Cyber Security - A legal perspective, Anthony Lee, 12 March 2014 (slide transcript)
Slide 1
Cyber Security - A legal perspective
Anthony Lee, 12 March 2014
Slide 2
OUTLINE
Cyber security in the news
The key legal considerations
On the horizon
Slide 3
IN THE NEWS
Prism, Dishfire and all that
High profile denial of service (DDOS) attacks
Sony Playstation platform hacked
Lulzsec hackers handed jail sentences
Cybercriminals using botnets to round up fridges
Hacker takes control of a Japanese smart toilet
Slide 4
THE PACE OF CHANGE
Cloud computing
Smart devices
Internet of Things / Machine to Machine (M2M)
Slide 5
THE LINES OF ATTACK
Organised crime
Cyber espionage
Hacktivism (mischievism)
Insider threat
Slide 6
THE KEY LEGAL CONSIDERATIONS
The law will always be playing catch up
Criminal laws
Civil laws
Changes in the pipeline
Slide 7
CRIMINAL LAWS
Computer Misuse Act 1990
Data Protection Act 1998
Fraud Act 2006
Slide 8
CIVIL LAWS
Confidentiality
Human Rights Act 1998
Data Protection Act 1998
Sector specific laws (e.g. financial services, health)
Slide 9
THE DATA PROTECTION ACT 1998
The eight data protection principles
Key definitions
Rights of data subjects
Enforcement / sanctions
Slide 10
THE DATA PROTECTION ACT CONTINUED
Data sharing
Data security
Data export
Slide 11
THE EIGHT PRINCIPLES
Personal data must:
Be processed fairly and lawfully (and in accordance with the fair processing conditions)
Be processed only for specified purpose(s)
Be adequate, relevant and not excessive
Be accurate and up to date
Be retained only for so long as is necessary
Be processed in accordance with the data subject's rights
Be kept secure
Not be transferred outside the EEA unless there is adequate equivalent protection
Slide 12
KEY DEFINITIONS
“data”
“personal data”
“sensitive personal data”
“data controller”
“data processor”
“data subject”
“processing”
Slide 13
PROCESSING INCLUDES
Obtaining data
Keeping / storing data
Organising data
Altering / adapting / combining data
Retrieving data
Using data
Disclosure of data
Blocking data
Destroying / erasing data
Slide 14
RIGHTS OF DATA SUBJECTS
Access to personal data
Stop damaging processing
Stop direct marketing
Object to automatic decisions
Correction / deletion
Compensation from the data controller
Request assessment by the ICO
Slide 15
ENFORCEMENT / SANCTIONS
Information Commissioner’s Office
Enforcement notices
Fines
Criminal offences
Failure to comply is an offence
Other laws / sanctions
Slide 16
DATA SHARING
Data sharing is a form of processing
First principle - process fairly and lawfully
Six conditions
Special conditions for sensitive personal data
Additional laws
Slide 17
DATA SECURITY
Seventh principle
Appropriate technical and organisational measures
Against unauthorised or unlawful processing of personal data
Against accidental loss, destruction of, or damage to, personal data
Arrangements with data processors / sub processors
Prevention is better than a cure
Slide 18
PREVENTION OF SECURITY BREACH
Robust processes and working practices
Security policy and staff training
Tight controls over access
Tracking unusual activity
Due diligence on suppliers / strong contracts
Slide 19
THE CULPRITS
Slide 20
WHAT TO DO IF THERE IS A BREACH OF DATA SECURITY
Notification of:
  Data subjects
  ICO
  Police
  Industry body
  Customers
Remedial action
Slide 21
DATA EXPORT
Eighth principle
Must not transfer outside EEA
Unless adequate level of protection in place
Approved countries
Contract / binding corporate rules
USA safe harbour / Patriot Act
Slide 22
CLOUD COMPUTING
Slide 23
THE CLOUD
Internet-based IT Services
Contractual arrangements / sub-contractors
Security (Seventh principle)
Location (Eighth principle)
Audit Rights
Slide 24
ACPO GUIDELINES ON DIGITAL EVIDENCE
Principle 1 - do not change data which may be used as evidence in court
Principle 2 - only a competent person should access the original data and give evidence
Principle 3 - maintain a clear audit trail of the processes used to analyse digital evidence
Principle 4 - the person in charge of the investigation has responsibility for ensuring the law and these principles are adhered to
Slide 25
COOKIES
Used by almost all websites
Downloaded onto the visitor's device
Can track habits and preferences
Session cookies / permanent cookies
Third party cookies
Informed consent required
Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)
Slide 26
WHAT IS ON THE HORIZON?
The draft General Data Protection Regulation
Proposal for a Network and Information Security Directive
Snooping laws and increased police powers
Slide 27
THE DRAFT DATA PROTECTION REGULATION
Heavier burden of compliance on controllers
Statutory obligations on processors
Data is personal if identifiable by any person (not just the controller), e.g. IP addresses
More onerous obligations in relation to data security (e.g. controller's veto over sub-processing)
Obligation to notify security breaches and inform individuals concerned
Slide 28
THE DRAFT DATA PROTECTION REGULATION (CONTINUED)
Where consent is required, it must be explicit
Legitimate interests condition preserved, but greater transparency
Regular data protection audits and privacy assessments
Increased fines - a percentage of global turnover
Slide 29
THE PROPOSED CYBER SECURITY DIRECTIVE
Will improve network and information security standards across the EU
Will require notification of potential security risks
Will require notification of actual incidents
Will enable a cooperation network between member states to share information
Slide 30
SQUARING UP TO THE CHALLENGE
The law needs updating
Technology will continue to outpace the law
Cyber security is on the map
Privacy by design
Slide 31
WRAP UP
Keep it secure
Keep it secure
Keep it secure
Slide 32
Thank you
Any questions?