What lessons should be learned from the Distribute.IT meltdown?

Now is a good time to look at Cloud compliance, SLAs and legal ramifications, says the ACS

Australian Computer Society chief executive, Anthony Wong

As Distribute.IT's server compromise and subsequent acquisition by Netregistry Group this week has shown, a company that is the target of a hack can be put out of business permanently. The scale of the Distribute.IT disaster raises issues both for customers who use hosting providers to store sensitive business information and for the providers themselves.

That the incident should happen when there is increasing hype around the use of Cloud services, with organisations either hosting assets in the Cloud or using hybrid private/public models, throws into stark relief the legal minefield enterprises face when they rely on another party to store their data.

While Distribute.IT's customers and remaining assets have been transferred, customer data on four servers, along with the backups, has been wiped — forever.

So what can hosting providers do to avoid a similar fate, and what can businesses do to safeguard data?

Australian Computer Society (ACS) chief executive, Anthony Wong, says the Distribute.IT case has some parallels with an incident in the US in 2009, when internet service provider Core IP Networks was raided by the FBI and a multi-tenant server from a data centre was taken to gather evidence in an investigation of an attempt to defraud $US15 million from Verizon and AT&T.

"Unfortunately this disrupted the businesses whose data and information was hosted on the same server," says Wong. "One company called Liquid Motors went out of business because it no longer had a system to use."

He says customers should go through service level agreements (SLAs) with a fine-tooth comb. "They [customers] need to review those service levels and look at those responsibilities," Wong says.

"Most standard agreements trigger a force majeure or Act of God clause that relieves the affected party of its obligations when disaster occurs. In this case, Distribute.IT could say it was an Act of God because someone hacked the system and it was beyond their control. A customer has to look at that clause because, if the system is critical to their business operation, they should negotiate the SLA and contract."

There can be legal hurdles, particularly when using Cloud, such as compliance issues, SLAs and performance, cross-border issues, data protection, privacy and termination.

"There is no law for cyberspace or Cloud computing for the internet in Australia, however there are a number of specific laws that apply such as the Electronic Transactions Acts, Privacy Act 1988, the Cybercrime Act 2001 and the Spam Act of 2003," Wong said.

One issue that is pertinent in the Distribute.IT case is preservation and retention of data, because record retention requirements will not be the same for each organisation.

"It has been asserted there are over 450 separate Acts of Parliament in Australia that contain provisions dealing with retention of records," Wong said.

"Courts are not likely to be very understanding just because your data is in the Cloud."

For people running a business, he says there is an obligation to retain online records for tax purposes.

"In this case with Distribute.IT, it sounds like most of the customers used it for their websites as well as emails. I assume the records of all those transactions are gone due to the data being lost. If the backups are lost, how are they going to comply with data retention and preservation for business records?" he said.

According to Wong, companies need to look at four key issues in legal compliance: a review of corporate governance and industry regulation requirements; compliance with mandatory disclosures and financial reporting; whether special standards and compliance obligations apply to their particular industry; and the ability to meet data retention requirements during litigation.

"One example is financial services companies must first notify Australian Prudential Regulatory Authority (APRA) before conducting an offshore data transfer," says Wong.

"Financial services companies must demonstrate appropriate risk management and governance procedures where there is the potential to compromise the confidentiality and integrity of sensitive data."

Another common issue faced by businesses when selecting a hosting provider or Cloud service is which country's court system would settle a dispute if the data is stored offshore.
