Australia: Ongoing data breach investigations underline regulators’ call for cybersecurity focus

This is an Insight article, written by a selected partner as part of GDR's co-published content.

Introduction

In Australia, the current cybersecurity regime is a patchwork result of several distinct legal developments occurring over the past 20 years. One major tranche of developments began at the turn of the century with the Australian response to the Council of Europe’s Convention on Cybercrime (the Convention), which set the scene for reform of Australia’s criminal law response to cybercrime. Separately, Australia has developed an information privacy framework that regulates the cybersecurity of personal information.

More recently, the Australian government has overhauled its regime dealing with the security of critical infrastructure (largely to address the rapidly increasing threat of cyberattack against key infrastructure assets), and we have seen recent cybersecurity incidents impact directors’ duties in the corporate law arena.

This chapter seeks to identify the Australian cybersecurity regime by outlining these key areas of law, as well as identifying the bodies tasked with oversight of the regime. It also addresses the impact of the regime on foreign entities and recent trends, updates and case law.

The Convention and subsequent developments in Australian law

A significant part of the cybersecurity regime in Australia responds to the Convention, which came into force at the international level in 2004. The Convention was the first international treaty on internet and computer network crime, and covers copyright infringement, computer-related fraud, child pornography and network security violations, as well as procedural issues such as the search and seizure of data, extradition and trans-jurisdictional data access. The Convention remains ‘the most comprehensive and coherent international agreement on cybercrime and electronic evidence to date’.[1]

There are two additional protocols to the Convention. The first, the Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (ETS No. 189), entered into force in 2006 but was never signed or ratified by Australia. A further protocol, the Second Additional Protocol on enhanced international cooperation and disclosure of electronic evidence (CETS 224), was opened for signature on 12 May 2022 and has not been ratified by Australia as at the time of writing.[2]

In 2001, largely in response to the Convention (which was in draft at the time), Australia’s federal parliament passed the Cybercrime Act 2001, which added updated computer offences into the Commonwealth Criminal Code and enhanced investigation powers in the Crimes Act 1914 and Customs Act 1901 for the search and seizure of electronically stored data.[3]

In 2011, the Cybercrime Legislation Amendment Bill was enacted to bring domestic legislation in line with the requirements of the Convention. This included amendments to the Telecommunications (Interception and Access) Act 1979, the Criminal Code Act 1995 and the (then-current) Mutual Assistance in Criminal Matters Act 1987. Australia ratified the Convention in 2012.[4]

The Commonwealth Criminal Code (the Criminal Code), located in the Criminal Code Act 1995 (Cth), remains the key Australian legislation that criminalises cyberattack. Part 10.7 of the Criminal Code deals with computer offences. Significant offences under this part are:

  • unauthorised access to, or modification of, restricted data, which carries a maximum penalty of two years’ imprisonment;[5]
  • unauthorised impairment of electronic communication, which carries a maximum penalty of 10 years’ imprisonment;[6] and
  • using a carriage service to menace, harass or cause offence, which carries a maximum penalty of five years’ imprisonment.[7]

The Telecommunications (Interception and Access) Act 1979 (the TIA Act) assists the Australian cybersecurity regime as it makes it an offence for a person to intercept telecommunications passing over a telecommunications system[8] or covertly access stored telecommunications.[9] To accede to the Convention, the TIA Act was amended so that carriers and carriage service providers became obligated to preserve stored communications in certain circumstances, facilitating the mutual assistance programme (ie, when required by domestic agencies or foreign countries).

Privacy Act

The Commonwealth Privacy Act 1988 (the Privacy Act) is generally relevant to privacy law and deals largely with the collection, use and disclosure of personal information; however, it also imposes a mandatory reporting regime for ‘eligible’ data breaches, which could occur as a result of cybersecurity issues.

An eligible data breach occurs where:

  • there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
  • the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.[10]

An entity must report an eligible data breach to the Australian Privacy Commissioner if it has reasonable grounds to believe that one has occurred, or is directed to do so by the Commissioner.

While the reporting obligation under the Privacy Act for data breach is limited to the disclosure or loss of ‘personal information’, many hacking events involve the disclosure or loss of such information and, for that reason, this obligation is relevant for entities considering their cyber liabilities in Australia.

Failure to comply with the mandatory reporting obligation may result in a complaint being made to the Privacy Commissioner. Where the failure amounts to a serious or repeated interference with privacy, the Commissioner has the power to apply penalties of up to A$50 million against bodies corporate.[11]

As at the time of writing, the Privacy Act is under review, with significant changes expected as a result of this review, including shorter time frames for notifying data breaches.

SOCI Act

The Australian government also addresses cybersecurity risk through an oversight regime of Australian critical infrastructure assets, currently enshrined in the Security of Critical Infrastructure Act 2018 (the SOCI Act).

The current regulatory framework for Australia’s critical infrastructure began in 2017 with the launch of the Critical Infrastructure Centre, which fell under the purview of the Australian Department of Home Affairs. The mandate of the Centre was initially focused on identifying risks in five key sectors: ports, electricity, gas, water and telecommunications.

In February 2017, the Centre released a discussion paper that identified two issues with carrying out its mandate. The first was that Australia did not have an asset register to capture and track information about who owns and operates Australia’s most critical assets in these high-risk sectors. The second was that the federal minister did not have the power to step in and seek information from, or issue directions to, owners and operators of critical assets when a security risk arose that could not otherwise be mitigated.

This discussion paper was the catalyst for the introduction of a bill to the federal parliament to address these two issues, and on 11 April 2018 the SOCI Act gained assent.

The original scope of the SOCI Act imposed requirements on entities responsible for or operating critical electricity, port, water or gas assets, or other assets as declared or prescribed under the SOCI Act’s subordinate legislation. It established mandatory reporting requirements and a Register of Critical Infrastructure Assets, and gave the Commonwealth the power to require information from an entity or, if necessary, to direct that entity.

From 2018 to 2020, Australia was subject to several cyberattacks, including attacks on the federal parliamentary network. Key supply chain businesses transporting groceries and medical supplies were also targeted by malicious actors.

The Australian Signals Directorate (ASD) stated that ‘Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government’ and that ‘malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale, and sophistication.’

The Parliamentary Joint Committee on Intelligence and Security also noted that it has ‘received compelling evidence that the pervasive threat of cyber-enabled attack and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and increasing at an unprecedented rate’.[12]

Disruptions resulting from cybercrime (as well as further, pandemic-related disruptions) led to the then-Minister for the Department of Home Affairs introducing a bill to enhance the regulatory framework under the SOCI Act in December 2020. Following extensive consultation with industry, the bill was split in two to fast-track urgent cybersecurity amendments. The first tranche of amendments came into force on 2 December 2021, with the second tranche following on 2 April 2022.

The SOCI Act now includes a significantly broadened definition of ‘critical infrastructure asset’. Entities that have a prescribed relationship to critical infrastructure assets are now required to undertake mandatory cyber incident reporting within 12 or 72 hours (depending on the severity of the incident).

The SOCI Act now also provides powers for the Commonwealth to direct entities or intervene in an entity’s operations if cyber incidents impact on a critical infrastructure asset.

Responsibilities of directors

Cybersecurity has recently arisen in the context of company directors’ duties. Directors may be held personally liable for cybersecurity failures through their general duties, such as:

  • the duty to exercise powers with due care and diligence; and
  • the duty to exercise powers in good faith in the best interest of the company or organisation.

Australian courts have interpreted these duties widely to extend to the cybersecurity context. The Australian Securities and Investments Commission (ASIC) affirmed this understanding, stating that cybersecurity is a high-risk aspect of conducting business.[13]

The Australian Institute of Company Directors specifically issued Cybersecurity Governance Principles to provide a clear and practical framework for organisations. It noted that directors have a critical role to play and must seek to lift their own cyber literacy levels.

Regulatory bodies

Australia has a complex web of government and statutory bodies monitoring cybersecurity issues, including:

  • the Australian Federal Police (AFP);
  • state and territory police;
  • the Australian Criminal Intelligence Commission (ACIC);
  • the Australian Security Intelligence Organisation (ASIO);
  • the ASD (referred to above);
  • the Australian Competition and Consumer Commission (ACCC);
  • the ASIC (referred to above);
  • the Office of the Australian Information Commissioner (OAIC);
  • the Australian Prudential Regulation Authority (APRA); and
  • the Department of Home Affairs.

The Australian Cyber Security Centre (ACSC) within the ASD leads the Australian government’s efforts on national cybersecurity.

Aside from the ACSC, many of the above are ad hoc regulators from a cybersecurity perspective, in that they only regulate isolated aspects of cybersecurity as an aspect of their general responsibilities.

For example, the ACCC, a competition and consumer law regulator, plays a role in regulating cybersecurity by enforcing general sections of the Australian Consumer Law that require businesses to make accurate representations about the cybersecurity of their goods and the collection of consumers’ data.[14] Similarly, ASIC can take action against companies and directors should they breach their duties with respect to corporate cybersecurity issues, and the OAIC must be notified by particular entities should certain personal information be lost or disclosed without authorisation.[15] The APRA also plays a role with respect to how APRA-regulated entities comply with cybersecurity obligations.[16]

The police, ASIO and ACIC all play roles with respect to dealing with cybercrime. The AFP and state and territory police investigate and prosecute cybercrime at differing levels. ASIO engages in counter-espionage and foreign interference operations, including providing cybersecurity advice to key stakeholders and investigating, uncovering and responding to cyberthreats to national security. The ACIC discovers and works to understand cyberthreats to Australia and associated criminal networks, coordinating with aforementioned entities to assist the Australian government in responding to such threats.

The Department of Home Affairs now plays an important role in administering the SOCI Act (discussed above).

Best practices for responding to breaches

As the primary body responsible for cybersecurity in Australia, the ACSC provides the following guidance on responding to breaches in its ACSC Annual Cyber Threat Report 2020–21:

Be prepared for a cybercrime or cyber security incident and know how to respond

Have an incident response plan and arrangements

Organisations should prepare for a cyber security incident by having incident response, business continuity and disaster recovery plans in place, and testing them. A cyber incident response plan transparently outlines agreed organisational responses to a range of cyber security incidents (see the Cyber Incident Response Plan section below). Testing through cyber exercises in a controlled environment enables organisations to respond decisively and consistently to real-world cyber security incidents, limiting potential impacts and supporting organisational recovery.[17]

Flagship cyber security advice for Australian organisations

While no set of mitigation strategies is guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, makes it much harder for malicious cyber actors to compromise systems. Furthermore, proactively implementing these strategies can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident.

The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents[.][18]

Conduct cyber security exercises

A cyber security exercise is a controlled activity using a scenario in order to simulate a real-life cyber security incident. Regularly conducting cyber security exercises provides organisations with an opportunity to review plans, policies, capabilities, roles and responsibilities in a simulated and safe environment. As a result, cyber security exercises may prove invaluable in the development of an organisation’s ability to respond to and recover from cyber security incidents.[19]

The OAIC also provides some guidance for organisations responding to cyberattacks, which, although not binding, may help inform the standard required when responding to a data breach.

Company cybersecurity obligations

While there are no general legislative cybersecurity obligations that apply to all companies operating in Australia, there are a range of cybersecurity obligations that could apply to a company, depending on the scope and scale of its operations. Notable obligations include:

  • mandatory cybersecurity incident reporting if a company is subject to the SOCI Act; and
  • if a company holds personal information and is subject to the Privacy Act, an obligation to take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Effect of local laws on foreign businesses

The effect of Australia’s laws on foreign businesses generally depends on the specific circumstances of the foreign business (eg, whether it carries on business in Australia, whether it has a local entity and the industry it operates in) and the relevant legislation.

An example of how local cyber laws may apply to foreign entities can be found in the SOCI Act. The SOCI Act expressly applies to unincorporated foreign companies, and, to overcome enforcement issues, obligations under the SOCI Act are specifically imposed on each appointed officer of the foreign company. Any offence against the SOCI Act by a foreign company is taken to be committed by each appointed officer who:

  • performed the relevant act or made the relevant omission;
  • aided, abetted, counselled or procured the relevant act or omission; or
  • was in any way knowingly concerned with, or a party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the appointed officer).[20]

Those individual appointed officers are liable to the civil penalties imposed upon companies (which are higher than those imposed on individuals).[21]

As an example of how this may impact foreign entities in practice, if a foreign business is responsible for a critical infrastructure asset and that asset suffers a cybersecurity breach of significant impact, that business would be required under the SOCI Act to report the breach. Failure to report the breach can lead to civil penalties being sought against the entity. These penalties can be up to A$55,500 for bodies corporate. If the foreign business is subject to a governmental direction to do or refrain from doing something in relation to a cybersecurity incident, and it fails to comply with that direction, pecuniary liability can be up to A$26,640 for individuals and A$133,200 for bodies corporate.[22] Penalties for failure to report or failure to comply with a direction apply per day of non-compliance.[23]

Another example of how Australian cybersecurity laws may impact on foreign businesses is found in the Privacy Act. The obligation to report data breaches will apply to an act done or practice engaged in outside Australia by an organisation, provided that organisation has an Australian ‘link’. There are several prescribed circumstances in which an organisation will be taken to have an Australian link under the Privacy Act. One example is where personal information gathered by the organisation in Australia is disclosed through cyberattack that occurs wholly overseas.[24]

The Privacy Act can also apply to foreign businesses in various situations, such as where it carries on business in Australia, or collects or holds personal information in Australia.

Private redress options for unauthorised cyber activity

There are limited specific private redress options for unauthorised cyber activity. Cases to date have focused on actions by government entities (as highlighted in the case examples below).

The ACSC provides a reporting mechanism (ReportCyber) as the central place to report cybersecurity incidents, cybercrime or cybersecurity vulnerability.

Recent trends and updates

In its Annual Cyber Threat Report 2021–22,[25] the ACSC noted that:

The ACSC received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. This equates to one report every 7 minutes, compared to every 8 minutes last financial year.

Self-reported losses from cybercrime totalled more than A$33 billion.

The ACSC identified the following key threats and trends:

  • cyberspace has become a battleground;
  • Australia’s prosperity is attractive to cybercriminals;
  • ransomware remains the most destructive cybercrime;
  • worldwide, critical infrastructure networks are increasingly targeted; and
  • the rapid exploitation of critical public vulnerabilities has become the norm.

There are clear global trends towards increasing cybersecurity regulation. In particular, many countries are moving rapidly to address the global concern of ransomware. The Australian government, having adopted a Ransomware Action Plan in 2021, considered various parliamentary bills targeting ransomware in 2021 and 2022.[26] This action coincided with an agreement by 32 countries, including Australia, to improve law enforcement, international cooperation and the response of regulators in relation to ransomware.[27] Australia, along with the rest of the world, is moving towards comprehensive cybersecurity legislation that is, in general, better equipped to manage ransomware and cybersecurity threats than the current ad hoc regime.

In 2019, the Australian government committed A$27 million over four years to the ACCC to implement a Digital Platforms Branch to counter cybersecurity issues by improving enforcement and monitoring.[28] In recent years, regulators such as the OAIC,[29] ASIC[30] and APRA[31] have increasingly voiced support for a stronger and more targeted focus on regulating cybersecurity. The decision in the RI Advice case (discussed below) demonstrates that courts are prepared to extend general duties and obligations to the cybersecurity context, and regulators are increasingly equipped and willing to hold to account those who fall below the requisite standard. The outcome of this case should serve as a warning to companies and directors that regulators and courts regard cyber resilience as a highly serious, non-optional matter.

Relevant case studies

ASIC v RI Advice

The case of ASIC v RI Advice,[32] a landmark decision by the Federal Court of Australia in May 2022, is the first Federal Court case brought by the ASIC alleging defective cybersecurity practices.[33] RI Advice’s network experienced nine cybersecurity incidents between 2014 and 2020, including fraudulent emails being sent, hacking, phishing, ransomware and unauthorised server access compromising clients’ confidential and sensitive personal information.

The Federal Court determined that RI Advice breached its obligations under subsections 912(1)(a) and (h) of the Corporations Act 2001 (Cth) as a financial services licensee by lacking adequate risk management systems in relation to cybersecurity incidents and failing to ensure that the financial services provided were exercised efficiently and fairly.

The ASIC deputy chair made the following statement[34] after the decision:

These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.

The OAIC provides some guidance for organisations responding to cyberattacks that, although not binding, may help inform the standard required from directors when responding to a data breach.

Medibank data breach

Medibank, a large health insurance provider, suffered a cyberattack in October 2022, with more than 9 million customers having their data stolen.[35]

The investigations into the data breach are ongoing, with the OAIC commencing an investigation on 1 December 2022.[36] In addition, class actions have been launched on behalf of the affected customers.

Optus data breach

Optus, a major telecommunications provider, suffered a major data breach in September 2022, with about 10 million customers affected by the cyberattack.[37] The stolen information included names, birthdates, home addresses, phone and email contacts, and passport and driving licence numbers.

The investigations into the data breach are ongoing, with the OAIC commencing an investigation on 11 October 2022.[38]


Notes

[1] Council of Europe, ‘Joining the Convention on Cybercrime: Benefits’, 16 June 2022.

[3] Explanatory Memoranda to the Cybercrime Bill 2001.

[5] Criminal Code, section 478.1.

[6] Criminal Code, section 477.3.

[7] Criminal Code, section 474.17.

[8] Telecommunications (Interception and Access) Act 1979 (the TIA Act), section 7.

[9] TIA Act, section 108.

[10] Commonwealth Privacy Act 1988 (the Privacy Act), section 26WA.

[11] Privacy Act, section 13G.

[12] Security Legislation Amendment (Critical Infrastructure Protection) Bill (2022) Digest.

[13] Australian Securities and Investments Commission (ASIC), Report No. 429, ‘Cyber resilience: Health check’, March 2015.

[14] Australian Consumer Law, sections 29, 33–34.

[15] Privacy Act, Part IIIC.

[16] Prudential Standard CPS 234 (Information Security).

[17] Australian Cyber Security Centre (ACSC), ‘ACSC Annual Cyber Threat Report: 1 July 2020 to 30 June 2021’, p. 52.

[18] ibid., p. 50.

[19] ibid., p. 53.

[20] Security of Critical Infrastructure Act 2018 (the SOCI Act), section 56.

[21] SOCI Act, section 56(4).

[22] SOCI Act, Part 3A, Division 4; Crimes Act 1914, section 4B(3).

[23] Crimes Act 1914, section 4K.

[24] Privacy Act, section 5B.

[28] Australian Government, Regulating in the Digital Age, 2019.

[29] Office of the Australian Information Commissioner (OAIC), Submission to Department of Home Affairs, ‘Australia’s 2020 Cyber Security Strategy – A Call for Views’, 11 November 2019 at 40–41.

[30] ASIC, ASIC Corporate Plan 2021–25, 2021; Karen Chester, ‘Australian Institutional Investor Roundtable’, Speech, Australian Institutional Investor Roundtable, 22 April 2021; Sean Hughes, ‘Conversation with ASIC: AFIA Risk Summit’, ASIC, 16 February 2021.

[31] Geoff Summerhayes, ‘Executive Board Member Geoff Summerhayes - speech to Financial Services Assurance Forum’, Speech to Financial Services Assurance Forum, 26 November 2020, Australian Prudential Regulation Authority.

[32] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496.

[33] ASIC, Media Release, ‘Court finds RI Advice failed to adequately manage cybersecurity risks’, 5 May 2022.

[34] ibid.
