In this month's wrap-up of relevant news for insurers, brokers and their customers doing business in Australia and New Zealand in the cyber, tech and data fields, we look at cyber issues, including the treatment of COVID-related data, ransomware developments, insurance premium trends, significant cases, and government and regulatory cyber-related activity in Australia and New Zealand. We also share some tips to help IT providers avoid or minimise liability following cyber incidents.
New OAIC Guidance - Retention and deletion of data collected in response to COVID-19
During the pandemic, many organisations have collected information they wouldn't normally have about employees (e.g. COVID-19 vaccine certificates) or about customers or visitors (e.g. contact tracing information).
New guidance issued by the Office of the Australian Information Commissioner (OAIC) suggests organisations may now need to delete that information or risk being in breach of the Australian Privacy Principles (APPs).
The OAIC's guidance does not represent a new legal development; it highlights the ongoing obligations of organisations subject to the APPs. Specifically, under APP 11.2, an APP entity must destroy or de-identify information held about an individual if:
- the entity no longer needs the information for any purpose for which it was collected (for example, if it was collected to comply with public health orders that no longer exist)
- the information is not contained in a Commonwealth record, and
- the entity is not required to keep the information under an Australian law, or by order of a court or tribunal.
Under APP 11.2, APP entities are also required to take reasonable steps to protect personal information they hold from misuse, interference, loss, unauthorised access, modification or disclosure.
While the APPs and these specific obligations apply broadly, COVID-related information provides a clear illustration of the principles. For example, in its guidance, the OAIC recommends that organisations should:
- consider whether there is an ongoing need or legal basis for the continued collection or retention of COVID-related personal and sensitive information – this may require entities to check whether there are still public health orders or other laws in place that provide a basis for the collection or retention of information
- consider whether the information is reasonably necessary for their functions or activities – this may include considering workplace laws and contractual obligations
- if there is no requirement to retain the information, take reasonable steps to destroy or de-identify the information held, and
- if the information is required to be retained for a period of time, ensure that they have systems and processes in place to regularly review whether retention is still necessary.
In practice, different sets of information may need different treatments and ongoing review. Compliance may be complicated by the fact that some organisation-specific or industry-specific public health orders, while no longer strictly required, have not been withdrawn by the issuing agencies.
Organisations' data is often held by service providers under cloud-based arrangements. This means that as part of their 'post COVID' data tidy-up, organisations will need to consider their outsourced arrangements, including terms dealing with data access, storage and deletion, as well as risk allocation provisions.
The OAIC's guidance has not changed 'what good looks like' in this space. The key mitigation for minimising the risk of privacy breach (as called out by the OAIC) and avoiding regulatory scrutiny, as well as minimising the risk and 'blast zone' of data breach and cyber incidents, remains for organisations to regularly review and understand their data storage and retention arrangements.
Ransomware Q2 roundup
According to Coveware's latest report:
- While the average ransom payment increased 8% from Q1 2022 (being pulled up by several outliers), the median ransom payment actually decreased 51% from Q1 2022. Coveware has attributed this downward trend to two factors:
  - a shift of RaaS affiliates and developers towards the mid-market (where the risk to reward profile of attack is more consistent and less risky than high profile attack), and
  - "an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts".
- Exfiltration of data remains prolific (occurring in approximately 86% of ransomware cases), and payment of a ransom seldom results in exfiltrated data being destroyed by threat actors.
- Professional services has emerged as the leading industry impacted by ransomware attacks, which is consistent with the W+K cyber team data.
Cyber insurance premiums continue to rise
According to an Insurance News article about a recent S&P report, the global cyber cover premium pool is set to increase 25% a year, reaching $US22.5b ($32.49b) by 2025. However, the S&P report predicts profitability in the insurance line will continue to be a challenge.
According to the report, cyber premium prices will fluctuate going forward due to new risk differentiation models, emerging cybersecurity standards and improvements in cybersecurity systems. S&P further comments: "clear policies with precise wording are key to developing a sustainable cyber insurance market, requiring a deeper understanding of how ransomware drives losses, improvements in scenario modelling, better management of risk accumulation and disciplined underwriting".
Australia joins the Global Cross-Border Privacy Rules Forum
In a joint statement, the Attorney General Mark Dreyfus and Australia's Trade Minister recently announced that Australia has joined the Global Cross-Border Privacy Rules (Global CBPR) Forum. The forum was established in April 2022 with the aim to "support the free flow of data and effective data protection globally" and to "establish an international certification system that will help companies demonstrate compliance with internationally recognised data privacy standards."
TikTok trigger sees Government put strengthening privacy laws back on the table
The Australian Government has again put strengthening Australia's federal privacy laws back on the agenda by recently announcing that privacy laws in Australia should give Australians confidence that their personal information and data is protected, as well as empower them to understand how their data is being used by digital platforms.
Proposed amendments to the Privacy Act 1988 (Cth) have been part of the Government's ongoing review of the Australian privacy law framework since 2019. This was on the back of the UK parliament declaring the Chinese-owned social media platform TikTok to be a "data harvester" and subsequently deleting its official account in late July 2022. TikTok has recently faced a flurry of negative press after it was disclosed that some of its staff could access data from overseas users, including those in Australia.
The Australian Signals Directorate (Australia's cyber intelligence agency) also advised some Australian MPs that they should (generally speaking) have a second mobile phone for social media apps, in light of the extensive data collection practices undertaken by these apps.
Further, in early August 2022, Internet 2.0 (a Canberra-based cybersecurity and intelligence firm) suggested that TikTok engages in questionable and excessive data practices (such as checking its users' location at least hourly), under broad privacy settings enabled by users. On this basis, Internet 2.0 stressed that TikTok should be more open and transparent about its data practices, and that users should review their privacy settings intermittently. In response, the OAIC is considering Internet 2.0's report as part of its regulatory action policy.
Throughout 2021, the OAIC focused its attention on large organisations' privacy practices and non-compliance with the APPs. Its orders have ranged from the implementation of data destruction and deletion policies, and information security and incident response plans, to the destruction of personal information and cessation of practices that breach the APPs. These determinations highlight the need for all organisations doing business in Australia – whether based in Australia or not – to comply with the APPs and commit to good privacy practices.
Directors and cybersecurity: where will the RI Advice proceedings take us?
In August 2020, in the first case of its kind, ASIC commenced proceedings against RI Advice Group Pty Ltd (RI Advice) for alleged breaches of its statutory obligations as an Australian financial services licensee for failures surrounding adequacy of its cybersecurity. We reported in more detail on the implications of the RI Advice proceedings in this article.
Following an out-of-court settlement between ASIC and RI Advice, on 5 May 2022, the Federal Court delivered its judgment. It made declarations of contraventions of section 912A(1)(a) and (h) of the Corporations Act 2001 (Cth) (Corporations Act) and ordered RI Advice to conduct a cybersecurity audit and to pay a contribution of $750,000 towards ASIC's costs. As the judgment relied on the facts agreed between ASIC and RI Advice as part of the settlement, relatively little weight can be placed on the findings. It remains to be seen what cybersecurity standards courts will look to when proceedings like this reach trial.
ASIC released its new Corporate Plan this month which places cybersecurity at the forefront, including intentions to take enforcement action against companies for cybersecurity failings.
The spectre of further regulatory activity by ASIC as it pursues its Corporate Plan, combined with the absence of regulatory or judicial guidance in respect of minimum cybersecurity standards, makes this a challenging area for directors and officers. This is particularly the case when ASIC has shown a propensity in the past to use a company's breach as a 'stepping stone' to establishing personal breaches of care against directors and officers. This uncertainty inevitably creates risk and is an issue insurers and insureds should be alive to so it can be appropriately managed.
Google $60m penalty decision illustrates heightened risk climate for data collection in Australia
On 12 August 2022, Justice Thawley of the Federal Court of Australia ordered that Google LLC and Google Australia Pty Ltd (Google) pay $60m in damages for misrepresentations about the collection, use and storage of location information gathered from users of Android mobile devices.[1]
The Google case illustrates the high penalties and alternative means of prosecution available to Australian regulators for inadequate disclosure of data collection and handling practices. It is also evidence of the heightened regulatory and risk environment around data and management of privacy obligations generally.
Read our discussion of the implications of the Google case for organisations that collect data and their insurers here.
[1] Australian Competition and Consumer Commission v Google LLC & Anor (No. 4) FCA 942.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.