Why cybersecurity is everyone’s business
There is no doubt that businesses, government, and individuals are targets for cyber attacks which are increasing in frequency and severity.
In March 2021, Channel Nine was targeted with a cyber attack which disrupted broadcasting and forced it to move its entire business operations from Sydney to Melbourne. Closer to home, in the lead-up to Christmas the South Australian Government was required to advise over 80,000 public servants that it had been the subject of a cyber attack and that employees should assume their personal details had been stolen.
Data from the Australian Cyber Security Centre revealed there were over 67,500 reported cyber attacks in the 2020 to 2021 financial year, with combined losses totalling more than $33 billion. The statistics further revealed that medium businesses (those with between 20 and 200 employees) are hardest hit by cyber attacks, with the average financial loss for a medium business being over $33,000.
However, the perception that cyber attacks and data breaches are caused by a mysterious, unknown figure operating in the shadows greatly underplays the fact that many data breaches are caused by people within the business. In fact, an analysis by the Office of the Australian Information Commissioner (OAIC) of all notifiable data breaches for July to December 2020 revealed that nearly 40% of data breaches were caused by ‘human error’, while of the 58% of data breaches which were considered to be malicious or criminal, a significant number were the result of ‘rogue employees’ or ‘insider threat’.
Legislative framework
In Australia, there is no principal piece of legislation which regulates or imposes minimum cyber security requirements or standards. Instead, cyber security is regulated collectively by a number of different pieces of legislation, each of which addresses or imposes cyber security requirements tangentially, in a piecemeal manner.
Privacy Act and GDPR
The Privacy Act 1988 (Cth) regulates the handling of individuals’ ‘personal information’. Given that a majority of information (including personal information, such as names, signatures, addresses, phone numbers) is now being collected, stored and used digitally, the application of the Privacy Act is obvious.
The Privacy Act applies to all businesses with turnover of $3 million or more, or businesses under the $3 million threshold that deal with particular types of sensitive information (APP entity). The obligations on APP entities relevant from a cyber security perspective include a requirement to:
- have in place an up-to-date privacy policy about the management of personal information;
- not collect personal information unless that information is reasonably necessary for the APP entity’s functions or activities;
- comply with certain obligations where personal information is being disclosed overseas;
- take reasonable steps to protect personal information; and
- make mandatory disclosure to affected individuals and the OAIC of any data breaches which are likely to result in serious harm (including financial or economic harm) to an individual whose personal information is involved.
Any Australian business that offers goods or services to individuals residing in the EU, operates a business in a member state of the EU, or otherwise monitors the behaviour of individuals in the EU may also be caught by the European Union General Data Protection Regulation (GDPR).
While the GDPR shares many similarities with Australia’s Privacy Act, there are a number of key differences between the two, which businesses with a relationship to the EU should be aware of.
Security of Critical Infrastructure Act
Businesses in Australia which operate “critical infrastructure assets” may also be subject to the recently amended Security of Critical Infrastructure Act 2018 (Cth). One of the effects of those recent amendments was to significantly expand the scope of infrastructure sectors and assets which are considered to be “critical” to include sectors such as financial services and markets, energy, transport, health care, medical and communications.
The Security of Critical Infrastructure Act imposes an obligation on entities responsible for critical infrastructure assets to report cyber security incidents within either 12 or 72 hours of the entity being aware of the incident, depending upon the severity of the incident. Civil penalties can apply for failing to comply.
Most controversially, the Act also allows the Government to intervene where a cyber security incident in respect of critical infrastructure has occurred, is occurring, or is imminent.
Ransomware Payments
The Ransomware Payments Bill 2021 (Cth) is currently before Parliament. While the Bill would not expressly prohibit or make unlawful the making of a ransomware payment in itself, it would require an entity that makes a ransomware payment to disclose the payment to the Australian Cyber Security Centre along with other details such as the identity of the attacker and a description of the attack.
Corporate Governance and Disclosure
Section 180 of the Corporations Act 2001 (Cth) requires all company directors and officers to exercise their powers and perform their duties with care and diligence.
While there have not been any case authorities which have directly applied this obligation to having in place adequate cyber security protections and countermeasures, it is not difficult to see how regulators and shareholders may seek to draw this connection in the near future, particularly as cyber attacks become more frequent and severe in nature.
Similarly, public companies listed on the Australian Stock Exchange would be required to consider whether a cyber attack would trigger their continuous disclosure obligations to the market under the listing rules on the basis that a cyber attack would have a material effect on their share price.
In what may be an indication of increased regulatory action in the area of cyber security, in 2020 ASIC announced it had commenced proceedings against RI Advice Group, which is an Australian Financial Service Licence (AFSL) holder, for failing to have adequate cyber security systems in place following a number of cyber attacks on authorised representatives of RI.
This is the first test case of its kind in Australia in respect of the adequacy of a business’s cyber security systems and policies. ASIC is seeking declarations that RI’s inadequate policies and systems to manage its cyber risk are a breach of certain obligations owed by RI as an AFSL holder, including:
- to do all things necessary to ensure the financial services covered by its licence are provided efficiently, honestly and fairly;
- having adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements; and
- having adequate risk management systems.
The matter is listed for hearing shortly. If ASIC is successful, this decision is likely to have significant ramifications by setting out minimum cyber security standards required.
Takeaways
As cyber security continues to be an increasing area of risk and focus for businesses, businesses should consider what cyber-risk management strategies and systems are currently in place.
In particular, businesses should be:
- reviewing their employment contracts to consider whether they have key terms regarding privacy and confidential information;
- considering whether the business has in place relevant (internal) policies such as an information security policy, acceptable use of IT policy and social media policy;
- reviewing their supplier and customer contracts to ensure that relevant information and data protections are included;
- ensuring that they have an external privacy policy;
- preparing a data breach response plan so that the business is able to properly identify, respond to and remedy a mandatory data breach; and
- providing education and training to the wider business regarding cyber security risks and awareness.
Author: Lachlan Chuong
Position: Associate
Practice: Disputes
This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.