Key Takeouts
The Cyber Act will introduce a ‘limited use obligation’ to encourage businesses to share cyber incident information with government agencies, but it won’t provide broad immunity from legal liability for risk management failures.
A ‘no fault, no liability’ requirement will mandate that organisations report ransom payments above a specific threshold.
These changes align with recent Privacy Act amendments, promoting timely information sharing while necessitating vigilance around implementation complexities.
Before the end of the year, the Australian Government will move to introduce its new “Cyber Act”, which will include new cyber security safeguards in support of the 2023-2030 Australian Cyber Security Strategy.
Upcoming changes include a ‘safe harbour’ or limited-use protections to encourage companies affected by cyber incidents to share key information with government agencies such as the Australian Signals Directorate (ASD) and the Cyber Coordinator. This will fall short of the business community’s request for immunity from prosecution for any deficiencies or inaction that might be revealed by the shared information.
Additionally, the Government says it will implement a ‘no fault, no liability’ requirement for entities to report the making of ransom payments over a particular threshold. These measures have been advocated by organisations such as the BCA since last year’s Cyber Security Strategy consultation.
The ‘limited use obligation’
The ‘limited use obligation’ provision, to be co-designed with industry, would encourage businesses to share information with the ASD and the Cyber Coordinator when responding to a cyber incident. However, the proposal would not provide a broad immunity from prosecution to directors or organisations who failed to take steps to manage and reduce cyber risk in the period leading up to the incident.
The scheme would limit government agencies’ uses of shared information to the purposes of assisting the organisation and the broader economy with responding to the cyber incident, but preclude uses for further investigating whether a regulatory breach has arisen. The specific details of how the regime would work are yet to become clear; however, the true ‘safe harbour’ nature of the protection could be more nuanced than once thought.
The government’s Consultation Paper on the 2023-2030 Australian Cyber Security Strategy acknowledged that in exchange for information-sharing, Australian business seeks a ‘safe harbour’ mechanism as a shield against legal liability for a cyber incident. However, the paper clarified that the limited use obligation “would not impact other regulatory or law enforcement actions, or provide an immunity from legal liability.”
The Office of the Australian Information Commissioner (OAIC) acknowledges that while timely information sharing in the immediate response stages of cyber incidents is crucial, it is also important to have deterrents to reduce the likelihood of such incidents in the first place and to ensure robust cyber risk management and data protection measures. The OAIC (which would also get expanded enforcement jurisdiction under the new Privacy Act amendments) is seeking consultation with the Government to ensure any limited use provisions would not “preclude regulatory action in the public interest or impact any legislative reporting requirements”. Therefore, the specifics of this protection remain unclear, and once announced, industry stakeholders should closely monitor the inevitable restrictions and caveats to the protection.
Mandatory ransom payment reporting obligations
A new ‘no fault, no liability’ scheme for entities targeted by ransomware is also proposed. The Government has proposed to mandate that organisations report the making of any ransom payment above a particular threshold.
This scheme aims to reassure entities that the agency receiving ransom payment reports will not seek to assign blame for the incident. However, the Law Council of Australia has expressed concerns about this scheme, noting that the concept of ‘no liability’ might overlap with State and Territory criminal legislation or other laws, especially in cases where ransom payments are made to sanctioned organisations.[1]
Nevertheless, entities will be required to fulfil mandatory reporting obligations for any ransom payments exceeding a certain threshold. This report must include details such as the amount paid and the recipient, to help identify the hackers involved. Therefore, the extent of immunity provided under this scheme is another important consideration, particularly in cases where ransom payments have been made.
Broader privacy context
These proposed protections are complemented by recent amendments to the Privacy Act, introduced in early September 2024 by the Attorney General.
If passed, provisions for handling ‘eligible data breach’ incidents would be adopted, under which the Minister can make a swift declaration that permits APP entities to share information to mitigate harm. For instance, this could involve sharing the identities of individuals affected by a breach with banks to ensure the security of their accounts. Otherwise, such sharing of personal information is strictly prohibited.
A welcomed change
If passed, these changes would be a welcome relief for the industry, given the substantial increase in compliance burdens recently associated with the Digital ID Act, as well as the proposed amendments to the Privacy Act and the introduction of the Cyber Act. However, entities should stay alert once details emerge of the actual protections which may be on offer for organisations who share cyber attack information or report making a ransom payment.
[1] Law Council of Australia, Cybersecurity Consultation Paper 2024