New cyber security rules proposed. Another discussion paper on privacy and cyber security. A good paper, the question is whether anything will come of it.

July 18, 2021

On 13 July 2021 the Federal Government released a comprehensive discussion paper titled Strengthening Australia’s cyber security regulations and incentives as part of its attempts to make the digital economy more resilient.  The focus is on cyber security.  It summarises the issues and raises options across the broad subject headings of:

  • Governance standards for large businesses
  • Minimum standards for personal information
  • Standards for smart devices
  • Labelling for smart devices
  • Responsible disclosure policies
  • Health checks for small businesses
  • Protecting consumers
  • Clear legal remedies for consumers

As papers go it is comprehensive and a good resource in itself as it sources US, UK and European actions (which are far ahead of Australia’s) in cyber security.  But there is nothing stated in the report which hasn’t been written before.  It is candid enough to state that the primary current regulatory framework of the Privacy Act 1988, the Australian Consumer Law and the Corporations Act as well as other more specialised acts are not effective in this area.  Refreshingly the Paper highlights the dissatisfaction with the Information Commissioner’s approach to enforcement of the Privacy Act stating, at page 17:

The OAIC does have a range of enforcement powers under the Privacy Act, but your previous feedback told us too much focus has been put on conciliation over strong penalties. Specifically, while the Privacy Act confers a range of regulatory powers on the Commissioner, these powers are based on an escalation model, including a requirement for the OAIC to attempt to conciliate a complaint if there is a reasonable possibility that this conciliation would be successful. Civil penalties are only available under the Privacy Act where there have been serious or repeated interferences with privacy by an entity. A Review of the Privacy Act is considering this issue.

The criticism could have been louder and sharper.  The Paper does not consider the risible awards for serious breaches contained in the Commissioner’s determinations and the fact that from complaint to determination is generally around 2 years.  There is little incentive to make a serious complaint and little fear of consequences for a malefactor.

There are some very good ideas which should find their way into legislation, such as setting governance standards, minimum standards for personal information, standards for smart devices and reviewing legal remedies for consumers.  This last issue has been canvassed thoroughly by the Australian Law Reform Commission, on multiple occasions, the Victorian Law Reform Commission and the New South Wales Law Reform Commission.  Each has recommended a statutory tort of interference with privacy.  The ACCC has added itself to that list of bodies supporting such a right.  The models have varied but all of these bodies have supported such a right.  Federal Labor Governments have flinched at legislating such a cause of action, and Coalition Governments have resisted it.  That has been a failure of public policy.

There are other options canvassed, such as labelling for smart devices and health checks for businesses, which are likely to be interesting but ultimately difficult to manage and use.

The hard reality is that until businesses realise that there are legal consequences, with associated costs, for failing to maintain proper levels of cyber security, the standard will remain inadequate and the damage to the economy will grow.  Telstra chief executive Andrew Penn has publicly stated that company directors should be liable for cyber security negligence.  He gets it.  He has also sounded the alarm about the cyber security threat from AI and supercomputers.

Submissions to the 28 questions close on 27 August 2021.

Hopefully something comes of this latest round of discussions and then considerations.  It is just that everything takes so long while cyber threats develop, morph and multiply on a daily basis.  Government and businesses see little need to do more than the absolute minimum required.  There is little incentive to put extra effort and money into maintaining a proper economy-wide level of protection.

The Australian covered the release of the Paper in New cyber security rules for business.

It provides:

Businesses would face new minimum cybersecurity requirements and tougher standards on the handling of personal information under proposed new rules to make the nation more resilient to digital threats.

Manufacturers of smartphones and other “internet of things” devices would have to ensure their products met baseline standards under the cybersecurity blueprint.

A new government discussion paper said weak commercial incentives were hindering private sector investments in cybersecurity measures, imposing huge costs on the broader community.

It flagged the introduction of clear minimum expectations on businesses to manage cybersecurity risks, and better information for consumers about the security of technology products.

Consumers would also get access to clear legal remedies after cybersecurity incidents, under proposed changes.

The consultation comes amid a new Australian Institute of Criminology report estimating the total annual economic impact of cybercrime in Australia at $3.5 billion, including $1.9 billion lost by Australian victims.

The paper said cyber governance standards could be expanded beyond the owners of critical infrastructure businesses, which face tough cybersecurity obligations and mandatory cyber incident reporting.

“It is widely accepted that cyber security risks are an increasingly important set of risks that most large businesses, including those established in the corporate form, need to oversee and manage,” it said.

“However, there is no explicit requirement that cyber security forms part of many existing obligations including those applicable to directors.”

It said both voluntary and mandatory requirements were being considered, supported by better cybersecurity education.

It said a voluntary system risked lower compliance, but “a mandatory standard may be too costly and onerous given the current state of cyber security governance”.

New technical standards, such as a requirement for multi factor authentication, are also being considered to help protect Australians’ data.

The paper flags an enforceable code to require companies to “take reasonable steps to protect personal information” by mitigating cybersecurity risks.

But it warns the design of the code must not overburden businesses.

Home Affairs Minister Karen Andrews said the government was acting to address what was a growing international problem.

“We cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security,” she said.

“I want to make sure Australian businesses – big and small – are secure, and consumers are protected.”

Fergus Hanson, the head of the Australian Strategic Policy Institute’s International Cyber Policy Centre, said most Australian firms “routinely under-invest in cyber security”.

“Sectors like banking have an absolute crystal-clear rationale for investing in cybersecurity, because they’re trying to get people to stop stealing their money.

“But for companies in other sectors it is not a top priority. So we see over and over again people’s data being leaked or stolen, or company being held to ransom and their services disrupted.”

He said incentives, potentially through the taxation system, were a better way to improve cybersecurity practices than heavy-handed regulation.

