The Commonwealth Government has recently put cyber security and data privacy reform at the centre of its agenda. In addition to the new Attorney-General flagging sweeping data privacy reform, the Commonwealth Government will have a dedicated Minister for Cyber Security for the first time. This recognises the importance of cyber security in the protection of Australia's national security and economic future, and forms part of the broader legislative reform in the cyber security and data privacy spheres.
These actions and comments reflect the Commonwealth Government's election campaign which identified the importance of the interplay between cyber security and national security, and how it is intimately entwined with Australia's defence and economic future, particularly considering recent geo-political unrest. This is evident from the Australian Cyber Security Centre's annual cyber threat report for the 2021 financial year which identified over 67,500 cybercrime reports (up 13% and nearly one incident every eight minutes), self-reported losses of $33 billion and approximately one quarter of those cybercrime reports affecting entities associated with Australia's critical infrastructure.
We expect the ongoing reforms to place increased obligations on Government entities and public sector organisations to ensure they adequately protect themselves, their operations and the data and information they hold.
Changing cyber security and data privacy landscape
The Australian Investments and Securities Commission's (ASIC) recent success in the Federal Court demonstrated the high standard of cyber security that the public is entitled to expect from organisations under general provisions not explicitly concerned with cyber security.
ASIC is not the only corporate regulator who has turned their mind to cyber security, data protection and privacy. Each of the OAIC, the Australian Competition and Consumer Commission's (ACCC), the Foreign Investment Review Board and the Australian Prudential Regulation Authority have flagged the importance of one or more of these issues in the context of compliance within the broad obligations imposed on the regulated businesses which they oversee.
To effectively deal with a global and domestic economy and lifestyle based around data, the Commonwealth Government has, for example, incorporated cyber security obligations into the Security of Critical Infrastructure Act 2018 (Cth) and is undertaking a broad review of the Privacy Act 1988 (Cth).
Impact on business of possible privacy reforms
So, is what the public is entitled to expect when it comes to cyber security and data privacy about to change? We expect the new Commonwealth Government will continue with broad reforms to set clear expectations and to increase transparency and accountability. That being so, in considering whether your organisation's current cyber security and data privacy policies and practices meet this expectation, your organisation may need to consider the following matters:
- Directors: While the Government has proposed cyber security governance standards, it is already the case that directors are expected to have identified the cyber security standards which apply in respect of the data of their organisation, customers and suppliers. Doing so will help protect the organisation from financial, reputational and operational harm and ensure compliance with their statutory and common law duties.
- Cyber security and data privacy policies: While having these policies is important, the OAIC's recent approach has been to look past what policies an organisation has in place and focus on whether those policies are operationalised (ie. complied with and continually practiced within an organisation).
- Delegation to third parties: As data and personal information can be transferred across the globe, regulators such as the OAIC have been quick to criticise organisations where they have sought to contract out of their obligations with little care for whether the third-party contractor will be able to fulfil their contractual obligations. Having contractual provisions relating to the handling of personal information may no longer be enough, particularly where sensitive personal information is concerned. That is, organisations may need to look at what sits behind the contractual promise.
- Increasing transparency: To address the information asymmetries between organisations and consumers, a number of proposals have been suggested to empower and inform consumers of how their data and personal information is managed and protected. These proposed measures include cyber security labels, an expectation of 'privacy by design' and 'privacy by default' and an obligation for organisations to demonstrate an ongoing and demonstratable comprehensive privacy management program.
- Regulatory scrutiny: Australian regulators may now be emboldened to pursue claims under general provisions in current legislative regimes to enforce what they believe to be community expectations in respect of cyber security and/or data privacy obligations.
- Consumer and shareholder scrutiny: Currently, consumers have little to no recourse against organisations where their data and personal information is compromised. One aspect of the proposed reforms to the Privacy Act 1988 (Cth) currently under consideration is whether to create a direct right of action for an individual or group of individuals. While awards of compensation to individuals for breaches of privacy may be individually low, the prospect of facing claims by groups impacted by large data breaches elevates the issue to one of material concern.
Dealing with each of the above issues will likely bring with it direct and indirect costs, be they administrative, legal or operational. However, your organisation may well find that these must be incurred to protect against the potential financial, reputational and operational harms associated with not having adequate systems. Accordingly, organisations should prepare for the future and protect themselves from a real and growing regulatory risk.