ONE YEAR ON, ARE WE ANY SAFER?

AUSTRALIA'S privacy laws turned one this week but the technology we use the most is still governed by a law from its dark ages.

There is now an audience backing calls by a former United States Homeland Security Department secretary for a major overhaul of rules on internet jurisdiction.

Bond University Law professor Dan Svantesson and Virtual Legal founder and CEO Katie Richards say there is a need for innovative ways to solve the considerable problems caused by overlapping claims of jurisdiction on the internet.

Svantesson says current laws are based on the Harvard Research Draft Convention on Jurisdiction and Respect to Crime (Harvard Draft).

This convention was written in 1935, decades before the internet existed and when clouds could only be found in the sky.

"We have allowed the Harvard Draft principles to become a cementation of 1930s thinking of the world," he says.

"Eight year old principles of a different world are governing us and restricting our thinking today.

"As an unsurprising consequence, the principles found in the Harvard Draft are no longer part of the solution, they have become part of the problem."

Richards, whose law firm is built on cloud services, says the issue is now all-encompassing and concerns business and legal as much as it does IT.

Since March 2014, all businesses with turnovers above $3 million have had to comply with the Australian Privacy Principles (APP), reveal any cross-border disclosure of personal information and, where possible, name the countries where data is held. Penalties of up to $1.7 million can be imposed on companies in breach of these principles.

"This has to come from the top at the partner and director level to make sure there is a thorough understanding about who is being contracted with," says Richards.

"For law firms for example, an understanding of the legal work is no longer enough - there also needs to be an understanding about how the cloud is working so information being provided by clients and returned to them is safeguarded.

"Australia does a good job at monitoring what happens here but the second the data enters and is stored in another country, that's when we have issues.

"There is a common saying among security professionals that you have 'either been data breached or you just don't know you have been data breached'."

Richards says it's a complicated sovereignty issue.

"It is a sovereignty issue," she says.

"There needs to be a global governing body and some sort of convention that has a base set of requirements for all countries and the opportunity to opt in or opt out of others.

"There is a lot to consider in constructing the international protocol - what's necessary and the risk level required - and who would get the final signoff on this."

Svantesson agrees that a "paradigm shift" is necessary which will "no doubt be associated with some controversy and opposition".

He says three core legal principles should be at the heart of the new legal framework covering the internet.

"Jurisdiction may only be exercised where: one, there is a substantial connection between the matter and the state seeking to exercise jurisdiction.

"Two, the state seeking to exercise the jurisdiction has a legitimate interest in the matter.

"And three, the exercise of jurisdiction is reasonable given the proportionality between the state's legitimate interests and other competing (state) interests.

"In any case, a change in thinking is needed as the current situation is nonsensical and the time has surely come to start over."

Virtual Legal's top tips for safeguarding your business

  1. Purchase cyber liability insurance cover (CLIC) if you are dealing with data in any capacity to help alleviate some of the costs if something goes wrong. This has existed for around 10 years but few people have considered its need or are aware of its existence.
  2. Reassess your software provider. Even Virtual Legal - whose core business is on the cloud - has had issues with data storage with a legal software provider which were only made known once a transfer of the data was required.  
  3. Perform due diligence into the timeliness and extent of vendor support, the vendor's incident response plan, training of the vendor's employees, notification of security incidents, your access to logs, security incident compensation and how data spills are managed.
  4. Ensure the leadership team within your entire organisation has a thorough understanding of where data is being stored and how the cloud technologies they have implemented are being used, and has a business continuity/disaster recovery plan in place.