Clifford Chance

Talking Tech

Data & Cybersecurity

What regulators are saying around the world

An interactive map


France

CIIP LAW

France has focused on making its critical infrastructure more resilient to cyber attacks. The French military programming law on critical infrastructure information protection (CIIP Law) entered into effect on 20 December 2013 with a view to establishing minimum cyber security standards for operators of “vital importance” (the OVIs), defined by the French Defence Code as “public or private operators having or using plants or structures whose unavailability could strongly threaten the economic or military potential, the security or the resilience of the Nation”, or establishments where there is a risk of serious danger to people in the event of destruction of or damage to these establishments (e.g. nuclear installations).

The application of the CIIP Law is monitored by the ANSSI which also assists the French government and OVIs with respect to cyber security issues. A list of more than 200 OVIs has been created by the French authorities and is strictly confidential. These OVIs operate in 12 different sectors identified as “critical” – food, health, water, telecoms and broadcasting, space and research, industry, energy, transport, finance, civilian administration, military activities and justice. One of the OVIs’ main obligations contained in the CIIP Law consists of putting in place a specific protection plan (dealing with surveillance, alert and material protection issues) that must be approved by the ANSSI.

The CIIP Law also includes four different types of measures:

Measures relating to security rules

The ANSSI has set out technical and organisational rules to protect OVIs’ information systems. These rules are very detailed and technical and relate to the following categories: information systems security policy, security accreditation, security maintenance, security incident detection and handling, alert-processing, administration access control, information systems used for administration, segregation in systems and networks, traffic monitoring and filtering.

In addition, various specific rules have been enacted for each of the 12 critical sectors to take into account the specificities of each sector.

Measures relating to incident notifications

OVIs must notify the ANSSI of security incidents occurring on their critical information systems and include specific information, such as: a detailed explanation of the security incident; a detailed explanation of its consequences and the corrective measures; and the technical details to enable the ANSSI to determine the level of risk (e.g. whether the incident qualifies as a “major crisis”).

Measures relating to security inspections

OVIs’ information systems must be subject to controls in order to verify their level of security and their compliance with the CIIP Law. Those controls can be carried out by the ANSSI or by a service provider duly qualified as a “Trust Service Provider” by the ANSSI (e.g. cyber security audit service providers, incident detection service providers, electronic certification service providers, etc.).

Measures relating to management of “major crisis”

In the case of a “major crisis” (declared by the ANSSI), the ANSSI can impose specific measures on OVIs (e.g. steering and coordination of corrective measures, establishment of a business continuation plan, etc.).

The transposition of the EU NIS Directive into French law will benefit from the work already done under the CIIP Law (for instance, we understand from the ANSSI that security measures for OESs (as defined by the NIS Directive) will be drawn from the existing list of measures provided in the CIIP Law).


European Union

GDPR, NIS DIRECTIVE AND PSD2

Cyber security is a strategic issue for European businesses which are increasingly gathering and monetising data but are at risk of significant cyber attacks. Such attacks have led to significant reputational damage, negative media coverage and diminished customer confidence and trust. European legislators are increasingly concerned with protecting the data of individuals and, in response, have introduced pan-European legislation – the General Data Protection Regulation.

The General Data Protection Regulation (GDPR)

The GDPR became effective on 25 May 2018. It represents the biggest change in EU data privacy law in a generation. There are very serious sanctions for breach, including fines which can be as high as four per cent of global turnover.

The following are some of the cyber security provisions of the GDPR:

  • Obligations on data processors: The previous regime did not directly regulate processors. Under the GDPR, data processors are required to implement appropriate technical and organisational measures and are subject to breach notification requirements, and contracts between data controllers and processors must contain mandatory provisions relating to data security.
  • Personal Data Breach Notification: Data controllers will now be required to report personal data breach to the relevant national data protection authority, generally “without undue delay” and within 72 hours of becoming aware. Data processors will be required to notify data controllers of security breaches affecting personal data.
  • Information security measures: Data controllers and processors are required to implement technical and organisational measures to ensure a level of security appropriate to the risk, including, for example: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore availability of personal data following an incident; and processes for regularly testing, assessing and evaluating the effectiveness of measures for ensuring the security of data processing.

The GDPR has significantly extended the extra-territorial effect of the EU data protection regime, including the cyber security elements. Entities processing entirely outside the EEA will be within scope if the processing is carried out in order to offer goods and services to, or monitor the behaviour of, individuals within the EEA.

The Directive on security of network and information systems (NIS Directive)

As an EU Directive, the NIS Directive required member states to adopt and publish local laws necessary to comply with the Directive by 9 May 2018. The purpose of the Directive was to improve the overall level of cyber security across the EU. Sanctions for breach are to be determined by each member state; in the UK, for example, the government has indicated that it favours a sanctions regime mirroring that of the GDPR.

Member states will be required to identify operators of essential services (OESs), within the following sectors:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Health
  • Water
  • Digital infrastructure

Operators of essential services will be required to take appropriate and proportionate technical and organisational measures to detect and manage the risks posed to networks and information systems and notify, without undue delay, the competent authority of incidents that have a significant impact on continuity of the core services provided. Additionally, digital service providers (DSPs), being broadly online search engines, online marketplaces and cloud computing services, will be required to implement similar technical and organisational measures and be required to comply with notification obligations. Of course, close attention should be paid to the local law implementation of the Directive, which will provide the detail of the obligations to be complied with. Even if entities are not within scope of the NIS Directive, many counterparties will expect compliance as “best practice”. By way of example, as at the present date, various jurisdictions have taken steps to implement the NIS Directive, including:

  • Italy: The Government has issued the legislative decree no. 65 of 18 May 2018 to implement the NIS Directive. National strategy on the security of network and information systems has not yet been adopted. The Ministry competent for the operator's business sector is the NIS competent authority. Penalties up to EUR 125,000 (up to EUR 150,000 for non-compliance with instructions specifically provided to an operator by the competent Ministry) will apply in case of non-compliance.
  • UK: The Network and Information Systems Regulations (NIS) 2018 came into force on 10th May 2018. The regulations identify the UK’s national competent authorities for Energy; Transport; Health; Drinking Water Supply and Distribution; and Digital Infrastructure subsectors. Whilst listed as sectors in the NIS Directive, the NIS regulations, in line with Recital 9 and Article 1(7) of the NIS Directive, do not set out any criteria for identifying and regulating those in the banking sector and the financial market infrastructures sector, as equivalent EU legislation - for example PSD2 - already applies. The regulations also set out the UK’s national NIS strategy; identify the UK’s single point of contact [GCHQ]; identify the UK’s Computer Security Incident Response Team [GCHQ]; identify the criteria in each subsector for identifying operators of essential services (OES); set out the duty to notify incidents; set out what digital service providers are and their requirement to notify cyber incidents; and set out the enforcement regime and penalties for failure to comply with the regulations. The OES will be regulated by Competent Authorities (CA) who will have the power to issue guidance, inspect organisations and take enforcement action (including imposing penalties of up to £17 million) where necessary.
  • France: The French law implementing the NIS Directive was published on 27 February 2018 and became applicable on 10 May 2018. However, the OESs will be designated by the French Prime Minister no later than 9 November 2018. Pursuant to this law, if an OES or a DSP does not comply with its obligation to notify the French National Agency for the Security of Information Systems (l’Agence Nationale de la Sécurité des Systèmes d’Information, the ANSSI) of severe security breaches which have (or, for an OES, which will likely have) a significant impact on the provision of the services, its managers could be personally subject to penalties of up to EUR 75,000 (in the case of an OES) and EUR 50,000 (in the case of a DSP).

The revised Payment Services Directive (PSD2)

Member states were required to transpose PSD2 into national laws and regulations by 13 January 2018. Member states have discretion regarding sanctions; for example, in the UK, the Financial Conduct Authority has a far-reaching sanctions regime with no upper limit on penalties. PSD2 requires payment service providers to comply with additional cyber security obligations, including in relation to:

  • Policies and procedures: Requirements for payment service providers to have a security policy, security control and mitigation measures, including maintenance of effective incident management procedures and a policy to detect and classify major operational or security incidents relating to payment services.
  • Major incident reporting: Requirement for payment service providers to notify the national regulator of major operational or security incidents within four hours of detection, with intermediate reports required at least every three days or whenever there is a new development and a final report to be submitted once root cause analysis has been carried out.
  • Customer notification of major incidents: Requirement for payment service providers to notify customers, directly and without undue delay, if a major operational or security incident might impact the financial interests of customers.
  • Annual risk assessments: Submission of annual assessments to the national regulator of the operational and security risks relating to the payment services they provide and the adequacy of the mitigation and control mechanisms implemented.
  • Strong customer authentication: Application of “strong customer authentication” when a payment service user accesses its account online, initiates an electronic payment transaction or carries out any other action through a remote channel that may imply a risk of payment fraud or other abuse.

United States

CYBER SECURITY REGULATION

In the US, cyber security enforcement authority is split between a number of state and federal agencies. While there is no single cyber security regulatory regime, several regulatory agencies have been increasingly active in this area in response to the steady stream of high-profile data breaches and cyber security incidents. Thus, most companies operating in the US will be subject to cyber security oversight by state attorneys general, the Federal Trade Commission, and one or more sector-specific agencies such as the Securities and Exchange Commission and the New York Department of Financial Services.

Federal Cyber Security Enforcement

Two federal regulators – the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) – have taken a primary role in enforcing US cyber security standards.

The FTC is the self-described “nation’s leading privacy enforcement agency” and has sought to hold companies accountable for breached cyber defenses and other violations based on its general authority to monitor “unfair or deceptive acts or practices in or affecting commerce” under Section 5 of the FTC Act. Initial FTC settlements typically do not include financial penalties because the FTC can only collect monetary penalties for knowing violations of its rules, consent orders or cease and desist orders. However, repeated or subsequent violations can lead to significant financial penalties.

Separately, the SEC has authority to bring enforcement actions against registered entities (e.g. investment advisers and broker-dealers) and public companies. Registered entities are obliged to protect their customers from cyber threats by Regulation S-P, which requires that they adopt policies that are reasonably designed to safeguard customers’ non-public personal information, protect that information against anticipated threats, and prevent unauthorized access and use of non-public material information that could result in significant harm to the customer. The SEC has brought enforcement actions against registered entities for violations of this rule.

The SEC has also recently focused on cyber security disclosures by public companies, stating “that it is critical that public companies take all required actions to inform investors about material cyber security risks and incidents in a timely fashion, including those companies that are subject to material cyber security risks but may not yet have been the target of a cyber-attack.” In February 2018, the SEC released updated guidance on cyber security market disclosure. The Guidance specifically references the requirements of Regulation S-K and Regulation S-X, which impose an obligation to disclose cyber security risks and incidents in the following manner:

  • Periodic Reports: Issuers are expected to provide timely and ongoing information in their reports regarding material cybersecurity risks and incidents that trigger disclosure obligations.
  • Securities Act and Exchange Act Obligations: Issuers should ensure they are providing adequate cyber security related disclosure in connection with Sections 11, 12, and 17 of the Securities Act and Section 10(b) and Rule 10b-5 of the Exchange Act.
  • Current Reports: Issuers are encouraged to utilize current reports in Form 8-K or Form 6-K to ensure their shelf registration statements remain current with regard to the costs and other consequences of material cyber security incidents.

Issuers are also expected to disclose “such further material information, if any, as may be necessary to make the required statements in light of the circumstances under which they are made, not misleading.” Omitted information about cyber security risks or incidents may be material depending on the nature, extent, and potential impact of the event. Finally, the guidance also “encourage companies to adopt comprehensive policies and procedures related to cybersecurity.”

SEC Cyber Enforcement Unit

Following the announcement of its own data breach, on 25 September 2017, the SEC announced a new enforcement initiative that will target cyber-related threats. The new Cyber Unit is part of the SEC’s Enforcement Division and will focus on conduct, including:

  • Spreading false information through electronic and social media to manipulate the market.
  • Hacking to obtain material non-public information.
  • Violations involving distributed ledger technology and initial coin offerings.
  • Intrusions into retail brokerage accounts.
  • Cyber-related threats to trading platforms and other critical market infrastructure.

State Attorneys General

State governments are also key players in the US cyber security regulatory arena, through their attorneys general offices. These state regulators have pursued data breach actions under state unfair and deceptive trade practice statutes (often deemed “little FTC Acts”), or in some instances under dedicated privacy statutes and regulations. In addition, many state unfair and deceptive trade statutes permit a right of enforcement by private claimants, which is not available under Section 5 of the FTC Act, and provide for attorneys’ fees for successful litigants.

Most state statutes also include data breach notification requirements, requiring notification to affected individuals and/or state government agencies when a company suffers a data breach involving certain enumerated categories of personal identifying information (PII). These state statutes are triggered by the state(s) in which the affected data subjects reside.

The New York Department of Financial Services Cyber Security Regulation (NY Reg)

A particularly stringent cyber security regulation issued by the New York Department of Financial Services (NYDFS) requires insurance companies, banks and other covered entities who operate in New York State to maintain department-approved plans to deter cyber attacks, and report any significant attacks to the NYDFS within 72 hours of when they occur. Since promulgation of this regulation by the NYDFS, the National Association of Insurance Commissioners (NAIC) has adopted a similar model rule on 24 October 2017, signalling broader acceptance within the insurance regulatory community. So far this year, the model rule has been introduced by both Rhode Island and South Carolina in their respective state legislatures.

The NY Reg went into effect on 1 March 2017. Covered entities had 180 days to implement most requirements. The following are some of the key provisions of the rule:

  • Program, policies and procedures: Based on a risk assessment, entities are expected to establish written cyber security policies and procedures to protect their information systems (including in-house developed applications) and sensitive nonpublic data.
  • Periodic Risk Assessment: Entities must conduct a periodic risk assessment to address any changes in the entity’s information systems, non-public information or business operations.
  • Chief Information Security Officer (CISO): Each entity must designate a qualified individual to serve as the CISO, who is responsible for implementing, overseeing and enforcing the cyber security program and policy.
  • Notification of cyber events to NYDFS: Entities must notify NYDFS no later than 72 hours from a determination that a significant cybersecurity event has occurred.

Russia

CRITICAL INFORMATION INFRASTRUCTURE LAW, PERSONAL DATA LAW, NATIONAL PAYMENT SYSTEM LAW, VPN LAW AND IM LAW

Cyber security issues have become more pressing in light of recent successful cyber attacks on Russian companies. The legislator has recognised the importance of cyber security and, in addition to existing fragmentary regulations in certain legal areas, has adopted new laws regulating general requirements of cyber security in most of the important spheres of the Russian economy.

Critical Information Infrastructure Law (CII Law)

The main purpose of the CII Law is to ensure that Russia’s critical information infrastructure (which consists of “critical information infrastructure facilities and telecommunications networks used for the interaction of such facilities”) is secure and stable in the face of cyber attacks. The CII Law came into force on 1 January 2018. Most of the regulations implementing the CII Law have already been adopted; however, several regulations are still under development. Once the regulatory framework is fully in place, the majority of Russian companies will have to comply with various obligations envisaged by the CII Law.

The CII Law imposes certain obligations upon Russian entities and/or individual entrepreneurs (CII Operators) that own, lease or have other legal rights to critical information infrastructure facilities (such as information systems, information and telecommunications networks, and automated control systems) operating in the following areas: healthcare, science, transport, communications, energy, banking and other financial sectors, oil and gas, nuclear, defence, rocket and space, mining, metals and the chemical industry (CII Facilities).

The main obligation of any CII Operator is to inform the relevant federal authorities and the Central Bank of the Russian Federation, as the case may be, immediately of any “cyber incident”. The definition of the “cyber incident” is broad and does not necessarily mean a cyber attack, but includes “any malfunction or stoppage of a critical information infrastructure facility or telecommunications network used for the interaction of such facilities, and/or a breach of the security of the data processed by such facilities, including as a result of a cyber attack”.

In addition, the CII Law focuses on the security of what is called “important critical information infrastructure facilities”. Important CII Facilities will be determined by the CII Operators in accordance with specific regulations on the basis of various criteria of importance (such as social importance, political importance, economic importance, ecological importance and importance for national defence and law and order) and will be registered in a special register of important critical information infrastructure facilities. Any CII Operator whose CII Facility is on the register will have additional obligations under the CII Law. In particular, the CII Operator will be obliged to comply with specific security regulations for important CII Facilities and, in the case of a cyber incident, to respond to the cyber incident in accordance with special procedures.

CII Operators’ compliance with requirements under the CII Law will be monitored through scheduled and unscheduled audits. Scheduled audits will take place every three years. Unscheduled audits will be carried out in the circumstances specified in the CII Law (for example, in the event of a cyber incident with negative consequences for an important CII Facility). CII Operators’ officers may be criminally prosecuted for violations of the CII Law, if the violation has resulted in damage to the critical information infrastructure.

Personal Data Law

The Personal Data Law concerns anyone that processes the personal data of individuals (the Personal Data Operators). “Personal data” is broadly defined and covers “any information relating to a directly or indirectly identified or identifiable individual”.

The Personal Data Law requires any Personal Data Operator to apply all necessary legal, administrative and technical measures to protect personal data from illegal or accidental access, destruction, modification, blocking, copying, transfer, dissemination or other illegal operations. In particular, these measures include, among others:

  • Detection of security threats.
  • Application of specific administrative and technical security measures stipulated by the personal data regulations for the purposes of compliance with the personal data security requirements.
  • Application of information security tools that have passed the compliance verification.
  • Evaluation of efficiency of the personal data security measures prior to the personal data information system being put into operation.
  • Adoption of the personal data access rules and recording of all operations with the personal data.
  • Security measures control.

In the event of a security breach, the Personal Data Operators may face damage claims from individuals whose personal data has been breached. In addition, the Personal Data Operators may be subject to administrative fines of up to RUB 15,000 that potentially may be multiplied by the number of the relevant individuals.

National Payment System Law

Money transfer operators, banking paying agents, payment system operators and payment infrastructure service providers (the Supervised Entities) have the relevant security obligations with respect to bank secrecy and other information in the payment system. In particular, they are obliged to comply with specific security requirements, including, among others:

  • Design and implementation of the security system.
  • Application of information security measures (encryption (cryptographic) tools, security measures from unauthorised access, antivirus protection, firewalling measures, intruder detection systems, protection control tools).
  • Detection of incidents regarding violations of security requirements.

The National Payment System Law also requires uninterrupted operation of money transfer and, therefore, money transfer operators are obliged to apply specific measures to provide uninterrupted operation of the money transfer that include, among others:

  • Collection, systematisation, accumulation of money transfer information by reducing the electronic money balance of the payer and increasing the respective balance of the receiver.
  • Prevention and, if an error has occurred, remedying of any malfunction of operational and technical facilities engaged in recording of information with respect to the electronic money balance and transfer.
  • Analysis of causes of malfunction.
  • Ongoing testing of operational and technical facilities.

In addition to the above, money transfer operators are required to adopt internal regulations that must contain, amongst other things, a response plan in case of malfunction of the operational and technical facilities. Sanctions for violation of the National Payment System Law depend on whether the operation of the money transfer was interrupted as a result of the violation. In case of interruption, the Russian Central Bank may limit or suspend operations of the relevant entity. In addition, fines of up to RUB 1,000,000 may be applied.

VPN Law

Federal Law No. 276-FZ of 29 July 2017 (the VPN Law) came into force on 1 November 2017. The owners of information and telecommunications networks and information resources that can be used to access restricted websites (VPN technology) are prohibited from providing users of VPN technology with support to access restricted websites. The use of VPN technology is not prohibited but the VPN Law imposes certain obligations on the owners of VPN technology, hosting providers and other persons providing for the distribution of VPN technology on the internet and the operators of internet search engines that publish advertisements for customers in Russia.

The Federal Agency for Communications, Information Technology and Mass Media (Roskomnadzor) is responsible for monitoring compliance with the VPN Law. To this end, it will maintain a federal state database of data resources and data and telecommunications networks, access to which is restricted in Russia.

The owners will be obligated to join the database no later than 30 days from receipt of a request from Roskomnadzor. Roskomnadzor can identify an owner by itself or through a request to the hosting provider. Upon a request from Roskomnadzor, the hosting provider has an obligation to disclose the details of the owner or notify the owner that it must disclose its details on its website. Search engine operators also must join the database. Once the owners or search engine operators are on the database, they must block users’ access to restricted websites within three days.

IM Law

Under Federal Law No. 241-FZ of 29 July 2017 (the IM Law), starting from 1 January 2018, the anonymous use of instant messaging (IM) is prohibited and IM service providers (IM Providers) have certain obligations under the IM Law. The main obligation of IM Providers is to identify IM users by their mobile numbers. For this purpose, IM Providers must enter into an agreement with mobile operators allowing IM users to be identified. Russian IM Providers are allowed to identify IM users without any assistance from mobile operators. IM Providers must store data relating to the identification of IM users’ mobile numbers in the Russian Federation only.

IM Providers are also obligated to:

  • Upon receiving a request from the relevant Russian authority, block messages of the relevant IM user that contain information the distribution of which is prohibited in Russia or which is distributed in violation of provisions of Russian law.
  • Provide IM users with the technical ability to reject messages from other IM users.
  • Ensure the privacy of IM messages.
  • Allow messaging at the request of the Russian authorities under Russian law.
  • Block messages sent to IM users in the cases stipulated by, and in accordance with the procedures set down by, Russian law.

If IM Providers fail to perform their obligations under the IM Law, their IM applications may be blocked by a Russian court.


China

CYBER SECURITY LAW OF THE PEOPLE’S REPUBLIC OF CHINA

The Cyber Security Law of the People’s Republic of China came into force on 1 June 2017 with the aim of combating online fraud and protecting against internet security risks. The Law states that China will take steps to monitor, defend against and address cyber security risks from within and outside China. The Law applies to everyone who operates networks in the PRC, including multinational corporations. It applies to the construction, operation, maintenance and use of networks as well as the regulation of cyber security within the PRC, and applies to both the internet and individual intranets as long as there is any network-related activity taking place in the PRC.

Scope

The Law comprises 79 articles in seven chapters, dealing with:

  • Protection of personal information.
  • Network operators.
  • Critical information infrastructures.
  • Data export.
  • Certification of security products.

Protection of personal information

The Law contains strict requirements regarding the protection of personal information owned by organisations. Personal information protected under the Law includes all types of information recorded electronically or otherwise that may identify a person, including, for example, name, date of birth, telephone numbers and addresses.

Personal information can only be collected when individuals have been informed and have agreed to the aims and scope of the collection.

  • Network product and service providers that collect users’ information are required to inform and obtain consent from the users (Article 22).
  • Network operators are required to collect and use personal information in a legal and proper manner. They must gather and store personal information in accordance with the Law, applicable administrative regulations and their agreements with users (Article 41).
  • Network operators must not disclose, tamper with or destroy personal information they have collected (Article 42).
  • Individuals have the right to request the operator to delete personal information where it has been obtained in breach of the provisions of the Law (Article 43).
  • Authorities responsible for cyber security supervision, and their staff, must keep personal information obtained in the course of their duties strictly confidential (Article 45).

Network operators

Under Article 76 of the Law, “network operators” means owners and administrators of networks and network service providers. Read broadly, any person or entity in China that has access to a network may, by definition, be a network operator. Beyond traditional telecom and internet operators, network operators may therefore include financial institutions that provide online services, such as banks and insurance companies. Network operators must observe the following security requirements:

  • Network operators must take technical and other necessary measures to safeguard the secure operation of their networks, respond effectively to cyber security incidents and prevent cybercrime, and must maintain the integrity, confidentiality and availability of network data (Article 10).
  • Network operators must safeguard their networks from interference, destruction or unauthorised access, and prevent network data from being leaked, tampered with or stolen (Article 21).
  • Upon discovering a security flaw or vulnerability in their products or services, network operators must take remedial action immediately, inform users and report the issue to the relevant authorities. They must also provide ongoing security maintenance for their products and services, and must not install malicious programmes (Article 22).
  • Under the “real-name registration” requirement, network operators must verify that users provide their real identity information before providing services; users who refuse must not be served (Article 24).

Critical Information Infrastructures (CIIs)

The definition of CIIs refers to “information facilities that have an immediate bearing on national security, the national economy or people’s livelihoods such that, in the event of a data leakage, damage or loss of functionality, national security and public interest would be jeopardised”.

CIIs include information infrastructures for public communication and information services, energy, finance, transportation and public services, as well as other infrastructures whose compromise could seriously damage national security (Article 31). CII operators are required to inspect and assess their security and potential risks at least once a year and to report the results and proposed remediation measures to the relevant authorities (Article 38).

Data storage and export

Personal information and important data collected and generated by CIIs must be stored domestically. Where such information and data are to be transferred overseas, a security assessment must be conducted in accordance with measures jointly defined by China’s cyberspace administration bodies and the relevant departments under the State Council (Article 37). These restrictions apply both to personal information and to non‑personal data that constitutes “important data”. Draft measures published in April 2017 suggest that all network operators (not only CIIs) would be subject to these requirements. The draft measures include:

  • Absolute prohibitions on overseas transfers in certain circumstances, such as where the data relates to state politics, the economy, national defence and security, social and public interests.
  • An absolute requirement for clear consent from individuals to the overseas transfer.
  • Prior regulatory notification and assessment where certain thresholds are met.

Certification of security products

Critical network equipment and specialised cyber security products may only be sold or supplied after they have been certified by a qualified establishment, or have passed security testing, in compliance with national standards (Article 23). CII operators that purchase network products and services that might affect national security must pass a national security review organised by the Cyberspace Administration of China (CAC) (Article 35).

Penalties

There are financial penalties of between RMB 10,000 (US$1,500) and RMB 1 million (US$150,000) for companies, and RMB 5,000 (US$750) and RMB 100,000 (US$15,000) for individuals. Business licences may be revoked, websites shut down and offenders detained.

Regulation of social media and chat rooms

On 25 August 2017, the CAC issued two new regulations concerning internet forums and chat rooms: the Administrative Provisions on Internet Forum Community Services and the Administrative Provisions on Online Comment Threads Services. Both took effect on 1 October 2017. They complement the “real-name registration” requirement and require providers of internet forums, community boards and chat rooms to verify the identity of their users. Only users whose real names and identity information have been registered and checked are able to use these services and post comments. The provisions also require service providers to:

  • Create a robust system for information censorship, real-time inspection, emergency responses, complaints and data privacy.
  • Provide necessary information and technical support to the authorities for inspection.
  • Dispose of illegal information in a timely fashion.

UNITED ARAB EMIRATES (UAE)

CYBER CRIMES LAW

Cyber Crimes Law

The Cyber Crimes Law has been in force since 27 August 2012 and comprises 51 articles, most of which define specific cyber crimes and prescribe the penalty for each. It penalises hacking; phishing; unauthorised access to electronic sources, including laptops and email accounts; intentionally obtaining or intercepting communications (including emails); unlawfully accessing banking details (including any form of electronic payment, such as PayPal) or secure details (such as passwords) using information technology; forging electronic documents or credit/debit cards; and obtaining an asset, benefit or right through fraudulent means, or by assuming a false name or capacity, via an electronic source.

Apart from these, the Cyber Crimes Law also penalises acts such as:

  • Using a Virtual Private Network (VPN) to commit a crime or prevent its discovery.
  • Inciting, tempting or assisting in committing prostitution or debauchery by using information technology (it is an open question whether dating apps could fall foul of this).
  • Insulting another person or attributing an incident to a person via information technology that may make that person subject to contempt or punishment (akin to defamation).
  • Calling for donations or promoting the same using information technology without a license (e.g. raising monies for charities through the internet).
  • Crimes related to morality and public order committed through the internet including pornography, blackmail, gambling or materials prejudicing public morals, criticism of the State or its Rulers or insulting one of the monotheistic religions.

In addition to the Cyber Crimes Law, Article 29 of Federal Law No.1 of 2006 concerning e-transactions and e-commerce penalises the committing of a crime under any other applicable law by electronic means.

The Cyber Crimes Law is intended to penalise the perpetrators of the crime and does not place any obligations on individuals or entities to protect themselves from cybercrimes or penalise them for lack of such protection. However, Cabinet Resolution No. 21 of 2013 imposes requirements in respect of governmental information systems and on governmental employees to take various measures to prevent cyber crimes. In Dubai, the Government has created an Information Security Committee tasked with, amongst other things, developing a unified policy for information security in governmental information systems to protect against hacking and defining clearly the roles and responsibilities of governmental bodies and their employees regarding cyber security.

Penalties

All crimes under the Cyber Crimes Law carry a penalty of imprisonment and/or a fine, with prison terms ranging from no minimum sentence up to temporary imprisonment, and fines ranging from AED 100,000 to AED 3 million, subject to any more severe punishment applicable under any other law. An attempt to commit any of the cyber crimes enumerated in the Cyber Crimes Law is punishable by half the penalty prescribed for the completed crime. Other measures available to the courts include confiscating devices, erasing information, closing sites, deporting convicted foreigners and supervising, controlling or prohibiting a convict’s use of electronic sources. On the request of the public prosecutor, the courts may reduce or waive prosecution of an individual who informs the authorities of a cyber crime relating to the security of the State (a list of which is set out in Article 44).

The UAE’s financial free zones, the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM), do not have specific cyber security laws. However, the Dubai Financial Services Authority (DFSA), the DIFC’s financial regulator, and the ADGM have each signed memorandums of understanding with the Telecommunications Regulatory Authority (TRA) to cooperate in preventing cyber crimes. In addition, the UAE Central Bank has recently announced that it will set up a department dedicated to cyber crime.

UAE data privacy

Article 31 of the UAE Constitution guarantees the confidentiality of communications. There is no federal data protection law in the UAE and no single national data protection regulator. Instead, various UAE Federal Laws contain provisions relating to privacy and the protection of personal data, including the Penal Code, the Cyber Crimes Law and the sector-specific laws discussed below. The DIFC and ADGM have their own comprehensive data protection laws and data protection regulators, and Dubai Healthcare City (another free zone) also maintains its own data protection regime. The data protection regulations in these free zones are generally consistent with laws in other developed jurisdictions.

The Penal Code

The Penal Code sets out a number of defamation and privacy offences, including: (a) publishing anything which could expose the victim to public hatred or contempt (Article 372); (b) making false accusations that could dishonour or discredit a person (Article 373); (c) recording or publishing any news, pictures or comments which may reveal the secrets of people’s private or family lives, even if the published material is true and in the public interest (Article 378); and (d) disclosing, without consent and unless permitted by law, a secret entrusted to a person by reason of his profession or circumstances (Article 379).

The Cyber Crimes Law

Article 21 of the Cyber Crimes Law makes it an offence to “assault the privacy of a person” online by recording or transmitting communications, audio-visual materials, pictures or electronic news or information, even if they are correct and true. Social media posts, for example, might fall foul of the UAE’s privacy laws, as a single post could in theory constitute a breach of privacy, defamation and an offensive publication all at once. We understand from media reports that people have been convicted for posting a video of a friend sleeping without the friend’s consent, for posting videos of road rage incidents and for posting a picture of an illegally parked car. These examples highlight the need for sensitivity to such laws. The TRA issues guidance on the appropriate use of social media and online platforms with which users should familiarise themselves.

Sector-specific laws

Telecoms

On 10 January 2017, the TRA issued consumer protection regulations that require telecom companies in the UAE to take all reasonable measures to prevent the unauthorised disclosure or use of subscriber information, which includes subscribers’ personal details, service usage, call/message records, payment history and credit rating. Disclosure is permitted where the subscriber has consented, or where the telecom company is required to disclose such information to law enforcement agencies to aid a criminal investigation. A subscriber’s consent may be recorded in their contract, provided they have the right subsequently to opt out.

Banking

The UAE Credit Information Law (Federal Law No. 6 of 2010) requires commercial banks and financial institutions in the UAE to provide credit information to the Credit Bureau. Such information must be kept confidential, and the data subject’s consent must be sought before any proposed disclosure of his/her information. The law imposes criminal sanctions on persons who disclose credit information without authorisation. On 1 January 2017, the UAE Central Bank issued regulations governing digital payment service providers (PSPs), being providers of digital channels for retail/government credit and debit payments, peer-to-peer payments and money remittances (such as e-wallets). PSPs are required to store all user identification data and transaction records within the UAE (but outside the free zones) for five years from the date of the original transaction. They must keep such information confidential, with disclosure permitted only to the user, the UAE Central Bank, another regulatory authority with the UAE Central Bank’s consent, or under a UAE court order. PSPs may not process or share users’ personal data unless necessary under anti-money laundering or anti-terrorism laws.

Healthcare

The Cyber Crimes Law makes it a crime to disclose or damage confidential information relating to medical treatment without permission.

Enforcement

We understand that the UAE has appointed public prosecutors specifically tasked with prosecuting cyber crimes. Complaints in respect of cyber crimes must first be made to the relevant Emirate’s police department. Most Emirates have a designated cybercrime department which investigates such crimes; based on its report, the public prosecutor then decides whether a criminal case should be filed. As with cyber crimes, the unauthorised disclosure of private data attracts criminal sanctions, and the data subject may lodge a complaint with the police in the relevant Emirate. Other bodies in the UAE with cyber security responsibilities include: (a) the National Electronic Security Authority, a federal authority; (b) the TRA; (c) the UAE Computer Emergency Response Team (aeCERT), a subsidiary of the TRA; and (d) the Dubai Electronic Security Centre. Article 274 of the UAE Penal Code requires any individual who has knowledge of a crime to report it to the competent authorities or risk a fine of up to AED 1,000, although we understand that in practice this may not be strictly applied. The victim of a cyber crime or data breach may also bring parallel civil proceedings against the perpetrator if they can prove that the crime caused them damage. If the criminal complaint succeeds, there is a presumption of liability in the UAE civil proceedings.

Guidance for UAE companies

The restriction in Article 379 of the Penal Code could apply to the personal data of employees. Where possible, companies should seek an employee’s consent before disclosing his/her data. Federal Law No. 2 of 2015 concerning Commercial Companies requires directors and employees to act in their organisation’s best interests and with reasonable skill and care. In the DIFC and ADGM, entities are also obliged to implement adequate systems and controls. Failure to maintain adequate cyber security or to prevent the unauthorised disclosure of data may constitute a breach of those duties, opening the door to claims for compensation and regulatory sanctions against the persons concerned. If the directors or employees of a UAE company were found guilty of cyber crimes or data privacy breaches committed while performing their duties, the company might also face vicarious liability under UAE law. Companies are advised to adopt international best practice in relation to cyber security and data protection systems and to institute adequate training for their personnel.

Japan

JAPANESE CYBER SECURITY LAW

Japanese Cyber security law

The existing cyber security-related laws in Japan include the Basic Act on Cybersecurity, the Act on the Protection of Personal Information and the Act on the Prohibition of Unauthorised Computer Access. The regulator of financial institutions has also promulgated regulations addressing cyber security in each financial sector as part of its supervisory activities. Certain cyber attacks are criminalised in Japan.

The Basic Act on Cybersecurity (Act No. 104 of 2014) (the BAC)

The BAC was enacted in 2014 and came into force on 1 April 2016. The relevant regulator is the Ministry of Internal Affairs and Communications. Obligations are imposed on different categories of entities: CII operators (operators of businesses that provide vital infrastructure), cyber space‑related business entities and other business entities.

The BAC stipulates the following responsibilities:

  • CII Operators are to make efforts to deepen their awareness and understanding of the critical value of cyber security, ensure cyber security voluntarily and proactively, and cooperate with the measures on cyber security taken by the national government or local government.
  • Cyber space-related business entities and other business entities are to make an effort to ensure cyber security voluntarily and proactively in their businesses and to cooperate with the measures on cyber security taken by the national government or local governments.

However, the BAC is a basic act setting out general government policy and does not necessarily cover specific activities and incidents relating to cyber security. For example, the BAC stipulates no sanction for breach of the obligations described above.

An Amendment Act to the BAC (the Amendment Act) was approved by the Cabinet and was submitted to the National Diet on 9 March 2018. If the Amendment Act is enacted, it will establish a Cyber Security Council involving governmental bodies, educational institutions and relevant service providers to improve communication between these parties and to enhance cyber security.

The Act on the Protection of Personal Information (Act No. 57 of 2003) (the APPI)

The APPI is the legislation governing the protection of personal data in Japan and applies to the private sector generally. Major amendments to the APPI came into force on 30 May 2017 in order to raise the level of protection of personal data to that in the EU. The relevant regulator is the Personal Information Protection Commission (PIPC), established on 1 January 2016 as the sole regulatory body under the APPI, which now regulates and supervises all private industries in cooperation with other regulators such as the Financial Services Agency (FSA).

All businesses that handle, collect or process personal information (that is, information that can identify a specific individual, such as a name, date of birth, certain kinds of biometric information and ID numbers) are subject to the APPI and its regulations.

Various obligations apply under the APPI to secure the protection of personal information, some of which are relevant to cyber security, for example:

  • Information handlers shall specify the purpose of use of personal information as precisely as possible and shall not handle an individual’s personal information beyond the scope necessary to achieve that purpose without the individual’s prior consent.
  • Handlers shall, as a rule, not provide personal information to a third party without the prior consent of the individual.
  • Handlers shall promptly notify the PIPC and any other relevant supervising authority if personal information has been disclosed or leaked to others in an unauthorised way (including through a cyber attack by a third party, or a breach of cyber security rules by the handler itself or a related party).
  • Handlers shall take necessary and proper measures for the security control of personal information, and shall exercise necessary and appropriate supervision over their employees and outsourced entities to ensure the security control of personal data.
  • Handlers shall endeavour to process complaints about the handling of personal information appropriately and promptly.

Under the APPI, if a handler breaches the APPI and then fails to comply with an improvement order, a criminal sanction of up to six months’ imprisonment or a fine of up to JPY 300,000 may be imposed on the handler. Where the offender is a representative, agent or employee of a legal entity, the entity may also be fined. In addition, filing a false report carries a fine of up to JPY 300,000.

Sector-specific financial regulatory legislation relating to cyber security

Following implementation of the BAC, the FSA has since 2015 adopted rigorous policies and measures to strengthen cyber security in the financial sector. The supervisory guidelines for commercial banks, securities firms, insurance companies and licensed moneylenders published by the FSA have included check points on cyber security since February 2015. These require regulated financial institutions to take appropriate measures to protect customer data and to ensure cyber security.

In addition, the FSA organised financial industry-wide cyber security drills (so-called “Delta Wall”) in 2016 and 2017. Around 80-100 financial institutions have participated in these drills.

Criminalisation of cyber attacks

Under the Act on the Prohibition of Unauthorised Computer Access and the Penal Code, certain cyber-attacks may be subject to criminal sanction.

Hong Kong

HKMA AND SFC GUIDANCE

There is no overarching legal framework for cyber security in Hong Kong. Entities regulated by the Hong Kong Monetary Authority (HKMA) and Securities and Futures Commission (SFC) must abide by the regulatory guidance issued, including the various guidelines and circulars concerning cyber risk management, resilience testing and management accountability. The Personal Data Privacy Ordinance, Cap. 486 (PDPO) addresses the security of personal data, including data storage and security measures. There are a number of offences under Hong Kong law targeting cyber security‑related crimes, including “unauthorised access to a computer by telecommunications” under the Telecommunications Ordinance, Cap. 106, and “access to a computer with criminal or dishonest intent”, and criminal damage under the Crimes Ordinance, Cap. 200.

The Hong Kong Monetary Authority

An HKMA Circular dated 14 October 2014, issued to all Authorised Institutions (AIs), required a review of existing controls and compliance with the PDPO, and addressed reporting requirements and the consequences of failing to report. The circular stated that AIs should implement “layers” of security controls (covering both IT and non-IT controls) to prevent and detect any loss or leakage of customer data. AIs should be prepared to implement additional stringent controls for Bring-Your-Own-Device (BYOD) devices in accordance with their data classification and risk assessment results whenever there is a need to protect systems and networks. AIs should also have effective incident handling and reporting procedures in place.

A later HKMA Circular, sent on 15 September 2015, dealt specifically with cyber risk management. It pinpointed areas of cyber risk management, including risk ownership and management accountability, periodic evaluations and monitoring of cyber security controls, increased industry collaboration and contingency planning and regular independent assessment and tests. It stated that senior management should evaluate periodically the adequacy of the AI’s cyber security controls, having regard to emerging cyber threats and a credible benchmark of cyber security controls endorsed by the Board.

In December 2016, the HKMA launched a Cybersecurity Fortification Initiative and an Enhanced Competency Framework on cyber security; the latter is a certification programme for cyber security practitioners in the Hong Kong banking industry.

Securities and Futures Commission

Following a cyber security review commenced in the fourth quarter of 2016 (in which the SFC conducted inspections and deep dives into the industry practices and the benchmarking of its requirements against other major regulators), the SFC commenced a consultation in May 2017, in which it proposed the introduction of the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (the Guidelines). The purpose of the Guidelines is to (i) strengthen control practices to address known threats and vulnerabilities; (ii) standardise and codify common local cyber security control practices for their consistent adoption by internet brokers across the industry, and (iii) provide unambiguous and practical guidance to internet brokers with respect to the SFC’s expectations on cyber security controls.

The Guidelines set out 20 baseline requirements as minimum standards, covering preventive controls (to protect internet brokers’ internal networks and internet trading systems, as well as client accounts, from cyber-attacks), detective controls (to detect suspected hacking activities and alert internet brokers and clients on a timely basis to mitigate their impact and reduce financial losses) and internal governance-related controls (to strengthen overall cybersecurity governance and management of internet brokers and the cybersecurity awareness of both brokers and their clients).

On 27 October 2017, the SFC published the conclusions of the consultation and issued the Guidelines (with minor amendments resulting from the consultation) via a circular, requiring all licensed corporations engaged in internet trading to implement the 20 baseline requirements in the Guidelines to enhance their cyber security resilience and to reduce and mitigate hacking risks. One key control, the implementation of two-factor authentication for clients logging in to their internet trading accounts, took effect on 27 April 2018, while all other requirements take effect on 27 July 2018.

Personal Data (Privacy) Ordinance (PDPO)

The PDPO requires all practicable steps to be taken to ensure that personal data held by a data user is protected against unauthorised or accidental access, processing, erasure, loss or use, having particular regard to:

  • The nature of data and the damage that could result from unauthorised or accidental access, processing, erasure, loss or use.
  • The physical location where the data is stored.
  • Any security measures used for the equipment where the data is stored.
  • Any measures taken for ensuring the integrity, prudence and competence of persons having access to the data.
  • Any measures taken for ensuring the secure transmission of the data (Data Protection Principle 4(1)).

The Privacy Commissioner issued an information leaflet on BYOD in August 2016, highlighting the personal data privacy risks and best practices of which an organisation needs to be aware when it develops a BYOD policy, as well as a “Physical Tracking and Monitoring through Electronic Devices” information leaflet in May 2017 to draw attention to the possible risks of personal data privacy associated with physical tracking or monitoring through electronic devices.

The PDPO does not require that personal data security breaches be notified, either to data subjects or the Privacy Commissioner. While not a legal requirement, the Privacy Commissioner does encourage notification of breaches.

There are a range of criminal sanctions for breach of the PDPO. If a data user is found to have breached the Data Protection Principles of the PDPO, the Privacy Commissioner may issue an enforcement notice requiring the data user to take steps to rectify the contravention. A breach of the enforcement notice constitutes a criminal offence, punishable by a fine of up to HK$50,000 (doubled for any subsequent convictions) and imprisonment for up to two years. Contravention of other requirements of the PDPO is also an offence.

In addition, it is an offence for a person who obtains personal data from a data user without the data user’s consent and discloses that personal data with the intent to obtain a gain or cause loss to the data subject; or in circumstances where the disclosure causes psychological harm to the data subject. The offence is punishable by a fine of up to HK$1 million and up to five years’ imprisonment. Lesser contraventions of the PDPO are punishable by fines of up to HK$10,000 and up to six months’ imprisonment. In addition to criminal sanctions, a data subject who suffers a loss due to a breach of the PDPO is entitled to seek compensation from the data user through civil action, including for emotional distress.

Singapore

THE CYBERSECURITY ACT, THE PERSONAL DATA PROTECTION ACT AND THE COMPUTER MISUSE ACT

Cybersecurity ranks high on the Singapore Government’s agenda, and the seriousness with which it views cybersecurity threats can be seen in, among other things, the establishment of the Cyber Security Agency of Singapore (“CSA”) as the central agency overseeing and coordinating all aspects of cybersecurity for the nation. In October 2016, Singapore’s Cybersecurity Strategy was launched, with the aim of creating a resilient and trusted cyber environment for Singapore.

In February 2018, the Singapore Parliament passed the Cybersecurity Act, which is intended as a broad omnibus cybersecurity law. The Cybersecurity Act will apply to organisations designated as operating “critical information infrastructure” in Singapore, which would include organisations in the energy, telecoms, water, health, banking, transport and media sectors.

The Cybersecurity Act exists alongside other Singapore legislation that deals with information security, such as the Personal Data Protection Act. In addition, the regulators of some sectors deemed to be critical information infrastructure sectors (e.g. financial services) have promulgated regulations dealing with cybersecurity incidents.

The Cybersecurity Act

The Cybersecurity Act takes a holistic approach towards Singapore’s resilience against cyber-attacks and focuses on ensuring that the country is prepared and can respond effectively and promptly when an attack occurs. It seeks to establish a framework for the oversight and maintenance of national cybersecurity in Singapore, and empower the CSA to carry out its functions.

The Act has four objectives:

  • To provide a framework for the regulation of sectors considered critical information infrastructure (“CII”) sectors, with the intention of formalising the duties of CII owners in ensuring the cybersecurity of their respective CIIs.
  • To provide the CSA with powers to manage and respond to cybersecurity threats and incidents. The intention is to enhance the existing cybersecurity-related powers provided for in the Computer Misuse and Cybersecurity Act, and specifically to vest CSA officers with statutory powers.
  • To establish a framework for the sharing of cybersecurity information with and by the CSA, and for the protection of such information.
  • To establish a light-touch licensing framework for cybersecurity service providers.

Under the Cybersecurity Act, organisations who have been designated as CII owners will be subject to various duties including:

  • A duty to report certain cybersecurity incidents.
  • A duty to disclose certain information.
  • A duty to undertake periodic cybersecurity audits and risk assessments; CII owners may further be required to adhere to codes of practice or standards.
  • A duty to notify changes in the legal or beneficial ownership of the CII.

The Personal Data Protection Act (PDPA)

It is acknowledged that cybersecurity is related to personal data protection and in connection with that, the PDPA requires organisations to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

In July 2017, the Singapore Personal Data Protection Commission (PDPC) launched a public consultation on the review of the PDPA, and proposed mandatory data breach notification. It was proposed that:

  • Organisations must notify affected individuals and the PDPC of a data breach that poses any risk of impact or harm to the affected individuals.
  • Even if the breach does not pose any risk of impact or harm to the affected individuals, organisations must notify the PDPC where the scale of the data breach is significant.

The Computer Misuse and Cybersecurity Act (CMCA)

The CMCA was enacted in 1993 to secure computer material against unauthorised access or modification. It was recently amended in April 2017 to address the changing nature of computer offences and the growing threat of cybercrime.

Under the CMCA, it is an offence to:

  • Use a computer to secure unauthorised access to any program or data held in any computer.
  • Cause an unauthorised modification of the contents of any computer.
  • Knowingly secure unauthorised access to any computer to obtain any computer service.
  • Obstruct the use of, or prevent access to, a computer without authority.
  • Knowingly and without authority disclose any password, access code or any other means of gaining access to any program or data held in any computer for wrongful gain, for any unlawful purpose, or with the knowledge that it is likely to cause wrongful loss to any person.

In 2017, the Act was amended to criminalise the use of personal data obtained via an act in breach of the CMCA, where the person knows or has reason to believe that the personal information was so obtained. It is not an offence if the personal information was obtained or retained for a purpose other than for use in committing, or in facilitating the commission of any offence. It was clarified that this exception was created to allow journalists or researchers who use information derived from hacks for their news report or research, so long as they do not circulate the personal details that were disclosed through the hack.

The CMCA was also amended to:

  • Criminalise the act of obtaining and the act of dealing in tools which may be used to commit an offence under the CMCA.
  • Extend the territorial scope of offences under the CMCA to cover any offence committed by any person who was in Singapore at the material time, any offence where the computer, program or data was in Singapore at the material time, and any offence which causes or creates a significant risk of serious harm in Singapore.
  • Allow prosecutors to amalgamate cybercrime charges against a perpetrator instead of having to bring separate charges for each instance of a distinct act.

Following the passing of the Cybersecurity Act, the CMCA will be correspondingly amended to remove references to cybersecurity in its title and within the Act itself.

Australia

CYBER SECURITY STRATEGY

The annual cost of identity crime in Australia is estimated to be $2.2 billion. As Australian businesses respond to an increasing risk of cyber security threats, the Australian Government has released its national “Cyber Security Strategy” as a roadmap for protecting and advancing Australian Government and private sector interests online. With 5.1 per cent of Australian GDP attributable to the internet-based economy (and 7.3 per cent predicted by 2020), cyber security is an essential element of doing business in Australia.

Privacy Act 1988 (Cth)

The Privacy Act imposes some obligations in relation to cyber security:

  • Entities subject to the Australian Privacy Principles (APPs) (each an APP entity) must have a clearly expressed and up-to-date policy in relation to the management of personal information.
  • Entities that hold personal information (or credit reporting information) are required to implement appropriate measures to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
  • Recipients of individuals’ tax file numbers (TFNs) must take reasonable steps to protect TFN information from misuse and loss, and from unauthorised access, use, modification or disclosure, and ensure that access to records containing TFN information is restricted to individuals who need to handle that information for taxation law, personal assistance law or superannuation law purposes.
  • Generally, if an entity holding personal information, credit reporting information or an individual’s TFN no longer requires the information, the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.
  • An APP entity must take such steps as are reasonable in the circumstances to ensure that an overseas recipient of personal information from the entity does not breach the APPs in relation to the information (for example, through contractual provisions), unless an exception applies (such as where consent is given or the recipient of the information is subject to a law that has the effect of protecting the information in a way that is substantially similar to the way in which the APPs protect the information, and there are mechanisms that the individual can access to take action to enforce that protection).

It is also important to note that the extra-territorial effect of the EU’s GDPR will mean that certain Australian businesses will be subject to the GDPR in addition to local law requirements.

Notifiable Data Breaches Scheme (NDB Scheme)

The NDB Scheme came into effect on 22 February 2018, as an amendment to the Privacy Act.

The NDB Scheme imposes mandatory investigation and notification obligations on APP entities, credit reporting bodies, credit providers and tax file number recipients in respect of eligible data breaches that occur on or after 22 February 2018. Under the NDB Scheme, an entity covered by the scheme which suffers an eligible breach is required to notify the Office of the Australian Information Commissioner (OAIC) and any individuals likely to be at risk of serious harm as a result of the breach. The notice must include:

  • The identity and contact details of the organisation.
  • A description of the data breach.
  • The kind of information that has been disclosed.
  • Recommendations about the steps individuals should take in response to the data breach.

Australian Prudential Regulation Authority (APRA)

In March 2018, APRA released a discussion paper entitled “Information security management: A new cross-industry prudential standard”, and a draft prudential Standard, “Prudential Standard CPS 234 Information Security (draft CPS 234)”. APRA proposes to apply the new Standard to authorised deposit-taking institutions (ADIs), general insurers, life insurers, private health insurers, licensees of registrable superannuation entities (RSE licensees) and authorised or registered non-operating holding companies. The Standard aims to ensure that APRA-regulated entities are resilient against information security incidents (including cyber attacks) by requiring that each such entity maintains an information security capability that is commensurate with information security vulnerabilities and threats. The draft Standard requires, inter alia, that APRA-regulated entities have clearly defined information security related roles and responsibilities of the Board, senior management, governing bodies and individuals, and that APRA is notified of any material information security incidents. Current APRA standards and guidelines include:

  • APRA Prudential Standards – CPS 220 (Risk Management) and CPS 231 (Outsourcing)

    These Standards require APRA-regulated entities to have proper risk management strategies, including IT systems, and to ensure that they properly manage outsourcing risk in relation to material business activities.
  • APRA Prudential Practice Guides – CPG 234 (Management of Security Risk in Information and IT) and CPG 235 (Managing Data Risk)

    These Guides provide guidance to senior management, risk management and technical specialists (both management and operational) about data and security risks and specifically target areas where APRA continues to identify weaknesses as part of its ongoing and supervisory activities.

Australian Securities and Investments Commission (ASIC)

In addition to continuous disclosure obligations which may require a company to disclose a breach of data security, ASIC’s Cyber Resilience Health Check 2015 set out ASIC’s expectation that company Boards participate in cyber security issues, recommending that companies (i) adopt the US Department of Commerce’s National Institute of Standards and Technology Cyber Security Framework, (ii) engage with cyber security bodies, and (iii) involve directors and the Board in managing cyber security to foster a strong culture of cyber resilience.

Cybercrime Act 2001 (Cth)

This Act establishes offences that are consistent with those required by the Council of Europe Convention on Cybercrime. The provisions are drafted in technology-neutral terms to accommodate advances in technology. The Act establishes cybercrime offences, including serious offences which are defined as offences punishable by imprisonment for five years or more, including life sentences.
