26 Oct Cyber Security Governance
Author: Helaine Leggat
“Directors have a critical role to play and must seek to uplift their own cyber literacy levels, recognising that this is a key risk that can never be eliminated but can be effectively managed.”[1]
The Hon Clare O’Neil MP, Minister for Home Affairs and Minister for Cyber Security understands that when Australians entrust their most sensitive data to organisations, there is a legitimate expectation that it will be protected, and further, that keeping Australians’ data safe requires strong collaboration between government, business, and industry.
Worsening trends
Australian trends for 2020–21[2] include one cybercrime report every eight minutes, self-reported losses exceeding $33 billion, some 500 ransomware reports, and Australia’s critical infrastructure sector emerging as the favoured target (about 25% of all reported incidents).
Recent breaches demonstrate worsening trends. In September, Optus[3] notified customers of a cyberattack exposing 9.8 million customer records, including driver licences and proof of age/identity documents (from all states and territories), Australian and international passports, and Medicare card numbers.
In October, unauthorised access to an EnergyAustralia customer platform exposed the personal data of 323 residential and small business customers, including names, physical addresses, email addresses, phone numbers, and electricity and gas bills. More than 2 million customers of MyDeal, a Woolworths Group subsidiary, had their names, email addresses, phone numbers, delivery addresses and, in some cases, dates of birth accessed in a data breach. Perhaps the most serious of the October breaches is that of Medibank, because of the extreme sensitivity of the information accessed: personal information and sensitive health data on all 3.9 million Medibank customers.
Immediate legislative response – tougher penalties for serious data breaches
A media release on the Attorney-General’s website dated 22 October 2022[4] reported that the Albanese Government would immediately introduce legislation to significantly increase penalties for repeated or serious privacy breaches, recognising that existing safeguards are inadequate and that it was not enough for a penalty for a major data breach to be seen as merely the cost of doing business.
As an interim remedy, without retrospective application, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) will increase maximum penalties that can be applied under the Privacy Act 1988 (Privacy Act) for serious or repeated privacy breaches, up from the current $2.22 million penalty to whichever is the greater of:
- $50 million;
- three times the value of any benefit obtained through the misuse of information; or
- 30% of a company’s adjusted turnover in the relevant period.
The Bill will also:
- provide the Australian Information Commissioner with greater powers to resolve privacy breaches;
- strengthen the Notifiable Data Breaches scheme to ensure the Office of the Australian Information Commissioner (OAIC) has comprehensive knowledge and understanding of the information compromised in a breach, so that it can assess the risk of harm to individuals; and
- equip the OAIC and the Australian Communications and Media Authority[5] (ACMA) with greater information sharing powers.
Comprehensive review of the Privacy Act
It is important to note that this Bill is in addition to a comprehensive review of the Privacy Act by the Attorney-General’s Department, which commenced two years ago and is due to be completed this year, with recommendations for further reform expected.
Observations
Most of the debate around the breaches concerns the large amounts of information collected, and the long retention terms.
There are numerous calls for new laws, better laws: “We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”
“We urgently need frameworks that encourage corporations and government agencies to enhance their cyber security capabilities …”
“Companies could be forced to delete customer data used to prove ID.”
“… the Privacy Act must also be amended to make it clearer when companies must dispose of customer data …”
“… do more to address the sheer amount of data companies are able to ask for and store … “.
“… requiring companies to dispose of data when they no longer need it, such as after a customer leaves a provider …”
“… should (companies) be permitted to go on keeping data when the purpose of collecting it in the first place might have been no more than establishing someone’s identity.”
“… checking a customer’s driver’s licence or passport number to establish their identity should be the end, … of the company keeping all that data”, …”
“They don’t seem to me to have a valid reason for saying we need to keep that for the next decade.”
What the law already provides
Since 1999 Australian law has recognised and facilitated electronic communications and transactions. The Electronic Transactions Act 1999 (Cth) (and its state and territory equivalents) is over-arching and interpretive legislation: where some other law requires a record to be retained, retaining that record electronically satisfies the retention requirement of that other law.
This means that where the Corporations Act 2001 (Cth) requires a business record to be retained for 7 years, 7 years is the legal retention term for the electronic record as well.
It means that where OHS law requires a record to be retained for 45 years, as in the case of an asbestos-related incident, that record must be retained for 45 years, whether in paper or electronic format.
It means that where the Criminal Code Act 1995 (Cth), or state or territory statutes of limitation apply, the retention term is determined by those statutes. Notably, an organisation that has a policy, or even a culture, that tolerates the destruction of records required in evidence can expose its directors to imprisonment. For example, under the Crimes Act 1958 (Vic):
- Section 254: Destruction of evidence – an indictable offence, liable to level 6 imprisonment (5 years maximum) or a level 6 fine, or both; and
- Section 255: Corporate criminal responsibility for an offence against section 254 – under which a director is liable to a 5-year jail term.
These are just a few examples. There are literally thousands of legal record retention requirements, not least for “Commonwealth Records”, including health records falling under the Archives Act 1983 (Cth). Many of these requirements are likely to apply in the case of Medibank.
All these requirements need to be weighed against the requirement under the Privacy Act that personally identifying information may only be retained for so long as the purpose for which it was collected (or a directly related purpose) continues to exist, or, alternatively, for so long as some other law requires it to be retained, as described above.
Furthermore, an intervening event such as an illness (e.g. asbestosis) manifesting some years into the retention term, extends the retention term from 45 to perhaps 50 years. Similarly, where litigation is envisaged, a ‘legal hold’ interrupts the retention term, and extends it.
The competing rights and obligations are a balancing act, not necessarily easy to implement. Record retention is typically the responsibility of an organisation’s legal department, and one can understand decisions to err on the side of caution.
The Privacy Act already limits the personal information that can be collected, used, held and disclosed. It already limits the retention term. Operational difficulties are likely to arise if identifying information is not retained beyond the initial identification purpose. As to frameworks, there are already many: international, Australian and industry-sector specific.
Complexity in the Australian regulatory regime
The Medibank Privacy Policy[6] itself demonstrates the complexity involved. It records:
“We are bound by laws governing how we collect and use your personal information including the Privacy Act 1988 (Cth) and other State and Territory laws such as the Health Records Act 2001 (Vic), Health Records (Privacy and Access) Act 1997 (ACT), the Health Records and Information Privacy Act 2002 (NSW), and the Health Information Privacy Code 1994 in New Zealand (Privacy Laws)”.
The Australian Institute of Company Directors (AICD) Cyber Security Governance Principles[7] published this month, state:
“Cyber security specific regulatory requirements and standards
Australian organisations are subject to a range of regulatory requirements and standards that are relevant to the governance of cyber risk and management of data. Depending on the industry these obligations can be overlapping and complex.
Below is a high-level summary of key cyber regulatory frameworks. A summary of certain industry specific obligations is provided at Appendix C, including Australian Prudential Regulation Authority (APRA) prudential requirements relevant to the governance and management of cyber security risk.
PRIVACY ACT – The Privacy Act 1988 (the Privacy Act) – with its focus on how organisations collect, manage and dispose of personal information is a key legislative framework relevant to the governance of cyber security. Two key regimes under the Privacy Act that directors should be aware of are:
1. Notifiable Data Breaches (NDB) scheme – requiring an organisation to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable of a material data breach; and
2. Australian Privacy Principle 11 – Security of Personal Information (APP 11) – requiring an organisation to take active measures to ensure the security of personal information it holds.
CRITICAL INFRASTRUCTURE – The Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) applies to owners of critical assets in 11 key industry sectors and 22 distinct asset classes, imposing significant cyber risk management and reporting obligations – including a requirement for directors to annually attest that the organisation’s risk management practices are up to date. Additionally, the SOCI Act provides the government with the ability to exercise significant directions and/or intervention powers where an asset owner is unwilling or unable to respond effectively to an incident. Smaller organisations may be indirectly impacted by the SOCI obligations by virtue of being in the supply chain of a SOCI entity.”
Australia, catching up and global cross-border privacy rules
In a joint media release in August, Senator the Hon Don Farrell, Minister for Trade and Tourism, Special Minister of State, and the Attorney-General, Cabinet Secretary The Hon Mark Dreyfus QC MP, announced that Australia had joined the Global Cross-Border Privacy Rules[8] (Global CBPR) Forum, a multilateral[9] initiative which aims to better facilitate the flow of data across borders. The Global CBPR intends to establish an international certification system supporting interoperable privacy regulations and providing effective and enforceable data privacy protections for governments, regulators, and companies globally.
This is encouraging, and similar in spirit to Europrivacy, the first pan-European data protection certification scheme under Article 42 of the EU General Data Protection Regulation (GDPR), whose certification criteria the European Data Protection Board (EDPB) has approved.[10]
Start now – interim actions pending reform
According to the AICD, the vulnerability of Australian companies to cyberattacks has been underscored by a new survey showing that most boards still lack specific cyber expertise, despite the well-known threat posed by attackers.
Less than a month after the cyberattack on Optus exposed the details of millions of customers, the bi-annual sentiment poll by the AICD shows that, while boards insist they are aware of the risk of an attack, only one-third have a committee with a cyber-specific focus.
We suggest you start now with an assessment of what laws apply to your business, and an analysis of your status against good privacy practices. We are here to help with an expert international team that specialises in data privacy and cyber security.
We are very happy to announce that the EDPB has approved the Europrivacy seal, the first pan-European data protection certification scheme according to Article 42 of the GDPR, see: https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-282022-europrivacy-criteria-certification_en.
This can really be a game changer to both formalise and showcase the privacy compliance of specific data processing activities to relevant stakeholders (e.g., data subjects/consumers/users, business partners, etc.).
ICT Legal Consulting is a Europrivacy Ambassador and ICTLC’s experts actively contributed to the drafting of the scheme. It was a long and exciting journey. Now that the EDPB’s approval is a reality, ICTLC is available to advise clients with respect to this certification and the related compliance steps.
[1] Hon Clare O’Neil MP, Minister for Home Affairs and Minister for Cyber Security.
[2] Source: ACSC Annual Cyber Threat Report 2020-21.
[3] https://www.optus.com.au/support/cyberattack
[4] https://ministers.ag.gov.au/media-centre/tougher-penalties-serious-data-breaches-22-10-2022
[5] The Authority responsible for maximising the economic and social benefits of communications infrastructure, services and content for Australia.
[6] https://www.medibank.com.au/privacy/
[7] https://www.aicd.com.au/content/dam/aicd/pdf/tools-resources/director-tools/board/cyber-security-governance-principles-web3.pdf
[8] https://www.globalcbpr.org/
[9] Canada, Japan, the Republic of Korea, the Philippines, Singapore, Chinese Taipei, and the United States of America.
[10] See: https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-282022-europrivacy-criteria-certification_en.