Developments in cyber, privacy and data continue to evolve rapidly, so we’ve summarised highlights from the past three months to give you a whirlwind tour of the most significant updates.
In the latest instalment of review and reforms to the Privacy Act 1988 (Cth), the Australian Government released its response to each of the 116 recommendations made by the Attorney-General, on 28 September 2023.
The Government agrees with 38 recommendations, most of which focus on procedural matters, enforcement powers and guidance of Australia’s privacy regulator, the OAIC, while others are recommendations for “further consultation” only.
Some of the substantive recommendations with which the government agrees are:
The Government “agrees in principle” with the majority of the recommendations, including those in relation to:
However, it says that further consultation is required before the Government will take a specific position in relation to those recommendations, to ensure that any reforms strike the “right balance” between privacy rights and impacts on regulated entities.
It “notes” the remaining 10 recommendations (including the suggested removal of the political parties’ exemption). We do not expect these recommendations will be progressed any further.
The Government will release an exposure draft of legislation for the recommendations with which it agrees, for consultation in 2024. It will also further progress consultation on the recommendations with which it “agrees in principle”.
The upshot is that, since any substantive overhaul of privacy laws will not occur quickly, entities should continue to take steps to manage and review their compliance against the existing privacy laws, as this continues to be a focus of regulatory and media attention, and an increasing area of interest to individuals.
Even while the future state of the federal privacy laws is in flux, Queensland is progressing a refresh of its 2009 privacy laws that apply to Queensland government bodies. A Bill introduced to Parliament on 12 October 2023 proposes to replace the existing Information Privacy Principles and National Privacy Principles with a consolidated and modernised set of Queensland Privacy Principles (QPPs), which mirror the current Australian Privacy Principles under the federal laws to a significant extent.
It also introduces a new mandatory data breach notification scheme, which extends the federal scheme by:
Not only are these reforms of interest to Queensland government bodies, but also any organisation providing services to a Queensland government body whose contract requires it to comply with Queensland privacy laws.
Turning now to cyber security, Australia’s corporate regulator, the Australian Securities and Investments Commission (ASIC), has made it loud and clear that cyber security is a focus and that it expects boards to be taking it seriously.
On 18 September 2023, in a speech at the Australian Financial Review Cyber Summit, ASIC’s Chair delivered “one message” to the audience: in a world where every system is vulnerable and reliance on third-party providers is a risk, evaluate your third-party supplier cyber risk. ASIC is urging companies to remediate the current disconnect between board oversight, management reporting on cyber risks to boards, identification and remediation of cyber risks, cyber risk assessments and implementation of cyber risk controls. ASIC is clear: “failing to do so could mean failing to meet your regulatory obligations”.
On 13 November 2023, ASIC published the results of its latest cyber pulse survey of almost 700 organisations, finding that overall respondents had a weighted average cyber maturity score of 1.66 out of four. It calls on organisations to move from being reactive to proactive, identifying the top four areas for improvement as:
The Security of Critical Infrastructure Act 2018 (Cth) (SoCI Act) imposes a raft of registration, cyber security and notification obligations on operators of “critical infrastructure assets” (when declared under Rules) and “systems of national significance” (when declared by the Minister).
On 8 September 2023, the Australian Government announced that a further 87 systems of national significance had been declared, in addition to the existing 81 systems. The specific systems declared are confidential.
Further, in the wake of the recent Optus network outage, on 13 November 2023 the government announced that telecommunications companies would be included in the categories of “critical infrastructure” under the SoCI Act. These SoCI Act requirements will apply alongside the existing security obligations imposed on telecommunications companies under the Telecommunications Sector Security Reforms (TSSR), passed in 2017.
After a series of failed attempts to pass ransomware and ransom demand reporting laws in 2021, the Australian Government has announced its intention to pass laws requiring Australian companies to report ransomware events, and whether ransoms are paid. As the Minister for Home Affairs, Clare O’Neil MP has noted, “It will be a mandatory no-fault, no-liability ransomware reporting obligation for businesses that would require business to report any ransom incident, demand or payment to Government.”
While further details on these laws have not yet been published, the Government’s imminent new Cyber Security Strategy 2023-2030 is expected to focus on the growing threat of ransomware, as well as a “whole of nation” cyber uplift framed around “six shields” of cyber security: an informed citizenry and business sector; safe technology; world-class threat sharing and blocking; reliable critical infrastructure; sovereign capability; and a resilient region.
Minister O’Neil has also announced that the Government will establish a new Cyber Incident Review Board, tasked with investigating major cyber attacks, to better “understand how we can reinforce Australia’s national cyber shields.” It will be modelled on other international and domestic agencies like the US Cyber Safety Review Board. The Board’s investigations will be “no fault” and designed purely to collect information and improve cyber defences, and its learnings will be shared with businesses and the wider public.
On 14 November 2023, the Australian Signals Directorate (ASD) released its 2022-23 Cyber Threat Report. The ASD includes the Australian Cyber Security Centre, which received almost 94,000 reports of cyber events in the reporting period. The ASD responded to 1,100 of these incidents, and engaged in other proactive monitoring and cyber education activities.
Key takeaways from the report include:
The Defence Minister has announced support for a “temporary safe harbour” that would encourage companies to report cyber attacks by providing temporary relief from liability and regulatory actions.
The first Emerging Technology and Security Innovation Security Summit was launched in October 2023 by the leaders of the Five Eyes intelligence partnership. At the summit, the Five Eyes partners, consisting of the heads of the Australian Security Intelligence Organisation and its equivalents in Canada, the US, the UK and New Zealand, launched five principles to help businesses protect themselves against security threats – the five Principles of Secure Innovation.
The five Principles of Secure Innovation are:
The five Principles of Secure Innovation are guided by MI5’s updated Secure Innovation guidance. This guidance may be a useful resource for more information on proportionate physical, cyber and personnel security arrangements.
Australia has been preparing to roll out its existing Trusted Digital Identity Framework beyond government for some time now, but needs legislation to expand the digital identity scheme. On 19 September 2023, the Government released the draft Digital ID Bill and Accreditation Rules for consultation (which closed in late October).
The Digital ID Bill 2023 (Cth) proposes a framework in which Australia’s digital identity scheme can operate, predominantly under the Digital ID Rules and Accreditation Rules, with supplementary requirements on data, technical matters and service standards set out separately. It features:
Consultation ended on 10 October 2023, and will be taken into account when producing a refined version of the legislation, which will be introduced to Parliament. The rollout will be phased, starting with reciprocal use of Digital ID in States and Territories, followed by private sector services, and finally private sector Digital IDs for accessing particular government services.
Following the DoorDash infringement notice in August 2023, ACMA has now fined Ticketek more than A$500,000 for sending texts and emails to recipients who had not given their consent, and to recipients who had unsubscribed.
In relation to some of the messages, Ticketek argued that they were ‘designated commercial electronic messages’ (which could be sent without consent, and without an unsubscribe function) as messages containing only factual event information. However, while ACMA acknowledged that one of the purposes was to provide event information, the messages “also had a purpose to advertise or promote tickets to events” because they contained links to Ticketek’s social media accounts.
This enforcement action again reinforces how narrow the ‘factual information’ exception to the general spam requirements is, and that organisations should rely on it very carefully. If organisations seek to rely on this exception, links to social media accounts should not be included.
A good data breach response plan and data breach preparedness includes measures to maintain legal professional privilege over appropriate documents. The importance of this step has been highlighted in recent litigation in which Optus has sought to avoid disclosing a copy of Deloitte’s review of its 2022 data breach and related documents.
The Federal Court of Australia rejected Optus’ claim of legal professional privilege, finding that Optus had not established that the dominant purpose of the review and report was to obtain legal advice or for use in litigation or regulatory proceedings (although it was one of the purposes).
The Court particularly noted that Optus had made public announcements committing to having Deloitte undertake the review, and that a claim of privilege was at odds with those public announcements. The Federal Court’s decision highlights that clear and specific evidence from an organisation’s key decision-makers as to their intention for, and understanding of, an investigation of an incident will be a critical consideration in any court decision in respect of a privilege claim.
Since the mandatory data breach notification laws took effect under the Privacy Act 1988 (Cth) in 2018, the OAIC’s focus has been on investigating the highest profile data breaches and regularly reporting on notification statistics. However, it has recently released two determinations which show that it is paying attention to organisations that fail to notify, or take too long to notify.
In Pacific Lutheran College, an unauthorised actor obtained access to an email account containing approximately 180,000 emails, and sent phishing emails to over 8,000 contacts. The event occurred in late May 2020. A forensic report was finalised in mid-October 2020, and the OAIC was notified in mid-December 2020. The OAIC found that the College had breached its data breach investigation and OAIC notification obligations under the Privacy Act 1988 (Cth), and had also failed to take reasonable steps to protect affected individuals’ personal information in breach of APP 11.1.
Datateks also involved unauthorised access to email for the purposes of conducting a phishing campaign. The unauthorised access occurred in late June 2020, the investigation concluded in September 2020, and the OAIC was notified in mid-January 2021. The OAIC found that Datateks had breached its data breach investigation and OAIC notification obligations.
Both determinations contain a wealth of information about data breach handling and the requirement for expeditious progress in completing a data breach assessment. Importantly, both determinations emphasise that an organisation should prioritise notifying the OAIC even if it takes longer to notify affected individuals for logistical reasons.
Both determinations include an order with very detailed requirements in relation to the incident response plan that each organisation must develop. These requirements should be used as a checklist for organisations to ensure that their data breach response plan is up to scratch. In Pacific Lutheran College, the orders also included detailed requirements about the information security program that the organisation must implement.
In the excitement of signing a new deal, transition out obligations can often receive insufficient attention. This is demonstrated by the recent Federal Court case of StarTrack Express v TMA Australia, which arose out of StarTrack terminating its contract with TMA, the IT provider of the consumables purchasing portal used by StarTrack’s clients. Following termination, TMA re-purposed the portal for the sale of its own consumables, and continued to use the portal to sell its consumables to StarTrack’s clients – it appeared at the same URL and the clients could use their same login.
In the absence of clear transition out obligations addressing the portal, StarTrack’s claim (currently being considered on an interlocutory basis) attempts to rely on confidentiality and non-solicitation obligations to require TMA to discontinue the supply of the portal to StarTrack’s clients. The judge in the interlocutory hearing has already indicated that there are some weaknesses in that argument.
The decision serves as a timely reminder that detailed and well-considered transition out clauses in a technology contract will save significant headaches later in the winding down of a contractual relationship.
Recent and upcoming changes in Australia’s consumer laws will affect many technology and data-driven organisations in Australia, and should be an area of focus given an active regulator in the ACCC and the significant penalties that apply for non-compliance.
Firstly, updates to the “unfair contract terms” (UCT) laws took effect on 9 November 2023, introducing significant penalties for organisations that include unfair terms in their standard form (non-negotiated or lightly-negotiated) contracts with individuals or small businesses (businesses with fewer than 100 employees or revenue of under A$10 million). Organisations should ensure that their standard form contracts are closely reviewed for UCT risks.
Secondly, on 1 September 2023, consultation opened in relation to a new “unfair trading practices” prohibition, which would seek to prohibit conduct which currently falls short of existing laws, such as unconscionable conduct, misleading and deceptive conduct, or unfair contract terms. Examples in the consultation paper include:
Consultation closes on 29 November 2023.
The busy lead up to the festive season is no time to let cyber security preparedness and privacy compliance fall by the wayside. The Australian Government’s latest response to the Privacy Act reforms indicates that substantive changes are still some time away, so organisations should continue to focus on compliance with existing laws.
The Australian Government will shortly release its cyber security strategy, and has foreshadowed a focus on ransomware.
For a more detailed briefing on any of these updates, or to discuss how we can assist your organisation manage its risks in these rapidly evolving areas, please get in touch.