Australian Cyber Security: A Primer

Posted by Mark Greisiger

A Q&A with Leah Mooney of MinterEllison
The cyber security field is rapidly evolving in Australia where new legislation, growing costs and an increased awareness of threats and liability have spurred discussion and concern. I spoke with Attorney Leah Mooney, special counsel in the Insurance and Corporate Risk Group of MinterEllison, about the state of affairs in Australia and what businesses operating there might need to know about looming risks and how to mitigate them.

Can you give us an overview of the legal climate around cybersecurity and privacy and associated regulatory issues in Australia?
It’s an exciting time to be a cybersecurity and privacy lawyer in Australia. A number of recent high-profile data breaches have placed the issue firmly on the agenda for regulators, law makers and boards. Our corporate regulator has provided a clear indication that cyber security and privacy is a board-level issue and has introduced the term “cyber resilience” into common usage through the release of Report 429: Cyber resilience health check for the benefit of the regulated population. Our privacy regulator has recently been granted enhanced powers to help protect the privacy of individuals’ personal information and, while notification of data breaches is not currently mandatory, there has recently been an increase in voluntary notifications. Against this legal and regulatory climate we have seen a significant increase in the availability and uptake of specialist cyber insurance products to assist organizations in allocating and managing cyber security and privacy risks.

Do you feel there will eventually be a national law that compels businesses to notify victims of a data breach?
The Government has recently released for industry consultation a draft bill to require mandatory notification of serious personal information data breaches. A “serious” data breach will include instances where there is a real risk of harm to an individual to whom the loss of information relates. The proposed mandatory notification scheme will require notification to both the privacy regulator and the affected individuals, unlike the two-tier approach favored in other jurisdictions.

Are there any existing fines and penalties for weak security/privacy practices that lead to a breach?
The privacy regulator’s enhanced powers include the option to make civil penalty orders in cases of serious or repeated interferences with the privacy of an individual, although we have not yet seen the regulator apply this penalty since the introduction of the new powers.

Has any significant data breach litigation—for instance, class action suits—been brought against organizations?
Not yet, although fortunately Australia has not yet seen a data breach on the scale of Target or similar international breaches. Given that Australia does not have a statutory tort for breach of privacy, any future class action litigation is likely to be founded on a breach of contractual obligations to keep personal information secure or the general prohibition on misleading or deceptive conduct under the Australian Consumer Law.

What are Australian corporate risk managers or insurance buyers most concerned about right now?
Corporate risk managers have a challenging role in the developing legal and regulatory landscape. Cyber resilience is key and risk managers should work with key stakeholders to develop a cyber resilience plan. This process should include:

  • Undertaking a contractual review to identify the allocation of risk and responsibility;
  • Identifying critical systems, data and services;
  • Investing in employee training;
  • Understanding and implementing antivirus software, firewalls and data encryption;
  • Securing a specialist cyber security and privacy insurance policy to allocate risk.

In Summary…
We want to thank Leah for her expertise and legal insights. We have been monitoring the cyber risk activity in the Australian region. With the rise of new laws and events being triggered around the world cyber risk is really a global risk management issue. This can result in a worldwide quilt of legal/regulatory exposure for an organization whose system or data crosses borders.

—###—

NetDiligence® is a cyber risk assessment and data breach services company. Since 2001, NetDiligence has conducted thousands of enterprise-level cyber risk assessments for organizations. NetDiligence services are used by leading cyber liability insurers in the U.S. and U.K. to support loss-control and education objectives. NetDiligence hosts a semiannual Cyber Liability Conference attended by risk managers, privacy attorneys and cyber liability insurance leaders from around the world. NetDiligence is also an acknowledged leader in data and privacy breach prevention and recovery. Its eRiskHub® portal (www.eriskhub.com) is licensed by cyber liability insurers to provide education and breach recovery services to their policyholders.