Australian Government consultation to protect Australia from digital piracy: are new directors' duties on the horizon?

By James Constantine, Sam Fiddian and David Benson
05 Aug 2021

On 13 July 2021, the Australian Government opened consultation on options for regulatory reforms and voluntary incentives to strengthen the cyber security of Australia's digital economy. This call for views has been made in response to concerns about cyber security under-investment and information asymmetries (the difference in cyber security knowledge held by suppliers and consumers).

This initiative is the latest in a line of proposed digital, privacy and cyber reforms and strategies announced by the Government and key regulators, such as the Australian Competition and Consumer Commission, to align the law with the growing reliance on digital technologies and community expectations.

With at least 11 billion accounts globally, billions of dollars of global economic damage a year, and critical infrastructure – such as the largest fuel pipeline in the United States – falling foul of cyber-attacks, it is apparent that bad actors are becoming bolder and more sophisticated.

In its consultation paper, the Government has identified three key aims:

  • setting clear cyber security expectations;
  • increasing transparency; and
  • protecting consumer rights.

Each of these key aims is discussed in more detail below together with the proposals as to how they may be achieved.

Setting clear cyber security expectations

The Government is concerned about underinvestment in cyber security by businesses and the associated risks to Australia's economy, infrastructure and individuals' privacy. Under the proposal to set clear expectations, businesses and authorities will be expected to continue to actively monitor the cyber risk environment to ensure continued compliance with their obligations.

The consultation paper envisages that this may take the form of:

  • Governance standards for large businesses – As larger businesses are more likely to have dedicated cyber security teams and, if attacked, are more likely to significantly impact national security and the economy, the Government proposes to introduce either voluntary, Government co-designed, or mandatory governance standards for large businesses. The proposed mandatory standards would impose strict obligations which may place a higher onus on directors.
  • Broad cyber security standards – The Government may encourage the uptake of cyber security best practices through the introduction of a cyber security code, which would incorporate a broad cyber security standard into the Privacy Act 1988 (Cth) so as to create regulatory incentives.
  • Standards for smart devices – The Government proposes to adopt, in whole or in part, the European Telecommunications Standards Institute's baseline standard for smart devices, which would require manufacturers to implement baseline cyber security requirements for smart devices.

Increasing transparency

To address information asymmetries, the Government proposes to introduce a number of consumer-friendly labels or trust marks to assist consumer and business decision-making in respect of products susceptible to cyber security issues. This may involve:

  • Voluntary rating or mandatory expiry labelling for smart devices – The proposed voluntary rating label approach would follow the cyber security rating labels implemented by Finland, Singapore and the United Kingdom, similar to the six-star energy rating labels we are now familiar with on electrical appliances and equipment. The proposed mandatory expiry label would display the length of time that security updates will be provided to a smart device.
  • Responsible disclosure policies – A responsible disclosure obligation would require vulnerabilities to be reported to software developers, businesses or agreed third parties, including the Government. The proposed policy responds to recent research which suggests that 50% of vulnerabilities exist for longer than 438 days, compromising many businesses' cyber security.
  • Health checks for small businesses – In response to feedback from small businesses that they have limited time, money and cyber security expertise, the Government proposes to introduce a voluntary cyber security health check program. It is proposed that small businesses would self-assess their own compliance against a Government-issued self-assessment, with a basic level of due diligence provided by the Government or a third party. If satisfactory, the business would receive a 12-month cyber-health check trust mark.

Protecting consumer rights

To complement the cyber security and transparency aims, the Government is seeking to ensure consumers and individuals are able to obtain appropriate compensation where a business fails to meet its obligations and to incentivise businesses to maintain acceptable levels of cyber security.

To ensure a consumer or individual is able to obtain appropriate compensation after a cyber-attack, the Government has highlighted potential reform to the Australian Consumer Law and the Privacy Act, as well as alluding to interplay with a director's duty to act in the best interests of the company and for a proper purpose, whether as discrete proceedings or class actions.

Key takeaways

The introduction of even some of these proposals, particularly the more onerous mandatory standards and obligations, would significantly impact businesses' approach to cyber security and the handling of personal information.

Those interested in helping shape the discussion have been encouraged to file submissions in response to the issues paper by 27 August 2021. We are happy to assist businesses, large and small, assess the potential impact of the changes raised in the issues paper, and to help craft your response.

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.