[co-author: Olivia Newbold]
It has been a busy month for cyber and privacy regulation in Australia. On the heels of the proposed amendments to the Privacy Act 1988 released just under a month ago (see our summary here), three further draft Bills relating to cyber security were released this week.
The key takeaways from the new Bills are summarised below:
Mandatory ransomware reporting
The Cyber Security Bill 2024 (Cyber Security Bill) introduces a mandatory reporting requirement where a ransomware payment (or other benefit) is paid to an extorting entity. The aim is to give the Australian Government greater visibility over the extent of the threat which ransomware poses to Australian businesses, particularly in light of the Australian privacy regulator’s ongoing concern regarding the under-reporting of ransomware incidents under the notifiable data breach regime in the Privacy Act 1988.
A report will need to be made to the Department of Home Affairs within 72 hours, if the following criteria are met:
- a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
- an extorting entity makes a demand of the reporting business entity, or some third party directly related to the incident impacting the reporting entity, in order to benefit from the incident or the impact on the reporting business entity; and
- the reporting business entity provides, or is aware that another entity, directly related to the reporting entity, has provided a payment or benefit to the extorting entity that is directly related to the demand.
Some Australian businesses will be exempt from the reporting requirement, if their annual turnover falls below an as-yet unspecified amount.
A two-stage reporting obligation had previously been proposed, which would have required notifications to be made if a request for payment of ransomware was received and additionally if any payment was subsequently made.
Cyber Review Board
Australia is following in the footsteps of other jurisdictions such as the United States by establishing a Cyber Review Board. The Board’s remit will be to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. The intent is to strengthen cyber resilience, by providing recommendations to Government and industry based on lessons learned from previous incidents.
Limited information gathering powers will be granted to the Board, so it will largely rely on cooperation by impacted businesses.
The Board will be comprised of a Chair, standing members and an Expert Panel. The Expert Panel will be drawn from of a pool of industry members with relevant expertise.
Limited Use Exception
A ‘limited use’ obligation will be established under the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Intelligence Services Bill), designed to encourage engagement and reporting between industry and the Government during cyber incidents.
The regime is designed to assure businesses that any information which is voluntarily provided to the National Cyber Security Coordinator or Australian Signals Directorate (ASD) regarding a cyber incident can only be recorded, used and disclosed by those entities for limited purposes.
Crucially, it guarantees that information which is provided voluntarily or in response to a request within the framework of the limited use regime cannot later be used against the entity by a regulator.
The ‘limited use’ obligation will apply to information provided to, acquired or prepared by the National Cyber Security Coordinator or ASD by an impacted entity during a cyber security incident, as well information which is provided on behalf of the impacted entity (such as by its external advisors).
Mandatory security standards for smart devices
The Cyber Security Bill also establishes a framework under which mandatory security standards for smart devices will be issued.
Suppliers of smart devices will be prevented from supplying devices which do not meet these security standards, and will be required to provide statements of compliance for devices manufactured in Australia or supplied to the Australian market.
The Secretary of Home Affairs will be given the power to issue enforcement notices (including compliance, stop and recall notices) if a certificate of compliance for a specific device cannot be verified.
Security of Critical Infrastructure
The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 will amend the Security of Critical Infrastructure Act 2018, by giving effect to the legislative reforms contained in the 2023-2030 Australian Cyber Security Strategy.
The changes are designed to strengthen the security and resilience of critical infrastructure assets in Australia.
The key change to note for regulated entities is that secondary assets which hold ‘business critical data’ may also be captured as critical infrastructure assets, regardless of the primary purpose of the asset. This is not intended to capture all non-operational systems which hold business critical data, but rather those where there is a material risk that a hazard to the data storage system could have an adverse impact on a critical infrastructure asset.
Other changes to the Security of Critical Infrastructure Act 2018 include the provision of further clarity on the secrecy and disclosure provisions, and the implementation of new powers for the Secretary of the Department of Home Affairs.
We will provide further updates once these Bills are passed.
[View source.]