Recent months have seen the conclusion of two significant consultations by the government on sweeping potential changes to cyber security and privacy regulatory settings. The proposed changes emphasise that the government sees enhancing the cyber resilience and data management practices of Australian organisations as a high policy priority.
Cyber Security Strategy 2023-2030
In February, the Department of Home Affairs released its discussion paper on the development of an Australian Cyber Security Strategy 2023 – 2030 (available here). The Government has appointed an Expert Advisory Board comprised of ex-Telstra CEO, Andy Penn AO, former Air Force Chief, Air Marshall (Ret’d) Mel Hupfeld, and Cyber Security Cooperative Research Centre CEO, Rachael Falk, to advise on developing the strategy.
The consultation raised a number of significant policy questions with the overarching policy objective of driving Australia to be the most cyber secure nation by 2030. Of most interest to AICD members was whether:
- Company directors should have specific obligations to address cyber security risks and consequences;
- Cyber ransom payments should be prohibited – both by victims of cybercrime and/or insurers;
- Expanding the existing regime for notification of cyber security incidents (e.g. to require mandatory reporting of ransomware or extortion demands) would improve public understanding of the nature and scale of cybercrime;
- There should be a single reporting portal for all cyber incidents to reduce reporting to multiple regulators; and
- Further reforms to the Security of Critical Infrastructure Act 2018 (SOCI Act) are required
The AICD provided a submission, emphasising that directors are highly engaged on the governance of cyber security and data protection and are acutely aware of the significant damage a cyber security incident can create, including major financial, litigation and reputational risks that often flow from these events.
We encouraged the government to take a coordinated approach across policy areas, recognising the extent of complex, related reforms such as in privacy domain. In our view, there is no shortage of legal obligations encouraging robust board oversight, so any new regulation should be thought through carefully.
In particular, we argued against the creation of a new specific cyber director duty as Australia’s existing corporations’ law and directors’ duties already provide a comprehensive legal framework that obliges directors to effectively oversee the management of cyber security risk and build cyber security resilience. Further, no comparable jurisdiction has imposed a cyber duty on directors, according to legal analysis from King & Wood Mallesons, commissioned by AICD (available here).
Our submission also recognised the policy complexity in assessing whether to prohibit ransomware payments and whether we should limit incentives for cyber criminals to target Australian businesses and individuals. However, we did not support a strict legislative prohibition on the payment of ransoms and extortion demands by either victims or insurers, reflecting that a ransom situation can be very complex and that an outright ban may have unintended consequences.
In late April, the AICD hosted a roundtable with the Hon. Clare O’Neil MP, Minister for Home Affairs and Cyber Security, members of the Expert Advisory Board and senior directors in Melbourne. The roundtable was a key opportunity for the Minister and directors to share perspectives on building cyber security resilience and the necessary supporting policy environment.
Privacy Act Review
The Privacy Act Review commenced in 2020 with a Final Report released on 16 February 2023. The final report contains 116 separate proposals to reform the Privacy Act. The Attorney General’s Department consulted on proposals in the report in March to inform the Government’s response – expected in the middle of 2023.
The scope of proposals contemplated under the report is considerable, and were they to be implemented fully, or in part, they would fundamentally transform the privacy law framework in Australia. The Privacy Act would be broader in scope, more prescriptive and there would be considerable costs for businesses of all sizes in complying. For further details on the proposals in the Final Report, see these AICD articles from March 2023 and May 2023. The AICD is hosting a webinar on 7 June 2023 on the Privacy Act Review and the implications for data governance. The webinar is free for members and you can register here.
The AICD provided a submission in which our key message was that in undertaking privacy reforms, the government must appropriately balance strengthening how Australians’ personal information is collected, stored and protected with not unduly stifling the innovative use of data or imposing a counterproductive regulatory burden.
The AICD did not support the removal of the current exemption for all small businesses as doing so would significantly increase regulatory costs for small businesses with limited improvements in privacy practices. As an alternative, we considered that for small businesses in particular high risk data settings could be required to meet all or some of the Privacy Act requirements.
The AICD provided in-principle support for the introduction of a direct right of action and a statutory tort for privacy for individuals to seek compensation in circumstances where loss or damage has been suffered as a result of an interference of their privacy. Recognising the high-risk cyber environment, and inherent vulnerability to attacks, the AICD has however cautioned against compensation being awarded unless significant fault by the entity can be shown – particularly where ‘loss or damage’ may include non-economic loss (e.g. humiliation or injury to a person’s feelings). Without a serious harm threshold, there is a risk of unintended consequences including a real risk of class action proliferation.
We also urged the government to consider the report’s recommendations holistically with the development of the 2023-2030 Australian Cyber Security Strategy. A coordinated approach across these two reform initiatives must be taken to ensure policy settings are consistent and do not unnecessarily add to the existing complexity of cyber security and data management obligations. KWM analysis highlights that Australia has not fallen behind comparable jurisdictions when it comes to cyber related regulation. Indeed, critical infrastructure laws are some of the strongest globally.
We will continue to update members as these two critical policy processes develop.
What can directors do to navigate cyber security and data management risk?
In October 2022, the AICD, in collaboration with the Cyber Security Cooperative Research Centre (CSCRC), developed the Cyber Security Governance Principles (Principles) to provide a framework for Australian directors to oversee and engage with management on cyber security risk.
The Principles, which received endorsement from the Cyber Minister and were the subject of consultation with key government agencies, provide directors of all sizes of organisations with practical guidance to build cyber resilience and improve the data management practices. The Principles have been downloaded more than 16,000 times, reflecting directors’ focus on this critical topic.
Already a member?
Login to view this content