At a glance.
- CISA issues ransomware guidance.
- Australia’s Ransomware Payments Bill.
- Beijing moves on industry cybersecurity, data protection.
CISA issues ransomware guidance.
SearchSecurity has an account of the Cybersecurity and Infrastructure Security Agency’s (CISA’s) new ransomware resource, “Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches,” which can be found on the Agency’s “Stop Ransomware” site. In addition to “strongly discourage[ing] paying a ransom,” the document outlines measures organizations should take to prevent breaches, protect data, and respond to attacks. SearchSecurity notes an apparent point of contention regarding response best practices between CISA and NSA fellow Josiah Dykstra, who argued at this year’s Black Hat cybersecurity conference against powering down affected networks, contra CISA’s guidance.
Australia’s Ransomware Payments Bill.
Lexology describes Canberra’s proposed Ransomware Payments Bill 2021. The Bill would require public and private organizations, other than charities and small businesses, to disclose ransomware payments to the Australian Cyber Security Centre (ACSC) in a timely fashion when the impacted data, device, or user is located in Australia, on penalty of a fine. The disclosure would be inadmissible in criminal proceedings unrelated to providing false information, would be published only for enforcement purposes—or for informational purposes on an anonymized basis—and would need to contain details about the victim, attack, attacker, and payment. Australian organizations are subject to other reporting requirements under laws such as the Privacy Act 1988 and Crimes Act 1900.
Like CISA, ACSC discourages ransomware payments. CrowdStrike found in 2020 that sixty-seven percent of Aussie organizations were hit by ransomware in the span of a year. Organizations paid up in a third of cases.
Beijing moves on industry cybersecurity, data protection.
The Register says the Cyberspace Administration of China (CAC) is concerned about attacks on critical information infrastructure, and has issued broad regulations covering “all Chinese enterprises whose operations depend on networks.” Organizations must craft crisis plans, run crisis drills, administer yearly assessments, report incidents, and stay tuned for future changes, or face penalties.
Beijing also passed its Personal Information Protection Law (PIPL) today, CNBC reports, bringing wide-ranging data protection, collection, processing, and transfer rules, and additional compliance burdens for an industry already confronting state scrutiny. The Wall Street Journal calls PIPL “one of the world’s strictest data-privacy laws,” drawing comparisons to the EU’s GDPR, but notes the legislation is not expected to temper CCP surveillance.
Ilia Kolochenko, Founder of ImmuniWeb and a member of Europol Data Protection Experts Network, offered a broadly favorable review of PIPL:
“Asia is a central place of rapidly evolving privacy and data protection legislation, spanning from leading data protection regimes like in Singapore to countries like India or Hong Kong that now consider major improvements of their privacy legislation to be consonant with the GDPR model. PIPL is long-awaited legislation in China that, in my opinion, will bring a lot of benefits both for Chinese companies and consumers.
“Many subtle details of PIPL are not yet fully clear; however, in general, it resembles other legislations in the region mandating transparency, accountability, fairness and data protection when processing personal data of Chinese residents. PIPL also grants individuals a wide spectrum of rights to control how their personal data is being stored or processed. Adequate data protection and security figure among the key PIPL requirements as well. Furthermore, a mandatory data breach notification regime is enacted by the law.
“Violations of PIPL may trigger harsh monetary penalties going up to 5% of the past year’s annual turnover, being even bigger than the GDPR ones. We will, of course, need to observe PIPL enforcement actions and nascent jurisprudence to compare China’s data protection regime with other countries.”