ONE YEAR ON, ARE WE ANY SAFER?

AUSTRALIA'S privacy laws turned one this week but the technology we use the most is still governed by a law from its dark ages.

There is now an audience backing calls by a former United States Homeland Security Department secretary for a major overhaul of rules on internet jurisdiction.

Bond University Law professor Dan Svantesson and Virtual Legal founder and CEO Katie Richards say there is a need for innovative ways to solve the considerable problems caused by overlapping claims of jurisdiction on the internet.

Svantesson says current laws are based on the Harvard Research Draft Convention on Jurisdiction and Respect to Crime (Harvard Draft).

This convention was written in 1935, decades before the internet existed and when clouds could only be found in the sky.

"We have allowed the Harvard Draft principles to become a cementation of 1930's thinking of the world," he says.

"Eight year old principles of a different world are governing us and restricting our thinking today.

"As an unsurprising consequence, the principles found in the Harvard Draft are no longer part of the solution, they have become part of the problem."

Richards, whose law firm is hinged on cloud services, says the issue is now all-encompassing and equally concerns business and legal as it does IT.

Since March 2014, all business with turnovers above $3 million have had to comply with the Australian Privacy Principles (APP) and reveal any cross-border disclosure of personal information and name the countries data is held where possible. Penalties of up to $1.7 million can be administered for companies in breach of these principles. 

"This has to come from the top at the partner and director level to make sure there is a thorough understanding about who is being contracted with," says Richards.

"For law firms for example, an understanding of the legal work is no longer enough - there also needs to be an understanding about how the cloud is working so information being provided by clients and returned to them is safeguarded.

"Australia does a good job at monitoring what happens here but the second the data enters and is stored in another country, that's when we have issues.

"There is a common saying among security professionals that you have 'either been data breached or you just don't know you have been data breached'."

Richards says it's a complicated sovereign issue.

"It is a sovereignty issue," she says.

"There needs to be a global governing body and some sort of convention that has a base set of requirements for all countries and the opportunity to opt in or opt out of others.

"There is a lot to consider in constructing the international protocol - what's necessary and the risk level required - and who would get the final signoff on this."

Svantesson agrees that a "paradigm shift" is necessary which will "no doubt be associated with some controversy and opposition".

He says three core legal principles should be at the heart of the new legal framework covering the internet.

"Jurisdiction may only be exercised where: one, there is a substantial connection between the matter and the state seeking to exercise jurisdiction.

"Two, the state seeking to exercise the jurisdiction has a legitimate interest in the matter.

"And three, the exercise of jurisdiction is reasonable given the proportionality between the state's legitimate interests and other competing (state) interests.

"In any case, a change in thinking is needed as the current situation is nonsensical and the time has surely come to start over."

Virtual Legal's top tips for safeguarding your business

1. Purchase cyber liability insurance cover (CLIC) if you are dealing with data in any capacity to help alleviate some of the costs if something goes wrong. This has existed for around 10 years but few people have considered its need or are aware of its existence.
2. Reassess your software provider. Even Virtual Legal - whose core business is on the cloud - has had issues with data storage with a legal software provider which were only made known once a transfer of the data was required.  
3. Perform due diligence into timeliness and extent of vendor support, vendor's incident response plan, training of vendor's employees, notification of security incidents, your access of logs, security incident compensation and how data spills are managed. 
4. Ensure the leadership team within your entire organisation has a thorough understanding of where data is being stored, how the cloud technologies they have implemented are being used and have a business continuity/disaster recovery plan in place.