By Patrick Hill & Hans Allnutt


Published 30 September 2022

Overview

New security measures to be unveiled after Optus suffers large-scale data breach

Optus (a Singtel subsidiary and Australia’s second-largest telco) suffered a highly publicised cyberattack in late September 2022, which has reportedly resulted in the disclosure of personal data belonging to millions of current and former customers, including driver’s licence and passport numbers.

As would be expected, a breach of this magnitude at a company of this prominence is likely to trigger significant change, both to the law and to the approach and tolerance of regulators. The Home Affairs minister has indicated that the government will make material changes to the privacy measures and penalties that apply following cyber security incidents. Among these is a proposed requirement that banks and other institutions be informed earlier of data breaches, so that compromised personal data cannot be used to access accounts and so that affected customers’ accounts can be monitored. The government has also flagged significant fines for data breaches of this type, mirroring the fines available under overseas regimes.

While the extent and applicability of these regulatory measures are yet to be determined, reform of the federal Privacy Act 1988 (Cth) has been flagged since 2019 and has remained on the back burner.


Cyber: RI Advice Case – Corporate Regulator Takes Action for Multiple Cyber Breaches

In August 2020, Australia’s corporate regulator the Australian Securities and Investments Commission (ASIC) commenced proceedings against RI Advice for alleged breaches of its obligations as an Australian financial services licensee under section 912A of the Corporations Act 2001 (Cth) following numerous cyber incidents.

ASIC and RI Advice reached an agreed settlement earlier this year. On 5 May 2022, the Federal Court made declarations of contraventions and ordered RI Advice to conduct a cybersecurity audit and contribute $750,000 towards ASIC’s costs.

While this is the first time ASIC has used its powers to enforce licensing obligations in a cyber context, the case is not necessarily a watershed moment. The proceedings involved unusual circumstances, in that RI Advice had experienced multiple cyber incidents over time rather than a single event.


Cyber | Insurance: Federal Court decision underscores the need for cyber-specific insurance

The recent decision in Inchcape Australia Limited v Chubb Insurance Australia Limited [2022] FCA 883 (under appeal) shows the importance of insureds purchasing cyber-specific cover.

Inchcape, a large automotive retailer, was hit by a ransomware attack and, rather than claiming under a cyber-specific policy, sought to recover its response and recovery costs under its Chubb electronic and computer crime policy (a policy designed to cover fraudulent payments). The policy was found to respond to some, but not all, of those costs. The key issue was whether the costs Inchcape incurred were ‘direct’ financial losses resulting from damage to or destruction of data within the terms of the policy.

The Court found that the terms of the crime policy, read together, meant that any cost involving the intervening step of Inchcape deciding to incur it was not ‘direct’ enough to fall within cover. The scope of cover was limited to those costs every insured would necessarily and inevitably incur as a result of damaged data, and no more; in this case that was essentially limited to the cost of replacing certain physical media and the data stored on it.


Cyber | Insurance: Claims against MSPs and CSPs on the rise

As ransomware and related cybercrime have established themselves among Australia’s fastest-growing security threats, there has been a corresponding increase in claims against IT professionals and other service providers. Liability risks for managed service providers (MSPs) and cloud service providers (CSPs) in particular have risen significantly: the privileged access these businesses hold across many customer environments makes them, and in turn their customers, prime targets for cybercriminals.


Cyber | Regulation: Next Tranche of Security of Critical Infrastructure Obligations Commence

The Security of Critical Infrastructure Act 2018 (Cth), as amended in 2021 and 2022, imposes positive security obligations on 11 Australian critical infrastructure sectors. From 8 July 2022, responsible entities for critical infrastructure assets have been required to report cyber security incidents to the Australian Cyber Security Centre (ACSC), adding to an already complex set of overlapping obligations to report cyber incidents and data breaches (summarised in the table below).


Privacy: Google $60m penalty decision illustrates heightened risk climate for data collection in Australia

On 12 August 2022, in proceedings brought by the ACCC, the Federal Court ordered Google to pay $60m in penalties for misleading and deceptive conduct regarding the collection of Android mobile users’ location data.

Google’s contravening conduct arose from the gap between what users would reasonably have understood from turning their ‘Location History’ setting off and the effect of other settings (in particular ‘Web & App Activity’). Rather than clearly stating that location data could still be collected, Google left Android users to ‘click through’ to other information to discover this.


Australian cyber incident and data breach notification obligations at a glance (as at September 2022)

| Who must notify | Who is notified | What triggers the obligation | Maximum timeframe for notice | How to notify | Act or regulation |
|---|---|---|---|---|---|
| Owners/operators (responsible entities) of ‘critical infrastructure assets’ | Australian Cyber Security Centre (ACSC) | Cyber security incident | 12 hours (incident has a significant impact on the asset) or 72 hours (incident has a relevant impact); a follow-up written report is due within 84 hours of an oral report | Urgent oral report – 1300Cyber1; written report – cyber.gov.au | Security of Critical Infrastructure Act 2018 (Cth) |
| APRA-regulated entities (banks and other authorised deposit-taking institutions, superannuation funds, insurers) | APRA | Information security incident that has a material effect on the entity or on the interests of depositors, policyholders, beneficiaries or other customers, or that has been notified to another regulator | 72 hours (but as soon as possible) | To the entity’s usual APRA contacts | CPS 234 Information Security |
| Organisations with annual turnover above $3M, and others covered by the Privacy Act 1988 (Cth) | OAIC and affected individuals | Eligible data breach | As soon as practicable after the incident has been assessed and a statement describing it prepared (an assessment may take up to 30 days after the entity becomes aware of the incident) | Statement to the OAIC and notifications to affected individuals | Privacy Act 1988 (Cth) |
| Carriers | ACSC | Cyber security incident with a significant impact on the availability of any of the carrier’s assets | As for SOCI Act reporting | As for SOCI Act reporting | Telecommunications (Carrier Licence Conditions – Security Information) Declaration 2022 |
| Eligible carriage service providers | ACSC | Cyber security incident with a significant impact on the availability of any of the provider’s assets | As for SOCI Act reporting | As for SOCI Act reporting | Telecommunications (Carriage Service Provider – Security Information) Determination 2022 |
| Accredited data recipients in a designated Consumer Data Right sector (currently banking only, with energy to follow in November 2022 and then telecommunications) | ACSC | Security incident | As soon as practicable, and no later than 30 days | Unclear – we would suggest following the SOCI Act reporting method above | Competition and Consumer (Consumer Data Right) Rules 2020 |