Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
Regarding cyberattacks, the principal instrument that makes it illegal to commit cyberattacks in Australia is the Criminal Code Act 1995 (Cth) as amended by the Cybercrime Act 2001 (Cth).
The Act expressly makes it an offence to cause unauthorised access or modification to data held in a computer or cause any unauthorised impairment of electronic communication to or from a computer.
Other offences under the Criminal Code Act include:
- causing unauthorised modification of data held in a computer, where the person is reckless as to whether the modification impairs or will impair access to that data or other data or the reliability, security or operation of that data;
- knowingly causing any unauthorised impairment of electronic communication to or from a computer;
- intentionally causing any unauthorised access to, or modification of, data restricted by an access control system associated with a function of the computer, where it is known that such behaviour is unauthorised;
- intentionally causing unauthorised impairment of the reliability, security or operation of data held on a computer disk, credit card or another device used to store data by electronic means, where it is known the behaviour is unauthorised;
- possessing or controlling data with the intent to use or allow use, in order to commit an offence; and
- producing, supplying or obtaining data with the intent to commit an offence.
The Telecommunications (Interception & Access) Act 1979 (Cth) also makes it an offence for a person to intercept or access private telecommunications without the knowledge of those involved. The Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) are also fundamental in regulating the way in which data containing personal information is stored, disseminated and protected. The APPs and the Privacy Act impose obligations on private sector organisations and Commonwealth government agencies (unless an exemption applies) to take steps to protect personal information from unauthorised access, modification or disclosure. There are equivalent rules under state and territory legislation for state and territory government agencies.
The following industry-specific regulations and guidelines also apply in respect of cybercrime and data protection:
- the Australian Prudential Regulation Authority (APRA) administers the Authorised Deposit Institutions Prudential Standards and associated practice guide in respect of managing data risk (the Prudential Practice Guide CPG 235 Managing Data Risk), which apply to Australia’s financial institutions and insurers. Additionally, in March 2018, APRA released a draft prudential standard CPS 234 on information security (Information Security Management: a new cross-industry prudential standard) for industry consultation. The standard is intended to come into force as of 1 July 2019 as a legally binding minimum standard for information security. The proposed standard would require regulated entities to:
  - define information security-related roles and responsibilities of the board, senior management, governing bodies and individuals;
  - implement and maintain information security capabilities commensurate with the size and extent of threats, and undertake systematic testing and assurance regarding the effectiveness of those controls;
  - have robust mechanisms in place to detect and respond to information security incidents in a timely manner; and
  - notify APRA of material information security incidents;
- Australia’s corporate regulator, the Australian Securities and Investments Commission (ASIC), assesses entities that hold an Australian financial services licence under the Corporations Act 2001 (Cth) on their IT management systems (see: ASIC Regulatory Guide 104: Licensing: Meeting the general obligations);
- the telecommunications sector is also subject to specific data protection rules, including in the Telecommunications Act 1997 (Cth), which imposes restrictions on the use and disclosure of telecommunications- and communications-related data;
- the MyHealth Records Act 2012 imposes specific data-handling rules for health records;
- generally, it is recommended that all organisations comply with ISO/IEC 27001 information security management systems; however, compliance is not mandatory under any general or industry-specific law; and
- the Broadcasting Services Act 1992 (Cth) regulates the hosting of prohibited offensive and illegal online content in Australia.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
The telecommunications, financial and health sectors are most affected by industry-specific regulations and guidelines in Australia. Given the nature and volume of information collected and exchanged in those industries, they are often targeted by cyberattacks. According to the Australian Cyber Security Centre Threat Report 2017, in the 2016-2017 financial year, telecommunications and financial services industries were targeted by cyberattacks most often, second only to ‘non-traditional’ industries such as accommodation, automotive and hospitality sectors. In the 2016-2017 financial year, attacks on non-traditional industries increased by 11 per cent. In 2017, as part of the response to the Australian government’s Cyber Security Strategy, over 100 firms operating across Australia’s financial markets participated in a cybersecurity survey for the ASX 100 Cyber Health Check Report. ASIC also released a report on the cyber resilience of those firms (Report 555), which similarly indicated that cyber resilience is vital to the financial markets sector in particular.
Generally, in our experience, the financial services industry is the most advanced in its cyber-readiness, given the additional rules that apply to financial services licence holders, and the centrality of the financial services sector to the community at large. However, owing to the close interaction between retail and the financial services sector (and the mandatory imposition of standards such as PCI-DSS compliance by financial services entities on retail entities), retail is also becoming increasingly developed in this space.
Has your jurisdiction adopted any international standards related to cybersecurity?
There are no international standards related to cybersecurity that have been adopted on a mandatory basis.
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
Directors owe general duties to their company under the Corporations Act 2001 (Cth) and the common law, including to exercise reasonable care and diligence, and adopt the appropriate risk management strategies to protect the company and its shareholders. However, courts generally impose a high standard of care in dealing with directors’ duties, which requires directors to keep up to date on matters related to any significant threat to the company, including cybercrime and necessary protections. This is a growing area of focus and development for directors and the corporate regulator, ASIC. ASIC has also noted in Report 555 that it intends to continue to raise awareness of cyber risk across the financial markets sector by providing good practice guidance and key questions for boards of directors. To this end, ASIC has released a guide on cyber resilience good practice that focuses on board ownership, responsiveness and agility in relation to cybersecurity.
ASIC has the power to bring actions against directors and officers who fail these duties. Civil proceedings can also be brought against the directors by shareholders or a company’s liquidators or receivers.
As well as the obligations noted above, a financial services company should (by the actions of its directors) consider its cyber vulnerabilities and update its risk management processes to manage those vulnerabilities. Directors of financial services companies also have annual director report disclosure requirements, which would require the disclosure of matters relating to a cybersecurity incident.
ASIC has suggested that directors consider:
- how cyber risks may impact their duties and annual director report disclosure requirements;
- whether they have appropriate board-level oversight of cyber risks and cyber resilience;
- whether cyber risks have been incorporated into their governance and risk management practices; and
- the company’s controls and measures for managing these risks.
How does your jurisdiction define cybersecurity and cybercrime?
There are no statutory or accepted case law definitions of cybersecurity or cybercrime. However, the Australian Cyber Security Centre (ACSC), which is the Australian government’s lead on national cybersecurity, defines cybercrime as the following:
[C]rimes directed at computing or other ICT, such as unauthorised access to, modification or impairment of electronic communication or data. This does not include technology-enabled crimes where computers or ICT are an integral part of an offence, such as online fraud, identity theft and the distribution of child exploitation material.
The concept of ‘unauthorised access’ is a core principle under the Criminal Code Act 1995 (Cth) and is an element of most of the cybercrime offences under that Act. Unauthorised access is defined as access, modification or impairment of data that the person is not entitled to have carried out. Accordingly, in Australia, ‘cybercrime’ can be considered to be any action in respect of data, computers or the internet that a person is not entitled to take and ‘cybersecurity’ is anything that protects or attempts to protect against that unauthorised act.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
The APPs set out legal standards in relation to the steps that businesses and government agencies subject to that Act must take to protect personal information. APP 1.2(a) requires the relevant organisations to take such steps as reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that will ensure that the entity complies with the APPs. APP 11.1 requires an entity to take such steps as are reasonable in the circumstances to protect the information from (i) misuse, interference and loss and (ii) unauthorised access, modification or disclosure. Additional legal obligations are imposed on an entity if it is sharing personal information outside of Australia.
There are no specific measures that an entity must implement under the APPs or otherwise. However, guidelines that businesses are recommended to follow often set out protective measures. For example, the Australian Signals Directorate (ASD) (a government signals intelligence and security agency which is, among other things, responsible for the ACSC) has published ‘Strategies to Mitigate Cyber Security Incidents’. Government agencies recommend that private sector businesses adopt these strategies. While acknowledging that no single strategy is guaranteed to prevent cyberattack, the ASD estimates in that publication that at least 85 per cent of adversary techniques can be mitigated by:
- using application whitelisting to help prevent malicious software and unapproved programs from running;
- patching applications such as Flash, web browsers, Microsoft Office, Java and PDF viewers;
- patching operating systems; and
- restricting administrative privileges to operating systems and applications based on user duties.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
There are no Australian laws or regulations that specifically address cyberthreats to intellectual property. In line with the government’s approach of encouraging businesses to take responsibility for their own cybersecurity, this is not surprising. The ACSC recognises that cyberespionage poses the most advanced threat to Australian business, and includes the theft of intellectual property, company negotiation strategies, business plans and other commercially sensitive information. In the first ACSC Cyber Security Survey (2016), 76 per cent of organisations reported that one of their top three reasons for investment in cybersecurity was to protect company-owned data, and 25 per cent of organisations reported that it was to protect their intellectual property.
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
The Telecommunications Sector Security Reform under the Telecommunications and Other Legislation Amendment Act 2017 (Cth) aims to establish more formal and comprehensive arrangements that mitigate national security risks of espionage, sabotage and interference. The reform became operational on 18 September 2018. A 12-month transitional period is in place, after which more onerous obligations will be imposed. The reform applies to carriers, carriage service providers and carriage service intermediaries. Key elements of the reforms include the following:
- a requirement to ‘do the carrier’s best or the provider’s best’ to:
  - protect networks and facilities from unauthorised access and interference;
  - ensure confidentiality of and protect against unauthorised access to communications carried on their networks; and
  - protect and maintain the integrity of the network and facilities;
- a requirement to maintain competent supervision and effective control over telecommunications networks and facilities owned or operated by the carrier, carriage service provider or carriage service intermediary;
- a requirement to notify the government of planned changes to their networks and services that could compromise their ability to comply with the security obligations; and
- granting the Minister for Home Affairs a broad directions power, to direct a carrier, carriage service provider or carriage service intermediary to do, or not do, a specified thing that is reasonably necessary to protect networks and facilities from national security risks.
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
The Telecommunications (Interception and Access) Act 1979 regulates access to telecommunications content and data in Australia. Under this Act, a person cannot lawfully intercept or access private telecommunications without the knowledge of those involved in that communication. Also under this Act, telecommunications carriers are required to store certain metadata regarding network users’ activity for two years. This information must be encrypted and can only be accessed on application by a restricted list of entities (such as law enforcement agencies).
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
See question 1.
How has your jurisdiction addressed information security challenges associated with cloud computing?
Moving data to the cloud offers companies a broad range of benefits and efficiencies, such as lower fixed costs and higher flexibility. However, companies must weigh up these benefits against the inherent data security and privacy concerns of the cloud. The market generally assumes that data centres will be more secure than an organisation’s own servers, but there is still a risk that the data centre may be compromised. Cloud hosting environments create enormous centralised pools of stored data, which are naturally enticing for hackers.
The government recognises both the opportunities and risks of cloud computing, the latter being loss of control of data and problems recovering data. The Secure Cloud Strategy released by the Australian government’s Digital Transformation Agency in 2017 was developed to guide government agencies in preparing for and moving to cloud hosting environments and to coordinate the approach of government agencies in this regard. This strategy (among other things) addresses the Australian government’s risk management stance maintained through the Protective Security Policy Framework and Information Security Manual, which provides mandatory guidance and obligations for government agencies to be compliant in handling government data. All cloud services are certified and accredited for government use by the ASD through those frameworks.
The ASD is a key entity responsible for delivering cloud computing security recommendations to both private business and government agencies. It also certifies cloud services as appropriate for the Australian government’s use. Only a few providers have passed the physical, personnel and information security requirements sufficient to receive ASD certification. The Secure Cloud Strategy also sets out a layered approach to certification, which encourages government agency-led certification in addition to ASD certification.
The APPs under the Privacy Act also regulate cloud computing services. The APPs provide that before an entity subject to the APPs discloses personal information about an individual to another person who is not in Australia (the overseas recipient), that entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs (other than APP1) in relation to that information. The entity must also ‘take reasonable steps to protect the personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure’ under APP11. This means that a cloud computing service provider will need appropriate contractual arrangements with any overseas entity to which it sends information. Similarly, an entity subject to the APPs will also need to ensure it has appropriate contractual arrangements in place with any cloud service provider located outside Australia and any provider that stores data outside Australia. An entity that discloses personal information overseas should also be aware that it will be deemed liable for the acts of the overseas recipient if such acts would amount to a breach of the APPs.
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
Australia’s cybersecurity laws will bind overseas entities performing contracts in Australia, supplying services to Australia or working with Australian governments. The reach of Australia’s privacy laws is not limited to companies based or operating in Australia. The Privacy Act and the APPs will apply to any APP entity that is established in Australia, carries out business in Australia or collects personal information in Australia. This is quite broad and will capture, for example, any APP entity based outside Australia that collects personal information about an individual located in Australia through a website hosted outside Australia. As discussed above, the APPs also regulate the transfer of personal information to overseas entities. See question 11.
Furthermore, the Minister for Foreign Affairs is responsible for appointing a Cyber Ambassador to lead Australia’s international cyber effort. The Ambassador is to uphold the principles of free speech, privacy and the rule of law in advocating for an open and free internet. The regulatory obligations are the same for both domestic and foreign entities. The government is also trying to promote ‘peacetime’ norms by which foreign states prevent and refrain from online activity that damages Australia’s critical infrastructure, assist Australia’s cybercrime agencies, investigate and police malicious cyberactivity and must not facilitate or conduct cybertheft of intellectual property. The government is developing overseas partnerships with the intent of better closing down ‘safe havens’ and increasing its capacity to identify and target cybersecurity risks at their source.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
Yes. The ASD provides cybersecurity advice in its publication, ‘Strategies to Mitigate Targeted Cyber Intrusions’. The guidelines are designed for implementation by IT specialists, and are based on the ASD’s analysis of reported security incidents and identified vulnerabilities. The guidelines address targeted cyber intrusions, external adversaries with destructive intent, ransomware, ‘business email compromise’ and industrial control systems.
How does the government incentivise organisations to improve their cybersecurity?
The government is investing significantly in cybersecurity research and development. In early 2017, the Australian Cyber Security Growth Network, coordinated by the Cyber Security Growth Centre, commenced operations to facilitate enhanced cybersecurity innovation and R&D. The Growth Centre seeks to develop workforce skills in the cybersecurity sector and seek opportunities for Australian cybersecurity businesses to access global markets. Data61 is a branch of the government-funded agency CSIRO that is encouraging information-sharing, cross-collaboration and growth across Australia’s cybersecurity research, government and industry cohorts. The Department of Industry, Innovation and Science is also improving the capabilities of its Entrepreneurs’ Programme Business Advisers to assist businesses facing a high cyberthreat and provide advice about cybersecurity.
Additionally, the government released its Cyber Security Strategy in 2016, which, among other things, invests in the Australian Cyber Security Centre and increases its capacity to work with Australian businesses (particularly those businesses providing critical services). As part of the Cyber Security Strategy, Australia’s Computer Emergency Response Team (which has now been subsumed within the ACSC) has also commenced the development of Voluntary Cyber Security Guidelines. The voluntary guidelines will promote good practice that all organisations can use and will be aligned with international standards where possible.
The government also offers a research and development tax incentive, which is a powerful tool in accessing funds at the start of research. This incentive is available for cybersecurity research and development and should be increasingly utilised for such purposes as the government continues to promote the importance and value of investing in cybersecurity.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
See question 1.
Are there generally recommended best practices and procedures for responding to breaches?
The first issue companies must address when they suffer a data security incident is limiting and remedying the initial damage of the incident. Companies must then identify how the incident occurred and take appropriate steps to rectify any vulnerability in their data systems in order to protect against similar incidents in the future. Depending on the type and scale of the incident, this may take some time and be costly for organisations, particularly when business disruptions are factored in. Companies must also try to limit the harm such data security incidents cause to their brand and reputation. Such incidents can diminish customers’ trust in an organisation, particularly if records are lost or stolen that contain personal, sensitive, financial or other confidential data. This may ultimately result in the loss of customers. Therefore, a quick and effective response can positively impact public perceptions of a business’s trustworthiness in the event of a breach.
In addition, as discussed further at question 28, entities subject to the Privacy Act 1988 (Cth) are also subject to a mandatory data breach notification regime. Under this regime, if a relevant business or government agency suspects there has been a data breach, it has 30 days to make an assessment as to whether there are sufficient grounds to believe that there has been a breach that is likely to result in serious harm to any of the affected individuals and make certain notifications to the Office of the Australian Information Commissioner (OAIC) and affected individuals. In this context, best practice is to develop and implement an effective data breach response plan to ensure a timely and streamlined response to breaches. The OAIC has released a guide to managing data breaches in accordance with the Privacy Act in which it also recommends that businesses prepare a data breach response plan to meet their obligations under the APPs to take reasonable steps to protect personal information, limit the consequences of a breach, and preserve and build public trust.
Appointing a PR consultant is a step that some businesses take when faced with major data breaches. To minimise delay in responding in the event of a data breach or suspected data breach, best practice is for businesses to include in their data breach response plans the contact details of an external PR consultant or of a particular individual or position within the business that is responsible for PR issues associated with a breach.
The Australian Cybercrime Online Reporting Network allows individuals to report cybercrimes that breach Australian law. It also provides advice on how to recognise and avoid cybercrime. The government encourages businesses that have or may have been a target of a cyberattack to contact the Computer Emergency Response Team Australia (CERT) through the ACSC. This is particularly important where the attack threatens infrastructure. Faster identification and reporting may minimise the extent of potential damage.
The government’s strategy in this respect is to streamline reporting of incidents and obtain a higher-level view of cyberthreats in Australia. Eighty-six per cent of organisations surveyed in the ACSC Cyber Security Survey (2016) indicated that all or some of the cyber incidents experienced had been reported to the organisation’s board. Eighty-two per cent of participants in the survey indicated they would request help from the ACSC in respect of a cyberattack. However, the number of participants reporting to external agencies was at just 40 per cent in 2015 to 2016. The ACSC recommends that more be done to encourage reporting to external agencies of both attempted and successful incidents, so that the government can better understand the cyberthreat environment.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
As part of the government’s strategy to mitigate the risk of cyberattacks, it actively encourages the sharing of cyberthreat information. The ACSC reports that 81 per cent of surveyed organisations reported regularly receiving cyberthreat intelligence. However, organisations considered information sharing as the least important factor in mitigating cybersecurity risks. The ACSC considers that the sharing of cyberthreat information is crucial for two reasons. First, it allows filtering of sophisticated threats from unsophisticated threats, which provides insight into the evolution of sophisticated adversary tradecraft. Second, sharing information about the factors of the compromise increases the costs and limits the effectiveness of cyberattacks.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The government recognises that private sector entities need easy and consistent access to government cybersecurity agencies and it is facilitating an online cyberthreat sharing portal to allow real-time sharing of information about cyberthreats. It also recognises that cybersecurity is a serious strategic issue for community leaders, not just for IT and security staff but also for ministers, senior executives and board members. The ACSC works with businesses, government, and academic partners, including the owners and operators of Australia’s critical infrastructure, and advises these entities on investigating and developing solutions to cybersecurity threats. The ACSC also encourages and assists these businesses to take responsibility for their own cybersecurity and works closely with other cybersecurity response teams to promote information exchange and, as a result, Australian cybersecurity. The ACSC also organises and facilitates information exchanges with its business partners. The government encourages business leaders to do more to raise cybersecurity prominence within their organisations and promotes cybersecurity as a top priority for corporate boards and organisation leaders.
The government has also reorganised its cybersecurity interface with members of the business community, as part of the Cyber Security Strategy, bringing together both the policy and operations areas of its current interface. Public or private sector initiatives under that strategy include the following:
- The Prime Minister is supported by a minister assisting with cybersecurity, who is responsible for working with businesses to implement the government’s cybersecurity initiatives and has, among other things, hosted quarterly dialogues with industry. The 2017 Annual Update on the Cyber Security Strategy notes that recent dialogues have focused on cybersecurity incident response and increasing cybersecurity capacity in small to medium-sized enterprises.
- CERT (which has now been subsumed within the ACSC) drafted national cybersecurity exercise programme guidelines as part of the Cyber Security Strategy and has started developing Voluntary Cyber Security Guidelines in concert with its public and private sector partners.
- A pilot Joint Cyber Security Centre was opened on 24 February 2017 with representatives from more than 20 organisations within the energy, water, finance, transport and mining sectors, as well as the Queensland government, the ACSC, the Australian Federal Police and the Australian Criminal Intelligence Commission. Priorities for that Joint Cyber Security Centre are automated information sharing and targeted analysis of specific cybercrime threats against Australian industry networks.
- The Prime Minister has also appointed a special adviser on cybersecurity. The Department of the Prime Minister and Cabinet is also set to strengthen its current lead on cybersecurity policy, continuing its current role as the central point for policy issues. The special adviser has been tasked with ensuring that the government is effectively partnering with the private sector.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Cyber insurance is becoming increasingly popular in Australia. Australia’s Cyber Security Strategy estimates that demand for cybersecurity services and related jobs, such as legal services, insurance and risk management, will grow by at least 21 per cent over the next five years. However, the ACSC warns that cybersecurity insurance is not an adequate substitute for investing in appropriate cybersecurity measures. The policy may not adequately compensate for lost intellectual property, comprising personal information and irreparable reputational damage.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
As discussed above, the ASIC is responsible for enforcing companies’ and directors’ obligations in respect of managing cyber risk. As mentioned, the ACSC, which is a part of the ASD, is also instrumental in partnering with local and international businesses and public sector entities to drive cyber resilience. The Australian Crime Commission and the Australian Federal Police are responsible for mitigating cybercrime and enforcement action. Australia’s state and territory law enforcement agencies also have their part to play in enforcing cybercrimes. Where cybercrimes involve personal information, the APPs or the Privacy Act, the OAIC is responsible for investigating the alleged breaches and enforcement of the relevant penalties.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
The ASIC has an extensive range of investigative powers open to it under the Corporations Act 2001 (Cth), including the power to require the production of documents, inspect documents, compel disclosure of information, require individuals to attend examinations, compel assistance, or apply for a search warrant.
The ASIC has the power to bring actions against directors and officers who fail to comply with these duties. Civil proceedings can also be brought against directors by a company’s shareholders, liquidators or receivers. If the ASIC considers a company or its directors are in breach of the company’s financial services licence, it may also issue fines, penalties, solicit enforceable undertakings, impose licensing conditions, or suspend or cancel the licence.
As mentioned, the ACSC is a part of the ASD (a government agency) that centralises a wide range of government cybersecurity specialists and capabilities. The ACSC’s role is to drive cyber resilience in the Australian economy, including critical infrastructure, government, businesses and academia. To that end, it has a wide range of monitoring and advisory powers that assist in the prevention and mitigation of cyber attacks, including:
- receiving and responding to cybersecurity incidents as Australia’s computer emergency response team (CERT);
- collaborating with its business and government partners to share information on threats and increase resilience;
- working with businesses, the government and the community to increase awareness of cybersecurity; and
- providing general information, advice and assistance.
The ACSC does not have any powers to prosecute in relation to cyber incidents.
Australian Crime Commission and the Australian Federal Police
The ACC has a broad range of investigative powers under the Australian Crime Commission Act 2002 (Cth), including the power to apply for search warrants, participate in controlled operations, use surveillance devices, intercept telecommunications and access stored communications.
Additionally, the ACC has a range of coercive powers including the power to conduct examinations, issue a summons requiring a person to attend an examination, and require the production of any document or thing. Failure to comply with a direction given by the ACC is considered an offence that is punishable by fines or imprisonment.
The AFP is responsible for the enforcement and prosecution of federal cybercrimes under the Criminal Code Act, as discussed above at question 1. The AFP also has a High Tech Crime Operations portfolio, which provides the AFP with a specialised capability to investigate, disrupt and prosecute offenders committing cybercrimes.
Office of the Australian Information Commissioner
The Information Commissioner is responsible for overseeing compliance with the Privacy Act.
The Information Commissioner has a legislative mandate to conduct education programmes, and can also:
- conduct investigations in relation to a suspected or actual breach of the Privacy Act (whether in response to a complaint, or as an ‘own motion’ investigation that is made of its own volition), including by requiring a person to give information or documents, or to attend a compulsory conference and entering premises to inspect documents;
- accept enforceable undertakings from an APP entity, the breach of which can lead to a civil penalty;
- make determinations;
- seek an injunction regarding any conduct that would contravene the Privacy Act; and
- seek a civil penalty order from the Federal Court for the imposition of a statutory penalty of up to A$2.1 million for serious or repeated interference with the privacy of an individual.
Additionally, the Australian Communications and Media Authority regulates the telecommunications industry, including industry-specific privacy-related rules noted above.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
A developing issue with enforcement in relation to cybersecurity is that entities have to deal with multiple regulatory bodies that can all touch on cybersecurity-related issues. For instance, the Information Commissioner deals with compliance with the APPs, the Australian Stock Exchange deals with listed companies’ continuous disclosure obligations, the Australian Prudential Regulation Authority deals with elements of the Australian financial services industry and the ASIC deals with the issuing of Australian Financial Services Licences. Each of these regulatory bodies has different enforcement priorities and, understandably, different degrees of tolerance for non-compliance. This divergent approach to enforcement can make it difficult for some organisations to maintain a sufficiently broad cybersecurity compliance policy that encompasses the requirements of each regulator.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
Where the Information Commissioner is satisfied that there has been a breach of the Privacy Act, the Information Commissioner may order a range of remedies, including a declaration that compensation must be paid for any loss or damage suffered because of the act or practice that caused the complaint.
In the case of serious or repeated interference with the privacy of an individual, the Information Commissioner may also seek civil penalty orders before the Federal Court of up to A$420,000 for individuals and up to A$2.1 million for companies. An act or practice is an ‘interference with the privacy’ of an individual if it breaches the APPs in relation to personal information about the individual.
Other orders include injunctions and orders to give a public apology. Compensation orders are not subject to any particular monetary limit, but are generally in the low thousands of Australian dollars.
Also, see question 4 regarding the ASIC’s ability to impose penalties on directors and companies for failing in their duty to adequately address cyberthreats.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
As discussed in question 28, entities subject to the Privacy Act are subject to a mandatory data breach notification regime.
An entity can be subject to a civil penalty up to A$2.1 million in the event of serious or repeated breaches of its notification obligations under that regime.
As discussed above, the Australian Cybercrime Online Reporting Network allows individuals to report cybercrimes that breach Australian law. However, as reporting to this network is voluntary, there are no penalties associated with a failure to report.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
Australian law currently does not allow an individual to make a claim directly against an APP entity for a breach of the Privacy Act. Any complaint about how an APP entity collects and handles personal information must go through the Information Commissioner, who may then take appropriate actions, such as investigating the complaint or seeking a court order. Similarly, Australian law does not currently allow an individual to make a claim directly against another party for breach of cybercrime provisions in the Criminal Code Act 1995 (Cth). Any complaint would need to be reported to the Australian Federal Police for further action.
However, it is anticipated that other avenues within Australian law will be identified and used by affected individuals (or classes of individuals) to bring private actions against entities (for instance, class action claims for negligence, breach of disclosure obligations under Australian Stock Exchange listing rules or for breach of consumer protection laws).
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
The government’s approach is one of self-regulation, rather than prescription. A voluntary set of guidelines co-designed with the private sector is considered the best means to assist the private sector to improve its cybersecurity resilience.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
There are none, although it is considered good practice to retain such information.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
Australia’s mandatory data breach notification regime began on 22 February 2018. This regime applies to all businesses and government agencies subject to the Privacy Act. Under this regime, which was enacted under the Privacy Act and is administered by the Information Commissioner, if a relevant business or government agency suspects there has been a data breach, it has 30 days to determine whether there are sufficient grounds to believe that there has been a breach that is likely to result in serious harm to any of the affected individuals. An eligible data breach will arise where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure. Serious harm has not been defined under the Act but is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation. If an eligible data breach has occurred, the business or agency must then notify the Information Commissioner and affected individuals as soon as practicable.
What is the timeline for reporting to the authorities?
From 22 February 2018, if an eligible data breach has occurred or the entity suspects a breach has occurred, it must then notify the Information Commissioner and affected individuals as soon as practicable (and it has 30 days to determine if an eligible data breach has occurred).
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
The only mandatory reporting obligations relate to ‘eligible data breaches’ under the Privacy Act. These require affected organisations to notify the Information Commissioner and affected individuals.
The steps necessary to notify individuals of mandatory data breaches will depend on the circumstances, but will usually include sending the statement to the individual via the usual means of communication between the entity and the affected individual. At a minimum, this should set out the organisation’s contact details, a description of the breach and recommended steps for the affected individual to take. For example, this could include a recommendation to more closely monitor bank account activity or to cancel credit cards if financial information was the subject of the breach.
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
Australian cybersecurity regulation has historically been piecemeal, with regulation split between various pieces of legislation and regulatory bodies, each with different enforcement priorities. This approach has made it difficult for organisations to comply with the requirements of each regulator. The key challenge in developing cybersecurity regulation in the Australian environment will be consolidating the current approach to regulation such that public and private sector entities are clear on their obligations and how they can best protect themselves against cyber risk.
The Australian government has taken steps to address this issue, most notably with the launch of Australia’s Cyber Security Strategy in 2016 and the consolidation of various Australian government cybersecurity-related websites and services into the ACSC. It has also taken a collaborative approach to developing the regulatory landscape by engaging with public and private sector entities. For example, the ACSC’s computer emergency response team is in the process of co-designing voluntary cybersecurity guidelines to promote good practice with its government, business and research partners. In line with this, it is expected that the cybersecurity landscape will be informed by further collaboration between government, business and research stakeholders.
Regulators in Australia have also been focused on building and promoting cyber resilience, on the basis that strong cyber defences and contingency plans are fundamental to sustainable enterprise in the long term. Corporate and financial regulators have investigated and reported on board level governance of cyber risk and security, with a view to promoting a greater overall engagement within businesses. It is expected that further guidance will follow from these investigations. Additionally, with the introduction of mandatory personal data breach notification legislation, it is expected that future legislative and regulatory developments in Australia will be focused on the mishandling and proper protection of data (and in particular, personal information).