2022 – A big year for cyber attacks and regulation in Australia
2022 has been a big year for cyber in Australia.
Most notably, two of the largest and most high-profile data breaches in our nation’s history impacting Optus and Medibank, affected millions of Australians. This resulted in, among other things, sweeping changes to the penalty regime for serious or repeated breaches of the Privacy Act 1988 (Cth), which we wrote about when the Bill was submitted to Parliament.
2022 also saw various new obligations ‘switched on’ for operators of critical infrastructure assets across a wide and expanded range of industries. We discussed the impact of these amendments for the medical industry.
These legislative amendments were not surprising, given the increasing cyber risk landscape facing Australian businesses, which is demonstrated in the most recent reports published in November 2022 by the Australian Cyber Security Centre (ACSC) and Office of the Australian Information Commissioner (OAIC).[1]
Below, we provide a further update about the Privacy Act reform and our analysis of the most recent ACSC and OAIC reports.
Privacy Act reform
The Privacy Act amendments introduce various reforms, such as increasing the OAIC’s investigative and information sharing powers, as well as expanding the Act’s extraterritorial application.
While these amendments will have a practical impact on the way the OAIC regulates organisations, we consider the most significant change relates to the maximum penalties that the OAIC can seek to impose for serious or repeated breaches of the Privacy Act.
Prior to the amendments, the maximum penalty for serious or repeated privacy breaches for body corporates was $2.2 million (and $440,000 for non-corporates).
Under the new amendments to the Privacy Act, the maximum penalty for body corporates who are found to have committed serious or repeated privacy breaches of the Privacy Act can be the greater of:
- $50 million; or
- three times the value of any benefit, directly or indirectly, obtained, that is reasonably attributable to the privacy breach; or
- 30% of the entity’s adjusted turnover for the relevant period (our emphasis).
But what does ‘adjusted turnover’ and ‘relevant period’ mean in the context of these penalties?
The adjusted turnover of a body corporate during a period is the sum of the values of all the supplies (including, but not limited to, income derived from a supply of good, services or provision of advice or information) that the body corporate, and any related body corporate, have made, or are likely to make, during the period, other than:
- supplies made from any of those bodies corporate to any other of those bodies corporate; or
- supplies that are input taxed; or
- supplies that are not for consideration (and are not taxable supplies under section 72-5 of the A New Tax System (Goods and Services Tax) Act 1999); or
- supplies that are not made in connection with an enterprise that the body corporate carries on; or
- supplies that are not connected with the indirect tax zone.
Using the example of a law firm, the adjusted turnover is the GST exclusive amount of revenue that the law firm bills.
The relevant period is defined as the longer of the following periods:
- the period of 12 months ending at the end of the month in which the contravention ceased, or proceedings in relation to the contravention were instituted (whichever is earlier); or
- the period: (i) starting at the beginning of the month in which the contravention occurred or began occurring; and (ii) ending at the same time as the period determined under paragraph (a).
This means that a breach turnover period is at least 12 months and commences when a breach of the Privacy Act began.
The effect of the amendment cannot be overstated. If an organisation is in serious breach of the Privacy Act from some historical point in time, the relevant period may date back to the beginning of that period. It is not necessarily limited to 12 months.
Take, for example, Australian Privacy Principle 11 (APP 11), which among other things (and subject to exceptions), requires an organisation to take reasonable steps to:
- protect personal information from unauthorised access; and
- delete or de-identify personal information when it is no longer needed for any purpose for which it may be used.
If, hypothetically, an organisation failed to implement reasonable cyber security measures and hoarded all personal information it ever collected without any consideration of deletion or de-identification, there is a real risk that the organisation may be in breach of APP 11.
If that organisation then had a significant cyber attack, which resulted in the theft of its data, depending on the circumstances, it is conceivable that the aforementioned failings could be deemed a ‘serious’ breach of the Privacy Act.
In this scenario, the contravention of the Privacy Act may have occurred from the time the organisation started collecting personal information, which could date back to when the organisation first started operating as a business.
When one considers that the OAIC could, under the amendments, seek to impose a penalty of 30% of adjusted revenue during a relevant period, it is theoretically possible that organisations could face a penalty of 30% of every dollar of revenue the organisation has ever produced.
While we expect the OAIC will continue to take a judicious approach to enforcing privacy laws, it is also fair to assume that the OAIC will use these powers as a way to change corporate behaviour when it comes to protecting personal information.
Australian businesses should make themselves aware of their privacy obligations and ensure that they have adequate processes in place to comply with Australia’s privacy regime.
ACSC report
Australia remains a prominent target for cyber criminals, who attempt to take advantage of Australia’s financial, economic and technological prosperity.
In the 2021-22 financial year (FY22), the ACSC received over 76,000 cyber crime reports. That is one report every seven minutes (or over 200 reported cyber incidents every day). This represents a 13% increase on the previous year. Importantly, reporting a cyber incident to the ACSC is voluntary, so the true number of cyber incidents in Australia is likely to be materially higher than those reported.
The ACSC report identified the following key cyber trends:
Cyber crime and cyber security incidents are growing in number and severity
Australia’s prosperity makes it an attractive target to cyber criminals. Invoice scams, business email compromise (BEC) and identify theft continue to be among the most common cyber threats during FY22, resulting in losses totalling $98 million (with an average of $64,000 per reported incident).
This equates to approximately 1,530 reports of BEC crime per year.
The cyber criminals are always adapting. For example, BEC attacks targeted high-value property settlements as digital settlement methods became more frequently used during the COVID-19 pandemic.
Ransomware remains the most destructive cyber crime threat in Australia
In FY22, ransomware groups stole and sold the personal information of hundreds of thousands of Australians as part of their extortion tactics.
447 ransomware incidents were reported. While this is actually a reduction from the previous year, the ACSC consider the ransomware attacks to be ‘significantly underreported’, especially by victims who pay the ransom.
Of the organisations that reported, the industries most impacted by ransomware were:
- Education and training – 11%
- IT – 10%
- Professional and technical services – 10%
- Government – State/Territory/Local – 8%
- Health care – 8%
Ransomware groups continue to target ‘big game’ (high value) Australian entities.
The ACSC assessed ransomware to be the most destructive cyber crime threat in FY22 owing to the duality of its impact on organisations. Businesses faced ‘double extortion’, where ransomware groups would use both data encryption and (often publicly) threaten to publish sensitive information on the dark web as a strategy of forcing the hands of victims to pay.
Ransomware attacks hit an organisation’s bottom line in multiple ways. There is not only the ransom demand, but also costs involved in system reconstruction, lost productivity and lost customers as a result of reputational damage.
The ACSC, like other Australian government agencies, advises against paying ransoms.
Critical infrastructure networks are increasingly targeted worldwide, and this has put Australia’s essential services at a heightened risk.
Approximately one quarter of cyber security incidents the ACSC responded to affected critical infrastructure, demonstrating the real risk posed to essential services in Australia by geostrategic, profit-motivated, and opportunistic attacks.
In FY22, attacks on critical infrastructure increased globally. Ukraine was heavily targeted – with Russia-aligned cyber crime groups not only attacking the country but also threatening to act against Ukraine’s allies.
Potential disruptions to Australian essential services in FY22 were averted by effective cyber defences. In 2021, CS Energy, an organisation which generates 10% of Australia’s electricity nationally, was targeted by the Russia-aligned ransomware group Conti. Owing to CS Energy’s network segmentation and robust incident response plans, business continuity plans and disaster recovery actions, energy supplies were not affected by the incident.
Critical infrastructure organisations have additional cyber security obligations and may be subject to mandatory reporting requirements under the Security of Critical Infrastructure Act 2018 (Cth).
Rapid exploitation of critical public vulnerabilities has become the norm.
The ACSC noted that the majority of significant incidents they responded to were due to inadequate patching.
When a software provider identifies a vulnerability, they often send a ‘patch’ (or update) to the end-user. Within that update will be a mechanism or code to protect and strengthen any vulnerabilities in the software. Between the time that the patch is sent out and the end-user’s program is actually updated, there is a window of opportunity for cyber criminals to exploit the known vulnerability.
The number of software vulnerabilities recorded worldwide increased more than 25% on the previous financial year. Over 24,000 ‘Common Vulnerabilities and Exposures’ were identified during FY22, using newly released critical vulnerabilities.
Malicious state actors target Australian small businesses and individuals to gain sensitive information.
Cyber operations are used as a geostrategic tool in a global battleground. Some countries use cyber operations to gain advantage by stealing other nations’ security secrets and intellectual property. Russia’s attacks against Ukraine provides a pertinent example of the real and disruptive impact of cyber operations on critical systems and supply chains.
In July 2021, a Microsoft vulnerability exploitation was attributed to China’s Ministry of State Security. In November 2021, Five-Eyes (an intelligence alliance between Australia, Canada, New Zealand, the United Kingdom and the United States) confirmed exploitation of the Microsoft vulnerability to an Iranian state actor.
Political and economic espionage was rampant in FY22 and Australia remains a target to state attacks owing to its global interests and international partnerships, particularly in the Indo-Pacific region.
The ACSC maintains that the current most effective means of defence for larger businesses against cyber threats continues to be the implementation of the Essential Eight cyber security strategies: Essential Eight mitigation strategies, Strategies to Mitigate Cyber Security Incidents.
For smaller organisations, the ACSC has published useful advice for advice for ransomware, Business Email Compromise and other threats.
OAIC report
In their biannual report, the OAIC provides practical guidance to organisations on how to manage key risk areas identified in the January to June 2022 reporting period.
In this report, the OAIC focused on the following:
Large scale data breaches
The OAIC identified an increase in the number of data breaches that impacted a larger group of Australians in FY22. Four of these breaches affected 100,000 or more Australians, compared with one breach in the previous reporting period.
Section 26WH of the Privacy Act requires organisation to ‘carry out a reasonable and expeditious assessment’ of any ‘suspected’ eligible data breach within 30 days.
This obligation arises where there is any activity relevant to the breach or surrounding circumstances which would, from the viewpoint of a reasonable person in the entities’ position, give rise to reasonable grounds to suspect that an incident was an eligible data breach.
In the reporting period, only 71% of entities notified the OAIC within this timeframe.
Recommendation: We recommend that organisations comply with the timing requirements for assessing whether an incident is an eligible data breach. If the assessment cannot be completed within the time allowed by the Privacy Act, an organisation should seek legal advice about how to approach the situation.
Source of data breaches
Of the 396 breaches notified between January to June 2022, malicious or criminal attack remains the leading source of breaches at 63%. Human error remained a major source of data breaches (33%).
The health (20%) and finance (13%) sectors are the highest reporting sectors.
Recommendation: We recommend that organisations focus on employee training to reduce the risk of human error. Data breach/cyber attack simulation training should be run for executives and crisis management groups of organisations. Organisations should also ensure that they are taking reasonable steps to secure their network and have systems to ensure prompt patch management.
Data breaches involving more than one entity sharply increasing
This reporting period saw a 100% increase in secondary notifications of a data breach incident (or, ‘multi-party breach’). This occurs where more than one entity holds personal information subject to a data breach. An example is a cloud service provider that stores information for its clients.
The OAIC recommends an early assessment of the responsibilities of each entity upfront to support an efficient response to a data breach affecting multiple entities. Section 26WH of the Privacy Act requires that only one of the affected entities reports the data breach; however, each entity that holds relevant personal information needs to demonstrate they are able to meet the requirements of the Notifiable Data Breach (NDB) scheme.
Recommendation: We recommend that organisations assess their contracts with third parties and ensure that the contract sets out how the parties will handle a multi-party data breach. It is important to ensure that your organisation has a right to information needed to comply with legal obligations and the contract sets out which party notifies the OAIC or affected individuals. Multiple parties notifying the OAIC about the same incident can create inconsistencies, cause confusion and increase the risk of an OAIC investigation.
What should you do with this information?
Cyber risk is rising in Australia.
Understanding cyber risk and taking steps to mitigate it can be critical for your organisation’s financial well-being and reputation.
To achieve this, you need to be prepared for a cyber incident, know how to respond effectively in the event that one occurs and understand your regulatory obligations.
A key part of being prepared is understanding that cyber risk cannot be eliminated and therefore preparedness for a cyber attack is key. The development of a robust and tested incident response plan can aid in responding to a cyber incident promptly and decisively. To read more about what you should include in your incident response plan, see our article ‘Brace for impact – the importance of a tested cyber incident response plan‘.
The Hall & Wilcox cyber and privacy teams can assist you in relation to all aspects of cyber risk. Our team is comprised of lawyers who have acted for or advised hundreds of organisations in connection with Australian and multinational cyber security and data breach incidents, including some of Australia’s largest and most high-profile matters.
Our services include:
- providing incident response services where we act as a ‘breach coach’/first responder to handle the complete end-to-end response to a cyber incident or data breach;
- managing the engagement of our network of leading cyber security and other experts where necessary to respond to an incident;
- providing privacy and other legal advice in respect of actual or suspected data breaches or security incidents, including drafting notifications to and engaging with the Office of the Australian Information Commissioner, other regulators and individuals affected by data breaches;
- providing advice on communications with third parties, including the organisation’s leadership team, customers, employees and the public;
- defending or bringing litigated claims in connection with cyber incidents, particularly in relation to ransomware attacks, data breaches, social engineering fraud and system outages;
- cyber advisory services, focused on delivering workshops, preparing plans and conducting assessments of cyber risk for organisations and their leadership teams; and
- our ‘Beyond Compliance‘ offering for boards in relation to cyber risk.
If you would like to discuss your organisation’s cyber risk posture, how to respond to a cyber incident, your privacy or data retention policy, your organisation’s privacy policy, or how to be better prepared for a cyber incident, please contact our cyber and privacy experts at Hall & Wilcox.
[1] On 4 November 2022, the Australian Cyber Security Centre released a report entitled ‘July 2021 – June 2022 Annual Cyber Threat Report’, and on 10 November 2022 the Office of the Australian Information Commissioner released a report entitled ‘Notifiable data breaches report January to June 2022’.