Australia’s Cyber and Privacy Regulation: A Month of Significant Developments
In recent weeks, Australia has witnessed a flurry of activity in the realm of cyber and privacy regulation. Following the proposed amendments to the Privacy Act 1988, which were released just under a month ago, three new draft Bills focused on cyber security were unveiled this week. These legislative changes signal a robust response to the growing threats posed by cyber incidents, particularly ransomware attacks, and aim to enhance the overall security landscape for Australian businesses and citizens.
Mandatory Ransomware Reporting
One of the most significant developments is the introduction of mandatory ransomware reporting under the Cyber Security Bill 2024. This requirement mandates that businesses report any ransomware payments made to extorting entities to the Department of Home Affairs within 72 hours of the incident. The rationale behind this measure is to provide the Australian Government with greater visibility into the ransomware threat landscape, particularly given the ongoing concerns regarding the under-reporting of such incidents under the existing notifiable data breach regime.
To trigger this reporting obligation, several criteria must be met: a cyber security incident must have occurred or be imminent, an extorting entity must make a demand for payment, and the reporting business entity must either have made a payment or be aware of another entity making a payment related to the demand. Notably, businesses with an annual turnover below a yet-to-be-specified threshold will be exempt from this requirement.
Establishment of a Cyber Review Board
In a move that mirrors initiatives in other jurisdictions, Australia is set to establish a Cyber Review Board. This Board will conduct no-fault, post-incident reviews of significant cyber security incidents, aiming to bolster cyber resilience across the nation. By analyzing past incidents and providing recommendations to both the government and industry, the Board seeks to foster a culture of learning and improvement in cyber security practices.
The Board will consist of a Chair, standing members, and an Expert Panel drawn from industry experts. While it will have limited information-gathering powers, the success of the Board will largely depend on the cooperation of impacted businesses, emphasizing the need for a collaborative approach to cyber security.
Limited Use Exception for Information Sharing
Another noteworthy aspect of the new legislation is the introduction of a ‘limited use’ obligation under both the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024. This provision is designed to encourage businesses to engage with the government during cyber incidents without fear of repercussions.
Under this regime, any information voluntarily provided to the National Cyber Security Coordinator or the Australian Signals Directorate (ASD) during a cyber incident can only be used for limited purposes. Crucially, this information cannot later be used against the entity by regulators, thereby fostering a more open dialogue between the private sector and government agencies during critical incidents.
Mandatory Security Standards for Smart Devices
The Cyber Security Bill also introduces a framework for mandatory security standards for smart devices. This initiative aims to ensure that suppliers of smart devices meet specified security standards before bringing their products to market. Suppliers will be required to provide statements of compliance for devices manufactured in Australia or supplied to the Australian market.
To enforce these standards, the Secretary of Home Affairs will have the authority to issue compliance notices, including stop and recall notices for non-compliant devices. This measure is particularly important in an era where smart devices are increasingly integrated into daily life, making their security paramount.
Enhancements to Critical Infrastructure Security
The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 seeks to amend the Security of Critical Infrastructure Act 2018. These amendments are aligned with the 2023-2030 Australian Cyber Security Strategy and aim to strengthen the security and resilience of critical infrastructure assets.
A key change is the inclusion of secondary assets that hold ‘business critical data’ as potential critical infrastructure assets. This means that even if an asset is not primarily operational, it may still be subject to the same security requirements where it poses a material risk to a critical infrastructure asset. Additionally, the amendments provide greater clarity on secrecy and disclosure provisions and grant new powers to the Secretary of the Department of Home Affairs.
Conclusion
As Australia navigates the complexities of cyber threats and privacy concerns, these new legislative measures represent a proactive approach to enhancing the nation’s cyber resilience. With mandatory reporting of ransomware incidents, the establishment of a Cyber Review Board, and the introduction of security standards for smart devices, the government is taking significant steps to protect businesses and citizens alike.
As these Bills progress through the legislative process, stakeholders will be keenly watching for further updates and the implications these changes will have on the Australian cyber security landscape. The emphasis on collaboration, transparency, and accountability is a promising sign that Australia is committed to addressing the challenges posed by cyber threats in a comprehensive and effective manner.
For more detailed insights into these developments, stay tuned for further updates as the Bills are passed and implemented.