Digital Bytes – cyber, privacy & data update

Articles Written by Helen Clarke (Partner), Viva Swords (Senior Associate), Lydia Cowan-Dillon (Associate), Dean Baker (Law Graduate), Henry Bakker (Law Graduate), Bailey Britt (Law Graduate), James Finnimore (Law Graduate), Leonie Higgins (Law Graduate)

It has been another busy quarter in the cyber, privacy and data space. We’ve summarised highlights from the past months to give you a whirlwind tour of the most significant updates.

Some Privacy Act reforms slated to progress in August 2024

Our colleagues Sophie Dawson, Jennifer Dean and Emily Lau tell you all you need to know about the Attorney-General’s recent announcement that an undefined subset of Privacy Act reforms will progress (probably first in the form of exposure draft legislation, for consultation) in August 2024.

Check out our article for the details. We will keep you updated as more becomes known about the proposed new laws.

OAIC’s third ever civil penalty proceedings commenced – this time against Medibank

Some 19 months after Medibank’s large-scale data breach of identity and health records, Australia’s privacy law regulator, the Office of the Australian Information Commissioner (OAIC) has commenced proceedings in the Federal Court seeking civil penalties alleging that Medibank failed to take reasonable steps to keep personal information secure. The proceedings take into account Medibank’s size (as an organisation) and its financial resources, the sensitive nature and volume of the personal information (health information, as well as race and ethnicity information) affected, and the risk of harm to individuals in the case of a breach.

As the data breach occurred prior to the introduction of more significant penalties for breach of privacy laws, the maximum penalty to which Medibank will be exposed will be A$2.22 million per contravention. On calculation of a penalty, the OAIC is arguing:

  1. separate contraventions for each of the 9.7 million individuals whose personal information Medibank held during the period 12 March 2021 to 13 October 2022 (Relevant Period) and which was affected;
  2. alternatively, one contravention for the affected individuals whose personal information Medibank held during the Relevant Period; and
  3. further or alternatively to (1) and (2), separate contraventions for each of the 9.7 million individuals whose personal information Medibank held during the Relevant Period, which contravention was repeated for every day that Medibank failed to comply with APP 11.1 during the Relevant Period.

If the data breach occurred after December 2022, maximum penalties would be at least AU$50 million per contravention.

This is the third time the OAIC has applied to the Federal Court seeking civil penalties – the action against Facebook (in relation to Cambridge Analytica) was commenced in December 2020 and is still before the courts, as is the action against Australian Clinical Labs commenced in November 2023.

Partner John Keeves explains the cyber governance implications in this recent article.

The OAIC has recently released a concise statement summarising the allegations against Medibank, which provides insights as to the OAIC’s expectations in relation to APP 11.1 compliance, as well as in relation to the penalty construction arguments we’ve noted above. John Keeves and Sophie Dawson explore the OAIC’s concise statement in the proceeding in this article. Medibank’s response is due on 30 August 2024 at which stage we will have more insights into its perspective on relevant events.

Notifiable data breaches scheme compliance is an enforcement focus of the OAIC

At the start of this year, the OAIC identified as its regulatory priorities: online platforms, social media, high privacy impact technologies and the security of personal information.

In its latest bi-annual report on the notifiable data breaches scheme, the OAIC said it will be taking a stronger regulatory approach to compliance with the scheme, including the obligations to conduct an expeditious assessment of a suspected data breach, and to notify the OAIC and affected individuals as soon as practicable after establishing reasonable grounds to believe that a notifiable data breach has occurred.

Our November 2023 edition of Digital Bytes takes you through two recent OAIC determinations arising from delay in assessing and notifying notifiable data breaches.

In light of this enforcement focus, organisations bound by the Privacy Act 1988 (Cth) (Privacy Act) should review their information security and data breach response arrangements and, in particular:

  • document the steps taken to complete an assessment of a data breach within 30 days of becoming aware of a suspected data breach; and
  • prioritise notification of the OAIC if, for logistical reasons, arranging notifications to individuals will take some time.
Companies’ use of publicly available personal information in the spotlight after OAIC determination

The OAIC’s determination in AHM and JFA (Aust) Pty Ltd t/a Court Data Australia [2024] AICmr 29 is a cautionary warning to entities who collect publicly available information.

The respondent, Court Data Australia, collected and collated the publicly available daily law lists published by each Australian court, which set out the parties to matters being heard in the courts that day. The courts only make the day’s law list available online.

The OAIC found that the respondent had breached:

  • Australian Privacy Principle (APP) 3.5, because the collection of personal information by the respondent was not by fair means – it was collected in breach of the Western Australian court portal’s terms, without the complainant’s knowledge, and the collection could not reasonably have been expected by the complainant;
  • APP 5, because the respondent failed to take reasonable steps to give individuals collection notices – the OAIC accepted that the respondent could not give a collection notice based on the information in the daily court list, but expected it to at least put a collection notice on its website; and
  • APP 10, because the respondent had failed to take reasonable steps to ensure that personal information disclosed was accurate, up to date, complete and relevant, in light of the purpose of disclosure – noting that the respondent failed to take sufficient steps to clearly articulate the limits of personal information it holds and discloses, and because the respondent invited uses to draw (adverse) inferences based on the information the respondent disclosed.

Organisations should exercise caution when collecting publicly available personal information, especially as Australia’s privacy laws require information to be collected directly from an individual (unless unreasonable or impracticable). Being transparent about the collection of publicly available information through a privacy policy and collection notice may mitigate the risks to an extent.

Digital ID laws passed

The digital ID laws received royal assent on 30 May 2024, following passage of the legislation through both Houses of Parliament. The laws provide a framework, governance and safeguards for the roll-out of Australia’s digital ID framework beyond the Commonwealth Government, where it has been in operation under the Trusted Digital Identity Framework since 2018.

The digital ID scheme is based on the accreditation of entities, verifying that they have met stringent requirements and safeguards so that the system is ‘trusted’. At a high level, the system works so that:

  • an individual may choose to verify themselves to an accredited ID provider (by providing core identity documents); and
  • when a relying party (such as a private company) needs to verify some information about the individual (such as their age, or their identity), the relying party can – with the individual’s consent – receive assurance about that information from the accredited ID provider (e.g. “I verify that this person is over 18 years old”).

Given the number of recent data breaches involving identity information, which can often alone meet the threshold for making the incident a notifiable data breach under the Privacy Act, we expect significant uptake from the private sector to use the digital ID scheme as relying entities.

The ACCC will be the primary regulator of the digital ID system and laws, with the OAIC appointed to oversee the privacy safeguards.

It will not be mandatory to have a digital identity. With very narrow exceptions, organisations relying on digital ID must still have other, accessible mechanisms to allow individuals to identify themselves without a digital ID.

ACCC’s report on data brokering highlights the limits of existing privacy laws and their enforcement

On 21 May 2024, the ACCC released its eighth report in its Digital Platform Services Inquiry, focusing on the data brokering industry.

In brief, it finds that individuals are generally unaware of how their personal information is shared with other businesses (and the value the information holds in the hands of data brokers), and that long and complex privacy policies and terms and conditions do little to provide meaningful choice and transparency.

Interestingly, the report notes that while data broker datasets are often de-identified, they are so rich in personal information that they may be reasonably re-identifiable in many cases.

The report also looks at the Australian law that requires personal information to be collected directly from the individual (unless unreasonable or impracticable) and finds that it is under-observed and under-enforced.

While the report ultimately supports the broader reforms of the Privacy Act taking place, it suggests that some of Australia’s existing privacy rules may already be fit for purpose, if they were more strictly observed.

Causes of action in confidentiality may fill gaps where privacy laws do not apply

The recent NSW Supreme Court case of The Star Pty Ltd v AB [2024] NSWSC 690 reminds us that where privacy laws do not apply to individuals (in their private capacity) or to some small businesses, a person may have a cause of action under general law to restrain those persons from dealing with personal information in a way that would breach an equitable obligation of confidence.

In summary, the defendant (an unsuccessful job applicant with The Star) had gained unauthorised access to personal information of The Star’s patrons (in relation to which The Star was subject to obligations under the Privacy Act), and threatened to release it. As an individual, the defendant was not bound by the Privacy Act. The court found that the defendant held that personal information subject to an equitable obligation of confidence, and awarded a permanent injunction restraining its release.

AICD releases ‘Governing Through a Cyber Crisis’ guidance

In February 2024, the Australian Institute of Company Directors (AICD) released its ‘Governing Through a Cyber Crisis - Cyber Incident Response and Recovery for Australian Directors’ publication (Guidance).

The Guidance, which expands on the AICD's Cyber Security Governance Principles released in 2022, provides insights for boards and directors on how best to prepare, respond and recover from cyber incidents, and focuses on four key areas:

 

Boards should

Next steps

Readiness

Implement a current and comprehensive cyber response plan, which includes:

  • clearly-defined crisis decision-making roles;
  • communications strategy for both internal and external stakeholders; and
  • rigorous training and testing protocols which simulate crisis conditions.

Regularly test cyber incident simulations.

Document key lessons learned from simulations and identify gaps in current cyber readiness.

Response

 Supported by expert external advice, provide agile and timely support and oversight to management.

Ensure consistent, accurate, timely and transparent communication with key stakeholders can mitigate reputational damage.

Ensure compliance with regulator reporting obligations.

During the response phase, larger organisations should establish:

  • a cyber-incident sub-committee to provide additional governance; and
  • a remediation and post-incident review team.

Recovery

Ensure appropriate steps are taken to secure systems and data, including investment into immediate or short-term cybersecurity.

Remain cognisant of the impact a cyber incident can have on employee wellbeing, and take steps to provide support where needed.

Oversee a comprehensive post-incident review, including external advice where appropriate.

Share knowledge and insights gained from the cyber incident with other organisations.

Obtain appropriate advice regarding the impact of sharing information on potential regulatory investigations and litigation.

Remediation

Require customer-focused, adequately resourced and swiftly implemented remediation plans.

Oversee continued effective stakeholder communication, including communication about the legal risks and external investigations resulting from the incident.

Oversee remediation, compensation and complaints handling processes where appropriate.

Ensure a strategy for rebuilding the organisation’s reputation is in place.

Demonstrate cyber enhancements to key stakeholders.

The Cyber and Infrastructure Security Centre (CISC) has also updated its Organisational Resilience Good Practice Guide, which sets out the 13 behavioural indicators of organisational resilience.

Consultant Professor Pamela Hanrahan does a deeper dive into what directors and Boards need to be considering in relation to cybersecurity, cyber governance and cyber incidents in this recent article.

Treatment of cyber uplifted in ASX guidance
ASX Corporate Governance Council – updates to the Corporate Governance Principles and Recommendations

As recently reported in JWS’ Above Board (if you’re not already on the distribution list, please get in touch), the ASX Corporate Governance Council (ASX CGC) has released a consultation draft of the 5th edition of its Corporate Governance Principles and Recommendations (Principles and Recommendations).

Recommendation 7.2, in relation to risk management, applies to organisations’ cybersecurity and privacy compliance arrangements. While it has not been changed substantially, the commentary underpinning this recommendation has shifted away from requiring consideration of ‘cybersecurity, privacy and data breaches’ to ‘cyber resilience, data governance’ and ‘third party risk management’.

A focus on third-party risk management is a growing theme espoused by regulators, including ASIC and the OAIC – see our February 2024 and November 2023 Digital Bytes updates.

Submissions to the ASX CGC on the proposed amendments closed on 6 May 2024. Subject to stakeholder consultation, the revised Principles and Recommendations will be released in early 2025 with the expectation that they will have effect on financial years commencing on or after 1 July 2025.

Updates to Guidance Note 8 on continuous disclosure obligations

Partner John Keeves takes you through updates to the latest guidance on ASX continuous disclosure obligations in the context of a data breach.

In brief, notification of a data breach to the OAIC and affected individuals under the Privacy Act will mean that the circumstances of a data breach are no longer confidential, and so the exceptions to continuous disclosure obligations will not apply. Before that point, confidential discussions with regulators may mean that the incident is sufficiently confidential for an exception to apply.

EU’s Cyber Solidarity Act hints at what Australian cyber laws could look like

In March 2024, the European Parliament and Council reached a provisional agreement on the Cyber Solidarity Act, which seeks to strengthen the European Union’s capacity to detect, prepare for and respond to cybersecurity threats and incidents.

The Act establishes:

  1. European Cybersecurity Alert System comprising a network of “cyber hubs” with tools to detect cyber threats and incidents and provide real-time warnings to authorities and other relevant entities.
  2. Cyber Emergency Mechanism, comprising:
    • Support for preparedness actions by testing entities operating in critical sectors (such as healthcare) for potential vulnerabilities.
    • An EU Cybersecurity Reserve with incident response services from “trusted providers” ready to intervene, at the request of Member States, EU institutions, bodies or agencies, in case of significant and large-scale cybersecurity incidents
    • Financial support for mutual technical assistance between Member States’ national authorities.
  3. Cybersecurity Incident Review Mechanism, which permits the EU Cybersecurity Agency (ENISA), on request of the European Commission or national authorities, to review and assess specific significant or large-scale incidents and deliver a report including lessons learnt and recommendations.

The Act has been approved by the European Parliament. Once it is also formally adopted by the European Council, the Act will be published in the Official Journal and enter into force 20 days after.

Cybersecurity on a budget: ACSC releases cyber guidance for charities and not-for-profit entities

On 18 March 2024, the Australian Cyber Security Centre (ACSC) published new guidance on “Cyber Security Checklist for Charities and Not-For-Profits”. The checklist provides valuable guidance to assist organisations in bolstering their cyber resilience when resources are constrained.

The one-page checklist of 10 key points covers the following key recommendations:

  • Implement multi-factor authentication (where possible), automatic updates, back ups and strong passwords.
  • Implement access control on systems on a need-to-know basis.
  • Use trusted and secure cloud services and managed service providers.
  • Roll out cyber training to staff, including on recognising scams and phishing attempts, and maintaining confidentiality and security when working remotely.
  • Regularly test cybersecurity detection, incident response, business continuity and disaster recovery plans.
  • Report cybercrime, incidents or vulnerabilities to cyber.gov.au/report.
  • Join the ASD’s Cyber Security Partnership Program for free advice and insights.
Highlights from recent reports on cyber threats

A number of recent reports canvas the latest insights on cyber threats.

ASIO Director-General Mike Burgess used the recent Director-General’s Annual Threat Assessment 2024 address to stress that the most immediate, low-cost and high-impact vehicle for sabotage is cyber. Mr Burgess went on to frame the serious threat of cyber sabotage by highlighting the interconnection and interdependence of Australia’s critical infrastructure networks, which increase vulnerabilities and expose access points.

Mr Burgess highlighted that good cybersecurity works across three dimensions:

  • vertical or ‘cyber secure by design’ – embedding it into foundations, and not attempting to add it at the end;
  • horizontal – ensuring security across all four pillars of people, places, technology and information; and
  • temporal – regularly adapting to keep up with evolving threats.

Bleeping Computer’s March 2024 analysis of recent ransomware attacks sets out lessons learnt from recent ransomware attacks, before explaining some key steps to take to reduce ransomware risk:

  • email filtering and security – to reduce the risk of a successful phishing attack;
  • endpoint security – to detect unusual changes in a network’s security;
  • encryption of sensitive data – to protect it from unauthorised access;
  • back up strategy – ensure that critical data is backed up and accessible outside the organisation’s main network;
  • patch management – to reduce the risk of public vulnerabilities being exploited to get access.

Finally, Mimecast has published a report on human risk and AI titled ‘The State of Email and Collaboration Security 2024’, setting out its findings from a survey of 1,100 technology and cybersecurity professionals from across six countries (including Australia). It highlights email and collaboration tools as being a key vector for cyber attacks.

Online safety developments

Australia’s Online Safety Act 2021 (Cth) has recently been in the spotlight.

Earlier this year, the Minister for Communications released Terms of Reference for a statutory review of the Online Safety Act. The review will be broad and consider the effectiveness of the OSA, including in relation to new and emerging harm, and whether the eSafety Commissioner’s functions and powers are sufficient to achieve the objects of the OSA. An Issues Paper was published at the end of April and focuses on five key themes:

  • Australia’s regulatory approach to online services, systems and processes;
  • protecting individuals who have experienced or encountered online harms;
  • penalties and investigation and information gathering powers;
  • international approaches to addressing online harms; and
  • regulating the online environment, technology and environmental changes.

Public consultation is being conducted until 21 June 2024, with the final report to be provided to the Minister by 31 October 2024.

Against that backdrop, a recent high-profile case has explored the limits of the eSafety Commissioner’s powers.

In April 2024, the eSafety Commissioner issued a removal notice pursuant to section 109 of the Online Safety Act to Meta and X Corp (X) in relation to “extreme and gratuitous violent material” about an incident in Australia that was available on those social media services. Relevantly, the removal notice required the social media services to “take all reasonable steps to ensure removal of the class 1 material” specified in the removal notice and contained at 65 URLs. While X agreed to geo-block the material so that users with Australian IP addresses could not access it, X objected to making the material inaccessible to all X users in the world (which is what was sought by the Commissioner in order to make the material inaccessible to Australian users using a virtual private network (VPN)).

While the eSafety Commissioner successfully obtained an interim injunction requiring X to “hide” the material, on 13 May 2024, the Federal Court refused the Commissioner’s application for a further extension of the interim injunction. In making a decision on the extension, the Federal Court found that the Commissioner’s interpretation of “reasonable steps” was too broad, and “reasonable steps” did not require X to make material inaccessible to its entire global user base.

On 5 June 2024, the eSafety Commissioner announced she was discontinuing proceedings in the Federal Court against X. The Commissioner’s decision to issue the removal notice remains subject to merits review by the Administrative Appeals Tribunal.

Artificial intelligence developments

On 21 March 2024, the United Nations General Assembly adopted its first resolution on AI, encouraging countries to safeguard human rights, protect personal information, and monitor AI for risks. While it has no immediate binding effect, it is expected to shape countries’ regulatory responses to AI.

The ACCC’s ninth report in its Digital Platform Services inquiry will focus on online search services, including the use of AI and generative AI in search engines. The Issues Paper for this report was published in March 2024 and submissions closed on 17 April 2024.

On 26 March 2024, the Senate established a Select Committee on Adopting Artificial Intelligence to inquire into and report on the opportunities and impacts for Australia that come with the adoption of AI technologies. In particular, it will consider:

  • recent trends, including generative AI;
  • risks and harms arising from use of AI, including bias, discrimination and error;
  • international approaches to AI risk mitigation;
  • how AI can benefit citizens, the environment and economic growth (for example, in the healthcare or climate management spaces);
  • how to foster a responsible AI industry;
  • how generative AI can threaten democracy and trust in institutions; and
  • the environmental impacts of AI.

Almost 170 (published) submissions were received before the 10 May 2024 deadline. The Committee is due to report to Parliament by 19 September 2024.

The Department of Industry, Science and Resources has established an AI reference group to advise on mandatory guardrails to address the design, development and deployment of AI systems in high-risk settings. The reference group will operate until 30 June 2024.

Recorded Future’s recent Cyber Threat Analysis report looks into the following four key use cases in which malicious AI can be used against a company:

  1. using deepfakes to impersonate executives;
  2. influencing operations by impersonating legitimate websites;
  3. leveraging generative AI to augment source codes of small malware variants to lower detection rates; and
  4. identifying sensitive infrastructure, such as power facilities, through aerial imagery reconnaissance.

While the risks posed by these use cases may currently be limited, some have occurred already and they are anticipated to substantially grow in the near future.

Security of critical infrastructure developments

Organisations regulated under the Security of Critical Infrastructure Act 2018 (Cth) and who are required to have a critical infrastructure risk management program are due to submit their first risk management reports in July to September 2024.

The CISC recently released its 2024-25 Compliance Regulatory Posture, foreshadowing a shift from education to enforcement. The CISC intends to commence compliance auditing in the 2024-25 period.

The government continues to roll out its National Cyber Security Exercise program, with the new national cybersecurity coordinator, Lieutenant General Michelle McGuinness, recently identifying food and grocery, finance and transport as the next sectors to be tested.

The National Cyber Intel Partnership, formed in September 2023 to coordinate intelligence sharing and threat blocking between industries and the government, has begun work on a pilot program.

The Australian Government recently closed its public consultation period for its 2023-2030 Australian Cyber Security Strategy: Cyber Security Legislative Reforms Consultation Paper, including the following five proposed changes to the SOCI Act:

  • expanding the reach of the SOCI Act to cover all data storage systems holding business-critical data (Measure 5);
  • the introduction a broad power for the government to give directions to an entity (exercised as a ‘last resort’) in response to a national significant incident (such as a data breach) (Measure 6);
  • amending the provisions that protect information under the SOCI Act to ensure that they do not impede incident responses and reporting to government (Measure 7);
  • including a right for the government to issue formal directions requiring an entity’s deficient critical incident risk management program to be remedied (Measure 8); and
  • developing a new Telecommunications Security and Risk Management Program under the SOCI Act to replace the current telecommunications security regime under telecommunications legislation (Measure 9).

Most of these proposals were supported in a majority of submissions. However, the Government has noted that further consultation would be required on Measure 8, as submissions emphasised the need for this power to be clearly defined with clear boundaries on when it can be activated.

What else?
  • The Australian media regulator, the Australian Communications and Media Authority (ACMA) has commenced enforcement action against Optus arising out of its September 2022 data breach. It alleges that Optus failed to protect the confidentiality of customers’ personal information under the Telecommunications (Interception and Access) Act 1979 (Cth).
  • ACMA continues its recent trend of issuing regular fines in response to non-compliances with the Spam Act. Pizza Hut has been hit with a $2.5 million fine for sending texts and emails to customers who had not consented or who had unsubscribed, and for sending messages without an option to unsubscribe. Earlier, Luxottica was fined over $1.5 million for sending messages to people who had unsubscribed, or without an unsubscribe facility.
  • Australia’s financial services sector regulator, the Australian Prudential Regulation Authority (APRA) has advised regulated entities to review compliance with CPS 234, with a particular focus on backing up data.
  • The basis of the OAIC’s refusal to deal with two representative proceedings (‘class action’-style privacy complaints) arising out of the Optus data breach has been successfully challenged in the Federal Court. The representative proceedings have been remitted back to the OAIC for consideration.
  • Optus has been unsuccessful in its appeal against the finding that a Deloitte report commissioned in the wake of its data breach was not protected by legal professional privilege.
  • After raising preliminary inquiries about TikTok’s use of pixels, the OAIC has determined that it cannot pinpoint a breach of Australian privacy laws. Pixels, cookies and other tracking tools will remain a focus for the OAIC, but it may need to wait for reforms to the laws before it has more certain legal footing to proceed with investigations.
  • Australia is on a streak of international cooperation on cybersecurity, with Australia signing:
    • an MOU with Singapore to accelerate digitisation and trade – with leaders commenting that responsible State behaviour in cyber space would be a focus of the countries’ Comprehensive Strategic Partnership in the future;
    • an MOU with The Philippines, focused on sharing information on cybersecurity and critical infrastructure challenges; and
    • an MOU with the UK on online safety and security.
What’s next?

Draft legislation amending the Privacy Act will be released in the coming months.

We’re expecting a continuing intense focus on cyber resilience and third-party risk management from a range of regulators, including the OAIC, ASIC and APRA.

We have a large team of privacy and cyber specialists, with substantial experience across the whole spectrum of compliance and incident management.

For a more detailed briefing on any of these updates, or to discuss how we can assist your organisation to manage its risks in these rapidly evolving areas, please get in touch.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).

Related insights Read more insight

Distributor dilemmas: paving the path with 'reasonable steps' under DDO

The Federal Court last week handed down its decision in Australian Securities and Investments Commission v Firstmac Limited [2024] FCA 737. ASIC was successful in its claim that Firstmac Limited...

More
Takeovers Panel orders The Market Limited to appoint two independent directors

Usually who serves on the board of a listed company is a matter for the company itself and others, including the courts, only rarely intervene. That’s why the Takeovers Panel’s order requiring...

More
Australian artificial intelligence regulation: a work in progress

Regulators are grappling with the challenges posed by AI, and where to strike the regulatory balance. Submissions to the Australian Senate Committee tasked to consider AI reveal some of the key...

More