It has been another busy quarter in the cyber, privacy and data space. We’ve summarised highlights from the past months to give you a whirlwind tour of the most significant updates.
Our colleagues Sophie Dawson, Jennifer Dean and Emily Lau tell you all you need to know about the Attorney-General’s recent announcement that an undefined subset of Privacy Act reforms will progress (probably first in the form of exposure draft legislation, for consultation) in August 2024.
Check out our article for the details. We will keep you updated as more becomes known about the proposed new laws.
Some 19 months after Medibank’s large-scale data breach of identity and health records, Australia’s privacy regulator, the Office of the Australian Information Commissioner (OAIC), has commenced proceedings in the Federal Court seeking civil penalties, alleging that Medibank failed to take reasonable steps to keep personal information secure. In framing its case, the OAIC points to Medibank’s size (as an organisation) and its financial resources, the sensitive nature and volume of the personal information affected (health information, as well as race and ethnicity information), and the risk of harm to individuals in the event of a breach.
As the data breach occurred before the introduction of more significant penalties for breaches of privacy laws, the maximum penalty to which Medibank is exposed is A$2.22 million per contravention. On the calculation of the penalty, the OAIC argues:
Had the data breach occurred after December 2022, the maximum penalty would have been at least A$50 million per contravention.
This is the third time the OAIC has applied to the Federal Court seeking civil penalties – the action against Facebook (in relation to Cambridge Analytica) was commenced in December 2020 and is still before the courts, as is the action against Australian Clinical Labs commenced in November 2023.
Partner John Keeves explains the cyber governance implications in this recent article.
The OAIC has recently released a concise statement summarising the allegations against Medibank, which provides insights as to the OAIC’s expectations in relation to APP 11.1 compliance, as well as in relation to the penalty construction arguments we’ve noted above. John Keeves and Sophie Dawson explore the OAIC’s concise statement in the proceeding in this article. Medibank’s response is due on 30 August 2024 at which stage we will have more insights into its perspective on relevant events.
At the start of this year, the OAIC identified as its regulatory priorities: online platforms, social media, high privacy impact technologies and the security of personal information.
In its latest six-monthly report on the notifiable data breaches scheme, the OAIC said it will be taking a stronger regulatory approach to compliance with the scheme, including the obligations to conduct an expeditious assessment of a suspected data breach, and to notify the OAIC and affected individuals as soon as practicable after establishing reasonable grounds to believe that a notifiable data breach has occurred.
Our November 2023 edition of Digital Bytes takes you through two recent OAIC determinations arising from delay in assessing and notifying notifiable data breaches.
In light of this enforcement focus, organisations bound by the Privacy Act 1988 (Cth) (Privacy Act) should review their information security and data breach response arrangements and, in particular:
The OAIC’s determination in AHM and JFA (Aust) Pty Ltd t/a Court Data Australia [2024] AICmr 29 is a warning to entities that collect publicly available information.
The respondent, Court Data Australia, collected and collated the publicly available daily law lists published by each Australian court, which set out the parties to the matters being heard in the courts that day. The courts themselves make only the current day’s law list available online.
The OAIC found that the respondent had breached:
Organisations should exercise caution when collecting publicly available personal information, especially as Australia’s privacy laws require information to be collected directly from an individual (unless unreasonable or impracticable). Being transparent about the collection of publicly available information through a privacy policy and collection notice may mitigate the risks to an extent.
The digital ID laws received royal assent on 30 May 2024, following passage of the legislation through both Houses of Parliament. The laws provide a framework, governance and safeguards for the roll-out of Australia’s digital ID framework beyond the Commonwealth Government, where it has been in operation under the Trusted Digital Identity Framework since 2018.
The digital ID scheme is based on the accreditation of entities, verifying that they have met stringent requirements and safeguards so that the system is ‘trusted’. At a high level, the system works so that:
Given the number of recent data breaches involving identity information, which can often alone meet the threshold for making the incident a notifiable data breach under the Privacy Act, we expect significant uptake from the private sector to use the digital ID scheme as relying entities.
The ACCC will be the primary regulator of the digital ID system and laws, with the OAIC appointed to oversee the privacy safeguards.
It will not be mandatory to have a digital identity. With very narrow exceptions, organisations relying on digital ID must still have other, accessible mechanisms to allow individuals to identify themselves without a digital ID.
On 21 May 2024, the ACCC released its eighth report in its Digital Platform Services Inquiry, focusing on the data brokering industry.
In brief, it finds that individuals are generally unaware of how their personal information is shared with other businesses (and the value the information holds in the hands of data brokers), and that long and complex privacy policies and terms and conditions do little to provide meaningful choice and transparency.
Interestingly, the report notes that while data broker datasets are often de-identified, they are so rich in personal information that they may be reasonably re-identifiable in many cases.
The report also looks at the Australian law that requires personal information to be collected directly from the individual (unless unreasonable or impracticable) and finds that it is under-observed and under-enforced.
While the report ultimately supports the broader reforms of the Privacy Act taking place, it suggests that some of Australia’s existing privacy rules may already be fit for purpose, if they were more strictly observed.
The recent NSW Supreme Court case of The Star Pty Ltd v AB [2024] NSWSC 690 reminds us that where privacy laws do not apply to individuals (in their private capacity) or to some small businesses, a person may have a cause of action under general law to restrain those persons from dealing with personal information in a way that would breach an equitable obligation of confidence.
In summary, the defendant (an unsuccessful job applicant with The Star) had gained unauthorised access to personal information of The Star’s patrons (in relation to which The Star was subject to obligations under the Privacy Act), and threatened to release it. As an individual, the defendant was not bound by the Privacy Act. The court found that the defendant held that personal information subject to an equitable obligation of confidence, and awarded a permanent injunction restraining its release.
In February 2024, the Australian Institute of Company Directors (AICD) released its ‘Governing Through a Cyber Crisis - Cyber Incident Response and Recovery for Australian Directors’ publication (Guidance).
The Guidance, which expands on the AICD's Cyber Security Governance Principles released in 2022, provides insights for boards and directors on how best to prepare for, respond to and recover from cyber incidents, and focuses on four key areas:
Next steps: what boards should do in each phase
Readiness
Implement a current and comprehensive cyber response plan, which includes:
Regularly run cyber incident simulations.
Document key lessons learned from simulations and identify gaps in current cyber readiness.
Response
Supported by expert external advice, provide agile and timely support and oversight to management.
Ensure consistent, accurate, timely and transparent communication with key stakeholders, which can mitigate reputational damage.
Ensure compliance with regulator reporting obligations.
During the response phase, larger organisations should establish:
Recovery
Ensure appropriate steps are taken to secure systems and data, including investment in immediate or short-term cybersecurity measures.
Remain cognisant of the impact a cyber incident can have on employee wellbeing, and take steps to provide support where needed.
Oversee a comprehensive post-incident review, including external advice where appropriate.
Share knowledge and insights gained from the cyber incident with other organisations.
Obtain appropriate advice regarding the impact of sharing information on potential regulatory investigations and litigation.
Remediation
Require customer-focused, adequately resourced and swiftly implemented remediation plans.
Oversee continued effective stakeholder communication, including communication about the legal risks and external investigations resulting from the incident.
Oversee remediation, compensation and complaints handling processes where appropriate.
Ensure a strategy for rebuilding the organisation’s reputation is in place.
Demonstrate cyber enhancements to key stakeholders.
The Cyber and Infrastructure Security Centre (CISC) has also updated its Organisational Resilience Good Practice Guide, which sets out the 13 behavioural indicators of organisational resilience.
Consultant Professor Pamela Hanrahan does a deeper dive into what directors and Boards need to be considering in relation to cybersecurity, cyber governance and cyber incidents in this recent article.
As recently reported in JWS’ Above Board (if you’re not already on the distribution list, please get in touch), the ASX Corporate Governance Council (ASX CGC) has released a consultation draft of the 5th edition of its Corporate Governance Principles and Recommendations (Principles and Recommendations).
Recommendation 7.2, in relation to risk management, applies to organisations’ cybersecurity and privacy compliance arrangements. While it has not been changed substantially, the commentary underpinning this recommendation has shifted away from requiring consideration of ‘cybersecurity, privacy and data breaches’ to ‘cyber resilience, data governance’ and ‘third party risk management’.
A focus on third-party risk management is a growing theme espoused by regulators, including ASIC and the OAIC – see our February 2024 and November 2023 Digital Bytes updates.
Submissions to the ASX CGC on the proposed amendments closed on 6 May 2024. Subject to stakeholder consultation, the revised Principles and Recommendations will be released in early 2025 with the expectation that they will have effect on financial years commencing on or after 1 July 2025.
Partner John Keeves takes you through updates to the latest guidance on ASX continuous disclosure obligations in the context of a data breach.
In brief, notification of a data breach to the OAIC and affected individuals under the Privacy Act will mean that the circumstances of a data breach are no longer confidential, and so the exceptions to continuous disclosure obligations will not apply. Before that point, confidential discussions with regulators may mean that the incident is sufficiently confidential for an exception to apply.
In March 2024, the European Parliament and Council reached a provisional agreement on the Cyber Solidarity Act, which seeks to strengthen the European Union’s capacity to detect, prepare for and respond to cybersecurity threats and incidents.
The Act establishes:
The Act has been approved by the European Parliament. Once it is also formally adopted by the Council of the European Union, the Act will be published in the Official Journal and enter into force 20 days after publication.
On 18 March 2024, the Australian Cyber Security Centre (ACSC) published new guidance on “Cyber Security Checklist for Charities and Not-For-Profits”. The checklist provides valuable guidance to assist organisations in bolstering their cyber resilience when resources are constrained.
The one-page checklist of 10 key points covers the following key recommendations:
A number of recent reports canvass the latest insights on cyber threats.
ASIO Director-General Mike Burgess used the recent Director-General’s Annual Threat Assessment 2024 address to stress that the most immediate, low-cost and high-impact vehicle for sabotage is cyber. Mr Burgess went on to frame the serious threat of cyber sabotage by highlighting the interconnection and interdependence of Australia’s critical infrastructure networks, which increase vulnerabilities and expose access points.
Mr Burgess highlighted that good cybersecurity works across three dimensions:
Bleeping Computer’s March 2024 analysis of recent ransomware attacks sets out the lessons learnt from them, before explaining some key steps organisations can take to reduce ransomware risk:
Finally, Mimecast has published a report on human risk and AI titled ‘The State of Email and Collaboration Security 2024’, setting out its findings from a survey of 1,100 technology and cybersecurity professionals from across six countries (including Australia). It highlights email and collaboration tools as being a key vector for cyber attacks.
Australia’s Online Safety Act 2021 (Cth) (OSA) has recently been in the spotlight.
Earlier this year, the Minister for Communications released Terms of Reference for a statutory review of the OSA. The review will be broad and consider the effectiveness of the OSA, including in relation to new and emerging harms, and whether the eSafety Commissioner’s functions and powers are sufficient to achieve the objects of the OSA. An Issues Paper was published at the end of April and focuses on five key themes:
Public consultation is being conducted until 21 June 2024, with the final report to be provided to the Minister by 31 October 2024.
Against that backdrop, a recent high-profile case has explored the limits of the eSafety Commissioner’s powers.
In April 2024, the eSafety Commissioner issued a removal notice pursuant to section 109 of the Online Safety Act to Meta and X Corp (X) in relation to “extreme and gratuitous violent material” about an incident in Australia that was available on those social media services. Relevantly, the removal notice required the social media services to “take all reasonable steps to ensure removal of the class 1 material” specified in the removal notice and contained at 65 URLs. While X agreed to geo-block the material so that users with Australian IP addresses could not access it, X objected to making the material inaccessible to all X users in the world (which is what was sought by the Commissioner in order to make the material inaccessible to Australian users using a virtual private network (VPN)).
While the eSafety Commissioner successfully obtained an interim injunction requiring X to “hide” the material, on 13 May 2024, the Federal Court refused the Commissioner’s application for a further extension of the interim injunction. In making a decision on the extension, the Federal Court found that the Commissioner’s interpretation of “reasonable steps” was too broad, and “reasonable steps” did not require X to make material inaccessible to its entire global user base.
On 5 June 2024, the eSafety Commissioner announced she was discontinuing proceedings in the Federal Court against X. The Commissioner’s decision to issue the removal notice remains subject to merits review by the Administrative Appeals Tribunal.
On 21 March 2024, the United Nations General Assembly adopted its first resolution on AI, encouraging countries to safeguard human rights, protect personal information, and monitor AI for risks. While it has no immediate binding effect, it is expected to shape countries’ regulatory responses to AI.
The ACCC’s ninth report in its Digital Platform Services inquiry will focus on online search services, including the use of AI and generative AI in search engines. The Issues Paper for this report was published in March 2024 and submissions closed on 17 April 2024.
On 26 March 2024, the Senate established a Select Committee on Adopting Artificial Intelligence to inquire into and report on the opportunities and impacts for Australia that come with the adoption of AI technologies. In particular, it will consider:
Almost 170 (published) submissions were received before the 10 May 2024 deadline. The Committee is due to report to Parliament by 19 September 2024.
The Department of Industry, Science and Resources has established an AI reference group to advise on mandatory guardrails to address the design, development and deployment of AI systems in high-risk settings. The reference group will operate until 30 June 2024.
Recorded Future’s recent Cyber Threat Analysis report looks into the following four key use cases in which malicious AI can be used against a company:
While the risks posed by these use cases may currently be limited, some have occurred already and they are anticipated to substantially grow in the near future.
Organisations regulated under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) that are required to have a critical infrastructure risk management program are due to submit their first risk management program reports between July and September 2024.
The CISC recently released its 2024-25 Compliance Regulatory Posture, foreshadowing a shift from education to enforcement. The CISC intends to commence compliance auditing in the 2024-25 period.
The government continues to roll out its National Cyber Security Exercise program, with the new national cybersecurity coordinator, Lieutenant General Michelle McGuinness, recently identifying food and grocery, finance and transport as the next sectors to be tested.
The National Cyber Intel Partnership, formed in September 2023 to coordinate intelligence sharing and threat blocking between industries and the government, has begun work on a pilot program.
The Australian Government recently closed its public consultation period for its 2023-2030 Australian Cyber Security Strategy: Cyber Security Legislative Reforms Consultation Paper, including the following five proposed changes to the SOCI Act:
Most of these proposals were supported in a majority of submissions. However, the Government has noted that further consultation would be required on Measure 8, as submissions emphasised the need for this power to be clearly defined with clear boundaries on when it can be activated.
Draft legislation amending the Privacy Act will be released in the coming months.
We’re expecting a continuing intense focus on cyber resilience and third-party risk management from a range of regulators, including the OAIC, ASIC and APRA.
We have a large team of privacy and cyber specialists, with substantial experience across the whole spectrum of compliance and incident management.
For a more detailed briefing on any of these updates, or to discuss how we can assist your organisation to manage its risks in these rapidly evolving areas, please get in touch.