We are more interconnected than ever before. The internet is no longer just a way to stay connected, informed and involved; it is an integral part of daily life, whether you are using online banking or receiving an electricity supply, and our reliance on technology keeps increasing. Businesses also take advantage of the opportunities for economic development that come with greater use of information technology and internet connections, both locally and overseas. For all its advantages, however, increased connectivity brings an increased risk of crime, which makes cyber security an important issue worldwide.
Cyber security is a particularly important issue for retailers. Australian retailers will soon face the challenges posed by cyber crime, which is growing rapidly across the globe.
Cybercrime covers two categories: crimes committed directly against computers and systems, and the use of technology to facilitate traditional crimes (eg, fraud, scams and harassment). Crimes in the first category are often referred to as high tech crime.
High tech crime offences are defined in Commonwealth legislation in Part 10.7 (Computer Offences) of the Criminal Code Act 1995 (Cth) and include:
• Computer intrusions (eg, malicious hacking);
• Unauthorised modification of data (eg, destruction of data);
• Denial of service (DoS) attacks;
• Distributed denial of service (DDoS) attacks using botnets; and
• The creation or distribution of malicious software (eg, viruses, worms, trojans).
Target US
US retailer Target was the victim of one of the biggest payment card breaches on record, with almost 110 million people affected.
The breach began in November 2013 and ran for 19 days over the peak Thanksgiving holiday shopping season, resulting in the theft of around 40 million payment card records and a further 70 million records containing customer data.
After the attack, sales dropped significantly and Target began a major public relations effort to apologise to customers.
Sony Playstation
In January 2013, the UK Information Commissioner's Office fined Sony £250,000 (A$377,017) for failing to prevent the 2011 attack on its PlayStation Network, which put millions of users' personal information at risk, including names, addresses, birth dates and account passwords.
The regulator found that the attack could have been prevented if the software had been kept up to date and passwords had been adequately secured.
In a class action over the breach, the court held that claimants needed to show they had actually suffered damage.
In May 2011, Sony estimated its losses from the attacks at around US$171 million.
The legal position: Australia
Commonwealth and state and territory laws provide legislative sanctions against computer crimes.
In November 2012, Australia acceded to the Council of Europe Convention on Cybercrime (CE Convention). The CE Convention came into force for Australia on 1 March 2013, as did Australia's new cyber crime law, the Cybercrime Legislation Amendment Act 2012 (Cth).
One aim of that law is to give Australia's law enforcement and intelligence agencies the power to compel carriers to preserve the communications records of persons suspected of cyber-based crimes.
The law also expands the scope of existing Commonwealth cyber crime offences and facilitates international cooperation between parties to the CE Convention through cross-border sharing of communications records.
Businesses in Australia may owe a general duty of care to consumers to protect their data. From 12 March 2014, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Amending Act) imposes new obligations on the private sector.
The key reforms in the Amending Act are:
• A single set of Australian Privacy Principles (APPs), replacing the National Privacy Principles that previously applied to the private sector;
• Accountability for overseas disclosures: an entity that discloses personal information to an overseas recipient is, with limited exceptions, responsible for any breach of the APPs by that recipient; and
• Enhanced powers for the Australian Information Commissioner to investigate, make determinations, accept enforceable undertakings, require apologies and compensation payments and, in cases of serious or repeated interference with privacy, seek civil penalties of up to $1.7 million for a body corporate.
Note that the Amending Act does not make data breach notification mandatory. A scheme requiring entities to notify the Commissioner and affected individuals of serious data breaches, with power for the Commissioner to direct notification or grant exemptions, was proposed in the Privacy Amendment (Privacy Alerts) Bill 2013, but that Bill lapsed when Parliament was dissolved for the 2013 election. Until such a scheme is enacted, notification remains voluntary, guided by the Office of the Australian Information Commissioner's data breach notification guide.
Obligations of retailers
The Australian Privacy Principles (APPs) require businesses to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11).
The Commissioner has the power to apply to the Federal Court for civil penalty orders for serious or repeated breaches of the APPs.
Under APP 8, a business that discloses personal information to an overseas recipient must also take reasonable steps to ensure the recipient does not breach the APPs in relation to that information. Proper management of the information, including its storage, requires the business to take steps to influence the practices of the third party. In practice this usually means requiring the recipient to contract with the business to handle the personal information in accordance with the APPs, and then monitoring compliance with that contractual obligation.
Alternatively, a business may rely on one of two exceptions:
(a) The business reasonably believes the recipient is subject to a law or binding scheme that protects personal information in a way that is substantially similar to the APPs, and the individual can access mechanisms to enforce that protection; or
(b) The business has expressly informed the individual (ie, the customer) that: (i) the management of personal information disclosed to the recipient will not be governed by the Privacy Act 1988 (Cth) (Act); and (ii) the individual will not have recourse under the Act for a breach of their privacy (including a breach of the APPs); and (iii) the individual has then consented to the disclosure.
Businesses should consider revising the privacy clauses in any agreements with overseas entities to ensure that any breach of the APPs will be remedied.
Given the nature of the subject matter (ie, confidential information), contractual remedies should include both pecuniary and non-pecuniary measures. Compliance with the APPs is much broader than simply protecting against unauthorised disclosure.
Therefore, privacy obligations and data management issues should be dealt with in appropriate detail and distinguished from the management of confidential information more generally (which often focuses on use and disclosure and usually doesn’t impose specific requirements regarding storage and protection of information).
Australian businesses also have a separate and distinct obligation to ensure the personal information they collect, store, use and disclose is protected from unauthorised access, alteration, interference, amendment and disclosure:
• Contracts with third party data storage providers should be scrutinised to ensure the organisation's agents comply with the Act.
• We recommend establishing incident reporting procedures and periodic critical review of policies, protocols and procedures.
Protecting your company
It is crucial to take appropriate internal steps, and to establish processes and procedures, to ensure your business provides appropriate security for any personal data it holds.
Suspected breaches should be identified and escalated to someone within the organisation who is responsible for compliance with the privacy laws (eg, a data privacy officer). When a breach occurs, the affected data and individuals must be identified, the risk of harm assessed and any notification requirements met. To protect your business from internal and external data theft:
• Secure your business by undertaking a risk analysis. Consider what data your business holds (eg, the personal and financial details of customers), how sensitive that data is, where and how it is stored and who has access to it.
• Keep software up to date by installing current patches: unpatched programs are exposed to attacks that exploit known vulnerabilities. Ensure that remote access and wireless services are secured, and disable remote access where it is not required.
• Reduce the risk of internal data breaches by creating individual user accounts for all staff, so management can control access to data and attribute activity on the network to a specific person. Employee accounts should be prevented from installing software or changing system settings, and access to data should extend only to what each employee needs to perform his or her role.
• Consider installing software that disables USB ports, or that monitors and restricts copying of data to USB devices, to prevent inadvertent or intentional data theft.
• Develop clear policies for staff so all employees are aware of the protocols for accessing or using sensitive data. Take the policies seriously and ensure there are consequences for breaches of them.
• Report any incident to the police and request an investigation. You should also report the incident to CERT Australia.
• Finally, consider taking out a cyber insurance policy to protect yourself.
Protecting your website
Many ways exist to protect your company website. You should contact your internet service provider or web hosting provider for more information.
To a certain degree, companies can combat potential wrongdoers via technology, however, it’s impossible to block all unauthorised access.
Companies should employ certain best practices to put them in the best position possible to take advantage of legal remedies should they become the target of a harmful attack.
Best practices include:
• Incorporating well drafted terms and conditions of use on your website
• Incorporating an instruction expressly telling scrapers and others with malicious intent to keep out; and
• Sending cease and desist letters to known violators, enclosing your website terms and conditions of use.
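The keep-out instruction in the second point is conventionally a robots.txt file, which a site publishes to tell crawlers which paths they may not fetch. The following is an added example, not code from the original article or from Cornwall Stodart: it shows a constructed robots.txt for a hypothetical retailer and how a well-behaved crawler evaluates it using Python's standard urllib.robotparser. The site paths and the bot name PriceScraperBot are invented for illustration. The caveat that matters for the legal position is that robots.txt is advisory only: nothing in it technically blocks a scraper that ignores it, but it is a clear record that the site owner refused automated access, which is what the terms and conditions and the cease and desist letters rely on.

```python
"""Added example (not from the original article): a robots.txt keep-out
instruction and how a well-behaved crawler checks it. Paths and bot names
are constructed for illustration."""
import urllib.robotparser

# Constructed robots.txt for a hypothetical retailer site. The wildcard
# group applies to every crawler; the named group tells one specific
# scraper to stay off the whole site.
ROBOTS_TXT = """\
# Automated access is subject to the site terms and conditions of use.
User-agent: *
Disallow: /account/
Disallow: /checkout/
Disallow: /api/

User-agent: PriceScraperBot
Disallow: /
"""


def load_rules(text: str) -> urllib.robotparser.RobotFileParser:
    """Parse robots.txt text (already fetched) into a rule set."""
    rules = urllib.robotparser.RobotFileParser()
    rules.parse(text.splitlines())
    return rules


def may_fetch(rules: urllib.robotparser.RobotFileParser,
              user_agent: str, path: str) -> bool:
    """What a compliant crawler asks before requesting a path.

    The check is voluntary: nothing here stops a non-compliant client,
    it only tells a polite one whether the owner objects.
    """
    return rules.can_fetch(user_agent, path)


def audit(rules, requests):
    """Classify (user_agent, path) requests as allowed or refused, e.g. when
    reviewing server logs for access the owner had already refused."""
    return [(ua, path, may_fetch(rules, ua, path)) for ua, path in requests]


if __name__ == "__main__":
    rules = load_rules(ROBOTS_TXT)
    for ua, path, ok in audit(rules, [
        ("Googlebot/2.1", "/products/shoes"),
        ("Googlebot/2.1", "/account/orders"),
        ("PriceScraperBot/1.0", "/products/shoes"),
    ]):
        print(f"{ua:20} {path:20} {'allowed' if ok else 'refused by robots.txt'}")
```

Run against a site's real robots.txt (fetched with the parser's own `set_url` and `read` methods), the same `audit` function can be pointed at web server logs to list requests that a scraper made in defiance of the published instruction, which is the evidence a cease and desist letter would cite.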
Available legal remedies
If preventative measures fail, website owners do have legal options:
• An action for breach of contract, based on your website's terms and conditions of use; and
• Other remedies (eg, copyright infringement where copyrighted content has been taken).
Additionally, perpetrators of cyber crimes are likely to have committed criminal offences under Part 10.7 of the Criminal Code Act 1995 (Cth), which prohibits unauthorised access to a computer or computer network and unauthorised modification or destruction of data.
In Larkin v The Queen [2012], two men installed malware on the computer network of the Department of Health. The software was designed to give the two men (the appellants) undetected remote access to the network.
The trial judge found the men had breached the Criminal Code and sentenced them to terms of imprisonment.
The impact
It is essential to put these preventative measures in place, because a breach damages customers' trust.
Many companies, not only Target and Sony, have faced public relations crises after attacks overseas. Cyber attacks and other cybercrimes will soon reach Australian shores, if they have not already.
Nearly every company is exposed to cyber risk. Attacks are increasing in frequency, sophistication and scale, and they are pervasive across industries and geographical boundaries, so addressing and mitigating cyber risk is top of mind for companies globally.
Amid this increased exposure, businesses need legal assistance in handling security breaches and preventing future cyber security threats.
It is timely for all Australian companies, including retailers, to become more aware of cyber risks and of how they can prevent cyber crime from affecting their own businesses and customers.
For more information on how cyber security can affect your business, please contact John Hutchings, partner, corporate and commercial at Cornwall Stodart on (03) 9608 2245 or j.hutchings@cornwalls.com.au, or Jacinta Atkinson, associate, commercial litigation, on (03) 9608 2107 or j.atkinson@cornwalls.com.au.
This article first appeared in the Inside Retail Magazine February/March 2014 edition.