Legal Obligations of CIOs - July 20_ 2009

July 20, 2009
Legal Obligations of a CIO
Strategic Security Summit
Richard Smith
Senior Associate
DLA Phillips Fox
What legal issues should a CIO be aware of?

• Privacy and Data Breach Notifications
• Privacy and Security Obligations
• Australian Corporations Law
• APRA Requirements
• Outsourcing Considerations

             3   Legal Obligations of a CIO   July 20, 2009
Privacy

• The Privacy Act 1988 regulates the collection, use and transfer of
  personal information.

• It sets out ten National Privacy Principles (NPPs) governing issues
  such as security, transparency and sending personal information
  offshore.

• It is likely that privacy laws will be tightened following the release
  by the ALRC of the report “For Your Information: Australian Privacy
  Law and Practice”, which recommends sweeping changes to
  Australian privacy laws.

Privacy - Data Breach Notification

• Data breach notification is mandatory in many jurisdictions,
  including California and the majority of US states.

• Many other jurisdictions are moving towards mandatory standards
  for data breach notification.

• Australian privacy law does not expressly impose an obligation to
  notify the individuals whose data is affected by security breaches.

Data Breach Notification

• While not mandatory (yet) in Australia, breach notification may
  constitute good privacy practice.

• This is because:
  – Notification can be a reasonable security safeguard
  – Notification demonstrates openness about privacy practices

• Financial Services licence holders may be required to notify in
  respect of certain breaches (Corporations Law s912D)

Data Breach Notification

• The Privacy Commissioner has recently released the “Guide to
  Handling Personal Information Security Breaches” to assist
  organisations in responding to personal information security breaches.

• The Guide highlights the importance of taking preventative measures
  as part of a holistic security plan.

Guide to Handling Personal Information Security Breaches

4 Step Process
  1. Contain the breach and initiate a preliminary assessment.

  2. Evaluate the risks.

  3. Consider promptly notifying affected individuals and third
     parties, e.g. police.

  4. Prevent future breaches.

Future of data breach notification in Australia?

• ALRC Recommendation 51 is that data breach notification should be
  mandatory in Australia.

• Individuals need to know when their personal information has been
  put at risk, so that they can mitigate potential identity fraud damage.

• Businesses would be required to notify the Privacy Commissioner and
  affected individuals of data security breaches where there is a real
  risk of serious harm to any affected individual.

Privacy and Data Security

• National Privacy Principle 4.1

  “An organisation must take reasonable steps to protect the personal information it holds
  from misuse and loss and from unauthorised access, modification or disclosure”

• Compliance with NPP 4.1 may require:
  – Physical security, e.g. locks, alarms
  – Computer and network security, e.g. passwords, audits, virus checking
  – Communications security, e.g. encrypting data, PIN numbers, passwords
  – Personnel security, e.g. staff training, supervision

Privacy and Data Security

• ALRC Recommendation 58 recommends that the Privacy
  Commissioner publish the reasonable security steps that businesses
  should take to prevent the misuse and loss of personal information.

• Business judgment should be used in developing these reasonable
  steps. Factors to be taken into account include:
  – the likelihood and severity of harm threatened;
  – the sensitivity of the information; and
  – the cost of implementation and privacy infringements that could result.

Directors and Officers Obligations

• Section 180 of the Federal Corporations Act 2001 states:

  ‘Care and diligence--directors and other officers
  (1) A director or other officer of a corporation must exercise their powers and
      discharge their duties with the degree of care and diligence that a reasonable
      person would exercise if they:
      (a) were a director or officer of a corporation in the corporation’s circumstances;
          and
      (b) occupied the office held by, and had the same responsibilities within the
          corporation as, the director or officer.’

• ‘Officers’ include persons who
  ‘make or participate in making decisions that affect the whole or a substantial part of
  the business of the corporation’.

• Business judgment rule

Australian Prudential Regulation Authority (APRA)
Prudential Practice Guide Draft (PPG 234)

• APRA has recently released Prudential Practice Guide Draft
  (PPG 234) – Management of IT Security Risk

• Once the final version is released, compliance will be mandatory for
  those organisations regulated by APRA, e.g. banks, financial
  institutions, superannuation institutions, general insurance
  companies.

• Main Provisions:
  – overarching IT framework and security management policy;
  – ongoing security training, awareness and education programs for staff;
  – identification, access and authorisation controls;
  – effective monitoring and incident management; and
  – regular security reporting and metrics.

Outsourcing

• Outsourcing - particular concerns:
  – Privacy issues
  – Security issues
  – Management and control
  – Legal or political risks

• Outsourcing may transfer the performance obligation, but it will not
  transfer the compliance responsibility, which will remain with the
  company and management!

Outsourcing

• Prudential Standards applicable to outsourcing
  – Banking – APS 231
  – Life Insurance – LPS 231
  – Insurance – GPS 231
  – Superannuation – SGN 130

• If the standards apply, the outsourcing agreement must cover
  specific matters including:
  – Scope of services;
  – Commencement and end dates;
  – Pricing and fee structure;
  – Audit and monitoring;
  – Subcontracting; and
  – Confidentiality, privacy and security of information.

Other Obligations

• Document retention and destruction obligations
• Protection and use of intellectual property
• Employee surveillance
• Spam
• Trade Practices Act / Tort – negligence and duty of care
• Sarbanes-Oxley legislation

Conclusion

• CIOs, as officers of companies, can have personal obligations and
  personal liability

• Prevention is better than the cure!

• “I was only following orders from head office” is not a defence!

• Outsourcing may transfer the service performance responsibility, but it
  does not transfer the compliance responsibility!

Strategic Security Summit

Richard Smith
Senior Associate
DLA Phillips Fox
richard.smith@dlaphillipsfox.com
