The Australian Government has tabled its Cyber Security Legislative Package, which includes an obligation to notify the Department of Home Affairs and the Australian Signals Directorate (or another Department or statutory body specified in rules) within 72 hours of making or becoming aware of a ransomware payment in certain circumstances, and a framework for mandatory smart device security standards.
The Cyber Security Legislative Package was introduced into Parliament last Wednesday 9 October, and was referred to the Parliamentary Joint Committee on Intelligence and Security on 10 October. Submissions are due by 25 October 2024.
The Government has indicated that the package signals its commitment to address the growing global concern to strengthen cyber security and privacy protection. This follows the Government’s introduction of the first tranche of long-anticipated privacy reforms into Parliament in September 2024, as covered in our article, ‘Privacy law reforms unveiled in Canberra’.
If passed, the Cyber Security Legislative Package will introduce standalone legislation to address cyber security, called the Cyber Security Act 2024 (Cth) as well as amendments to the Intelligence Services Act 2001 (Cth) and the Security of Critical Infrastructure Act 2018 (Cth) (SoCI Act).
The reforms are aimed at addressing perceived gaps under the current legislative protections and in line with the Australian Government’s vision to position Australia as a world leader in cyber security by 2030. The Bills would implement seven of the initiatives covered under the Government’s 2023-2030 Australian Cyber Security Strategy released in November 2023.
The objects of the Cyber Security Act relate to enhancing the Government’s capabilities to combat the threats posed by cyber security incidents and taking a ‘whole of economy’ approach to addressing the Government’s cyber security concerns, including to:
a) improve the cyber security of smart devices;
b) encourage the provision of information to government about incidents, including in relation to ransomware payments;
c) facilitate the whole of Government response to significant cyber security incidents through the National Cyber Security Coordinator; and
d) prevent and improve the detection of and response to cyber security incidents through the establishment of the Cyber Incident Review Board.
Key provisions included in the Cyber Security Bill are set out in further detail below.
Measure
Overview
Effect of measure
Mandatory cyber security standards
The Act would enable the Government to establish minimum cyber security standards for smart devices.
These standards would be mandatory, and the Government indicated in the Second Reading Speech of the Bill that they are designed to bring Australia into line with international best practice and enhance consumer security, for example, to prohibit the use of universal default passwords on smart devices.
The rules may provide a mandatory security standard for relevant smart devices, being those which:
(i) are manufactured or supplied (other than second-hand goods) on or after the commencement of the Act; and
(ii) otherwise meet the definition of ‘relevant connectable product’ including that the product can directly or indirectly connect to the internet that will be acquired in Australia in ‘specified circumstances’.
This would require businesses who manufacture or supply the relevant products to:
(i) comply with the standards when they manufacture a product and are aware, or could reasonably expected to be aware, that the product will be acquired in Australia in those ‘specified circumstances’;
(ii) comply with any other obligations relating to the product;
(iii) refrain from supplying non-compliant products where the supplier is aware, or could reasonably be expected to be aware, that the products will be acquired in Australia in those ‘specified circumstances’; and
(iv) provide and supply products in Australia with a statement of compliance with the security standard.
In relation to enforcement, the Act would provide powers for the Secretary of Home Affairs to:
(i) issue compliance, stop and recall notices for non-compliance;
(ii) undertake an independent audit of a product; and
(iii) request a statement of compliance and/or the product itself for the purposes of the audit at (ii) above.
Mandatory ransomware reporting
The Government has proposed the introduction of mandatory ransomware reporting for certain businesses. These reporting obligations are intended to provide the Government with a better understanding of ransomware threats in Australia, with the goal of preventing further attacks and to assist businesses to recover following these types of incidents.
Under the proposed Act, certain entities who are impacted by a cyber security incident as defined (that has occurred, is occurring or is imminent), would be required to make a report to the relevant Department (ransomware payment report) where a ransomware payment has been made to an extorting entity.
Relevant entities would be required to make the ransomware payment report within 72 hours of the making of the ransomware payment or becoming aware that the ransomware payment has been made.
The entities subject to this obligation will be those who are (i) carrying on a business in Australia; and (ii) with an annual turnover in excess of the prescribed threshold in the Rules (proposed to be $3 million to match the threshold in the Privacy Act 1988 (Cth)); or (ii) entities who are a responsible entity for a critical infrastructure asset pursuant to Part 2B of the SoCI Act.
A ransomware payment report must include particular information which is known or reasonably able to be found, including details relating to the impact of the cyber security incident, the demand made by the extorting entity and the ransomware payment which was made.
If an entity fails to make a ransomware payment report they may be liable to a civil penalty (60 penalty units). However, an entity or its officers, employees or agents will not be liable where they have acted or omitted to act in good faith in compliance with their reporting obligation.
Use and disclosure of reported information
The Bill introduces obligations for the National Cyber Security Coordinator and the Australian Signals Directorate to limit the use and sharing of information which has been voluntarily provided by an entity affected by a cyber incident.
The obligations are intended to operate together with other measures introduced through the Intelligence Services and Other Legislation Amendment (Cyber Security Bill) 2024 and are proposed to provide business with greater comfort to report cyber incidents.
In relation to information disclosed in a ransomware payment report or voluntarily provided to the National Cyber Security Coordinator, relevant government bodies would be obligated under the Act to:
(i) only use or disclose the relevant information for permitted purposes as specified. This includes for example, to assist the reporting entity and the Commonwealth or State body to respond, mitigate or resolve the cyber security incident; and
(ii) not use or share the relevant information for specified purposes, including for example, regulatory action and for civil enforcement purposes for contraventions outside of the Act.
Civil penalties would apply to this section of the Act.
The Bill also provides that the relevant information provided by the reporting entity would not be admissible in some proceedings, which includes most civil proceedings other than in relation to a contravention of the Act.
Cyber Incident Review Board
The Bill establishes the Cyber Incident Review Board (the Board), an independent advisory body intended to conduct reviews of cyber security incidents.
In the Second Reading Speech of the Bill, the Government suggested it has modelled the Board from the United States Cyber Safety Review Board. The Board would have the ability to review the pre-incident circumstances, form its own findings and provide recommendations to the Government and to Industry.
The Board would be established and provided with the power to cause a review to be conducted in relation to certain cyber incidents.
The reviews would be for cyber security incidents which:
(i) have or could reasonably be expected to seriously prejudice the social or economic stability, defence or national security of Australia; or
(ii) involve novel or complex methods of technologies, where an understanding would significantly improve Australia’s preparedness, resilience or response to similar cyber security incidents; or
(iii) are or could reasonably be expected to be of serious concern to Australian people.
The review would be conducted by a review panel and the purpose of these reviews would be to make recommendations to government and industry regarding measures which could be taken to prevent, detect, respond to or minimise the impact of similar cyber security incidents in future.
Under this measure, the Board would be provided with the power to request and compel the production of information and documents relevant to the review from particular entities. Civil penalties would apply to a failure to comply with a notice to produce document under the relevant section.
Similar provisions (as set out above) regarding the use, disclosure and admissibility of the information would also apply to information relating to reviews.
Voluntary information sharing with the National Cyber Security Coordinator
The Bill provides entities with the option to report significant and potentially significant cyber security incidents to the National Cyber Security Coordinator. This is to enable the National Cyber Security Coordinator to lead the response across the whole of Government.
The Bill contains limits on the use and disclosure by the National Cyber Security Coordinator of information provided in voluntary reports to encourage voluntary reporting.
In addition to the Cyber Security Act, the Bills also progress reforms to the SoCI Act, including to clarify certain existing obligations, simplify information sharing, introduce a new power for the Government to direct entities to address serious deficiencies in their risk management programs and bring aspects of regulation of the security of telecommunications into the SoCI Act.
The Office of the Australian Information Commissioner (OAIC) has expressed its satisfaction with steps taken by 7-Eleven Stores Pty Ltd (7-Eleven) to voluntarily report its own conduct and undertake remediation of its privacy practices following a further privacy breach incident.
In 2021, the OAIC determined that 7-Eleven improperly used Facial Recognition Technology (FRT) during the collection of survey information from customers, in breach of its obligations under the Australian Privacy Principles. The OAIC concluded that during 2020, 7-Eleven had improperly collected sensitive information of customers without express or implied consent, using built-in cameras in tablet devices which captured images of customers as they filled out customer surveys instore.
The Australian Information Commissioner made a declaration that 7-Eleven must not repeat or continue this conduct. However, in 2023, 7-Eleven voluntarily notified the OAIC that the FRT system had been inadvertently re-enabled in some of its stores and improperly captured a further 45,874 facial images over a 12-month period before the feature was identified and promptly deactivated.
In September 2024, the OAIC closed its investigation, having been satisfied that 7-Eleven had “adequately addressed the privacy deficiencies that led to the incident” and that further action by the OAIC was not warranted. In closing its investigation, the OAIC considered several factors, including the inadvertent nature of the privacy incident, the prompt action taken by 7-Eleven to delete all facial images and the implementation of new measures to remedy the issue and prevent it from occurring in future.
Notably, the OAIC indicated its appreciation for 7-Eleven voluntarily reporting the incident, praising that it has ‘acted consistently with the principles of good corporate governance and has assisted the OAIC in promoting and upholding the privacy rights of Australians’. The OAIC commented that the use of FRT remains of concern and a regulatory priority and urged entities to ensure appropriate privacy measures are embedded from the outset, including before each new planned use of FRT and through implementing iterative testing of the robustness of privacy protections.
The OAIC’s decision serves as a good reminder for businesses to remain vigilant and keep privacy obligations front of mind, particularly where sensitive information is captured such as through FRT systems. It is also important to take prompt action to address and remedy any privacy incidents. This determination illustrates the benefits of reporting incidents and working in cooperation with the OAIC as early as possible in appropriate circumstances.
While all eyes have been on the recent introduction of the privacy reform Bill to Parliament, there have been a number of other updates that continue to inform the shifting patterns of opportunity,...
On 8 September 2024, the Honourable Robert French AC released the ‘Report of the Independent Legal Examination into Banning Children’s Access to Social Media’ (French Review) which includes a...
The Government has tabled in Parliament a Bill containing 23 of the 25 privacy reform proposals agreed to by the Government. A large number of “agreed in principle” reforms have been deferred to a...