Security Regulatory Framework


Published on

Presentation to University of South Australia IT Security Research Winter School 2011

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Of all the trends currently shaping the ICT sector, Cloud Computing has the greatest potential to change the way we live, work and interact Before it was the largest corporations or government agencies that can afford high performance infrastructure or sophisticated applications Now, we can exploit a wide range of online functionality; academics and researchers can access the platforms they need to perform highly complex computations; and companies of all sizes can utilise systems and platforms in a cost effective manner Before it was the largest corporations or government agencies that can afford high performance infrastructure or sophisticated applications
  • Requirement to produce a document              (1)  If, under a law of the Commonwealth , a person is required to produce a document that is in the form of paper, an article or other material, that requirement is taken to have been met if the person produces, by means of an electronic communication , an electronic form of the document, where:                      (a)  in all cases--having regard to all the relevant circumstances at the time of the communication, the method of generating the electronic form of the document provided a reliable means of assuring the maintenance of the integrity of the information contained in the document; and   (b)  in all cases--at the time the communication was sent, it was reasonable to expect that the information contained in the electronic form of the document would be readily accessible so as to be useable for subsequent reference; and                      (c)  if the document is required to be produced to a Commonwealth entity , or to a person acting on behalf of a Commonwealth entity , and the entity requires that an electronic form of the document be produced, in accordance with particular information technology requirements , by means of a particular kind of electronic communication --the entity's requirement has been met; and                      (d)  if the document is required to be produced to a Commonwealth entity , or to a person acting on behalf of a Commonwealth entity , and the entity requires that particular action be taken by way of verifying the receipt of the document--the entity's requirement has been met; and                      (e)  if the document is required to be produced to a person who is neither a Commonwealth entity nor a person acting on behalf of a Commonwealth entity --the person to whom the document is required to be produced consents to the production, by means of an electronic communication , of an electronic form of the document.
  • Proprietary and Confidential
  • Proprietary and Confidential
  • Microsoft will buy internet phone service Skype for the grand total of US$8.5 billion Buying Skype gives Microsoft access to a user base of people who log in to Skype every month, using the Internet and Skype usernames as a complement to the traditional phone network and its phone numbers Shares of social network LinkedIn more than doubled in price after launching on the New York Stock Exchange in a tech stock feeding frenzy reminiscent of the infamous dot-com boom. Shares of the online professional social networking company closed at $US94.25, 109 per cent above their $US45 initial public offering price. They rose as high as $YS121.97, in their first day of trading LinkedIn brings together people online to cultivate and manage their careers and business networks. It has more than 100 million members in over 200 countries and territories, with 44 million in the United States -SMH May 20, 2011
  • Our laws today are essentially geographical and tied to national interests and boundaries
  • Given that the internet is not bound by geographical boundaries, the issue of offshore transfers of personal information has special relevance to cloud computing. EU Data Protection Directive generally restrict the transfer of personal data to a country outside the European Union (EU) unless certain requirements are met: the other country ensures an 'adequate' level of data protection; the parties have an appropriate contractual relationship; or the individual has given consent Australian Privacy Act does not meet the EU “adequate level of protection” , primarily because of the small business, employee records and direct marketing exceptions European Union’s Data Protection Directive offers an example of the importance of location on legal rights and obligations
  • Data is never anywhere, but always somewhere
  • Complexity arises where “data is in motion” as it winds its way across the internet transitioning through a number of servers located in different countries – which countries’ laws apply? conflict of laws may occur
  • Risks assessment include the specific arrangements underlying the services offered the service provider the location from which the services are to be provided criticality and sensitivity of the IT assets involved Also Example - Commonwealth of Australia Government Contract for IT Services expressly prohibits suppliers from transmitting or storing their customer data outside of Australia
  • Draft revised privacy legislation The Australian Government's draft legislative changes, reflecting its response to the ALRC's privacy inquiry, are currently being considered by the Senate Finance and Public Administration Committee with a final reporting date of 1 July 2011. The draft legislation is to be released and subject to the Committee's scrutiny in 4 stages: The Australian Privacy Principles provisions (released June 2010) Credit reporting provisions Health and research provisions Provisions relating to the powers of the privacy powers of the Australian Information Commissioner
  • Cover Report “Protecting the Brand …” "IP's new role in the knowledge economy“ Asia Today International April/May 2011
  • Security Regulatory Framework

    1. 1. Anthony Wong MACS CP President, Australian Computer Society Chief Executive, AGW Consulting
    2. 2. About Australian Computer Society (ACS) <ul><li>Founded in 1966, over 19,000 members </li></ul><ul><li>The recognised association for those working in ICT in Australia </li></ul><ul><li>ACS is a strong advocate on advancement of professional excellence of ICT, skills and its proper use </li></ul><ul><li>The ACS plays an active role in developing Australia’s ICT workforce ensuring it stays highly skilled and globally competitive by: </li></ul><ul><ul><li>Certifying ICT professionals </li></ul></ul><ul><ul><li>Accrediting Australia’s University ICT courses </li></ul></ul><ul><ul><li>Developing world-class post graduate education </li></ul></ul><ul><ul><li>Providing professional development and networking opportunities to members </li></ul></ul><ul><ul><li>Conducting research and policy development </li></ul></ul>
    3. 3. Cloud Computing <ul><li>Potential to transform the way we live, work and interact </li></ul><ul><li>Shapes the ICT sector and </li></ul><ul><li>the way enterprises provide </li></ul><ul><li>and use IT services </li></ul><ul><li>Helps to level the playing </li></ul><ul><li>field by minimising up-front </li></ul><ul><li>investment in technology </li></ul><ul><li>Changes business agility through “pay-as-you-use” for access to bandwidth and technology functionality </li></ul>
    4. 4. Examples of Cloud Computing Source: NBN Co
    5. 5. Reasons for adopting cloud computing <ul><li>Outsource services to cloud suppliers </li></ul><ul><li>Ability to up and down scale when required </li></ul><ul><li>Reduction of internal technical support constraints </li></ul><ul><li>Outsource technical management </li></ul><ul><li>Provide more options and flexibility </li></ul><ul><li>Deployment and adoption </li></ul><ul><li>of new technologies </li></ul><ul><li>Access to special expertise </li></ul><ul><li>Desire to reduce costs </li></ul>
    6. 6. Security Regulatory Framework of Cloud Computing <ul><li>Cloud computing as a new sourcing and delivery model, shares many common legal issues with existing delivery models, but poses new legal challenges: </li></ul><ul><ul><ul><ul><li>Recent Security Incidents </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Data protection, rights and usage </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Protection of Electronic Information </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Security Regulatory Framework including </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Cybercrime </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Privacy and security </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Cross-border issues </li></ul></ul></ul></ul></ul>
    7. 7. Recent Security Incidents
    8. 8. Phone-hacking scandal <ul><li>The 168 year history of the British tabloid News of the World has ended with a phone-hacking scandal that has shocked even the most hardened of media analysts </li></ul><ul><li>Prime Minister David Cameron hinted that more heads would roll, saying that there had been “some illegal and utterly unacceptable practices at the News of the World and possibly elsewhere” </li></ul><ul><li>Alleged that employees routinely made payments to police officers, believed to total more than £100,000 ($A148,000) for information </li></ul>SMH Raphael Satter July 10, 2011
    9. 9. Phone-hacking scandal <ul><li>News Corp and directors could facing prosecution under Regulation of Investigatory Powers Act 2000 (UK), which outlaws interception of communications </li></ul><ul><ul><li>where the offence was committed with their “consent or connivance” or was “attributable to any neglect on their part” </li></ul></ul>SMH Dominic Rushe and Jill Treanor July 10, 2011
    10. 10. Telecommunications not to be intercepted <ul><ul><li>Section 7(1) Telecommunications (Interception) Act 1979 (Cth): </li></ul></ul><ul><ul><li>A person shall not: </li></ul></ul><ul><ul><ul><li>intercept; </li></ul></ul></ul><ul><ul><ul><li>authorize, suffer or permit another person to intercept; or </li></ul></ul></ul><ul><ul><ul><li>do any act or thing that will enable him or her or another person to intercept; a communication passing over a telecommunications system </li></ul></ul></ul>
    11. 11. Distribute.IT hacked <ul><li>In June 2011 cyber-attack on and subsequent collapse of Melbourne hosting company, Distribute.IT </li></ul><ul><li>Hacker disabled and permanently wiped the contents of four key servers </li></ul><ul><li>Customers lost several years of transactional and customer information since they were backups of data </li></ul><ul><li>Concept of legal responsibility in the law of negligence may develop to new social conditions and standards </li></ul>
    12. 12. Half of second-hand mobile phones contain personal data <ul><li>Private personal data remains on discarded mobile phones, with intimate photos and credit card numbers and pins </li></ul><ul><li>Half of 50 handsets bought from second-hand resellers on eBay contained personal messages or photos, according to exclusive research from the mobile and forensics experts Disklabs </li></ul><ul><li>&quot;Data is more portable, more accessible, more widely disseminated and more numerous than ever before,&quot; said Ferguson. &quot;We tend to place our faith in the technology that we use to access our data, we believe that when we hit delete the data is gone, and we believe that if we restrict the audience we share with that the data will not go any further. These beliefs are often misplaced - as that story testifies.&quot; </li></ul>SMH October 13, 2010 - 11:56AM
    13. 13. Evidence from recovered data
    14. 14. Legal risk and admissibility of electronic documents and records <ul><li>critical to establish a thorough records management system </li></ul><ul><li>necessary to provide documentary evidence if there is a business dispute </li></ul><ul><li>also to satisfy statutory requirements regarding the retention of records </li></ul><ul><li>are electronic documents sufficient? </li></ul>
    15. 15. <ul><li>Section 48 Australian Evidence Act 1995 (Cth) –original document rule (Best Evidence Rule) abolished and copies are as good as the originals but must keep evidence of integrity of process used to produce the copy </li></ul><ul><li>Best Evidence Rule expunged in Federal, ACT, Tasmania, Victoria and NSW </li></ul><ul><li>Generally, Australian Electronic Transactions Act 1999 (Cth) production of documents– Section 11 </li></ul><ul><ul><li>Requirement to produce a document is met if the person produces an electronic form of the document provided the conditions that a reliable means of assuring the integrity and ready accessibility and useability for subsequent reference are met </li></ul></ul>Electronic Evidence
    16. 16. Canberra on alert for WikiLeaks <ul><li>WikiLeaks to release classified diplomatic cables </li></ul><ul><li>Leak will include millions of classfied documents </li></ul><ul><li>Cables could be about War in Iraq, Guantanamo </li></ul><ul><li>Saudi king urged US to attack Iran </li></ul><ul><li>WikiLeaks reveals Iraqi torture, deaths </li></ul><ul><li>WikiLeaks: China directed Google hacking </li></ul>The Australian November 26, 2010
    17. 17. Sony PlayStation Network user data stolen <ul><li>77 million electronic records compromised from Sony Electronics' PlayStation Network between April 17 and April 19 2011 </li></ul><ul><li>Breach of accounts with names, addresses, email address, birthdates, usernames, passwords, logins, security questions and other personal data </li></ul><ul><li>credit card details encrypted but not personal data </li></ul>
    18. 18. Other Recent Social Media controversies <ul><li>Collection and use of private data by corporations like Google and Facebook </li></ul><ul><li>Increasing public concern about changes to Facebook's privacy settings - for making it difficult for users to put limits on how far the information they upload is shared </li></ul><ul><li>Google's collection of wireless connection data it gathered while compiling images for its Street View service </li></ul><ul><li>Government plans to monitor web users’ internet communications </li></ul>
    19. 19. Data protection, rights and usage <ul><li>Monetisation of Data Assets – is this the new currency of the future? </li></ul><ul><li>Customer participation and information/data are valuable assets, for example: </li></ul><ul><ul><li>Recent sale of Skype (400+ million users) for $8.5 billion </li></ul></ul><ul><ul><li>Doubling of LinkedIn’s (100+ million members) share price </li></ul></ul><ul><ul><li>Successful b usiness models including Facebook and other social media companies </li></ul></ul>
    20. 20. Protection of Electronic Information <ul><li>The increased efficiency, capacity of computers and the interconnectivity of computer systems especially with the Internet has allowed easier access to electronic information </li></ul><ul><li>Electronic information is now pervasive if not vital for the essential operation of a modern day organisation </li></ul><ul><li>IT Departments have increasing accountability for integrity and consistency of information within the organisation </li></ul><ul><li>To secure information effectively, it needs to be secured from all perceivable threats </li></ul>
    21. 21. Protection of Electronic Information From Unauthorised Access From Unauthorised Use & Disclosure From Interception From Piracy & Copying From Unauthorised Modification (alteration, deletion or addition)
    22. 22. Impact of the Misuse of Electronically Stored Information Has a range of consequences that depends on the sensitivity and nature of the information Cybercrime
    23. 23. Protection of Electronic Information Using Technical & Physical Means & Security Standards
    24. 24. Protection of Electronic Information Using Regulatory Framework
    25. 25. Protection of Electronic Information Using Privacy Laws Using Technical & Physical Means Using Common Law Using Copyright & Other IP Laws Using Cybercrime Telecommunication Interception Spam Laws
    26. 26. Security Regulatory Framework <ul><li>There is no global ‘Law of Cyberspace’ or ‘Law of the Internet’, however, i n Australia, there are a number of specific laws that apply: </li></ul><ul><ul><li>Cybercrime Act 2001 (Cth) </li></ul></ul><ul><ul><li>Telecommunications (Interception) Act 1979 (Cth) </li></ul></ul><ul><ul><li>Spam Act 2003 </li></ul></ul><ul><ul><li>Privacy Act 1988 & Privacy Amendment (Private Sector) Act 2000 (Cth) </li></ul></ul><ul><ul><li>Electronic Transactions Acts </li></ul></ul><ul><ul><li>Copyright Amendment (Digital Agenda) Act 2000 (Cth) - intellectual property </li></ul></ul>
    27. 27. Cybercrime Legislation <ul><li>There are at least 13 Federal Acts which have some relevance to cybercrime </li></ul><ul><li>States and territories have their own legislation which is not uniform, either in offence provision or in penalties </li></ul><ul><li>The State and Territory offences apply within each jurisdiction and Commonwealth offences target unlawful access to Commonwealth computers and data, and offences committed using a telecommunications service or carrier </li></ul><ul><li>The main legislation includes Cybercrime Act 2001 (Federal) and Crimes Amendment (Computer Offences) Act 2001 (NSW) </li></ul>
    28. 28. Cybercrime Legislation <ul><li>Generally, the Australian provisions make it an offence for a person to do or attempt to do the following: </li></ul><ul><ul><ul><li>unauthorised access to a computer system </li></ul></ul></ul><ul><ul><ul><li>unauthorised access or modification of data </li></ul></ul></ul><ul><ul><ul><li>impairment of electronic data and communication </li></ul></ul></ul><ul><ul><ul><li>impeding access to computers; and </li></ul></ul></ul><ul><ul><ul><li>possession of data with intent to commit serious offence </li></ul></ul></ul>
    29. 29. Spam Act 2003 <ul><li>Australian Spam Act 2003 came into effect 11 April </li></ul><ul><li>An article covering “The impact of Australia's anti-spam legislation” is available from the ZDnet website on,39023749,39116020,00.htm </li></ul>
    30. 30. Privacy Regulatory landscape <ul><li>Privacy Regulatory landscape in Australia presents a fractured and imperfect picture. It is a mixture of: </li></ul><ul><ul><li>Legislation e.g. the Privacy Act 1988 (Cth) and the Privacy Amendment (Private Sector) Act 2000 (Cth) </li></ul></ul><ul><ul><li>Equitable and common law duties regarding confidential information </li></ul></ul><ul><ul><li>State privacy legislation (State laws) and health privacy laws </li></ul></ul><ul><ul><li>Security and Information Management Standards and Practices </li></ul></ul><ul><ul><li>Other Codes of Conduct, Industry Standards and Guidelines </li></ul></ul>
    31. 31. Australian Federal Privacy Laws <ul><li>The Privacy Act 1988 (Cth) sets out 11 Information Privacy Principles (IPPs) protects privacy of person dealing with the Federal Government </li></ul><ul><li>It has also been extended to regulate the way private sector organisations can collect, use, keep secure and disclose personal information stored whether electronic or not </li></ul><ul><li>It only protects “Personal Information” and NOT Commercial Information </li></ul>
    32. 32. Australian wide Private Sector Privacy Laws <ul><li>There are 10 National Privacy Principles (NPPs) of application in the private sector: </li></ul><ul><ul><li>NPP 1 – collection, the purpose of collection, that the person can get access to their personal information </li></ul></ul><ul><ul><li>NPP2 – the use and disclosure of personal information </li></ul></ul><ul><ul><li>NPP 3 –data quality </li></ul></ul><ul><ul><li>NPP 4 – data security; where reasonable steps to protect personal information from misuse and loss and unauthorised access, modification or disclosure </li></ul></ul><ul><ul><li>NPP 5 – openness </li></ul></ul><ul><ul><li>NPP 6 – access and correction </li></ul></ul><ul><ul><li>NPP 7 – prohibit the use of Federal government identifiers in the private sector eg. Tax File Number </li></ul></ul><ul><ul><li>NPP 8 – anonymity </li></ul></ul><ul><ul><li>NPP9 – the transfer of data to another country </li></ul></ul><ul><ul><li>NPP 10 – the use and disclosure of sensitive information (about individual racial, political or religious beliefs, health, membership etc) </li></ul></ul>
    33. 33. Australian wide Private Sector Privacy Laws <ul><li>The following are more pertinent to the “Protection of Electronic Information”: </li></ul><ul><ul><li>NPP2 – the use and disclosure of personal information </li></ul></ul><ul><ul><li>NPP 4 – data security; where reasonable steps to protect personal information from misuse and loss and unauthorised access, modification or disclosure </li></ul></ul><ul><ul><li>NPP 7 – prohibit the use of Federal government identifiers in the private sector eg. Tax File Number </li></ul></ul><ul><ul><li>NPP9 – the transfer of data to another country </li></ul></ul><ul><ul><li>NPP 10 – the use and disclosure of sensitive information (about individual racial, political or religious beliefs, health, membership etc) </li></ul></ul>
    34. 34. Cross-border issues <ul><li>Different levels of Data Privacy laws worldwide challenges trans-border dataflow across countries </li></ul><ul><li>Lack of consistency in privacy laws worldwide makes monitoring compliance and assessing risk difficult and expensive </li></ul><ul><li>Privacy Act 1988 National Privacy Principles(NPP) 9 (Transborder Data Flows) regulates transfers of personal information by an organisation to offshore location by permitting such transfers if: </li></ul><ul><ul><li>the organisation reasonably believes that the recipient is subject to a law, scheme or contract which upholds similar principles </li></ul></ul><ul><ul><li>the individual consents to the transfer </li></ul></ul><ul><ul><li>the transfer is necessary for the performance of the contract between the individual and the organisation or for the benefit of the individual </li></ul></ul>
    35. 35. Cross-border issues <ul><li>In a dispute or a conflict situation, which country’s court system will settle the dispute? </li></ul><ul><ul><li>Location of servers could trigger local laws even in the non-presence of cloud provider or customer in the locality </li></ul></ul><ul><ul><li>Local laws may override contractual agreements between cloud provider’s and customers </li></ul></ul><ul><ul><li>Location of servers may not be apparent from the provider’s terms of service </li></ul></ul><ul><ul><li>Consider the situation where Data may be stored in multiple locations (countries) at the same time </li></ul></ul><ul><ul><li>When do conflicts of laws occur? </li></ul></ul>
    36. 36. Cross-border issues <ul><li>Data stored in the U.S. is subject to U.S. law, for example: </li></ul><ul><ul><ul><li>US Patriot Act – US government’s authority extends to compel disclosure of records held by cloud providers </li></ul></ul></ul><ul><ul><ul><li>Mutual Assistance Treaty between US and Australia allows respective law enforcement agencies to gain access to data in the other jurisdiction in certain circumstances </li></ul></ul></ul>
    37. 37. Cross-border issues <ul><li>Jurisdiction is dependent on the sovereignty of a government </li></ul><ul><ul><li>Concept of jurisdiction evolved in relation to geographical boundaries or territories </li></ul></ul><ul><ul><li>Premise that each state or country has absolute power to control persons and things located within its boundaries or territories </li></ul></ul><ul><li>Internet challenges these territorially based principles </li></ul><ul><li>The law in regards to jurisdiction in cyberspace is unsettled </li></ul>
    38. 38. <ul><ul><ul><li>Consider Case Scenario: </li></ul></ul></ul><ul><ul><ul><li>Identifying the location of the offence/breach </li></ul></ul></ul><ul><ul><ul><li>Identifying the location where the harm resulted (e.g. victim’s location or computer’s location) </li></ul></ul></ul><ul><ul><ul><li>Deciding which sovereign nation and court should have jurisdiction over the dispute </li></ul></ul></ul>Cross Border Jurisdiction Issues Customer and User Server breached & compromised
    39. 39. Cross-border issues <ul><li>In order for a court to adjudicate in a case, the court must have authority over: </li></ul><ul><li>the subject matter in dispute ( subject matter jurisdiction ); and </li></ul><ul><li>parties before the court ( personal jurisdiction ) </li></ul>
    40. 40. Security Regulatory Framework for the Cloud <ul><li>Legal requirements for organisations to consider: </li></ul><ul><ul><li>Have you reviewed your corporate governance and industry regulation requirements? </li></ul></ul><ul><ul><li>Are you able to comply with mandatory disclosures and financial reporting? </li></ul></ul><ul><ul><li>Are there special standards and compliance for your industry? </li></ul></ul><ul><ul><li>Can you comply with data retention requirements and </li></ul></ul><ul><ul><li>eDiscovery request during litigation? </li></ul></ul><ul><ul><li>Burden is on you to understand your compliance obligations </li></ul></ul>
    41. 41. Security Regulatory Framework for the Cloud <ul><li>Example of regulated industry </li></ul><ul><ul><li>Financial services companies must first notify Australian Prudential Regulatory Authority (APRA) of data offshore transfer </li></ul></ul><ul><ul><li>Financial services companies to demonstrate appropriate risk management and governance procedures where potential to compromise: </li></ul></ul><ul><ul><ul><li>a financial institution’s ability to continue operations and meet core obligations, following a loss of cloud computing services </li></ul></ul></ul><ul><ul><ul><li>confidentiality and integrity of sensitive (e.g. customer) data/information </li></ul></ul></ul><ul><ul><ul><li>compliance with legislative and prudential requirements </li></ul></ul></ul>
    42. 42. Privacy and security <ul><li>Businesses are ultimately responsible for the protection of data/information that is stored and/or processed in the cloud </li></ul><ul><li>Management must maintain assurance that the security of the cloud service provider is adequate for their purpose: </li></ul><ul><ul><li>Privacy Act 1988 National Privacy Principle 4 (Data Security) provides that an organisation must &quot;take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure” </li></ul></ul>
    43. 43. Privacy and security <ul><li>Not all types of cloud services raise the same privacy and confidentiality risks: </li></ul><ul><ul><li>Review your supplier’s security policies and procedures – do they meet your requirements? Evaluate the risks </li></ul></ul><ul><ul><li>Risks vary with the terms of service and privacy policy established by your provider </li></ul></ul><ul><ul><li>Can your cloud provider change the terms and policies at will? </li></ul></ul><ul><ul><li>Do you have to comply with privacy legislation restricting processing and transfer of data offshore? </li></ul></ul><ul><ul><li>Should your agreement restricts services and data storage to agreed locations? </li></ul></ul><ul><ul><li>What are the rights of the supplier to operate in other locations? </li></ul></ul><ul><ul><li>Define the scope of your confidential information – which will vary depending on the nature of your business </li></ul></ul>
    44. 44. Privacy and security <ul><li>Things to consider: </li></ul><ul><ul><li>Whose privacy policy will apply at different stages of the data transfer? </li></ul></ul><ul><ul><li>What security mechanisms are in place to manage data transfers between parties? </li></ul></ul><ul><ul><li>What are the consequences of security and privacy breaches? </li></ul></ul><ul><ul><li>How will you know if there is a breach? </li></ul></ul><ul><ul><li>Is your cloud service provider required to provide assistance in the investigation of security breaches? </li></ul></ul><ul><ul><li>Is there an audit trail for data? </li></ul></ul>
    45. 45. Privacy and security <ul><li>Privacy Reform </li></ul><ul><ul><li>Privacy Act 1988 is being modernised to strengthen Australia’s privacy protection </li></ul></ul><ul><ul><li>2008: ALRC report released, For Your Information: Australian Privacy Law and Practice </li></ul></ul><ul><ul><li>2009: Government’s released its position on 197 of the ALRC’s recommendations, including: </li></ul></ul><ul><ul><ul><li>develop a single set of National Privacy Principles </li></ul></ul></ul><ul><ul><ul><li>strengthen and clarify the Privacy Commissioner’s powers and functions </li></ul></ul></ul><ul><ul><li>2010: exposure draft of the new Privacy Act was released by the Government </li></ul></ul>
    46. 46. Conclusion <ul><li>There is no one size fits all for cloud computing - laws are unsettled </li></ul><ul><li>Not all cloud services are created equal and not all cloud services should be subject to the same terms </li></ul><ul><li>Few legal precedents regarding liability in the cloud </li></ul><ul><li>Undertake due diligence as you need to fully understand the risks associated with cloud computing and adopt a risk-mitigation approach to cloud adoption </li></ul><ul><li>Service agreements need to specify those areas the cloud provider is responsible for </li></ul><ul><li>Read the fine print of the cloud computing agreement carefully </li></ul><ul><li>Specify locations for data storage and processing - know the governing law of the cloud computing agreement </li></ul>
    47. 47. Conclusion <ul><li>Ensure flexibility and additional rights, even if you have to pay for them, as your use of cloud services and sophistication are likely to grow </li></ul><ul><li>You need to clarify with your cloud service provider on matters pertaining to ownership of data stored at your provider’s facilities and responsibilities in relation to security and service availability </li></ul><ul><li>Cloud computing industry needs to adopt more transparent and clearer policies and practices, so users can better able gauge their risks comfort level </li></ul><ul><li>For those risks that cannot be addressed by changes in policies and practices, changes in laws may be appropriate </li></ul>
    48. 48. Thank You <ul><li>“ A global approach is the only way to deal with the Internet” </li></ul><ul><li>Francis Gurry, Head of the World Intellectual Property Organisation (WIPO) </li></ul><ul><li>and so for Cloud Computing… </li></ul>Source: &quot;IP's new role in the knowledge economy“ Asia Today International April/May 2011 [email_address] This short presentation only covers the main legal issues. In no way does the author wish to imply that the areas presented are the only worthy of consideration. Since every cloud service is different, readers should seek their own legal advice on matters specific to their circumstances. The views on this presentation are that of the author and not of the ACS.