Developments in Security Regulation
Patrick Fair, Partner, ITC and Data Security Specialist, Baker & McKenzie
Agenda
- Introduction
- PM&C Cyber Security Review
- Mandatory Data Retention legislation: overview
- Telecommunications Sector Security Reform: overview
- Questions and discussion
About Baker & McKenzie: our global reach
Baker & McKenzie covers the world over. With our expansive global footprint, our clients tell us they rely on our ability to provide a deep level of local expertise while ensuring a global perspective on their business and legal needs.
Baker & McKenzie facts:
- 77 offices in 47 countries
- More than 4,200 lawyers admitted to practice in over 250 jurisdictions and fluent in 75+ languages
We are in markets that matter:
- 37 of the world's 50 largest economies
- 13 of the top 15 global financial centres
- 12 of the 15 most resource-rich markets
Geographic initiatives:
- Africa: drawing upon our global Africa expertise, regional African offices and long-standing local counsel relationships, we are able to service our clients across the entire African continent.
- Asia: in addition to our decades on the ground in key jurisdictions across Asia, we have well-established initiatives to support clients on projects and opportunities in India.
Security and Data Breach Specialists
- policies and contracts
- legal advice and guidance
- remedial action:
  o preliminary discovery to identify the intruder
  o civil search and seizure to recover the evidence
  o preparation of a briefing to law enforcement
  o civil action to recover damages
Patrick Fair, Partner, ITC and data security specialist, +61 2 8922 5534, patrick.fair@bakermckenzie.com
Paul Forbes, Partner, Dispute resolution and security specialist, +61 2 8922 5346, paul.forbes@bakermckenzie.com
Australian Government Cyber Security Infrastructure (version 2.2, April 2015; please advise corrections/developments to Patrick.Fair@bakermckenzie.com)
[Organisational chart; layout not reproduced in text. Legend: person / body / program or forum; red = reporting line; blue = education; bodies outside the Commonwealth marked separately.]
Bodies and programs shown on the chart:
- Prime Minister; Department of the Prime Minister and Cabinet (Cyber Security Policy); Inspector-General of Intelligence and Security; Office of National Assessments; Independent National Security Legislation Monitor
- Ministers and departments: Finance Minister and Department of Finance (Australian Government Information Management Office); Communications Minister and Department of Communications; Attorney-General and Attorney-General's Department (Communications Access Coordinator); Defence Minister and Department of Defence; Foreign Affairs Minister and Department of Foreign Affairs
- Security and law-enforcement bodies: Australian Signals Directorate, Cyber Security Operations Centre, Australian Cyber Security Centre, ASIO, ASIS, Defence Intelligence Organisation, Australian Geospatial-Intelligence Organisation, Australian Crime Commission, AFP (ThinkUKnow), CrimTrac, Commonwealth DPP, CERT Australia, TISN, OnSecure
- Regulators and programs: ACMA (Australian Internet Security Initiative, Cybersmart, Spam, Protect Yourself Online); Stay Smart Online / Alert Service; Easy Guide to Socialising Online; Online Safety; Children's e-Safety Commissioner; Budd:e Cybersecurity Education; NBN; OAIC (APP 11, Guide to Securing Personal Information); ASIC (Report 429, Cyber resilience: Health check); ACCC (Scamwatch)
- ACORN (Australian Cybercrime Online Reporting Network), with participants listed as all Australian police agencies, ACC, Attorney-General's Department, ANZ Policing Advisory Agency, ACCC, ACMA and CrimTrac
- Industry: CA Codes (icode); education and awareness raising; Family Friendly Filter; CREST (Aust) Ltd, the Council of Registered Ethical Security Testers
- States and Territories: law and justice agencies; policy limits
- International: OECD Working Party on Information Security and Privacy; APEC Cyber Security Study and Security and Prosperity Working Groups; International Telecommunication Union; Asia Pacific CERT; ASEAN Forum; East Asia Summit
PM&C Cyber Security Review
A review of Australia's cyber security policies and strategies.
Panel of experts comprising:
o Jennifer Westacott, CEO of the Business Council of Australia;
o John Stewart, Chief Security and Trust Officer at Cisco Systems in the United States;
o Mike Burgess, Chief Information Security Officer at Telstra; and
o Dr Tobias Feakin, Director of the International Cyber Policy Centre at the Australian Strategic Policy Institute.
Report to be delivered mid-2015.
Anticipated outcomes
- Update the Government's cyber security priorities;
- Provide a view on the cyber threats and risks Australia faces;
- Clarify the Government's role in cyber security for Australia, including how this contributes to the protection of critical infrastructure;
- Describe how Government and industry can best team up to defend ourselves jointly from those who want to harm us in cyber space;
- Outline an improved approach to Australia's engagement with international cyber security forums, to further Australia's interests and cement our leadership on cyber security; and
- Recommend practical initiatives to improve Australia's cyber security, for Government consideration.
Mandatory Data Retention
Amendments primarily to the Telecommunications (Interception and Access) Act 1979 (TIA Act), and also to the Telecommunications Act 1997 (Telco Act) and other Acts.
The TIA Act currently:
- requires a warrant to intercept a communication or to access a stored communication;
- permits an extensive and open-ended list of enforcement agencies to access metadata by notice, without a warrant;
- does not require any metadata to be retained.
What is metadata?
Specified by s 187AA. The subject headings are:
- the subscriber of, and accounts, services, devices and other relevant services relating to, the relevant service;
- the source of a communication;
- the destination of a communication;
- the date, time and duration of a communication;
- the type of a communication, or of the service used;
- the location of the equipment or line used, by reference to the communication session (web browsing history is excluded).
The obligation applies whether or not the information is currently retained. It does not apply to services provided only to a person's immediate circle, or only to persons in the same place, unless the Minister declares otherwise.
What is required?
- Retained information must be kept for two years; subscriber and account information must be kept until two years after the relevant account is closed.
- All retained metadata must be encrypted.
- The requirement comes into force six months from the date of Royal Assent (13 April 2015), i.e. from 13 October 2015.
- A longer implementation period, and exemptions or variations, may be permitted if an Implementation Plan is lodged.
Who is subject to the requirement?
- Licensed carriers and carriage service providers;
- Internet service providers as defined in Schedule 5 of the Broadcasting Services Act 1992;
- Any person operating a service that has been declared by the Minister to be subject to the law;
provided that they own or operate in Australia any line or equipment used to facilitate communications across the telecommunications network that enables the service.
Who can get access?
- An enforcement agency, if access is reasonably necessary for the enforcement of the criminal law.
- An intelligence agency (ASIO), if the disclosure is in connection with the performance by the agency of its functions.
- The data subject, under the Privacy Act 1988.
The range of enforcement agencies that may access metadata is reduced, but the Minister has power to declare additional agencies.
Financial assistance to carriers and ISPs
The Commonwealth may make a grant of financial assistance to assist a service provider in complying with the requirements. Terms and conditions are to be set out in a written agreement.
Journalists
Notices cannot be issued in relation to particular persons who are journalists, or the employers of journalists, if:
- the purpose would be to identify someone known or reasonably believed to be a source; and
- a journalist information warrant (JIW) is not in force.
A JIW can be issued if the public interest in issuing the warrant outweighs the public interest in the confidentiality of the identity of the source, having regard to certain matters.
Journalist information warrants
- For an intelligence agency, a JIW can be issued by the Minister, by certain other Ministers, or by the head of the agency if the Minister is not available.
- For an enforcement agency, a JIW can be issued by a legal officer or judge appointed by the Minister.
- When deciding whether to issue a JIW, certain matters must be had regard to, including the submissions of a Public Interest Advocate.
- It is a crime to disclose the application for, currency, expiry or absence of a JIW (penalty: 2 years' imprisonment).
Use of metadata in civil cases
The Telco Act is amended so that the Part 13 prohibition on use and disclosure continues to apply to metadata even where disclosure is required or authorised by a subpoena, notice of disclosure or order of a court in civil proceedings. But only if:
- the information is kept solely for the purpose of complying with the TIA Act retention obligation; and
- the information is not used or disclosed for any purpose other than a mandatory data retention purpose.
Also of interest
- Oversight of the law-enforcement agencies by the Commonwealth Ombudsman.
- Some review of JIWs by the PJCIS.
- The list of Ministerial discretions is long, covering who is subject to the law and what the law covers, but each declaration is limited to 40 sitting days, by which time the Minister should have been able to propose legislative change.
- Mandatory data breach notification is to be introduced before the end of 2015.
Also in the wind
- Legislation implementing Telecommunications Sector Security Reform (TSSR) is expected any day.
- The Greens have given notice of an intention to propose an onshore ("on soil") storage requirement for all retained data.
- On 19 March ASIC released Report 429, Cyber resilience: Health check.
- A consultation is also underway in relation to s 313 of the Telco Act.
TSSR compliance challenges
- Investment planning: building in the concepts of "competent supervision" and "effective control".
- Impacts: notification obligations, time periods, uncertainty, and effects on program design (e.g. turnkey projects).
- Governance: comparison between the old informal process and the proposed new formal process of liaison with AGD.
About Patrick Fair, Partner, ITC and Data Security Specialist
Email: patrick.fair@bakermckenzie.com
Phone: +61 2 8922 5534
Questions and discussion