Optus… Medibank… Canva… Latitude… what do all of these companies have in common?

Over the last 3 or 4 years, each of the above companies has seen its customers’ private information compromised in a monumental data security breach. Whilst some of these breaches have been more high-profile or have received more media attention than others, what remains indisputable is the loss of trust from each of their respective consumer bases after their private information fell into the hands of unknown hackers with indiscernible (and potentially malicious) intentions.

How is this relevant for my church or small business?

These data breaches now spark some important questions:

What does this mean for churches and businesses? 

What about smaller entities (and even basic religious charities)?  

The members of your church congregation may want to ensure that their private and sensitive information is safe in the hands of these aforementioned companies, but they will also want to ensure that these details are also safe in the hands of their own church!  This is particularly the case when being on a church database has implications for the categorisation of religious affiliation.

The Federal Government’s agreement in principle to the proposals of the Attorney General’s Privacy Act Review Report has reinforced the need for small businesses and religious institutions to consider the effectiveness of their current systems (or lack thereof) for collecting and protecting the personal and sensitive information they hold, use and/or disclose. In addition to future-proofing your church or business against ever-changing privacy laws, designing your operational systems with privacy in mind gives congregants and customers greater confidence that their private information is secure and reinforces your commitment to serving their best interests.

What is “Privacy by Design”?

The Office of the Australian Information Commissioner provides useful guidance on Privacy by Design. Privacy by Design is the process of “embedding good privacy practices into the design specifications of technologies, business practices and physical infrastructures”.[i] An example of Privacy by Design in action might be completing privacy impact assessments when seeking to collect private information, to assist in designing a church’s or small business’ privacy collection processes.

The importance of Privacy by Design is highlighted by The Australian Privacy Foundation, who reiterates a concept which may be self-obvious based upon the widespread responses to the recent corporate data breaches: “Australians value privacy. They expect that their rights to privacy be recognised and protected.”[ii]

Considering that personal information includes anything that identifies a person – including sounds, images, data and fingerprints (to name but a few methods) – there are numerous ways in an ever-increasing technological age in which privacy expectations might be abused and in which people might feel violated by how their personal information is treated. This remains a truism, even if the privacy law reforms struggle to be, or are never, fully implemented.

Potential Upcoming Reforms: The Privacy Act Review Report and Proposed Reform of the Privacy Act 1988 (Cth)

In 2019, the Department of the Attorney General commenced a review into the Privacy Act 1988 (Cth) – the predominant piece of legislation governing privacy protection obligations of Australian businesses and not-for-profit entities – to ensure the Act’s provisions and protections remained fit for purpose.

The review culminated in the release of the Privacy Act Review Report 2022 (the “Privacy Report”), in which a number of recommendations were put forth to amend the Privacy Act – the aim being to increase the Act’s regulatory effectiveness and to bring the Act more closely into line with the expectations of the community.[iii]

Are small churches and small businesses exempt from the Privacy Act?

Normally, small businesses are exempt from the obligations imposed by the Privacy Act by virtue of the “Small Business Exemption”.[iv] This is because the Privacy Act does not currently apply to persons or entities who are “small business operators” (i.e. persons or entities that carry on exclusively one or more “small business[es]”). Where a business has an annual turnover of less than $3 million and does not fall within a specific exception under the Privacy Act, that business will likely be a “small business” and exempt from Privacy Act obligations (although, if you operate a business that is not a small business and also operate a small business then this exemption may not apply).

However, the Government has recently “agree[d] in-principle” with the Privacy Report’s recommendation to remove the Small Business Exemption.[v] This proposal, if actioned, would mean that small business operators would have duties under the Privacy Act governing how they use, protect and secure the personal and sensitive information with which they come into contact. Such changes would be particularly relevant to small religious organisations, as the information that these entities often hold about the “religious beliefs or affiliations” of persons is likely to be “sensitive information” to which the Act attaches significant privacy obligations.

The Government has outlined that prior to any legislative reform there will likely be a further period of consultation with small businesses to examine the impacts of any proposed removal of the exemption. Whilst there is no draft legislation yet proposed which scopes the extent of any changes to the Privacy Act, nor has there been an indication of when we are likely to see any such legislation, the Government’s initial responses mark the commencement of a valuable opportunity for small businesses to start considering whether their privacy policies and data protection mechanisms are up to standard.

A Cyber Expert’s Opinion

To assist small businesses in the consideration of their data privacy and information security procedures, we asked Brett Randall, founder of technology consultancy group Fractl with over 20 years’ experience in technology management, for his insights into some common questions small businesses and churches might have.

Q. What is a Privacy Impact Assessment, and how can it assist small organisations in upholding privacy obligations?

A. “Generally, before a new information-related project starts, such as the roll-out of a new Church Management System, a privacy impact assessment should be conducted. As the title suggests, this assesses what the impact of this system on the privacy of the individuals affected will be and determines if there are any gaps between what the law requires, and what the project or system delivers. When conducted properly, it offers a high level of assurance to organisations that they have met their privacy obligations and are effectively protecting their constituents and stakeholders. The Office of the Australian Information Commissioner outlines the ten recommended steps to undertake a PIA, which all organisations should go through ideally prior to, but even after, a new system is implemented.”[vi]

Q. What is the first thing you would suggest to an organisation that has already collected personal information?

A. “Start with this very easy exercise: write down what systems you might have people’s data in, what types of information you are storing, and, for each system, who has access to it. Now, think about if there is any data you don’t actually need to keep. Note this down, and work to minimise the data you are storing, as well as who has access to it. The less you have, the less that can be lost.”

Q. Should organisations prepare and maintain a publicly accessible Privacy Policy? If so, why?

A. “Absolutely! Even for organisations exempt from the Privacy Act, their members and stakeholders engaging with them will want to know what information is kept, how/where/why it is kept, and what their avenues are if they require assistance. A privacy policy link on the bottom of your website is the standard place that people look when they want to know how you protect their information. While there are templates available, the best policy is one tailored to your actual processes, policies and systems. It’s an easy step that helps provide confidence to others.”

Q. What does “best practice” privacy look like for churches and similar religious institutions?

A. “We must remember that privacy exists as a right and a law, so that people feel, and are, safe. For churches, nonprofits and other religious institutions, a commonality within their missions is to help people live their lives to the full – safely, effectively, and with opportunities to grow. In the era we’re in, a privacy breach isn’t just an inconvenience – it can literally lead to life-threatening situations, as well as significant life-altering events such as identity theft, bankruptcy, and fraud in the name of the impacted individuals. Best practice privacy looks like a leadership who takes privacy seriously, educates themselves on it, and interweaves good privacy practices throughout their organisations.”

Q. What should an organisation do if they find out that the security or privacy of sensitive or personal information in their possession has been compromised?

A. “Most churches don’t have the capacity to keep technology and legal people on-staff for these possible events. So, look for people you trust now who you can start talking to about security and privacy, so that you can start to make some positive adjustments as well as know who to turn to if there is ever a compromise. In most breaches, technology experts are required to ascertain the extent of the breach, and legal and risk experts determine how to report it, and to whom, to minimise harm both to the individuals affected as well as to your organisation.”

If your organisation is seeking to understand its privacy requirements, or if you are looking to review your current privacy policies and systems, let the experienced team at Corney & Lind Lawyers assist you. Give us a call today on (07) 3252 0011 or send us an enquiry by filling out our online form available here.

 

About the Authors:

Tim Whincop, Director, Corney & Lind Lawyers

Jackson Litzow, Lawyer, Corney & Lind Lawyers

Brett Randall, Founder, Fractl

____________________

[i] ‘Privacy By Design’ can be found here: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/privacy-by-design.

[ii] Australian Privacy Charter, December 1994.

[iii] The Privacy Act Review Report (2022) can be found here: https://www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report

[iv] See Privacy Act 1988 (Cth) s 6D.

[v] See in particular page 6 of the Government Response: Privacy Act Review Report (2023) available here: https://www.ag.gov.au/rights-and-protections/publications/government-response-privacy-act-review-report; and Proposal 6.1 of the Privacy Act Review Report (2022).

[vi] The ten steps can be found here: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/guide-to-undertaking-privacy-impact-assessments

Business lessons from insufficient cybersecurity measures

The case of ASIC v RI Advice Group [2022] FCA 496

With the current online landscape and the recent 2022 Optus and Medibank cyberattacks, cybersecurity measures should be at the forefront of many businesses’ minds. The landmark cybersecurity case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 is the first of its kind to find that a financial institution contravened the Corporations Act 2001 (Cth) (Act) by having insufficient cybersecurity measures.

This case follows on from ASIC’s previous 2020 proceedings against RI Advice Group (to read more about these proceedings, click here). This 2022 case study demonstrates ASIC’s regulatory role and highlights the importance of companies’ compliance with cybersecurity legislation.

 

Background

The Defendant, RI Advice Group, was a subsidiary of the ANZ Banking Group that held an Australian Financial Services Licence. It had between 89 and 119 Authorised Representatives (ARs). These ARs provided financial services on the Defendant’s behalf. Since 15 May 2018, it had at least 60,000 clients.

During the period of 15 May 2018 to 6 August 2021, the Defendants were held to have contravened sections 912A(1)(a) and (h) of the Act. Since they had failed to have documentation and controls adequate to manage cybersecurity risks, it was determined that the financial services the Defendants were providing were not provided efficiently, honestly and fairly.

The relevant sections of the Act are provided below:

(1) A financial services licensee must:

(a)  do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly; and

(h)  …have adequate risk management systems; …

Prior to 15 May 2018, the Defendants acknowledged that they had no documentation, controls and risk management systems that were adequate to manage cybersecurity risks. However, the Defendants were not audited for their compliance with the professional standard requirements for financial advisers.

The Defendants’ lack of cybersecurity measures was highlighted by the fact that they had no up-to-date antivirus software, no filtering or quarantining of emails and no backup systems in place. They also had poor password practices, which involved the sharing of passwords, the continued use of default passwords and the storage of passwords in easily accessible locations.

Between 2014 and 2020, 9 cybersecurity incidents occurred, including the hacking of email accounts, website providers, servers and a reception computer. Notably, in some events, fraudulent emails were sent to clients requesting fund transfers, and clients’ personal information was compromised, held for ransom and used without authorisation.

From early 2018, in response to some of the incidents, the Defendants undertook various security steps, which included the implementation of training sessions, incident reports, professional standards, compliance auditing and the engagement of external security advisory firms. However, these practices were not adequately incorporated or complied with by all of the Defendant’s ARs until 6 August 2021.

Since the parties had settled the matter and the Defendants admitted they were in breach and should have had more robust cybersecurity measures in place, the Judge had to consider whether there was a proper basis for making the parties’ proposed declarations and orders.

 

Judgement Reasons

It was declared that the Defendants were in breach of sections 912A(1)(a) and (h) of the Act.

Further, under section 1101B(1) of the Act, the Defendants were ordered to establish a cyber security compliance program and continue their engagement of the external cybersecurity expert.

To be in breach of section 912A(1)(a) of the Act, there does not need to be a dishonest act. An act or omission that fails to meet a reasonable standard of fair and efficient service is sufficient. Further, services must be provided with competence, with reference to social and commercial norms and standards. While it was held that having inadequate procedures and training is a failure to act efficiently and fairly, there was no social or commercial norm that the Defendants were in breach of.

It was also considered that since cyber risk management is a highly technical area, it requires the expertise of a relevantly skilled person. Therefore, the adequacy of risk management must be informed by people with technical expertise in the area, not the general public.

The Court believed it appropriate to make the declaration to deter future contraventions of financial services laws, notwithstanding the Defendant’s acts were careless and unintentional.

ASIC had a real interest in bringing the matter as a public regulator to ensure licensees are aware that the relevant provisions of the Act apply to the management of cybersecurity risks and the public are protected from sensitive information breaches.

 

Need Assistance? We can help

With criminals moving into cyberspace to target victims, it is vital for businesses to maintain adequate and updated cybersecurity measures, including security protocols and systems. Adhering to ASIC’s cybersecurity standards requires consideration of an individual business’s circumstances and capacity.

Our expert team at Corney & Lind Lawyers has extensive experience in advising on the provisions of various company policies and procedures, the roles and expectations of company directors and responding to the legal ramifications of cyber security incidents. Contact our team for further assistance and tailored, informed advice or call us on (07) 3252 0011 to book an appointment with one of our Lawyers today.

This article was written by a Corney & Lind law clerk

 

Related Cybersecurity Articles

https://corneyandlind.com.au/litigation/cyber-security-for-australian-business/

https://corneyandlind.com.au/commercial-litigation/asic-cybersecurity-privileged-documents-test-case/

https://corneyandlind.com.au/litigation/cyber-security/guide-notifiable-data-breaches-scheme/

Cyber-security and legal risks

In January 2020, Allianz published the results of its annual Risk Barometer survey[1], which identified cyber incidents as (for the first time ever) the most important global business risk. It affirms that cyber-security issues are increasingly taking precedence as a concern for businesses.

Under the header of this risk, Allianz reported the following trends which are of particular relevance to law firms:

    1. “Data breaches larger and more expensive” – “As companies collect and use ever greater volumes of personal data, data breaches are becoming larger and costlier….”;
    2. “Litigation prospects rising” – “Data breach litigation in the US is a developing situation. A number of large breaches have triggered class actions by consumers or investors…”; and
    3. “M&A can bring cyber issues” – “Even the best protected companies will be exposed if they acquire a company with weak cyber-security or existing vulnerabilities.”

In light of this risk, Australian entities should consider introducing additional proactive procedures into their privacy governance, keep up to date with new data and privacy related litigation developing in the industry and consider additional auditing and protective measures when buying or selling a business.

 

New obligations and procedures

In Australia, the Privacy Act 1988 (Cth) sets out 13 Australian Privacy Principles. These principles require applicable entities to ensure that they are compliant with a number of obligations including (without limitation):

    1. To have an up-to-date policy about the management of personal information by the entity (Australian Privacy Principle 1);
    2. Disclosing how the entity will use and disclose the personal information it collects (Australian Privacy Principle 6);
    3. Imposing obligations in relation to cross-border disclosure of personal information by the entity (Australian Privacy Principle 8);
    4. Ensuring personal information collected is accurate, up-to-date and complete (Australian Privacy Principle 10); and
    5. Ensuring personal information is kept secure (Australian Privacy Principle 11).

2017 amendments to the Privacy Act 1988 (Cth) also introduced mandatory “eligible data breach” obligations. The amendments extend not only to unauthorised electronic data breaches, but may also apply to “physical” data breaches, such as losing an unencrypted USB containing confidential client information whilst taking public transport. If a notifiable data breach occurs, the entity may potentially be required to notify the Australian Privacy Commissioner, professional associations or persons who are affected by the data breach.

In the age of the international retail business, internet shopping and global charities, it is not only Australian legislation that has application to Australian entities. Potentially, the use and disclosure of data in, and transfer out of, the UK, EU and EEA areas by an Australian entity can be subject to the General Data Protection Regulation.

Accordingly, an Australian entity should consider:

    • What their obligations are in relation to the collection, use, disclosure and maintenance of personal and sensitive information;
    • Whether their privacy and cyber-security policies and procedures are up-to-date; and
    • Whether a regular technology and cyber-security audit, and a technology road-map, are needed. The audit should consider what cyber-security gaps currently exist in the entity’s I.T. environment (for example, gaps arising from support for Windows 7 ending on 14 January 2020). The road-map should consider what new hardware and software is needed to protect confidential data.

 

New types of cyber-security litigation

Allianz’s report identifies that data breach litigation is continuing to develop globally. Potentially, that wave of litigation could find its way to Australian shores, noting that a recent Office of the Australian Information Commissioner Statistics Report[1] attributes 35% of reported data breaches to human error (including unintended disclosure or loss of a data storage device), rising to as high as 55% in the health sector.

Apart from data breaches, litigation over privacy matters is notably occurring within Australia. Summaries of recent published Australian decisions that highlight changes ordinary businesses are needing to make to their business models and practices include:

‘QP’ and the Commonwealth Bank of Australia Limited (Privacy)[2]:

    • The Complainant had a credit card for his business with the Commonwealth Bank of Australia (“CBA”).
    • In 2013, CBA sold the debt to Credit Corp Group (“CCG”), and the Complainant entered into a payment plan in 2013 with the Commonwealth Bank.
    • In January 2015, the Complainant had been advised by CCG that the debt had been paid and finalised.
    • However, in June 2015, CBA advised the Complainant that the debt was still outstanding. This affected the Complainant’s credit applications.
    • The Commissioner determined that:
      • CBA interfered with the Complainant’s privacy by using and disclosing personal information about the Complainant which was inaccurate, out-of-date and/or incomplete, in breach of Australian Privacy Principle 10.2;
      • CBA was required to issue a written apology acknowledging its interference with the Complainant’s privacy, and pay the Complainant $15,000 for non-economic loss;
      • CBA was to make changes to its policies and operational procedures, establishing reasonable steps to ensure that financial information about a person that CBA uses or discloses is accurate, complete, up-to-date and relevant in accordance with its privacy obligations, and provide a copy of its amended policies and procedures to the Privacy Commissioner; and
      • CBA was to engage an auditor to assess its practices and the effectiveness of its amended policies and processes, and provide a report to the Commissioner.

‘RC’ and TICA Default Tenancy Control Pty Ltd (Privacy)[3]:

    • TICA provides information services to a number of industries by providing access to various online databases to real estate industry members for a fee. This included maintaining a Public Record Database (“PRD”) which collates publicly available information such as daily court lists.
    • In February 2014, the complainant was a party to a proceeding in the New South Wales Civil and Administrative Tribunal.
    • This information was not altered after February 2014, notwithstanding that the evidence was that the proceedings were no longer on foot.
    • The complainant discovered that her personal information had been listed in TICA’s PRD when she sought private rental accommodation, and made a complaint in July 2014 that TICA had published her personal information on its PRD and disclosed this information to property agents. The complaint included that TICA did not take reasonable steps to ensure that the complainant had been made aware of the collection of her personal information.
    • TICA contended that it did not have the contact details of the complainant, nor was it in a position to locate these details from the face of the information on the PRD listing, and therefore was not in a position to take reasonable steps to bring to the complainant’s attention the fact of the listing of her personal information on the PRD.
    • The Commissioner decided that TICA had failed to take any reasonable steps to comply with its obligation to ensure the complainant was aware of the collection of information, and declared that:
      • TICA was to produce a notice on a tenant-accessible portion of its website that addresses various matters that will assist persons in identifying how TICA collects, uses and discloses information, and how those persons can contact TICA about their personal information; and
      • TICA was to issue an apology and pay $1,500 to the complainant for non-economic loss.

 

New considerations for when purchasing or selling a business

New obligations and increased cyber-security risks may mean that the modern business purchaser would need to consider new obligations to introduce into their contracts. These would of course vary depending on the nature of the business, but potential new considerations can include:

    • Conducting an audit of the business’ I.T. environment and security before the merger, and identifying what risks need to be addressed before (or after) completion;
    • Identifying what personal and sensitive information is being acquired through the business acquisition, and testing whether the information is (without limitation):
      • Kept securely;
      • Current and up-to-date; or
      • Otherwise compliant with obligations under the Privacy Act 1988 (Cth).

If you seek legal advice on cyber-security and legal risk, make an appointment with our client engagement team to speak with a litigation lawyer.

This article was written by James Tan (Director) & Judith Mendes (Graduate Law Clerk).

 

Footnotes

[1] Office of Australian Information Commissioner, Notifiable Data Breaches scheme 12-month insights report, https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-scheme-12month-insights-report/, published 12 May 2019.

[2] [2019] AICmr48.

[3] [2019] AICmr 60.

[1] Allianz Global Corporate & Specialty, Allianz Risk Barometer 2020, https://www.agcs.allianz.com/news-and-insights/reports/allianz-risk-barometer.html, January 2020.

Cyber security for Australian business

The threat environment 

In June 2020, the Prime Minister brought to the Australian public’s attention the vulnerabilities they may face through insecure cyber assets. He announced that, after attacks from a “sophisticated, state-based cyber actor”, the Government was on heightened alert to this relatively new threat to Australian industries and businesses.[1]

The threat of an attack from a state-based actor may not, at first instance, pose an acute threat to most small to medium-sized businesses. However, business-owners should be aware of the increasing prevalence of online attacks by smaller but nonetheless damaging adverse actors.

First, it may be helpful to clarify the difference between cyber security and online safety. As provided by the Australian Cyber Security Strategy 2020[2] (discussed further below):

    1. Cyber security includes providing Australians with secure online protection of their data, information, devices and networks from malicious actors. The Australian Cyber Security Centre (ACSC), via cyber.gov.au, is the main point of contact for the public on cyber security.
    2. Online safety includes protecting individuals, families and communities from harmful content and behaviours such as cyber bullying, image-based abuse and illegal and harmful online content. The eSafety Commissioner, via esafety.gov.au, is the main point of contact for the public on online safety.

The scope of this article will cover, predominantly, the impacts and expected responses to cyber security as it relates to the operation and protection of Australian businesses and individuals.

 

Key statistics 

In 2016, the ACSC began as an initiative of the Australian Signals Directorate (run by the Department of Home Affairs) to combat cyber threats, inform the public about them and regulate the role of cyber security within Australia. Since 2019, the ACSC has commenced multiple inquiries and reports specifically addressing the increasing threat of cyber-attacks. Of particular note to Australian businesses is the ACSC’s current Cyber Security Strategy 2020. This Strategy is largely informed by the ACSC Annual Cyber Threat Report 2019-2020, which provides statistics indicating how relevant cyber threats are to all Australians.

Figure 1 below outlines the threats to various groups within Australia, categorised by cyber security incidents (a single event or series of events that threatens the integrity, availability or confidentiality of digital information) from least severe (Category 1 or C1) to most severe (Category 6 or C6). The largest proportion of incidents (36.5%) were Category 5 – Moderate Incident.

Figure 1: Categorization of Cyber Incidents 2019-2020[3]

 

As provided by the ACSC Report, the increase in cybercrime reports (Figure 2) directly correlates with the cyber security incidents to which the ACSC responded in 2019 to 2020 (Figure 3). Both figures show the general trend of increasing cyber threats from December 2019, with a sharp spike in April 2020.

Figure 2: Number of Cyber Security Incidents, per month, 2019-2020[4]

Figure 3: Cybercrime reported, per month, 2019-2020[5]

 

In April 2020, the ACSC reported that there were multiple large, co-ordinated attacks which consisted mainly of phishing emails seeking to obtain sensitive information about Australian businesses and individuals. It is reported that the adversary threatened to release the sensitive information of recipients’ friends and family unless paid a ransom.

Fraud and extortion was the most prevalent category of all cybercrime reports, making up 39.68% of the total reported cybercrimes.[6] This statistic alone should be of particular concern to Australian businesses given the estimated overall loss of $850 million to Australians in 2020 from cyber scams.[7] This loss was an increase of 23% from the year prior.[8] It has been estimated that the total private sector cost of cyber security incidents is as high as $29 billion per year.[9]

 

Government response 

The Cyber Security Strategy 2020

The aforementioned ACSC Cyber Security Strategy 2020 (“the Strategy”) seeks to respond to these concerning statistics by providing both legislative proposals and practical guidance to assist Australians and their businesses. Key actions include:

1. Provisions in the Telecommunications and Other Legislation Amendment (Assistance and Access) Act to provide law enforcement with broader powers to deter and disrupt dark web adverse actors;

2. The investment of $855.1 million over the next ten (10) years into the Australian Signals Directorate and to “enabling and enhancing intelligence capabilities”;

3. Enforcing positive security obligations for entities responsible for critical infrastructure such as energy, water and mining. This will be done through amending the Security of Critical Infrastructure Act 2018. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 currently sits before the Commonwealth Parliament with the positive security obligations involving three aspects:

a. Adopting and maintaining an all-hazards critical infrastructure risk management program;

b. Mandatory reporting of serious cyber security incidents to the Australian Signals Directorate; and

c. Where required, providing ownership and operational information to the Register of Critical Infrastructure Assets.

4. In line with advice from the 2020 Cyber Security Strategy Industry Advisory Panel and stakeholder feedback, the Australian Government will work with businesses on possible legislative changes clarifying the obligations of businesses that are not critical infrastructure to protect themselves and their customers from cyber security threats. The consultation will consider multiple reform options, including the role of privacy and consumer protection laws and the duties of company directors; and

5. Ongoing consultation with industry and businesses.

 

Industry and Businesses Consultation

Central to the consultation with industry and business is the Regulations and Incentives discussion paper, which sets out further strategies the Government proposes to take in response to cyber security threats. Its purpose is to put policy options to industry and business for comment, including their commercial incentives and costs.

Briefly, the paper considers implementing possible new policies, such as:

1. Minimum cyber security standards for the protection of personal information, given effect through the Privacy Act 1988 (Cth) (“the Privacy Act”);

2. Mandatory standards and labelling for ‘Internet of Things’ smart devices, through the Code of Practice: Securing the Internet of Things for Consumers;

3. Promoting responsible vulnerability disclosure policies;

4. Promoting cyber security health check programs for small businesses, with a basic level of due diligence provided by a third party or the Government; and

5. Legal remedies for consumers through reform of the Australian Consumer Law and a direct right of action under the Privacy Act.

The Government is currently allowing submissions on its Regulations and Incentives discussion paper, until 11:59pm on Friday 27 August 2021. Visit the Department’s webpage to make a submission.

 

Guidance for cyber security protection

The ACSC has compiled the following guidance for businesses and individuals on preventing and responding to cyber security incidents arising from fraudulent or compromised emails. Given the statistics above, a clear understanding of this guidance will help mitigate the most pertinent cyber risk Australians face: becoming a victim of email fraud.

 

Email Security Prevention Protection Guide

    1. Turn on multi-factor authentication. Multi-factor authentication requires two or more of: something the user knows (a password or PIN), something the user has (a smartcard, security key or mobile phone) and something the user is (biometric data such as a fingerprint). A stolen password alone is then not enough to sign in. Contact your IT provider to enable it;
    2. Protect your domain names. This may mean registering domain names similar to your existing domain (common misspellings and alternative extensions) so that they cannot be used to impersonate you. Note the expiry dates of your domain registrations so that none lapse and can be re-registered by someone else;
    3. Set up email authentication measures. Discuss with your IT provider the implementation of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). These protocols let receiving mail servers verify that a message claiming to come from your domain was actually sent by you, and a DMARC policy of ‘quarantine’ or ‘reject’ tells them what to do with messages that fail (a policy of ‘none’ only monitors and does not block spoofed mail);
    4. Make your personal online presence private. Ensure that personal social media accounts do not post sensitive business-related information or documents, which can be used to craft convincing phishing emails;
    5. Ensure policies and procedures are up to date. Multiple policies and procedures are relevant to the privacy and security of Australian businesses. Such policies are necessary to meet legal obligations and to mitigate external (and internal) cyber security threats;
    6. Training and awareness. Ensure all staff and employees are aware of the expectations clients, customers and employers hold in relation to cyber security. Financial and banking practices are particularly important: verify any change to a supplier’s payment details through a known contact number before acting on it, and ensure that receiving and making payments is secure.
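Step 3 above tells you to ask your IT provider for SPF, DKIM and DMARC, but it does not show what a weak configuration looks like next to a sound one. The following is an added example, not part of the ACSC guidance or the original article: a small Python audit that reads an SPF record and a DMARC record (the values that live in DNS TXT records for your domain and for _dmarc.your-domain) and flags settings that leave spoofed mail deliverable. The records it checks are constructed, the domain names in them are made up, and the severity ratings are this example’s own heuristics.

```python
"""Audit SPF and DMARC TXT records for common weaknesses.

The records below are constructed examples, not any real domain's records.
In practice the SPF value comes from a TXT lookup of the domain itself and
the DMARC value from a TXT lookup of _dmarc.<domain>; the severity ratings
are this example's own heuristics, not an official scale.
"""
from dataclasses import dataclass

# RFC 7208 caps these mechanisms/modifiers at 10 DNS lookups per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass(frozen=True)
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high", "medium" or "info"
    message: str


def term_name(term: str) -> str:
    """'include:_spf.x.test' -> 'include', '-all' -> 'all', 'redirect=y' -> 'redirect'."""
    name = term.lower().lstrip("+-~?")
    for sep in ("=", ":", "/"):
        name = name.split(sep, 1)[0]
    return name


def check_spf(txt: str) -> list:
    findings = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "no valid SPF record (missing v=spf1)")]
    all_terms = [t for t in terms[1:] if term_name(t) == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "high", "no 'all' mechanism: unlisted senders get a neutral result"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("SPF", "high", "'+all' authorises every host on the internet to send as this domain"))
        elif qualifier == "?":
            findings.append(Finding("SPF", "high", "'?all' is neutral: spoofed mail neither passes nor fails"))
        elif qualifier == "~":
            findings.append(Finding("SPF", "medium", "'~all' is soft fail: receivers usually only mark, not reject"))
    lookups = sum(1 for t in terms[1:] if term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(Finding("SPF", "high", f"{lookups} DNS lookups exceed the limit of 10; SPF evaluates to permerror"))
    if any(term_name(t) == "ptr" for t in terms[1:]):
        findings.append(Finding("SPF", "info", "'ptr' mechanism is deprecated and slow; use ip4/ip6 or include instead"))
    return findings


def parse_tags(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; rua=...' into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> list:
    findings = []
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("DMARC", "high", "no valid DMARC record (missing v=DMARC1)")]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(Finding("DMARC", "high", "missing or invalid p= tag: receivers ignore the record"))
    elif policy == "none":
        findings.append(Finding("DMARC", "high", "p=none only monitors: spoofed mail that fails SPF/DKIM is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "medium", "p=quarantine: move to p=reject once aggregate reports show no legitimate failures"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct}: policy applies to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "medium", "no rua= address: you will not receive aggregate reports showing who is spoofing you"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(Finding("DMARC", "medium", "sp=none leaves subdomains unprotected"))
    return findings


def audit(spf_txt: str, dmarc_txt: str) -> list:
    return check_spf(spf_txt) + check_dmarc(dmarc_txt)


# Constructed records: a typical 'set up once and forgotten' pair, then a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mailhost.test include:spf.crm.test ~all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 include:_spf.mailhost.test ip4:203.0.113.10 -all"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.test"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(f"{label}: {len(audit(spf, dmarc))} finding(s)")
        for finding in audit(spf, dmarc):
            print(f"  [{finding.severity}] {finding.record}: {finding.message}")
```

The usual progression is to publish DMARC with p=none and an rua= address first, read the aggregate reports for a few weeks to find legitimate senders (CRM, newsletter and invoicing services) that are missing from SPF or not signing with DKIM, then move to p=quarantine and finally p=reject. DKIM is not checked here because its public key lives in a selector-specific record (selector._domainkey.your-domain) whose name you need to know from your mail provider.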

 

Emergency Response to Email Hacking

    1. Report to authorities. Reporting cyber security incidents through the ACSC’s ReportCyber portal routes the report directly to the police jurisdiction of the affected person or business. Take note of the Report Reference Number (beginning with ‘CIRS-’) for your records. If the incident involves money, also report it to your bank or financial institution;
    2. Check your account security. Reviewing the security of an email account involves several steps, which may be taken when an incident is suspected or as general due diligence:
      • Change your password/passphrase/PIN;
      • Update your account recovery details (phone numbers and third-party accounts used for recovery), removing any you do not recognise;
      • Sign out of all other sessions, including other open browser tabs and other computer sign-ins;
      • Enable multi-factor authentication, as discussed earlier;
      • Review account mail settings, including mailbox rules (attackers commonly add rules that forward mail to an external address, or delete or hide messages about invoices and payments so the victim does not notice the fraud);
      • Review third-party application access and revoke anything unfamiliar;
      • Check login activity for unfamiliar locations or devices; and
      • Review your email folders, devices and other accounts;
    3. Notify contacts and relevant third parties. Under the Privacy Act, certain organisations and businesses must take positive action in the event of a ‘notifiable data breach’: where personal information is lost, or accessed or disclosed without authorisation, and this is likely to result in serious harm to any individual. The organisation’s privacy policy and data breach response plan should set out how such breaches are handled;
    4. Request a domain takedown through the .au Domain Authority, auDA. auDA is the official Australian authority for all “.au” domains. If a domain is suspected of being used against your business, you can contact its registrar through the Registrar Abuse Contact Email listed in the domain’s WHOIS record, by visiting:

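The mailbox rule review in step 2 above is where business email compromise is most often caught, yet the guidance does not say what a malicious rule looks like. The following is an added example, not part of the ACSC guidance or the original article: a Python check that runs over a set of mailbox rules and flags the patterns attackers leave behind (forwarding to an outside address, deleting or hiding matching mail, targeting payment-related subjects, and near-empty rule names). The rules are constructed inline and their field layout (displayName, isEnabled, conditions, actions) is modelled on the Microsoft Graph messageRule resource as an assumption; ORG_DOMAINS, the keyword list and the folder list are this example’s own choices, so adapt them to your environment.

```python
"""Flag mailbox rules that match common post-compromise patterns.

The rules below are constructed, shaped after the Microsoft Graph
'messageRule' resource (displayName, isEnabled, conditions, actions); that
field layout is an assumption, so adapt the accessors to whatever your
mail platform exports. The patterns checked are this example's own choices.
"""
import json

ORG_DOMAINS = {"example.test"}  # assumption: the organisation's own email domain(s)
SENSITIVE_KEYWORDS = ("invoice", "payment", "bank", "remittance", "password", "urgent")
# Folders users rarely open, so mail moved there is effectively hidden from them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items"}

# Constructed sample: one benign rule, one classic attacker rule, one subtle one, one disabled one.
CONSTRUCTED_RULES = json.loads("""[
  {"displayName": "Client newsletters", "isEnabled": true,
   "conditions": {"senderContains": ["news@partner.test"]},
   "actions": {"moveToFolder": "Newsletters", "markAsRead": true}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"subjectContains": ["invoice", "payment", "bank details"]},
   "actions": {"forwardTo": [{"emailAddress": {"address": "acct.recovery9@mail-drop.test"}}],
               "delete": true, "stopProcessingRules": true}},
  {"displayName": "Archive IT notices", "isEnabled": true,
   "conditions": {"senderContains": ["it-security@example.test"]},
   "actions": {"moveToFolder": "RSS Feeds", "markAsRead": true}},
  {"displayName": "Old forward (disabled)", "isEnabled": false,
   "conditions": {},
   "actions": {"forwardTo": [{"emailAddress": {"address": "me@personal-mail.test"}}]}}
]""")


def external_recipients(actions: dict) -> list:
    """Addresses outside ORG_DOMAINS that this rule forwards or redirects to."""
    external = []
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for recipient in actions.get(key, []):
            address = recipient.get("emailAddress", {}).get("address", "").lower()
            if address and address.rsplit("@", 1)[-1] not in ORG_DOMAINS:
                external.append(address)
    return external


def audit_rule(rule: dict) -> list:
    """Return human-readable reasons this rule looks suspicious (empty if none)."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    external = external_recipients(actions)
    if external:
        reasons.append("forwards or redirects to external address(es): " + ", ".join(external))
    if actions.get("delete"):
        reasons.append("deletes matching mail" + (" after forwarding it" if external else ""))
    folder = str(actions.get("moveToFolder", "")).lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matching mail into a rarely viewed folder ('{folder}')")
    keywords = [k.lower() for key in ("subjectContains", "bodyContains") for k in conditions.get(key, [])]
    hits = sorted({k for k in keywords if any(s in k for s in SENSITIVE_KEYWORDS)})
    if hits:
        reasons.append("matches finance or credential keywords: " + ", ".join(hits))
    if len(rule.get("displayName", "").strip()) <= 1:
        reasons.append("rule name is empty or a single character")
    return reasons


def audit_mailbox(rules: list) -> dict:
    """Map each enabled rule's name to its reasons; disabled rules are skipped
    here but are still worth a glance, since an attacker can re-enable them."""
    flagged = {}
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        reasons = audit_rule(rule)
        if reasons:
            flagged[rule.get("displayName", "")] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_mailbox(CONSTRUCTED_RULES).items():
        print(f"rule {name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the sample, the benign newsletter rule is silent, the “.” rule is flagged on four counts, and the “Archive IT notices” rule is flagged only for routing the IT security team’s warnings into a folder nobody reads, which is exactly the kind of rule that survives a cursory look. Treat the flags as a prompt for a human review rather than an automatic delete: a legitimate forward to a personal address is still a finding worth removing, but the person who created it should be asked first.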
 

Further assistance

Proper adherence to cyber security principles and expectations depends on a business’ individual circumstances and capacity. Ensuring compliance with obligations such as those arising under the Privacy Act and Australian corporate and consumer law is essential for all relevant Australian businesses.

Our expert team at Corney & Lind Lawyers has extensive experience in advising on company policies and procedures (including Privacy Policies), the roles and expectations of company directors, and responding to the legal ramifications of cyber security incidents. Contact our team for further assistance and tailored, informed advice.

This article was written by a Law Clerk.

 

Footnotes

[1] Statement of Malicious Cyber Activity Against Australian Networks; 19 June 2020; Prime Minister, Minister for Home Affairs and Minister for Defence.

[2] Page 5, ACSC Cyber Security Strategy 2020.

[3] Figure 2, page 7; ACSC Annual Cyber Threat Report 2019-2020.

[4] Figure 1, page 6; ACSC Annual Cyber Threat Report 2019-2020.

[5] Figure 5, page 10; ACSC Annual Cyber Threat Report 2019-2020.

[6] Page 11, ACSC Annual Cyber Threat Report 2019-2020.

[7] Page 1, ACCC Targeting Scams: Report of the ACCC on Scams Activity 2020.

[8] Ibid.

[9] Frost and Sullivan 2018, Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World, available at https://news.microsoft.com/apac/2018/05/18/cybersecurity-threats-to-cost-organizations-in-asia-pacific-us1-75-trillion-in-economic-losses/.