This document is the February 2015 issue of the Australian banking and finance newsletter. It contains several articles related to banking and finance law. The main article discusses three tips for banking lawyers to securely use cloud technology and mobile devices: 1) change passwords regularly using complex passwords, 2) protect mobile devices with security solutions like mobile device management, and 3) create secure workflows when using unauthorized cloud services. Banking lawyers handle sensitive client information and data security is important to avoid breaches. While cloud technology increases productivity, it also increases security risks that lawyers must mitigate.
Banking Law Bulletin - 3 tips for banking lawyers to avoid the stormy cloud (Feb 2015) copy
Contents
General Editor’s note
Karen Lee LEGAL KNOW-HOW
Financial System Inquiry: Part 1 — A lending industry perspective on competition
Leonie Chapman LAWYAL SOLICITORS and Tim Brown MORTGAGE AND FINANCE ASSOCIATION OF AUSTRALIA
Encouraging and facilitating corporate turnarounds: effective debt restructuring
Macaire Bromley DIBBSBARKER
The letter of credit, right of suit under a bill of lading, and “debt” versus “damages”
Lee Aitken TC BEIRNE SCHOOL OF LAW, UNIVERSITY OF QUEENSLAND
Closing the gap with branchless banking: Thousand Islands leads the way with sustainable banking in Indonesia
David Marcus BNP PARIBAS
Westpac Banking Corporation v Kekatos
David Richardson HWL EBSWORTH LAWYERS
Three tips for banking lawyers to avoid the stormy cloud
Tania Mushtaq EFFERVESQ
General Editor
Karen Lee, Principal and Consultant, Legal Know-How
Editorial Board
Mark Hilton, Partner, Henry Davis York, Sydney
David Richardson, Partner, HWL Ebsworth Lawyers, Sydney
Bruce Taylor, Solicitor
David Turner, Barrister, Owen Dixon West Chambers, Melbourne
Nicholas Mirzai, Barrister, Banco Chambers, Sydney
John Mosley, Partner, Minter Ellison, Sydney
David Carter, Partner, DibbsBarker, Sydney
Samantha Carroll, Special Counsel, Clayton Utz, Brisbane
John Naughton, Partner, King & Wood Mallesons, Perth
Leonie Chapman, Principal Lawyer and Director, LAWYAL Solicitors
2015 . Vol 31 No 1
Information contained in this newsletter is current as at February 2015
Three tips for banking lawyers to avoid the stormy cloud
Tania Mushtaq EFFERVESQ
As the legal industry embraces cloud and mobility, it also inadvertently exposes itself to security risks such as data leakage, data breaches, malicious apps, software bugs and account hijacking, to name just a few. Lawyers tend to be more concerned about getting the job done in the most efficient billing timeframe, rather than worrying about how safe it is to access the office servers to download confidential client information and files. A major portion of a banking lawyer’s job is based on extensive searches and document sharing, which leaves little or no time for complex security policies set by IT departments. In the day-to-day matters, and in an environment where higher outputs are demanded in shorter timeframes, productivity takes precedence over security. The latter is left to the IT departments and service providers to tackle. However, in the age of the cloud, there is another new practice of shadow IT (unsanctioned use of the cloud) that takes IT departments out of the picture, potentially exposing confidential and sensitive information to significant risk. So, how can banking lawyers ensure that they can achieve their productivity goals while protecting corporate and sensitive client data from security breaches without laborious and complicated processes?
The disruptive paradigm shift
In the legal services sector, cloud technology is creating a disruptive paradigm shift. Lawyers are finding new ways to create differentiation in a highly competitive industry with offshore firms, especially from the United Kingdom and the United States, entering the Australian markets via mergers and acquisitions. As the cloud market matures, the concerns about the security of cloud-hosted data either ease or are addressed by vendors. This has helped the cloud foray into the more conservative industry sectors, such as financial, legal and government. The increasingly mobile lawyers are now able to leverage software-as-a-service (SaaS) applications to enhance productivity, maximise billable hours and increase client interaction, thereby adding value for their clients. However, for banking lawyers, search and discovery tasks make up a bulk of time that does not add tangible value for their clients. The more innovative lawyers are, therefore, exploring and utilising new tools that facilitate agility, collaboration and productivity, avoiding cumbersome IT department approvals, the installation of hardware and the cost of constant upgrades.
Australians, in general, are becoming more mobile, with 90% of the population using smartphones or tablets by mid-2014.[1] Mobile phones, especially smartphones, are no longer used only for calls, text messages and emails, but have become a means of collaboration, research, networking and access to social media. In March 2014, the LexisNexis Mobility Survey revealed that eight out of 10 lawyers in Australia and New Zealand are using mobile devices for work and nine out of 10 rate their mobile phone as the most important item they pack for their trip to the office, showing what an integral part of a lawyer’s life mobile devices have become.[2] Given that mobile devices are mainly used for content curation rather than content creation, and banking lawyers heavily focus on sharing and reviewing documents, contract negotiations and extensive searches, the reliance on mobile devices is no surprise.
Australian analyst firm Telsyte has reported that most organisations are already using some variant of cloud computing, with SaaS applications becoming prevalent across industries.[3] Even the most risk-averse players in the financial services industry — the big four banks — have been in the process of deploying private and hybrid clouds since 2012. Smaller banks are also making the bold move to cloud, with ING having recently moved its entire production IT infrastructure to a private cloud. Cost cutting, improvement in productivity and customer engagement have been the main drivers of cloud adoption across the banking and finance industry. In addition to these drivers, lawyers are also using the cloud for easy back-ups and faster access to information.
The risk of stormy cloud
While mobility and the cloud have fundamentally changed the way banking lawyers work, they have also brought to the fore issues about the protection and security of data. The common misconception about mobility is that mobility enables people to become more mobile. The fact is that mobility enables people to become more connected and more stationary while the data becomes more mobile. Most financial institutions are now demanding that lawyers take reasonable steps to protect sensitive information in the face of rising threats. The high profile breaches of 2014 have made even the most complacent organisations review and enhance their network security. The PricewaterhouseCoopers 2014 Global Economic Crime Survey for Australia ranked cybercrime in the top three threats for organisations.[4]
australian banking and finance February 2015
In certain situations, data in motion is more vulnerable to breaches than data at rest — that is, data stored in servers protected by firewalls and stringent IT department policies. When mobile lawyers connect to office servers and download information from their network to store on their devices, they have taken sensitive data out of a secure environment. Unless proper measures have been put in place to protect the mobile devices and data, lawyers have exposed everything they have stored on their phone to security risks. Just imagine leaving your mobile device containing confidential emails with classified attachments in a café or taxi or on a plane. Telstra reports that over 200,000 phones are lost or stolen every year in Australia. The screen-lock passcode is not enough protection to prevent hackers from getting access to what is stored on your mobile device.
With the growth of internationalisation in the past few years, banking lawyers are also increasingly engaging in cross-border collaboration when advising on and investigating extremely sensitive corporate information. While the cloud services models comply with Australia’s privacy laws, banking lawyers need to be mindful of the new Australian Privacy Principles (APPs), especially APP 8 (cross-border disclosure of personal information) and APP 11.1 (security of personal information) that put the onus of security on senders of information and the organisations they represent. These APPs hold Australian senders of information liable for the actions of overseas recipients and require organisations to take reasonable steps to protect personal information.[5]
Three simple steps to prevent the stormy cloud
Change your passwords very regularly
The rising use of cloud applications and services has created new opportunities for cybercriminals. Passwords are no longer adequate protection for any mobile device or for any cloud subscription service. Some of the major high profile breaches of 2014 — including the eBay hacking, where cybercriminals were able to steal millions of passwords — are evidence of how easy it is to acquire passwords and how critical it is to ensure that they are changed regularly. Hackers use a number of ways to find out passwords, including the English dictionary, names dictionaries and foreign words. In addition to changing passwords regularly, it is recommended that passwords:
• have 12 characters;
• include a combination of capital letters, numbers and symbols such as exclamation marks, asterisks or ampersands; and
• not be made of common words or names, or representative of birthdays.
In a security breach where 38 million passwords of Adobe accounts were leaked, analysts discovered that the most commonly used password of those 38 million was 123456.[6]
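
The three password criteria listed above, as an added Python sketch that is not part of the original article. It shows that a password can satisfy the length and character-mix rules and still fail the "common words, names or birthdays" rule once simple character substitutions are undone. The word and name lists are small constructed samples, the substitution map and date patterns are assumptions, and "have 12 characters" is read as a minimum of 12.

```python
import re

MIN_LENGTH = 12  # "have 12 characters", read here as a minimum (assumption)

# Constructed sample lists for illustration only; a real check would load
# full word, name and leaked-password dictionaries.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon",
                "monkey", "banking", "lawyer", "sydney", "summer"}
COMMON_NAMES = {"michael", "jessica", "daniel", "sarah", "thomas"}

# Undo common look-alike substitutions before the dictionary check
# (simplified: each character maps to a single letter).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Birthday-like digit runs: a year 19xx/20xx, or ddmmyy / ddmmyyyy.
DATE_RE = re.compile(
    r"(?:19|20)\d{2}"
    r"|(?:0[1-9]|[12]\d|3[01])(?:0[1-9]|1[0-2])(?:\d{4}|\d{2})"
)


def audit_password(password):
    """Return the list of criteria the password fails (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        failures.append("symbol")

    # Dictionary rule: normalise substitutions, keep letters only, then look
    # for any listed word or name inside the result.
    letters = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    if any(word in letters for word in COMMON_WORDS | COMMON_NAMES):
        failures.append("dictionary")

    # Birthday rule: drop separators between digits so 14-03-1985 is seen
    # as 14031985, then search for a date-like run.
    digits_joined = re.sub(r"(?<=\d)[\s/.\-](?=\d)", "", password)
    if DATE_RE.search(digits_joined):
        failures.append("date")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords, including the one cited from the Adobe leak.
    for sample in ["123456", "P@ssw0rd2015!", "Sydney-14-03-1985", "vK9#tq!Zr2&wLm"]:
        print(f"{sample!r:22} fails: {audit_password(sample) or 'nothing'}")
```
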
Protect your mobile device
Mobile devices are not secure by default. Many people have the misconception that their mobile devices are safe with the screen-lock passcode. This is not true. The only way to protect a mobile device is to ensure that some form of mobile security solution is installed. The most commonly known secure mobility solution is known as mobile device management (MDM). This allows a device lockdown and remote wipe from the IT department of an organisation in case the device is lost or stolen, or the employee has left the firm. Most telecom service providers also offer some type of MDM solution for mobile devices and can provide advice on what will best suit the needs of the individual user.
Another way to protect the corporate data on mobile devices is containerisation. This means creating a partition between corporate data and the rest of the device. Creating a partition allows lawyers more flexibility to get on with using their personal apps and personal emails while protecting and encrypting corporate data. The container can be easily wiped out remotely without impacting the rest of the apps and data on the device. There are enterprise solutions available for small and large firms from various vendors. Some cloud-based containerisation solutions are available at very reasonable per-user-per-month subscription costs that are well worth the investment, given the extremely sensitive nature of the data banking lawyers handle — especially in cross-border communications.
Create secure workflows if shadowing
These days, there is an app for pretty much anything — except, of course, one that can make us a cup of coffee in the mornings. Most organisations are now focused on building in-house apps to enhance customer experience and allow customers to access their services from mobile devices no matter where they are. Apps such as those that allow us to annotate PDF documents on our mobile devices, share files with our clients and peers, video conference and invite people to participate in meetings enable us to get on with our jobs from anywhere, anytime. However, not all apps are secure and it’s not always clear how the information stored in and passing through these apps will be used and protected. When lawyers use unauthorised cloud services — such as Dropbox, Skype and Viber — to conduct their jobs, it puts sensitive information at risk since IT departments no longer have any control over monitoring the security of the data passing through these apps. If there is a need to use apps that are not built in-house, it is important to conduct proper research to ensure that those apps are secure and to implement two-factor authentication where necessary.
While the cloud makes life easy and helps lawyers increase efficiency, there is also an abundance of malicious apps around. Cybercriminals are always on the lookout for new and creative ways to get their hands on sensitive information because such information is considered digital gold, selling on the black market for a handsome sum. In addition, we are all human and losing our mobile device or having it stolen can never be ruled out as a possibility — no matter how careful we are. Banking lawyers, in particular, are privy to corporate secrets, major banking deals and sensitive financial information that, once leaked, can cause major — and, in some cases, irreversible — financial and reputational damage. Therefore, in this era of growing cloud adoption and the proliferation of apps, vigilance is the best defence.
Tania Mushtaq
Director
Effervesq
effervesq@gmail.com
Twitter @tanmushi
About the author
Tania Mushtaq is the founder and director of Effervesq Pty Ltd, a marketing communications consultancy for the IT industry. Tania has worked and written extensively in the space of IT, with specific focus on cybersecurity, mobility, the cloud, information management and generational differences. She also ghost writes for senior IT executives and has worked with clients across Asia Pacific to develop business positioning and differentiation strategies. Tania holds an MBA from the Macquarie Graduate School of Management.
Footnotes
1. P Budde, K Wansink and H Lancaste “Australia — Mobile Communications — Statistics and Forecasts” BuddeCom July 2014, available at www.budde.com.au.
2. LexisNexis Pacific “The age of the mobile lawyer” SmartOffice, available at www.lexisnexis.com.au.
3. R LeMay “SaaS apps now mainstream in Australia” Delimiter 13 December 2014, available at www.delimiter.com.au.
4. PricewaterhouseCoopers Corruption: From the Backroom to the Boardroom — PwC’s 2014 Global Economic Crime Survey: The Australian Story 2014, available at www.pwc.com.au.
5. A Christie “Australia: cloud computing and the new Australian privacy law” Mondaq 24 September 2013, available at www.mondaq.com.
6. N Goguen “9 easy ways to choose a safe and secure password” No-IP 4 December 2013, available at www.noip.com.