Digital Bytes – cyber, privacy & data update

Quick summary

Developments in cyber, privacy and data continue to evolve rapidly, so we’ve summarised highlights from the past three months to give you a whirlwind tour of the most significant updates.

• In late September, all eyes were on the Australian Government’s response to the Privacy Act Review Report. Relatively few of the 116 recommendations were accepted outright, and most were “agreed in principle” and will be subject to further consultation and refinement. Meanwhile, Queensland is updating its privacy laws, applicable to Queensland government bodies, including modernised ‘Queensland Privacy Principles’ and a mandatory data breach notification scheme.
• ASIC has been unequivocal in its expectations that boards and companies up their game on cyber security. The results of its latest cyber pulse survey indicate that companies are typically underprepared.
• The Australian Government has committed to introducing ransomware and ransom payment reporting laws, and to establishing a Cyber Incident Review Board.
• The number of “systems of national significance” declared under the Security of Critical Infrastructure (SoCI) laws has almost doubled, while the Australian Government has also committed to regulating telecommunications as a type of critical infrastructure under the SoCI Act.
• More insights on cyber risk come from the Australian Signals Directorate’s latest report summarising cyber threats in 2022-23, and the Five Eyes’ adoption of five Principles of Secure Innovation.
• Australia’s digital ID scheme is progressing towards significant expansion, after exposure draft legislation and Rules were released for consultation. This legislation will permit the scheme to be used outside government, by private sector entities.
• The Australian Communications and Media Authority (ACMA) has continued its enforcement focus on compliance with the Spam Act, with the A$500,000 fine issued against Ticketek for sending commercial electronic messages without consent, and to individuals who had unsubscribed.
• Recent Optus litigation is a timely reminder to carefully plan how to preserve legal professional privilege when handling a data breach. The Office of the Australian Information Commissioner (OAIC) has also cracked down on mandatory data breach notification, with determinations against two organisations that took too long to investigate before notifying.
• Carefully defining transition out obligations in technology contracts will save a significant headache down the track, as demonstrated by StarTrack’s litigation against its consumables portal supplier, which continued offering the portal to StarTrack’s customers after the contract ended.
• Given the close interest the Australian Competition & Consumer Commission (ACCC) takes in digital platforms and technology, organisations should ensure that their standard form contracts with individuals and small business consumers are cleansed of unfair contract terms after reforms took effect on 9 November 2023. The ACCC is also progressing a new ‘unfair trading practices’ prohibition, which will penalise conduct that otherwise falls short of existing prohibitions.

Government green-lights fairly few Privacy Act reform recommendations

In the latest instalment of review and reforms to the Privacy Act 1988 (Cth), the Australian Government released its response to each of the 116 recommendations made by the Attorney-General, on 28 September 2023.

The Government agrees with 38 recommendations, most of which focus on procedural matters, enforcement powers and guidance of Australia’s privacy regulator, the OAIC, while others are recommendations for “further consultation” only.

Some of the substantive recommendations with which the government agrees are:

• introducing new provisions in relation to consents for the use of personal information for research;
• enhanced obligations in relation to using personal information for automated decision-making;
• white-listing certain jurisdictions as jurisdictions to which personal information may be disclosed; and
• new civil penalty provisions for mid-tier breaches that do not meet the “serious” threshold and low-tier penalties for specific administrative breaches.

The Government “agrees in principle” with the majority of the recommendations, including those in relation to:

• refining the definitions of personal information and sensitive information;
• reducing the scope of the small business and employee record exemptions;
• updates to privacy policy and collection notice requirements;
• consent requirements and privacy default settings;
• a requirement for personal information handling to be fair and reasonable;
• record-keeping;
• nominating a privacy officer to be responsible for privacy compliance;
• specific rules for children’s personal information;
• expanding individuals’ right to access personal information;
• introducing a right of erasure (‘right to be forgotten’) and a right to de-index online search results for particular categories of information;
• direct marketing, targeting and trading of personal information;
• refining information and cyber security requirements, including information retention periods;
• introducing the concept of ‘controllers’ and ‘processors’ (service providers);
• updates to the overseas data flow requirements;
• introducing a direct right of action and a statutory tort for serious invasions of privacy; and
• updates to the notifiable data breaches scheme.

However, it says that further consultation is required before the Government will take a specific position in relation to those recommendations, to ensure that any reforms strike the “right balance” between privacy rights and impacts on regulated entities.

It “notes” the remaining 10 recommendations (including the suggested removal of the political parties’ exemption). We do not expect these recommendations will be progressed any further.

The Government will release an exposure draft of legislation for the recommendations with which it agrees, for consultation in 2024. It will also further progress consultation on the recommendations with which it “agrees in principle”.

The upshot is that given any substantive overhaul to privacy laws will not occur quickly, entities should continue to take steps to manage and review their compliance against the existing privacy laws, as this continues to be a focus of regulatory and media attention, and an increasing area of interest to individuals.

Overhaul of Queensland’s Information Privacy Act

Even while the future state of the federal privacy laws is in flux, Queensland is progressing a refresh of its 2009 privacy laws that apply to Queensland government bodies. A Bill introduced to Parliament on 12 October 2023 proposes to replace the existing Information Privacy Principles and National Privacy Principles with a consolidated and modernised set of Queensland Privacy Principles (QPPs), which mirror the current Australian Privacy Principles under the federal laws to a significant extent.

It also introduces a new mandatory data breach notification scheme, which extends the federal scheme by:

• requiring the breach to be contained;
• requiring the regulator to be notified if an assessment of a suspected breach takes longer than 30 days; and
• requiring the agency to publicly publish its data breach response plan.

Not only are these reforms of interest to Queensland government bodies, but also any organisation providing services to a Queensland government body whose contract requires it to comply with Queensland privacy laws.

ASIC’s unequivocal cyber security focus

Turning now to cyber security, and Australia’s corporate regulator, the Australian Securities and Investments Commission (ASIC), has made it loud and clear that cyber security is a focus and that it expects boards to be taking it seriously.

On 18 September 2023, in a speech at the Australian Financial Review Cyber Summit, ASIC’s Chair delivered “one message” to their audience: in a world where every system is vulnerable and reliance on third-party providers is a risk, evaluate your third-party supplier cyber risk. ASIC is urging companies to remediate the current disconnect between board oversight, management reporting on cyber risks to boards, identification and remediation of cyber risks, cyber risk assessments and implementation of cyber risk controls. ASIC is clear: “failing to do so could mean failing to meet your regulatory obligations”.

On 13 November 2023, ASIC published the results of its latest cyber pulse survey of almost 700 organisations, finding that overall respondents had a weighted average cyber maturity score of 1.66 out of four. It calls on organisations to move from being reactive to proactive, identifying the top four areas for improvement as:

• supply chain risk management;
• data security and protection of confidential information;
• consequence management; and
• adoption of cyber security standards.

Expansion of regulated critical infrastructure

The Security of Critical Infrastructure Act 2018 (Cth) (SoCI Act) imposes a raft of registration, cyber security and notification obligations on operators of “critical infrastructure assets” (when declared under Rules) and “systems of national significance” (when declared by the Minister).

On 8 September 2023, the Australian Government announced that a further 87 systems of national significance had been declared, in addition to the existing 81 systems. The specific systems declared are confidential.

Further, in the wake of the recent Optus network outage, on 13 November 2023 the government announced that telecommunications companies would be included in the categories of “critical infrastructure” under the SoCI Act. These SoCI Act requirements will apply alongside the existing security obligations imposed on telecommunications companies under the Telecommunications Sector Security Reforms (TSSR), passed in 2017.

Ransomware reporting laws and a new Cyber Incident Review Board to be introduced

After a series of failed attempts to pass ransomware and ransom demand reporting laws in 2021, the Australian Government has announced its intention to pass laws requiring Australian companies to report ransomware events, and whether ransoms are paid. As the Minister for Home Affairs, Clare O’Neil MP has noted, “It will be a mandatory no-fault, no-liability ransomware reporting obligation for businesses that would require business to report any ransom incident, demand or payment to Government.”

While further details on these laws have not yet been published, the Government’s imminent new Cyber Security Strategy 2023-2030 is expected to focus on the growing threat of ransomware, as well as a “whole of nation” cyber uplift framed around “six shields” of cyber security: an informed citizenry and business sector; safe technology; world-class threat sharing and blocking; reliable critical infrastructure; sovereign capability; and a resilient region.

Minister O’Neil has also announced that the Government will establish a new Cyber Incident Review Board, tasked with investigating major cyber attacks, to better “understand how we can reinforce Australia’s national cyber shields.” It will be modelled on other international and domestic agencies like the US Cyber Safety Review Board. The Board’s investigations will be “no fault” and designed purely to collect information and improve cyber defences, and its learnings will be shared with businesses and the wider public.

The Australian Signals Directorate releases cyber threat report for 2022-23

On 14 November 2023, the Australian Signals Directorate (ASD) released its 2022-23 Cyber Threat Report. The ASD includes the Australian Cyber Security Centre, which received almost 94,000 reports of cyber events in the reporting period. The ASD responded to 1,100 of these incidents, and engaged in other proactive monitoring and cyber education activities.

Key takeaways from the report include:

• the average cost of cyber crime is on the rise. The average cost to Australian businesses was $40,000 - $70,000 (depending on the size of the business) per cyber crime report.
• critical infrastructure is a target of State actors.
• cyber criminals’ tactics attempt to extract maximum payment from victims.
• while all of the ASD’s Essential Eight cyber security requirements are important, prompt patching of critical vulnerabilities is particularly important, as unpatched vulnerabilities are increasingly used as a vector for cyber crime.

The Defence Minister has announced support for a “temporary safe habour” that would encourage companies to report cyber attacks by providing temporary relief from liability and regulatory actions.

Five Eyes’ five Principles of Secure Innovation

The first Emerging Technology and Security Innovation Security Summit was launched in October 2023 by the leaders of the Five Eyes intelligence partnership. At the summit, the Five Eyes partners consisting of the heads of the Australian Security Intelligence Organisation and its equivalents in Canada, the US, the UK and New Zealand, launched five principles to help businesses protect themselves against security threats – the five Principles of Secure Innovation.

The five Principles of Secure Innovation are:

1. Know your threats: understand the ways in which State-backed and hostile actors may try to get hold of the business’ innovations or technology.
2. Secure your environment: create an effective system for security risk management, including:
   • risk ownership – appoint a board-level security lead to be responsible for considering security in business decisions and working with the business on security matters;
   • risk identification – identify critical assets and potential threats;
   • risk assessment – assess security risks; and
   • risk mitigation – protect critical assets by implementing physical and virtual barriers, access controls and detection measures, and plan the business’ response to security risks.
3. Secure your products: build security into your products from the start, and actively protect and manage intellectual assets, property and the business’ expertise (this will also help maintain the commercial value of any innovation or technologies).
4. Secure your partnerships: manage the risks associated with partnering with investors, suppliers and collaborators, including by:
   • performing background checks;
   • taking a strategic (and intentional) approach to sharing information with partners; and
   • including legal protections for your assets and data in contracts.
5. Secure your growth: manage security risks as the business grows, in particular:
   • as the business enters new international markets, considering export controls, jurisdiction risk and travel security; and
   • as the business expands its workforce, introducing security measures such as pre-employment screening, security training, and development of the business’ security culture.

The five Principles of Secure Innovation are guided by MI5’s updated Secure Innovation guidance. This guidance may be useful resource for more information on proportionate physical, cyber and personnel security arrangements.

Digital identity exposure draft legislation open for consultation

Australia has been preparing to roll out its existing Trusted Digital Identity Framework beyond government for some time now, but needs legislation to expand the digital identity scheme. On 19 September 2023, the Government released the draft Digital ID Bill and Accreditation Rules for consultation (which closed in late October).

The Digital ID Bill 2023 (Cth) proposes a framework in which Australia’s digital identity scheme can operate, predominantly under the Digital ID Rules and Accreditation Rules, with supplementary requirements on data, technical matters and service standards set out separately. It features:

• the establishment of a Digital ID Regulator to oversee the Digital ID System;
• specific privacy safeguards, particularly in relation to biometric information, unique identifiers and restricted attributes;
• a liability and redress framework; and
• provisions for a Digital ID “trustmark” to be used by accredited participants in the Digital ID System.

Consultation ended on 10 October 2023, and will be taken into account when producing a refined version of the legislation, which will be introduced to Parliament. The rollout will be phased, starting with reciprocal use of Digital ID in States and Territories, followed by private sector services, and finally private sector Digital IDs for accessing particular government services.

Spam Act enforcement action against Ticketek highlights narrow scope of “factual” messages exception

Following the DoorDash infringement notice in August 2023, ACMA has now fined Ticketek more than A$500,000 for sending texts and emails to recipients who had not given their consent, and to recipients who had unsubscribed.

In relation to some of the messages, Ticketek argued that they were ‘designated commercial electronic messages’ (which could be sent without consent, and without an unsubscribe function) as messages containing only factual event information. However, while ACMA acknowledged that one of the purposes was to provide event information, the messages “also had a purpose to advertise or promote tickets to events” because it contained links to Ticketek’s social media accounts.

This enforcement action again reinforces how narrow the ‘factual information’ exception is to the general spam requirements, and that organisations should rely on it very carefully. If organisations seek to rely on this exception, links to social media accounts should not be included.

The importance of preserving privilege during data breach investigations

A good data breach response plan and data breach preparedness includes measures to maintain legal professional privilege over appropriate documents. The importance of this step has been highlighted in recent litigation in which Optus has sought to avoid disclosing a copy of Deloitte’s review of its 2022 data breach and related documents.

The Federal Court of Australia rejected Optus’ claim of legal professional privilege, finding that Optus had not established that the dominant purpose of the review and report was to obtain legal advice or for use in litigation or regulatory proceedings (although it was one of the purposes).

The Court particularly noted that Optus had made public announcements committing to having Deloitte undertake the review, and that a claim of privilege was at odds with those public announcements. The Federal Court’s decision highlights that clear and specific evidence of key decision-makers of an organisation as to their intention with and understanding of an investigation of an incident will be a critical consideration in any court decision in respect of a privilege claim.

OAIC paying attention to delays in assessing and notifying data breaches

Since the mandatory data breach notification laws took effect under the Privacy Act 1988 (Cth) in 2018, the OAIC’s focus has been on investigating the highest profile data breaches and regularly reporting on notification statistics. However, it has recently released two determinations which show that it is paying attention to organisations that fail to notify, or take too long to notify.

In Pacific Lutheran College, an unauthorised actor obtained access to an email account containing approximately 180,000 emails, and sent phishing emails to over 8,000 contacts. The event occurred in late May 2020. A forensic report was finalised in mid-October 2020, and the OAIC was notified in mid-December 2020. The OAIC found that the College had breached its data breach investigation and OAIC notification obligations under the Privacy Act 1988 (Cth), and had also failed to take reasonable steps to protect affected individuals’ personal information in breach of APP 11.1.

Datateks also involved unauthorised access to email for the purposes of conducting a phishing campaign. The unauthorised access occurred in late June 2020, the investigation concluded in September 2020, and the OAIC was notified in mid-January 2021. The OAIC found that Datateks had breached its data breach investigation and OAIC notification obligations.

Both determinations contain a wealth of information about data breach handling and the requirement for expeditious progress in completing a data breach assessment. Importantly, both determinations emphasise that an organisation should prioritise notifying the OAIC even if it takes longer to notify affected individuals for logistical reasons.

Both determinations include an order with very detailed requirements in relation to the incident response plan that each organisation must develop. These requirements should be used as a checklist for organisations to ensure that their data breach response plan is up to scratch. In Pacific Lutheran College, the orders also included detailed requirements about the information security program that the organisation must implement.

The importance of clear transition out obligations in technology contracts

In the excitement of signing a new deal, transition out obligations can often receive insufficient attention. This is demonstrated by the recent Federal Court case of StarTrack Express v TMA Australia, which arose out of StarTrack terminating its contract with TMA, the IT provider of the consumables purchasing portal used by StarTrack’s clients. Following termination, TMA re-purposed the portal for the sale of its own consumables, and continued to use the portal to sell its consumables to StarTrack’s clients – it appeared at the same URL and the clients could use their same login.

In the absence of clear transition out obligations addressing the portal, StarTrack’s claim (currently being considered on an interlocutory basis) attempts to rely on confidentiality and non-solicitation obligations to require TMA to discontinue the supply of the portal to StarTrack’s clients. The judge in the interlocutory hearing has already indicated that there are some weaknesses in that argument.

The decision serves as a timely reminder that detailed and well-considered transition out clauses in a technology contract will save significant headaches later in the winding down of a contractual relationship.

Bringing a fairness lens to your standard form contracts and business practices

Recent and upcoming changes in Australia’s consumer laws will affect many technology and data-driven organisations in Australia, and should be an area of focus given an active regulator in the ACCC and the significant penalties that apply for non-compliance.

Firstly, updates to the “unfair contract terms” (UCT) laws took effect on 9 November 2023, introducing significant penalties for organisations that include unfair terms in their standard form (non-negotiated or lightly-negotiated) contracts with individuals or small businesses (business with less than 100 employees or revenue of under A$10 million). Organisations should ensure that their standard form contracts are closely reviewed for UCT risks.

Secondly, on 1 September 2023, consultation opened in relation to a new “unfair trading practices” prohibition, which would seek to prohibit conduct which currently falls short of existing laws, such as unconscionable conduct, misleading and deceptive conduct, or unfair contract terms. Examples in the consultation paper include:

• targeting vulnerable people;
• predatory or aggressive business conduct;
• making cancelling services or opting out difficult;
• dark patterns and digital engagement practices;
• misleading omissions and hidden information; and
• limited mechanisms or redress.

Consultation closes on 29 November 2023.

Looking forward

The busy lead up to the festive season is no time to let cyber security preparedness and privacy compliance fall by the wayside. The Australian Government’s latest response to the Privacy Act reforms indicates that substantive changes are still some time away, so organisations should continue to focus on compliance with existing laws.

The Australian Government will shortly release its cyber security strategy, and has foreshadowed a focus on ransomware.

For a more detailed briefing on any of these updates, or to discuss how we can assist your organisation manage its risks in these rapidly evolving areas, please get in touch.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).