Australian Cyber Security Bill – mandatory reporting for ransom payments and smart device consumer protections
After releasing stage one of its privacy reforms last month (discussed in a previous insight), the Federal Government has now released the Cyber Security Bill 2024 (Cth) (the Bill).
The Bill is a product of significant consultation. If enacted without amendment, new legislation will be introduced: the Cyber Security Act 2024 (Cth). The Bill, which includes a proposed mandatory ransom payment reporting regime and enhanced consumer security, forms part of the legislative framework that will assist the Australian Government in achieving its vision of becoming a world leader in cybersecurity by 2030.
In this article, we focus on the key aspects of the Bill that will shape the way entities respond to cyber incidents, along with Australia’s cyber security landscape for years to come.
| Key concepts to be introduced |
|---|
| Introduction of mandatory reporting of ransom payments for entities with a revenue over $3 million. |
| Mandatory security standards for devices that directly or indirectly connect to the internet (also known as Internet of Things (IoT) devices or smart devices). |
| Establishment of a ‘limited use’ obligation for information provided to the National Cyber Security Coordinator (NCSC) during a cyber security incident, with the intention of restricting how cyber security incident information can be used and shared with other government agencies, including regulators such as the Office of the Australian Information Commissioner (OAIC). |
| Establishment of a Cyber Incident Review Board (CIRB) to conduct post-incident reviews into significant cyber security incidents. |
If the Bill is enacted, entities will be obligated to submit a ransomware payment report via the Australian Signals Directorate (ASD) portal following the payment of a ransom to an extorting entity.
The purpose of the reporting regime is to provide the Government with a better understanding of the impact of ransomware and cyber extortion on Australian businesses and the Australian economy.[1] In its most recent Notifiable Data Breaches report, the OAIC reported receiving 49 data breach notifications relating to ransomware between January and June 2024.[2] Importantly, organisations are not obliged to notify the OAIC that they have paid a ransom, and we expect the total number of payments made to be materially higher than the reported figure.
In relation to timing, under the proposed Bill, a ransomware payment report must be submitted within 72 hours of payment or 72 hours of becoming aware that payment has been made.[3] The entity will be required to report:
- the name and contact details of the entity who made payment (which may include both the entity submitting the report, along with any third-party ransom negotiator);
- information relating to ‘the cyber security incident, including its impact on the reporting business entity’;
- the value of the demand made by the extorting entity and the ransomware payment; and
- any communications with the extorting entity relating to the incident, the demand and the payment.[4]
Naturally, a major concern for victims of ransomware is any potential legal ramifications for making payment of a ransom. Businesses that pay often take all steps necessary to limit the flow of information out of the business in relation to the payment. This appears to have been considered in the drafting of the Bill. An entity will not be liable ‘to an action or other proceedings for damages for or in relation to an act done or omitted in good faith’ in complying with the reporting regime. If an entity fails to submit a ransomware payment report, it may be liable to a civil penalty of up to 60 penalty units ($18,780).[5] The Bill is the strongest indication received from the Government to date on the legality of ransom payments.
The information within a ransomware payment report can only be used and/or disclosed by government agencies for permitted purposes, including (among other things) assisting the business to resolve the cyber security incident and allowing government to perform the function of an ‘intelligence agency’.[6] The information must not be used or disclosed for civil or regulatory action against the reporting entity.[7]
Another potential deterrent or concern for reporting entities is waiver of privilege. The Bill states that a ransomware payment report ‘does not otherwise affect a claim of legal professional privilege that anyone may make in relation to that information in any proceedings’[8] and the information is not admissible in most civil and criminal proceedings.[9]
Industry forecasts predict an average of 33.8 connected smart devices per Australian household by 2025.[10] It’s an astonishing figure, one that will undoubtedly continue to increase exponentially as technology advances. Despite our growing reliance on smart and IoT devices, there are currently no enforceable security standards in relation to information collected, used and disclosed by manufacturers of these devices. The ASD acknowledges these devices are convenient targets for cyber criminals, often collecting not only personal information (through voice recording functionality or otherwise) but other highly sensitive information that can assist in the facilitation of crimes; think doorbell cameras that record when you leave your home, or a robotic vacuum that has mapped the floor of a house.
The Bill proposes to introduce mandatory cybersecurity standards for ‘relevant connectable products’. These are defined to include both products that connect to the internet to send and receive data in their own right, along with products that connect to the internet through another product.
Notably, while the intended purpose of the security standards is to include ‘smart devices’ such as TVs, watches and home assistants, the proposed definitions currently appear to be broad enough to capture devices such as smartphones and computers. While the Bill would allow certain classes of product to be exempt from the operation of the legislation, the proposed cybersecurity standards could have a greater effect.
The definition of ‘manufacturer’ is aligned with the definition set out under section 7 of the Australian Consumer Law (ACL). It extends to capture a person who imports goods into Australia if the manufacturer of the goods does not have a place of business in Australia at the time of the importation. It ensures that there is always an entity responsible for compliance – no matter if the product is purchased from a traditional brick-and-mortar retailer, or a wholesaler’s online marketplace.
Under the proposed legislation, a manufacturer will be required to comply with security standards and publish a statement declaring compliance with the standards. If a product does not comply with these requirements, there may be resulting enforcement action. This may be in the form of compliance notices, stop notices, or mandatory recall notices.
The Bill and Explanatory Memorandum do not currently contain details of the form these standards may take, or how the obligations may overlap with other statutory obligations (including under the Privacy Act and ACL). It is intended that the standard will be formalised in the Rules of the proposed legislation, providing the Government with flexibility to introduce standards as the threat landscape evolves.
A common theme within the Bill is the ring-fencing and protection of incident information provided by reporting entities. This is to encourage organisations to work closely with the NCSC and provide relevant information in a timely manner (i.e. at the start of an incident).
The NCSC’s primary role is to triage and coordinate response to cyber incidents across all levels of government and assist businesses where there has been a significant cyber incident. Often when responding to cyber incidents, there are numerous statutory and reporting obligations for victim organisations to consider. Government has observed that entities may be reluctant to share information with the NCSC during an incident for concern that the information may be shared with other regulatory or law enforcement authorities.[11]
The Bill proposes to limit recording, use or disclosure of information received by the NCSC to:
- assisting with incident response;
- coordinating a whole government response; and
- if required, informing the Minister or other Ministers of the incident.
This ensures the information is not used for ulterior purposes, such as civil or regulatory action against the reporting entity.[12]
As with the ransom payment reporting regime, the Bill proposes that information exchanged under this section does not affect any claim for legal professional privilege. Further, information provided to the NCSC is not admissible in most civil and criminal proceedings, and the NCSC cannot be compelled as a witness.[13]
The Bill proposes to establish a standing Commonwealth CIRB, with the power to compel entities to produce information, independently review significant cyber security incidents, and make public findings. The CIRB may only conduct a review if an incident, or series of incidents, has one of the following characteristics:
- it has or could reasonably be expected to seriously prejudice Australia’s social or economic stability, defence, or national security;
- it involved novel or complex methods or technologies that will improve Australia’s preparedness or resilience to similar future incidents; or
- the incident is, or could reasonably be expected to be, of serious concern to the Australian people.
This function allows the CIRB to make recommendations to government and industry as to preventing, responding to, and minimising the ongoing impact of significant cybersecurity incidents. A public finding cannot apportion blame or determine the liability of any entity involved in a cyber incident, and the proposed legislation would restrict the disclosure of information which, among other things, may be used in civil proceedings against the entity or may prejudice an ‘impartial adjudication’. Additionally, as with the ransom payment reporting regime and the limited use obligation, the relevant sections do not affect a legal professional privilege claim, and information provided to the CIRB would not be admissible in court.
The CIRB, which consists of the Chair and up to six other standing members, will have the power to compel entities to produce documents in relation to the cyber incident. There are civil penalties for non-compliance.[14]
The CIRB would appear to build on the Federal Government’s incident coordination and response facilities introduced through the National Office of Cyber Security and the Cyber Security Response Coordination Unit. Consistent with the ‘limited use’ obligation discussed above, the CIRB review process would also provide safe harbour for impacted entities to participate in reviews, which they may otherwise be reluctant to do given the legal and regulatory risks that may result.
We will continue to monitor this important reform process and keep you updated if there are further developments.
If you have any questions, please get in touch with Hall and Wilcox’s market-leading cyber team to discuss how these changes are likely to impact you or your business.
[1] Explanatory Memorandum, Cyber Security Bill 2024 (Cth) page 5.
[2] Office of the Australian Information Commissioner, Notifiable data breaches report: January to June 2024 (16 September 2024) page 28.
[3] Cyber Security Bill 2024 (Cth) s 27(1).
[4] Ibid s 27(2).
[5] Ibid s 29(5), which provides for 60 civil penalty units (one civil penalty unit = $313).
[6] Ibid s 29(1).
[7] Ibid s 29(2).
[8] Ibid s 31 and 32.
[9] Ibid s 31 and 32.
[10] Explanatory Memorandum, Cyber Security Bill 2024 (Cth) page 2.
[11] Ibid page 7.
[12] Cyber Security Bill 2024 (Cth) s 38(2).
[13] Ibid s 41, 42 and 43.
[14] Ibid s 50.