Welcome to our first edition for 2016 of the HWL Ebsworth Cyber Bytes, our regular wrap up of key legal developments in cyber and data security.
We were pleased with the response to our inaugural edition which we launched in late 2015. If you know someone who may be interested in subscribing to future editions, they can subscribe here.
We thought a good way to begin a new year of Cyber Bytes would be to briefly recap on some key developments that occurred in the closing weeks of 2015 as everyone wound down for holidays, and to look forward to what’s on the horizon for 2016. These developments include new legislation, government policy initiatives and the latest facts and figures on cyber risk gleaned from industry surveys.
As with our last edition, our aim is to provide a snapshot with hyperlinks to take you to the source material where you can dig deeper if interested.
Draft data breach notification legislation
The big news on the legislative front in Australia at the end of 2015 was the arrival of the much anticipated draft mandatory data breach notification legislation. On 3 December 2015, the government released, for public consultation, an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015.
Much of the draft Bill is similar to the Bill introduced by the last government in 2013 – in particular, the requirement to give notification to affected individuals and the Office of the Australian Information Commissioner in the event of a “serious data breach”, that is, a breach that results in a real risk of serious harm to individuals.
However, it seems to us that the draft Bill is not just about what to do in the event of a data breach. It is also a means of encouraging and incentivising businesses to proactively put in place cyber security measures up front. This is because the draft Bill provides that, in weighing up whether or not any particular breach is likely to result in a real risk of serious harm, factors that businesses are to consider include whether the breached information was encrypted and whether the information was protected by certain security measures. In instances where such measures are in place, and depending on other circumstances, it may be that the requirement to give notification to affected individuals will therefore not be triggered.
The Attorney-General’s Department is seeking submissions on the draft legislation by 4 March 2016. Let us know if you would like assistance in this regard.
Cyber risk: the latest facts and figures
A number of surveys and reports released at the end of 2015 highlighted just how much cyber security is a major issue of concern in the business community.
The 2015 Cyber Security Survey: Major Australian Businesses, authored by the Australian Cyber Security Centre in conjunction with CERT (Computer Emergency Response Team) Australia and published on 14 December 2015, was based on a confidential survey completed by 149 respondents across 12 main industry sectors. It contains an interesting snapshot of the cyber security risk landscape, the major threats and the way in which businesses are responding to those threats.
Some of the statistics gleaned from that survey include the following:
- 50% of respondents had experienced at least one cyber incident in the previous year;
- Ransomware was the most common type of incident, being experienced by 72% of those experiencing an incident;
- As to types of threat actor, 60% of respondents were most concerned about the “trusted insider”, followed by 55% who were concerned about “issue motivated groups or hacktivists”;
- 51% of respondents engaged in formal reporting of cyber security incidents (whether to CERT Australia, law enforcement agencies or regulators), while 43% did not report incidents at all;
- Of those not reporting incidents, 60% indicated this was because they perceived “no benefits of reporting” and 22% gave the reason as “negative publicity”; and
- In terms of the engagement of businesses with cyber security preparedness, 77% of respondents said they had cyber security incident response plans in place, 56% of respondents had increased expenditure on cyber security in the last 12 months and 82% used external IT security standards or frameworks.
The statistics on reporting of incidents are of particular interest in the current environment when, as outlined above, draft mandatory breach notification legislation is under consideration. Quite apart from any mandatory reporting regime, CERT Australia is in the meantime encouraging businesses to voluntarily report any cyber security incidents to CERT. CERT emphasises that this can be done on a confidential basis and is aimed at allowing CERT to form a more accurate view of the cyber security threat landscape and to provide the right help and advice to businesses.
The Association of Corporate Counsel also released a report, titled ACC Foundation: The State of Cybersecurity Report, which detailed the results of a global study of in-house counsel and their experience of cyber security issues. Some findings of the report specific to Australia and New Zealand include the following:
- 36% of in-house counsel have experienced a data breach at either their current or former company;
- 8% of in-house counsel say their legal department spend has increased due to the cyber security approach of their company, compared with 23% as the global average; and
- 25% of in-house counsel say their organisation has purchased cyber security insurance, compared with 47% as the global average.
The report emphasises the potential role of the in-house legal department in managing cyber risks and incidents, with 57% of respondents globally expecting their role in dealing with cyber matters to increase in the coming year.
Another key report to be released at the end of 2015 was the Australian Crime Commission’s report titled The Costs of Serious and Organised Crime in Australia 2013-14. This report covered a variety of criminal activities affecting businesses, but inevitably that included examining the impact of cybercrime. The report describes cybercrime as a “fast developing serious and organised crime threat” and quantifies the cost of it to Australian businesses as $1.1 billion. That figure is described by the Crime Commission as being an underestimate. It is said to comprise the estimated expenditure on general defence against cybercrime such as antivirus protection, patching, ISP clean-up and end-user clean-up for both individuals and organisations. Consistent with the findings of the Cyber Security Survey noted above, the Crime Commission report also pinpoints malware and ransomware as particular examples that cause significant disruption to businesses.
As well as reporting specifically on the cost of cybercrime, the Crime Commission report also includes a separate estimate of a $1.2 billion cost attributable to identity crime, an area that has an obvious crossover with cyber risks. The Crime Commission describes identity crime as “one of the most pervasive crimes in Australia due to criminal exploitation of technology and our increased reliance on personal identity information for online services”.
Training cyber security professionals
With greater incentives for businesses to take cyber security measures, there is a growing need for the development of the cyber security industry and the recruiting and training of a new generation of cyber security professionals. Both the Federal Government and the private sector announced important initiatives at the end of 2015 aimed at doing just that.
The Turnbull Government’s Innovation Statement on 7 December 2015 included a commitment to establishing an industry-led Cyber Security Growth Centre by mid-2016 aimed at growing and strengthening Australia’s cyber security industry. The Government noted that “[s]trong cyber security is essential to allow individuals and businesses to take advantage of the economic possibilities of the digital world”. The government will provide $30 million worth of funding for the Centre, which will aim to form a “cyber security innovation network” bringing together industry, researchers and governments to coordinate research and innovation in the field and to develop a national strategy for Australia’s cyber security industry to become a global leader.
Meanwhile, the private sector and educational institutions are also investing in the future of cyber security. On the same day as the government’s Innovation Statement was released, the Commonwealth Bank and the University of New South Wales announced a joint initiative to address the cyber skills shortage. UNSW, in part using funding from the Commonwealth Bank, will not only be creating a new Bachelor of Computer Science (Security Engineering), but also making some course content available to the public for free via a massive open online course (MOOC) covering key subjects including threat modelling, web application testing, incident response, digital forensics and malware reversal.
2016: What’s on the horizon
Here’s a quick snapshot of what lies ahead for 2016:
- Data breach notification legislation: Clearly, many will be keen to see the outcome of the government’s consultation on the draft data breach notification legislation and the final shape that legislation takes. Given the long gestation period for the legislation, there will be continued pressure on the government to have that legislation introduced into, and passed by, Parliament. Already, Greens Senator Scott Ludlam earlier this month called on the Government to explain why the legislation has not yet been introduced;
- Cyber Security Strategy: Having engaged in a classified Cyber Security Review, including consulting with experts and industry stakeholders, the Federal Government is expected to shortly release its public Cyber Security Strategy. The government has said that the strategy “will outline practical initiatives to promote security and growth for Australia online”. The already announced establishment of the Cyber Security Growth Centre, as reported above, has been described as the first initiative to be delivered under the forthcoming Cyber Security Strategy;
- Greater international dialogue: We expect cyber security to increasingly be on the agenda of dialogue and cooperative efforts between nations. Already this year we have seen the Prime Minister, during his recent visit to Washington, D.C., announce a strengthening of ties between Australia and the US on cyber security including an annual Australia-US Cyber Security Dialogue “to discuss common cyber threats, promote cyber security innovation and shape new business opportunities”. This month also witnessed the second Australia-China Cyber Policy Dialogue held in Canberra on 3 February 2016, with representatives of the two countries discussing matters that included “the development of norms of responsible state behaviour”;
- Greater regulatory scrutiny: Quite apart from the passage of the data breach notification legislation through Parliament and the obvious interest that the Office of the Australian Information Commissioner has in the protection of personal information, we expect ongoing and increasing interest from other regulators. In particular, 2015 was the year in which the corporate regulator, ASIC, demonstrated a greater level of interest in matters of cyber security risk management (or “cyber resilience”) (see our previous article on this subject here). Consistent with the trend among securities regulators elsewhere in the world, we expect that such regulatory scrutiny will not diminish going forward; and
- More data breaches: In the meantime, no doubt high profile data breaches and cyber hacking incidents will continue to attract interest in the media. We will report on particular incidents of interest, and lessons to be learned, as they occur.
Whatever 2016 brings, we look forward to bringing you further updates and insights in relation to this constantly evolving area of business and legal risk.
In the meantime, if you have any cyber risk related queries, please contact a member of our team.
This edition was written by Andrew Miers, Partner.