Is cyber security regulation possible in Australia?

On 13 July​ 2021, the Australian Government through the Department of Home Affairs (DHA) opened consultation on options for regulatory reforms and voluntary incentives to strengthen the cyber security of Australia’s digital economy.  A number of the discussion topics are highly relevant to privacy practitioners including:

• Introducing a code of conduct for APP 11 security obligations as part of the Privacy Act;
• Considering a right to sue for data breaches, again likely to be included n the Privacy Act.

But how might these proposed changes work, given the existing laws and sharing of power between Federal and State governments?

Why is Government considering cyber security reforms?

The reasons for the proposed regulation and incentives include supporting a growing digital economy and responding to a growing threat environment, particularly ransomware (which is itself the subject of a separate proposed Bill, discussed here).  This work forms links to the well funded initiatives included in  Au​stralia’s Cyber Security Strategy 2020 .  It also complements  other reforms currently being considered including the Government’s critical infrastructure reforms ​(covered in our previous blog post)and the Attorney General’s Review of the Privacy Act 1988.

One of the main themes from the discussion paper is how the government can incentivise businesses to invest in cyber security, including through possible regulatory changes (which seems to be more of a negative than a positive incentive).  Although much attention is given to finding the right balance and not over-burdening business, the incentives  for implementing stronger cyber security controls (other than peace of mind and better security) are difficult to find.

The Discussion paper incorporates other themes raised by the Cyber Industry Advisory Panel and from previous feedback[1] which include:

• There needs to be an accelerated approach to cyber security standards;
• Some market intervention is required as there has been no market correction to date;
• Part of the issue is in the security of products and devices and labelling ad security by design approaches may help;
• SMEs need additional support;
• Government expectations need to be clear and sensible;  and
• Legal protections for consumers should be reviewed.

Also highlighted by the Cyber Industry Advisory Panel is the role of the organisation board or leadership team in prioritising cyber security.

It might be that the Panel was expecting stronger ‘incentives’ for board members to be included in this Discussion Paper. Advisory panel member and Telstra chief executive Andrew Penn has publicly stated that company directors should be liable for cyber security negligence.  He has also sounded the alarm of cyber security threat from AI and supercomputers.

Cyber security regulation: 3 Key Areas

In the Discussion Paper,  the above themes are incorporated into three areas of action on which the government is asking for feedback:

• Setting clear cyber security expectations;
• Increasing transparency and disclosure; and
• Protecting consumer rights.

Mapping to each of these three key areas, the Discussion Paper more specifically is seeking recommendations on the following :

 Setting clear cybersecurity expectations: To set clear minimum expectations they are considering greater use of cyber security standards for corporate governance, personal information and smart devices.  This includes:

• Increasing corporate governance standards with particular focus on accountability for directors and executives;
• Minimum security standards for personal information; and
• Uplifting security standards for smart devices.

Increasing transparency: To increase transparency they are considering initiatives on cyber security labelling for smart devices, vulnerability disclosure and health checks for small businesses:

• Cybersecurity labelling for smart devices to better identify the level of security implemented;
• Software vulnerability disclosure policies to aid detection and remedy of online vulnerabilities; and
• Cyber health checks for small businesses to address cyber risk management.

 Protecting consumer rights: In the area of consumer rights, the government is seeking views about appropriate legal remedies for victims, as part of consumer and privacy regulation:

• Clear legal remedies for consumers affected by cybersecurity incidents – this will involve amending both the Australian Consumer Law as well as the Privacy Act 1988 (Cth).

Cyber security proposals: initial thoughts

There are some very good ideas which should find their way into legislation, such as identifying a code of conduct which could apply to the protection of  personal information (for the purposes of APP 11),  setting standards for smart devices and reviewing legal remedies for consumers and for privacy breaches.  As  already mentioned,  an important part of these considerations is an awareness of the need to carefully balance lower cost voluntary systems, which are likely to have more compliance issues, against more prescriptive mandatory standard which may be too costly or onerous for many entities covered and often become compliance ‘checklists’ to be gamed rather than drivers for substantive change.

The initiatives raised in the Discussion Paper will all be supported by increased investment in education, skills uplift and law enforcement activity directed against cyber criminals (which are also part of the Cyber Security Strategy).  All of which should help with their success.

However, the options open to the government may be limited by the legal basis available to the federal government to support this regulatory intervention.

Regulatory basis for intervention

The paper recognises that this space is covered by three pieces of legislation , and is looking at introducing the measures by some form of amendment to these laws.  The three pieces of existing legislation are:

• Australian Consumer Law – which protects the rights of consumers;
• Australian Privacy Act – which protects personal data as part of Australia’s commitment to protection of personal information based on international treaties; and
• Australian Corporations Act – which regulates the activities of incorporated entities (as part of a power sharing agreement with the State governments).

Each of these laws have a different regulatory objective and as such provide a different regulatory lens to the problem of improving cyber security protections in Australia. Unfortunately, none of these existing pieces of legislation is suitable for the inclusion of general cyber security requirements by itself:

• The lens of consumer protection omits major data sets such as employee records and also rests on market regulation concepts, and the need to protect consumers where markets are not operating efficiently. The references to negative externalities and information asymmetries in the Discussion Paper flag the well-known  and much discussed market issues in the cyber security space. But addressing these issues, through techniques like notices and increased transparency, are unlikely to provide the broader cyber security solutions required to be implemented at the organisational level across every enterprise that handles data as part of the Australian information ecosystem.  Ensuring data is properly protected goes beyond standard consumer protection approaches;
• Similarly, the Privacy Act protects personal data – not corporate data, financial records, details of manufacturing processing, system log-in details, network credentials or trade secrets (other than to the extent that that includes personal information).  Protection of this broader category of data is essential for securing the organisational eco-system.  There are also huge exemptions from the Privacy Act, most notably businesses with an annual turnover of less than $3 million (though there are carve-ins to bring some entities back into scope) and limited application of the Act to employee records held by private entities.  This again has significant implications for a comprehensive plan to improve cyber security practices, which should cover the protection of all types of data.
• The Corporations Act applies to incorporated entities only and  so would leave out sole traders and other unincorporated ventures.  It is also unclear whether the States would be happy to extend the operation of that legislation to the regulation of cyber security practices, and whether this is an area that ASIC would like to step into with its existing regulatory burdens.

Given the shortcoming of the existing regulatory framework, the government is looking to cobble together a patchwork of responses relying on the different avenues available to it.

There is the strong possibility that this might make the space more confusing and more difficult for small business looking to ‘do the right thing’ in terms of protecting the information they hold and their information systems.

Private right of action

The availability of legal remedies for individuals affected by data breaches is raised again for consideration, in the context of both increased rights under the Australian Consumer Law and via including an individual right to sue for breach in the Privacy Act.

This last issue has been canvassed thoroughly by many different and eminent legal bodies and over many years: by the Australian Law Reform Commission, on multiple occasions, the Victorian Law Reform Commission and the New South Wales Law Reform Commission.  Each has recommended a statutory tort of interference with the privacy.

The ACCC, in its influential and more recent Digital Platform Enquiry, joined the list of bodies supporting such a right.

The Government has indicated that it supports the ACCC’s recommendation in the Digital Platform Enquiry in principle,  but ‘subject to consultation and design of specific measures.’  It’s difficult to identify any further consultation that might be useful in regard to the introduction or design of the individual right to sue for breach of the Privacy Act given the extensive review and consideration of this right to date.

One of the only ways to remedy the ineffectual enforcement of the Privacy Act since its passage in 1988 is to introduce a private right to sue.  There are indications that things are moving in this direction anyway with some class action suits being brought on behalf of individuals who have been involved in data breaches, starting with the Privacy Act conciliation process (see our previous blog posts in this issue here and here).

It is possible that the courts via consideration of some of these actions could end up acknowledging a right to privacy as part of Australia’s common law. Rather than waiting for that outcome, would it not be better for the government to introduce a law that is well thought out and provides easy and accessible recourse for the victims of data breaches caused by a failure to take reasonable steps to protect personal data.

The failure over the last 10 years to introduce a statutory cause of action for breach of privacy, from when originally proposed by the ALRC, is not a failure of understanding the regulatory drivers that need to be used to support this important missing piece in the privacy regulatory framework but a failure of political will and public policy.[2]

Issues for consultation

There are important issues for consideration in this paper, many not for the first time.

Will the Department of Home Affairs be able to weave its consumer protection, privacy and corporate law powers to create a more effective cyber security framework for all Australians and their information and supporting systems.  The COVID  experience and the way it has exposed fractures and power mis-alignments between the Federal and State governments is perhaps the clearest example of some of the problems the federal government faces in this area, particularly given that many of the largest and most sensitive personal data stores and information systems are held by State government agencies.

It should be an interesting journey,

The Government is seeking feedback on possible voluntary and regulatory measures in three areas:

• Setting clear cyber security expectations through cyber security standards for:
  • corporate governance
  • personal information and
  • smart (internet of things) devices.
• Increasing transparency through:
  • cyber security labelling for smart devices
  • software vulnerability disclosure policies and
  • health checks for small businesses.
• Protecting consumer rights through appropriate legal remedies for victims.

Submissions are due by August 27, 2021 and can be made here:

Strengthening Australia’s cyber security regulations and incentives – submission form (homeaffairs.gov.au)

Further Reading:

Strengthening Australia’s cyber security regulations and incentives (homeaffairs.gov.au)

[1] This was presented as part of the Qld/NT Discussion Forum on 4 August 2021.

[2] Peter A Clarke » Blog Archive » New cyber security rules proposed. Another discussion paper on privacy and cyber security. A good paper, the question is whether anything will come of it.