • Additional laws

  17. DATA SECURITY • Seventh principle • Appropriate technical and organisational measures • Against unauthorised or unlawful processing of personal data • Against accidental loss, destruction of, or damage to, personal data • Arrangements with data processors / sub processors • Prevention is better than a cure

  18. PREVENTION OF SECURITY BREACH • Robust processes and working practices • Security policy and staff training • Tight controls over access • Tracking unusual activity • Due diligence on suppliers / strong contracts

  19. THE CULPRITS

  20. WHAT TO DO IF THERE IS A BREACH OF DATA SECURITY • Notification • Data subjects • ICO • Police • Industry body • Customers • Remedial action

  21. DATA EXPORT • Eighth principle • Must not transfer outside EEA • Unless adequate level of protection in place • Approved countries • Contract / binding corporate rules • USA safe harbour / Patriot Act

  22. CLOUD COMPUTING

  23. THE CLOUD • Internet-based IT Services • Contractual arrangements / sub-contractors • Security (Seventh principle) • Location (Eighth principle) • Audit Rights

  24. ACPO GUIDELINES ON DIGITAL EVIDENCE • Principle 1 - do not change data which may be used as evidence in court • Principle 2 - only a competent person should access the original data and give evidence • Principle 3 - maintain a clear audit trail of the processes used to analyse digital evidence • Principle 4 - person in charge of the investigation has responsibility for ensuring the law and these principles are adhered to

  25. COOKIES • Used by almost all websites • Downloaded onto visitor’s device • Can track habits and preferences • Session cookies / permanent cookies • Third party cookies • Informed consent required • Privacy and Electronic Communications Regulations 2003 (as amended)

  26. WHAT IS ON THE HORIZON? • The draft General Data Protection Regulation • Proposal for a Network and Information Security Directive • Snooping laws and increased police powers

  27. THE DRAFT DATA PROTECTION REGULATION • Heavier burden of compliance on controllers • Statutory obligations on processors • Data personal if identifiable by any person (not just the controller) e.g. IP addresses • More onerous obligations in relation to data security (e.g. controller's veto over sub-processing) • Obligation to notify security breaches and inform individuals concerned

  28. THE DRAFT DATA PROTECTION REGULATION • Where consent is required, it must be explicit • Legitimate interests condition preserved, but greater transparency • Regular data protection audits and privacy assessments • Increased fines - a percentage of global turnover

  29. THE PROPOSED CYBER SECURITY DIRECTIVE • Will improve network and information security standards across the EU • Will require notification of potential security risks • Will require notification of actual incidents • Will enable a cooperation network between member states to share information

  30. SQUARING UP TO THE CHALLENGE • The law needs updating • Technology will continue to outpace the law • Cyber security is on the map • Privacy by design

  31. WRAP UP • Keep it secure • Keep it secure • Keep it secure

  32. Thank you Any questions?

  33. Contact details: Anthony Lee Partner Mobile: 07802 283990 Email: anthonylee@bdb-law.co.uk
