InfoSec Legal Risks II

Back in Feb I mentioned a Book I'd come across: Information Security: Managing the Legal Risks by Nick Gifford.

Recently Nick gave a great presentation at the AISA Risk Management Special Interest Group (RMSIG) in Sydney.

Some of the points that came out of his presentation** that I found rather interesting follow:
  • Most InfoSec-related cases are brought under the tort of negligence
  • Damages cannot be recovered under negligence for pure economic loss
  • No cases have yet been tried in Australia under the tort of negligence for InfoSec breaches ~ although cases have been settled before going to court
  • The highest privacy breach payout in Australia is around $8000 ~ leaving privacy breaches more damaging to reputation than financially (barring lost revenue from reputational damage, of course!)
  • The Trade Practices Act Section 52 is the key area to pay attention to for Australian InfoSec professionals when verifying legal liability ~ it has fewer hurdles than proving negligence and can be 'creatively' applied by the courts.
  • The ALRC has recommended a new tort of "serious invasion of privacy" and recommended compulsory disclosure laws in Australia.
Nick also referenced an interesting quote from the FTC paper on Identity Theft [pdf]:
The Rule specifies that what is “reasonable” will depend on the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information at issue. This standard recognizes that there cannot be “perfect” security, and that data breaches can occur despite the maintenance of reasonable precautions to prevent them.
The formal acknowledgement that "perfect" security cannot exist from someone outside of IT is interesting to see.

Nick gave a great talk, and I do recommend his book.

**Any errors or omissions of information in this post are my fault and not Nick's. I am no lawyer! So go seek your legal advice from someone who is!
