1 Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity', ‘data protection' and ‘cybercrime' (jointly referred to as ‘cyber')? If so, how are they distinguished or defined?
Cybersecurity is referred to as ‘information security' in Australia and is addressed in:
- the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs);
- tax file number (TFN) legislation, in particular the Privacy (Tax File Number) Rule 2015 (Cth);
- the Corporations Act 2001 (Cth), which imposes general obligations on directors of all companies in Australia, including with respect to security;
- sector-specific legislation and requirements discussed in question 1.3, such as:
- the Security of Critical Infrastructure Act 2018 (Cth);
- the Telecommunications (Interception and Access) Act 1979 (Cth); and
- obligations on financial services providers (eg, Australian Prudential Regulation Authority (APRA) requirements); and
- the Telecommunications Act 1997 (Cth), which applies to the telecommunications sector but also includes broader requirements for ‘designated communication providers'; and
- data security provisions under state/territory privacy legislation that primarily relate to state/territory government agencies.
Data protection – or ‘privacy', as it is referred to in Australia (specifically, the handling of ‘personal information') – is addressed in the Privacy Act and, for state/territory public sector agencies, the relevant state/territory privacy legislation.
Cybercrime (including hacking, unauthorised access, denial of service (DoS) attacks, phishing, identity theft and cyber fraud) is addressed in the Criminal Code Act 1995 (Cth). There is also some state/territory legislation that targets cybercrime (eg, cyber harassment, cyber bullying, cyber fraud and computer offences).
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
Privacy: The Privacy Act applies to ‘organisations' (broadly, any individual, corporation, partnership, unincorporated association or trust ‘carrying on business' in Australia with annual turnover exceeding A$3 million or, otherwise, who ‘deal' in information) and federal public sector ‘agencies' (collectively, ‘APP entities') in respect of ‘personal information'. ‘Personal information' includes a broad range of information (including opinions and incorrect information) that could (by itself or in combination with other reasonably available information) reasonably identify an individual.
APP 11 requires that APP entities take ‘reasonable steps' to protect personal information from misuse, interference and loss and from unauthorised access, modification or disclosure (ie, a data breach). In effect, an APP entity must have adequate cybersecurity measures in place to protect all personal information it holds or is responsible for (eg, where a third party is engaged to process the information). In the event of a data breach that is likely to cause ‘serious harm', the Privacy Act requires an APP entity to notify the Office of the Australian Information Commissioner (OAIC) and all affected individuals.
The Competition and Consumer Act 2010 (Cth) was amended in 2019 to incorporate a new bundle of rights for consumers to exercise greater control over their data held by providers in the key sectors of banking, energy retailing and telecommunications. This regime is to be expanded to other sectors, starting with telecommunications and energy. The ‘Consumer Data Right' includes 13 ‘privacy safeguards' over consumer data which operate in parallel to the Privacy Act obligations in respect of personal information.
Cybercrime: The Criminal Code (mainly Parts 10.7 and 10.8) creates offences for certain activities and has the effect of criminalising hacking into computer systems, DoS attacks, phishing, identity theft and other computer-related fraud, the distribution of malicious software and electronic theft. These offences are generally couched in technology-neutral terms and include:
- unauthorised impairment of electronic communication;
- unauthorised access to, or modification of, restricted data;
- unauthorised impairment of data held on a computer disk and so on; and
- dealing in identification information that involves use of a carriage service.
Encryption: Under Part 15 of the Telecommunications Act, a ‘designated communication provider' (broadly defined to include any device, product or service that is connected to or can be used with a carriage service) may be required, on request, to provide assistance to law enforcement and intelligence agencies without the need for a warrant. This assistance could take the form of:
- removing electronic protections over communications (eg, encryption);
- providing technical information about the technology used; and/or
- installing technology on behalf of the enforcement/intelligence agency.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (e.g. critical infrastructure, national security, financial services, healthcare)?
Yes. Sector-specific requirements are, briefly, as follows.
Critical infrastructure: The Security of Critical Infrastructure Act seeks to manage national security risks such as sabotage, espionage and coercion posed by foreign involvement in Australian critical infrastructure assets. It includes gathering powers allowing the secretary of the Department of Home Affairs to compel owners and operators of critical infrastructure assets (eg, electricity, gas and water) to report ‘operational information' and ‘interest and control information'.
Public sector and national security: National security is managed by the Department of Defence and its supply chain (eg, defence contractors and, in turn, their vendors and service providers), which are generally required to comply with the Australian Government Information Security Manual, the Protective Security Policy Framework and the ‘Essential Eight' cyber mitigation maturity model.
Financial services: Organisations with an Australian financial services licences are required under the Corporations Act to have adequate resources, including technological resources, to enable them to maintain client records and data integrity and protect confidential and other information (see ASIC RG 104 for guidance).
Financial services providers regulated by APRA must comply with Prudential Standard CPS 234 on Information Security, which requires them to:
- clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals;
- maintain information security capability that is commensurate with the size and extent of threats to information assets, and that enables the continued sound operation of the entity (including in relation to third-party service providers);
- implement information security controls to protect its information assets and undertake systematic testing and assurance regarding the effectiveness of those controls;
- have robust mechanisms in place to detect and respond to information security incidents in a timely manner; and
- notify APRA of material information security incidents.
Healthcare: Health information is ‘sensitive information' (a subset of ‘personal information') for the purposes of the Privacy Act. As a consequence, the security measures required to protect this information are increased to a higher standard.
Providers to state/territory public sector organisations (eg, public hospitals in Australia) are also required to comply with the relevant state/territory information privacy legislation, such as the Health Records Act 2001 (Vic) and the Health Records and Information Privacy Act 2002 (NSW). These create similar obligations around information security of health information.
Telecommunications: Under the Telecommunications Act, ‘carriage service providers' must prevent facilities and networks from being used to commit cyber-related criminal activities. The act also obliges telecommunications providers to collect and retain certain telecommunications metadata for law enforcement and national security purposes.
(b) Certain types of information (personal data, health information, financial information, classified information)?
Personal information: An APP entity must take reasonable steps to protect all personal information it holds from misuse, interference, loss, unauthorised access, modification or disclosure. Where there is unauthorised access, disclosure of loss of personal information likely to cause ‘serious harm' this must be notified to the OAIC and all affected individuals (see question 5). Personal information must be destroyed or permanently de-identified when no longer required for the notified purposes for which it was collected.
Sensitive information: Sensitive information is personal information about an individual's race, political opinions, religion, trade union membership, sexual orientation or criminal record. Health information, genetic information and biometric information are also types of sensitive information.
An APP entity must usually take more steps, to a higher standard, to protect the security of sensitive information.
Health information: Health information is information or an opinion about an individual's health, disability or the provision of health services and is treated as ‘sensitive information'.
Credit information: Credit information is information that identifies an individual and details the amount an individual has borrowed, repayments and defaults. Because of the nature of credit reporting information, an APP entity will be held to a higher standard in relation to data security.
TFN information: TFN information is any information that connects a person's tax file number to the person's identity. Pursuant to the Privacy (Tax File Number) Rule 2015, any person in possession or control of TFN information must:
- take reasonable steps to protect TFN information "from misuse and loss, and from unauthorised access, use, modification or disclosure"; and
- ensure that access to TFN information is "restricted to individuals who need to handle that information for taxation law, personal assistance law or superannuation law purposes" and for no other purpose.
Official information: Commonwealth government information may be designated ‘Official', ‘Official: Sensitive', ‘Protected', ‘Secret' or ‘Top Secret'. Organisations that handle commonwealth government information are likely to be subject to contractual obligations as to the protection of such information, including obligations in the event of information compromise.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
Privacy Act: An entity operating outside Australia will be subject to obligations under the Privacy Act if it is ‘carrying on business' and/or collects or holds personal information in Australia. For the Privacy Act, ‘carrying on business' includes targeting and/or advertising to any persons resident in Australia, even if the company has no presence in Australia.
Criminal Code: The Criminal Code offences described in question 1.2 have extraterritorial application and will be crimes prosecutable in Australia if committed:
- partly in Australia;
- wholly outside of Australia by an Australian citizen; or
- wholly outside of Australia by an entity incorporated in Australia.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
In relation to the prosecution of international cybercrime, Australia is a signatory to the Council of Europe Convention on Cybercrime (CETS No 185). This provides a framework in international law for cooperation between Australian authorities and those elsewhere in the enforcement of cybercrime offences through ‘mutual assistance requests'.
In relation to the national security and military intelligence, Australia cooperates with other nation states on cybersecurity, cyber resilience and advanced computer security operations as a member of the Five Eyes, the International Computer Network Defense Coordination Working Group and signatory to the Australia, New Zealand, United Stated Security Treaty.
Australia is a signatory to the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights, which both address individuals' interests in privacy and the Asia-Pacific Economic Cooperation Privacy Framework, which includes security safeguards to be adopted by signatory states.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
General: Criminal penalties for telecommunications cybercrime include the following:
- up to 10 years' imprisonment where a carriage service is used to make a threat (eg, to kill) or for a hoax threat;
- up to five years' imprisonment for manufacturing, advertising, selling or possessing an interception device;
- up to three years' imprisonment where a carriage service is used to menace, harass or cause offence;
- up to two years' imprisonment for:
- interference with telecommunications facilities;
- modification of a telecommunications device identifier;
- possession or control of data or a device with intent to modify a telecommunications device identifier;
- production, supply or procurement of data or a device with the intent to modify a telecommunications device identifier;
- copying of subscription-specific secure data;
- supply, production, possession or control of data or a device with intent to copy an account identifier; and
- up to one year's imprisonment for wrongful delivery of communications.
Hacking (including to steal confidential information/trade secrets): Criminal penalties include:
- up to 10 years' imprisonment for:
- unauthorised modification of data to cause impairment; and
- unauthorised impairment of electronic communication;
- up to three years' imprisonment for:
- possession or control of data with intent to commit a computer offence; and
- production, supply or procurement data with intent to commit a computer offence;
- up to two years' imprisonment for:
- unauthorised access to, or modification of, restricted data; and
- unauthorised impairment of data held on a computer disk and so on; and
- where there is unauthorised access, modification or impairment with the intent to commit a serious offence, the same penalty as the applicable serious offence applies.
Financial information and scamming: Criminal penalties include:
- up to five years' imprisonment for dishonestly obtaining or dealing in personal financial information; and
- up to three years' imprisonment for possession or control of thing with intent to dishonestly obtain or deal in personal financial information or importation of a thing with intent to dishonestly obtain or deal in personal financial information.
States/territories also have general offences that cover scamming (eg, obtaining financial advantage by deception, which can apply to cyber activities such as phishing).
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
Privacy Act: The Privacy Act is administered and enforced by the Office of the Australian Information Commissioner (OAIC) on behalf of the Australian privacy/information commissioner. The OAIC has powers to:
- investigate privacy matters following a privacy complaint or of its own motion;
- conduct inquiries;
- commence legal proceedings against an APP entity;
- make ‘determinations';
- seek injunctions; and
- apply to the court for a civil penalty order for a breach of a civil penalty provision.
Penalties will generally be imposed on the APP entity itself (ie, the company rather than an employee). However, directors may also be liable on account of their statutory directors' duties under the Corporations Act. The OAIC has the power to enforce the Privacy Act where there is an ‘Australian link', but can also work in partnership with privacy regulators in other jurisdictions.
Criminal Code: The Criminal Code is enforced by the Australian Federal Police, which have broad-ranging policing powers over federal criminal law (eg, the Criminal Code). Following prosecution and successful conviction in court, the applicable penalties can be handed down. Sentences can be given to companies, directors, officers and the individual employee involved in the illegal activity.
Consumer Data Right: The Competition and Consumer Act, which includes the Consumer Data Right regime, is administered by the Australian Competition and Consumer Commission.
Directors' duties and Australian financial services licence requirements: Breaches of Australian financial services licence requirements and directors' duties under the Corporations Act are enforceable by the Australian Securities and Investments Commission.
Financial services: Requirements on financial services providers under Australian Prudential Regulation Authority (APRA) standards such as CPS 234 are enforced by APRA. APRA ordinarily takes what it describes as a ‘non-formal' approach to enforcement. That is, APRA will work cooperatively with an entity to help it identify and rectify breaches before taking the entity to court or imposing penalties.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
Where an APP entity has breached the Privacy Act, the aggrieved party may lodge a complaint against that APP entity with the OAIC and the OAIC may determine/decide on the complaint, which may result in compensation to the successful complainant.
An individual has ‘standing' (ie, the right) to sue (for damages) an entity that has breached that individual's rights under the Consumer Data Right regime.
Where a failure to protect data constitutes a breach of confidential information, a party that has suffered harm may also bring a direct action for breach of confidence in equity.
2.3 What defences are available to companies in response to governmental or private enforcement?
Privacy Act: While there is no statutory defence against a breach of APP 11, it is not the case that every data breach equates to a breach of APP 11. That is, if the security measures in place to protect the security of personal information were adequate (ie, ‘reasonable steps' had in fact been taken) in the circumstances then, despite a data breach occurring, no breach of APP 11 will have occurred.
Criminal Code: The criminal offences described in questions 1.2 and 1.6 above each require some degree of intention, knowledge or recklessness. It is a defence to a charge for one of these cybercrimes to demonstrate that the intention, knowledge or recklessness (as applicable) element was not present.
Consumer Data Right: There are no ‘defences' where a company has breached of one or more of the 13 privacy safeguards under the Consumer Data Right regime (eg, Privacy Safeguard 12, which relates to the security of consumer data). However, it may be possible to argue that there was in fact no breach of the relevant privacy safeguard along the lines noted above in relation to APP 11.
Directors' duties: Broadly, there are three key ‘defences' for a breach of directors' duties (discussed in question 4.3):
- the ‘business judgement rule' (essentially, that the director did in fact exercise due care and diligence);
- reliance on others (ie, that the director was acting on advice prepared by a person who was reliable and competent); and
- use of a delegated power (ie, another individual was ultimately responsible for exercising due care and diligence).
Financial services: The obligation to ensure the requirements of CPS 234 are met falls on the directors of APRA-regulated companies. There are no ‘defences' to breaches of CPS 234 requirements per se; instead the directors/board remains responsible for the information security of the entity and subject to APRA's direction.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
Privacy Act: There have been no landmark matters in relation to the enforcement of APP 11. However, at the time of writing there is a landmark matter before the Federal Court of Australia. The Office of the Australian Information Commissioner (OAIC) is seeking to impose civil penalties on Facebook Inc and Facebook Ireland Limited (collectively, ‘Facebook') for alleged serious and/or repeated interferences with privacy, including in contravention of APP 11, arising from the Cambridge Analytica scandal.
The significance of this proceeding is that it will clarify the OAIC's approach to calculating and imposing civil penalties. This case signals that the OAIC may seek to impose a civil penalty in respect of each of the individuals affected by the serious and/or repeated interference with privacy (including a breach of APP 11).
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
Recent cyber incidents of interest in Australia include the following:
- P&N Bank was subject to a cyberattack resulting in unauthorised access to personal (including sensitive) information in its customer relationship management system.
- The National Australia Bank suffered a data breach involving the personal information of 11,500 customers.
- Westpac Banking Corporation's PayID system was subject to a cyberattack exposing the personal information of bank customers.
- The Australian National University was subject to a cyberattack on the personal information of students, visitors and faculty via a phishing email.
- The 2016 Australian Census, which was conducted electronically, was claimed to be subject to a distributed denial-of-service (DDoS) attack causing the website to crash on the night of the census. It is unclear whether a DDoS attack occurred or if the server infrastructure was simply overloaded.
The OAIC recently found against Facebook in connection with the Australians affected by the Cambridge Analytica scandal (approximately 311,000) that, among other things, Facebook failed to take ‘reasonable steps' to protect the personal information of Australian Facebook users, which was disclosed to the This is Your Digital Life app.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
Organisations in Australia broadly follow international industry standards and best practice in relation to cyber compliance.
Industry best practice is best summed up in the National Institute of Standards and Technology's (NIST) Cybersecurity Framework. This framework sets out activities under the five concurrent and continuous functions of ‘Identify', ‘Protect', ‘Detect', ‘Respond' and ‘Recover'.
The emerging default industry standard is comprised in ISO/IEC 27001 (Information Security), ISO/IEC 27002 (Security Controls) and ISO/IEC 27701 (Privacy Information Management).
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
The Information Security Manual is the primary government-issued guidance on the issue of proactive cyber compliance. It provides a cybersecurity framework for organisations to apply, using a risk management framework, to protect their information and systems from cyber threats.
The NIST Cybersecurity Framework is endorsed by the Australian Securities and Investments Commission (ASIC), the Australian corporate regulator, in ASIC Report 429.
Other helpful guidance includes:
- the Australian Signals Directorate's Strategies to Mitigate Cyber Security Incidents (which includes the ‘Essential Eight'), which is a "prioritised list of mitigation strategies to assist all organisations in protecting their systems against a range of adversaries";
- the Australian Government Cyber Security Principles, which provide strategic guidance on how organisations can protect their systems and information from cyber threats. These cyber security principles are grouped into four key activity areas: govern, protect, detect and respond; and
- the Protective Security Policy Framework, which sets out the framework for the management of official information and provides assistance to Australian government entities and their contracts in protecting people, information and assets, domestically and internationally.
With respect to complying with the notifiable data breach scheme, all APP entities should have a data breach response plan in place and train all staff in relation to and on such.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
In Australia, the directors of a corporate entity have statutory obligations known as directors' duties. In particular, directors have a duty to exercise their powers with due care and diligence, and a duty to exercise their powers in good faith in the best interests of the company. ASIC has regularly commented that board members should "be actively thinking about whether cyber security should be assessed more regularly than other risks", and should "think about lifting their capability" in the area. The Australian Prudential Regulation Authority (APRA) also holds the directors of an entity ultimately responsible for compliance with APRA requirements.
Where a company fails to implement proactive cyber compliance, the directors may be considered to be in breach of their directors' duties if they have failed to exercise due care and diligence in respect of the cyber preparedness of their company. Cyber security and resilience has been emphasised by ASIC as an important aspect of directors' and boards' responsibility to manage risk.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
In addition to the directors' duties under the Corporations Act, corporations that are listed on the Australian Securities Exchange (ASX) must abide by the ASX Listing Rules, which include an obligation of continuous disclosure. The general rule is set out in Listing Rule 3.1, which states that "once an entity is or becomes aware of any information concerning it that a reasonably person would expect to have a material effect on the price or value or the entity's securities, the entity must immediately tell ASX that information".
Data breaches and breach incidents that are reasonably expected to have a material effect on the price of a listed entity's securities must therefore be disclosed to ASX. Numerous Australian and international examples of data breaches show that a data breach of other failure to respond to a cyber threat can wipe millions of dollars from a company's share price.
The Listing Rule requirement to notify the ASX will in some circumstances be subject to a shorter timeframe (ie, ‘immediately') for notification compared to the NDB scheme requirement (ie, ‘as soon as practicable').
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
There is no legal prohibition on the sharing of actual or potential cybersecurity threats or other cyber-intelligence information per se. The Australian Signals Directorate encourages the voluntary reporting of cybercrime to the Australia Cyber Security Centre via its ReportCyber function. However, in practice, this has not occurred nearly as much as it should.
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
The notifiable data breach (NDB) scheme, part of the Privacy Act, applies to all APP entities and requires that the APP entity notify the Office of the Australian Information Commissioner (OAIC) and all affected individuals where there is unauthorised access, disclosure or loss of personal information (ie, a data breach) that is likely to cause ‘serious harm' (‘eligible data breach').
‘Serious harm' is more likely where sensitive information, documents used for identity fraud, financial information or when a combination of types of personal information have been compromised in a data breach.
The NDB scheme also applies to all tax file number (TFN) information (a TFN being the identifier associated with an individual and used for interactions with the Australian Taxation Office) which is subject to a data breach, even if it occurs to other than an APP entity.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
For all eligible data breaches, notification obligations include preparing a statement (including certain prescribed information) about the eligible data breach. An entity must:
- notify the OAIC; and
- take reasonable steps to notify all affected individuals.
Notification must occur as soon as practicable. Notification must be made via the method the APP entity normally communicates with the individual; if this is impracticable, then one can look to publication on the website or elsewhere.
However, where the APP entity takes ‘remedial action' (ie, effective steps to mitigate serious harm) and as a result, and before any harm has actually occurred, the data breach is unlikely to result in serious harm, there is no requirement to notify individuals or the OAIC.
Where two or more entities holding the same record of personal information have experienced a breach, which both have an obligation to notify, only one need comply with the NDB scheme's assessment and notification requirements.
The OAIC may also direct APP entities to notify an eligible data breach where the OAIC believes an eligible data breach has occurred.
Where an APP entity does not notify the OAIC and the affected individuals of a data breach, the OAIC can bring an action for the imposition of fines of up to A$2.1 million for corporations or A$420,000 for individuals. However, as noted in question 3.1 in relation to the action against Facebook, these amounts may be sought to be imposed in respect of each affected individual.
5.3 What steps are companies legally required to take in response to cyber incidents?
The mandatory steps that APP entities are legally required to take in response to a cyber incident involving personal information or TFN information are set out in question 5.2 (ie, notification).
However, on a more practical level, APP entities are advised by the OAIC to take the steps to address the eligible data breach:
- Contain the data breach to prevent any further compromise of personal information;
- Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm;
- Notify individuals and the OAIC if it is an eligible data breach; and
- Review the incident and consider what actions can be taken/changes made to processes to prevent future breaches.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
Please see questions 2.1 and 4.3.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
Yes – while not as popular as in the United States or the European Union, there is growing interest and uptake in this area. Uptake has been slow in Australia and there are concerns that the extent of some insurance coverage available in the market is inadequate vis-à-vis the losses covered (eg, coverage for amounts payable by directors personally for breaches of directors' duties; referral by the Australian Securities Exchange (ASX) to the Australian Securities and Investments Commission of breaches of the ASX Listing Rules; and consequential losses), size of fines and payouts associated with a cyber incident. We expect renewed interest in cyber insurance arising from the Facebook action mentioned in question 3.1, especially if the civil penalty of up to A$2.1 million is levied per individual impacted.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
Overall, we anticipate awareness and action on cyber compliance to continue to increase. We expect that the COVID-19 pandemic and resulting increased reliance on digital technologies to keep businesses in motion will accelerate an already fast-paced elevation of cyber risk to a board-level issue. Some key trends we expect to continue over the next 12 months include the following.
Consumer Data Right: The Consumer Data Right (to start in banking and quickly move to energy retailing and telecommunications) empowers customers of these sectors to exercise greater control over data that these providers hold about them. Affected companies must ascertain:
- whether any data they hold is ‘consumer data' (which is different from ‘personal information' under the Privacy Act); and
- which of the three ‘hats' they wear as an organisation at any time, what obligations arise (including with respect to the new ‘privacy safeguards', which operate in parallel with the Privacy Act) and how to ensure they fulfil these obligations.
Digital resilience: Digital resilience can be thought of as embodying the rapid convergence of:
- cybersecurity of (protection against threats to) digital assets;
- business continuity planning (preparedness to maintain critical business functions in the event of a disruption); and
- digital governance, risk and compliance, which enables companies to keep digital machinery ‘on track' and aligned with corporate objectives.
An overarching trend in cybersecurity (we expect hastened by the impacts of the COVID-19 pandemic) is a transition to a more holistic view and treating cybersecurity as part of an organisation's overall digital strategy. This is particularly important in the context of an increasingly uncertain and volatile business environment. We will see boards becoming much more actively involved in ensuring digital resilience is built into their companies.
Privacy Act penalties: To align penalties under the Privacy Act with those in other Australian legislation overseas jurisdictions, such as the European Union, the federal government will soon enact changes to the Privacy Act that will increase maximum finds to the greater of:
- A$10 million;
- three times the value of any ‘benefit' that was gained by the company through misusing the personal information; and
- 10% of the company's annual domestic turnover.
When effective, these changes reflect a significant increase in the civil penalties available and should hasten the implementation of measures by all companies to protect the security of personal information.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
De-identification: APP 11.2 requires that APP entities either destroy or permanently de-identify personal information when it is no longer required for the notified purposes for which it was collected. A common challenge for companies is effective de-identification. De-identification is the process of removing the ability to identify the individual from the information, including actively managing the risk of re-identification. Active management of this risk is required because changes in the data ‘environment' can give information that appears to be de-identified the quality of ‘personal information' once again. We recommend applying Data61's De-Identification Decision-Making Framework and engaging external expertise to ensure effective de-identification.
Demonstrating proactive cyber compliance to regulators and stakeholders: Increasingly, customers are aware of their own privacy and it is becoming an essential part of good ‘corporate citizenship' to protect and secure networks and data assets. Cybersecurity is an essential component of this. Regulators, including those in Australia, are also elevating their demands on companies and expect to see more proactive cyber compliance. Often, cyber compliance obligations overlap. Companies therefore need ‘signals' or ways of demonstrating to their key stakeholders – including the regulators –their commitment to robust policies and practices.
The best way to demonstrate a commitment to proactive cyber compliance is to develop and adopt an enterprise-wide digital resilience strategy and/or data governance framework. Once implemented, this demonstrates compliance from IT systems to training and from processes to board-level governance.
Commensurate cybersecurity measures: Unfortunately, and despite regulator guidance to the contrary, many companies in Australia do the minimum as regards cybersecurity and believe that ‘one size fits all'. A multitude of factors affect the standard or level of information security that constitutes ‘reasonable steps' in any given situation. Also, as the context changes, the standard expected will change. In particular, it is necessary to regularly conduct an audit of what information/data your organisation holds and how that information/data flows internally and externally.
Different levels of cybersecurity will be required for different types of information/data – the more personal information held or the more sensitive it is, the stronger and more robust the security measures that are required to be implemented and assured.
Cybersecurity in the dynamic environment in which businesses operate is therefore an ongoing obligation, and many companies fall short either because of a shortfall in growing or adapting their cyber capability and capacity for managing proactive security, or because the cybersecurity measures they put in place two to four years ago are now hopelessly out of date or do not actually align with their current business.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.