HWL Ebsworth Cyber Bytes: Twelve Days of Christmas edition

What a year it has been for cyber security. Not only has 2018 continued to see high profile and large cyber incidents and data breaches, but in Australia we have seen the legal, regulatory and policy response to cyber risks evolve at a rapid pace.

In this special “Twelve Days of Christmas” edition of Cyber Bytes, we reflect below on twelve key cyber developments in Australia from 2018. These include developments in relation to reporting and disclosure of cyber risks and incidents, legislative measures to address cyber related national security and foreign espionage risks and a couple of developments which, although from overseas jurisdictions, nevertheless have a current or future potential impact on businesses in Australia.

1. Notifiable Data Breaches Scheme (NDB Scheme)

After a decade’s gestation, the NDB Scheme under the Privacy Act 1988 (Cth) kicked off on 22 February 2018. Since then, and through to the end of September, there have already been 550 notifications to the Office of the Australian Information Commissioner (OAIC) (compared to a mere 114 voluntary notifications for the whole of the 2016/2017 financial year). The OAIC’s useful quarterly statistics reports show that, while old world paper breaches still occur, online cyber incidents have been the biggest single cause of notified data breaches, including exploitation of human vulnerabilities (such as phishing emails), malware, ransomware and hacking by other means.

2. General Data Protection Regulation (GDPR)

While Australian businesses were still coming to grips with the NDB Scheme, many also had to get their heads around the European Union’s GDPR, which commenced in May, given that it applies to the data processing activities of non-EU entities offering goods or services to EU customers or monitoring the behaviour of individuals in the EU. As to breach notification, a much stricter 72 hour timeframe applies (compared to the NDB Scheme’s ‘as soon as reasonably practicable’), so a heavy onus lies on the company to act with urgency. The OAIC released a resource in June to help Australian businesses understand and comply with the requirements in the GDPR.

3. ASIC’s focus on cyber resilience

Australia’s corporate regulator, ASIC, continued its active interest in cyber resilience. In June, in the lead up to the annual reporting season, ASIC Commissioner John Price gave a speech, ‘ASIC update: Informing and engaging shareholders‘, that reminded listed companies of their obligations to disclose information on risks and other matters that may have a material impact on the future financial position or performance of the entity, including cyber security. In a further speech in November, ‘Financial regulation in a digital world’, Commissioner Price spoke of the need for cyber resilience practices to be embedded into whole of business enterprise risk management framework and said that ASIC will follow an evolutionary approach to cyber that reviews and raises the regulatory bar on a periodic basis.

4. The SEC on cyber security – the American influence

Like ASIC, the Securities and Exchange Commission (SEC) in the United States has also emphasised the need for corporate disclosure of cyber risks. It has gone a step further and, in February this year, updated its cybersecurity disclosure guidelines for reporting companies, emphasising the importance to investors and markets for prompt and robust disclosure relating to cyber issues. The SEC’s new Cyber Unit also brought its first enforcement action relating to cyber security against Yahoo! for failing to disclose to investors a large cyber breach in which hackers stole personal data relating to hundreds of millions of user accounts. The action settled in April for a USD35 million penalty. At the end of September, the SEC’s Division of Enforcement Annual Report revealed it had more than 225 cyber-related investigations ongoing. The SEC’s approach is likely to inform the approach ASIC will take here.

5. Privacy class actions

In July, we saw the launch of a representative complaint to the OAIC under the Privacy Act on behalf of the 300,000 Australian Facebook users impacted by the Cambridge Analytica incident involving the harvesting by a third party of personal data from over 50 million Facebook users for use in political campaigning. The action is backed by the ASX listed litigation funder, IMF Bentham. As well as being part of a growing trend towards privacy related class actions (including, in the United States at least, shareholder class actions arising out of data breaches), the case also demonstrates that the very mature and active litigation funding market in Australia is now turning its sights to privacy related matters.

6. Prudential standards and cyber risk

The Australian Prudential Regulation Authority (APRA) released its prudential standard ‘Information Security’ – CPS 234 – in November. The new standard, which will take effect on 1 July 2019, aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents including cyber-attacks. The standard requires APRA-regulated entities to clearly define information-security related roles and responsibilities; maintain an information security capability commensurate with the size and extent of threats to their information assets; implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and promptly (and within no later than 72 hours) notify APRA of material information security incidents.

7. A new cyber role for the Australian Signals Directorate (ASD)

In March, the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Act 2018 was passed, separating the ASD from the Department of Defence and establishing it, from 1 July 2018 onwards, as an independent statutory agency under a newly appointed ASD Director-General. The Australian Cyber Security Centre (ACSC) and CERT Australia have now been brought under the ASD’s umbrella and the ASD’s functions have been expanded to include providing material, advice and other assistance to any person on matters relating to the security and integrity of electronic information and on cybersecurity and to combating cybercrime. The new Director-General, Mike Burgess, in a recent speech described the revamped role of the ASD as ’emerging from the shadows’ as both a foreign intelligence and a cyber security agency, and sees its role as being to ‘inform, protect and disrupt’. The ACSC also had a face lift on its website in August, relaunched as https://www.cyber.gov.au/, a one-stop shop cyber reporting portal and consolidated source of updates and advices on current threats for individuals, businesses and government.

8. Critical Infrastructure Security

To address concerns as to national security risks arising from increased foreign involvement in Australia’s critical infrastructure, the Security of Critical Infrastructure Act 2018 was passed by Parliament in late March. The Act creates a register of critical infrastructure assets with reporting obligations as to ownership and operating information concerning such assets. The government is particularly interested in information about offshoring of industrial control systems and security of corporate systems and outsourcing arrangements relating to data. The Act also provides for ministerial directions to be issued requiring an owner or operator of a critical infrastructure asset to take specified steps reasonably necessary to eliminate or reduce a security risk. This might include implementing extra cyber security measures to guard against data theft or unauthorised access to the asset’s control network or directing that corporate and operating data stored offshore be moved to a more secure data storage provider.

9. Foreign Espionage and Interference

Another piece of legislation passed by Parliament aimed at national security concerns, including those of a cyber nature, was the National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018 which passed in June. The Act introduces a range of reforms including strengthening existing espionage offences to now cover more complex foreign cyber intrusions, new foreign interference offences which target attacks on Australia’s democracy, a range of new sabotage offences concerning the causing of damage to critical infrastructure and a new offence of theft of trade secrets, targeting economic espionage which not only damages Australia’s security interests but also economic and business interests.

10. Telecommunications Sector Security Reforms (TSSR) and 5G networks

The Telecommunications and Other Legislation Amendment Act 2017 commenced in September this year aimed at managing national security risks on telecommunications networks and facilities, described as ‘a key pathway’ for cyber threats. There is a new security obligation on carriers to ‘do their best’ to manage the risk of unauthorised access and interference to their networks and facilities. In light of particular concerns as to the security of the soon to be rolled out 5G networks, the government in August issued guidance as to how carriers’ new legal obligations would apply to 5G networks. Specifically, the government said that ‘the involvement of vendors who are likely to be subject to extrajudicial directions from a foreign government that conflict with Australian law may risk failure by the carrier to adequately protect a 5G network from unauthorised access or interference’.

11. Digital health and cyber risk

The national electronic health record system, now known as My Health Record, was first introduced in 2012, but attracted attention in 2018 due to the transitioning to an opt-out model. Public debate touched on issues of privacy and cyber risk and two Senate Committee inquiries looked into security vulnerabilities and other measures. On the one hand, concern was expressed by some witnesses that a centralised database containing a large amount of valuable data may be a ‘honey-pot’ attracting cyber criminals but, on the other hand, the Australian Digital Health Agency gave assurances as to its ‘multiple layers of security to protect the system from malicious attack’. The Senate Community Affairs References Committee was ultimately satisfied that the opt-out model should stay but the My Health Records Amendment (Strengthening Privacy) Act 2018, passed in November, did introduce some modifications including the requirement that the Australian Digital Health Agency must permanently delete an individual’s health information if they have cancelled their record and that it cannot disclose an individual’s health information to law enforcement or other government agencies without an order from a judicial officer.

12. Decryption legislation

The parliamentary year ended with the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 being passed on 6 December 2018. This legislation is an example of the tension between the desire to strengthen national security without undermining personal security and privacy. The explanatory memorandum spoke of the ability of encryption technology to both promote ‘confidence in cyber space’ and yet also be ‘increasingly … used by terrorist groups and organised criminals to avoid detection and disruption’. The Act therefore establishes a graduated framework for industry assistance to law enforcement and intelligence agencies to circumvent encryption technologies, ranging from voluntary cooperation through to compliance with mandatory notices. The passing of the legislation was accompanied by debate about whether it might in fact weaken encryption security and therefore create new cyber security vulnerabilities but the government points to the requirement in the legislation that the mandatory notices must not require providers to implement or build ‘backdoors’ i.e. systemic weaknesses in forms of electronic protection.

It may be hard to believe there could be more to come in 2019, but there is. Already new cyber related legislation and policy initiatives are on the cards. Look out for our HWL Ebsworth Cyber Bytes publication early in the new year where we will look to what lies ahead in 2019 in the Australian cyber security legal, regulatory and policy landscape.

If we can assist with any advice in relation to cyber security obligations or incidents, please contact a member of our team.

This article was written by Andrew Miers, Partner, Jason Symons, Partner, Karen Keogh, Partner, and Zoe Tishler, Law Graduate.