Published on the 31/01/2024 | Written by Heather Wright
‘Limited use mechanism’ doesn’t mean limited enforcement…
A proposal designed to encourage organisations to share information with government during cyber attacks, without fear of regulatory action, has sparked concern from the Australian privacy watchdog which says such protections shouldn’t be allowed to prevent future enforcement action.
The Office of the Australian Information Commissioner (OAIC) says the limited use mechanism must be carefully designed in consultation with regulators so it doesn’t preclude regulatory action in the public interest or impact any legislative reporting requirements, including for the OAIC.
“Any such obligation needs to be developed carefully … so that regulatory activity is not impeded.”
The limited use obligation, flagged in the Australian Cyber Security Strategy, would introduce an obligation of confidentiality, limiting how information shared by organisations with the Australian Signals Directorate (ASD) and the National Cyber Security Coordinator could be used by other Australian government bodies, including regulators. Cyber incident information would only be able to be used for prescribed cyber security purposes, including helping businesses respond to cyber incidents, and could not be used for regulatory purposes.
The limited use mechanism is designed to allay concerns that information could be used in future prosecutions.
A recent Home Affairs consultation paper noted that ‘industry are increasingly reluctant to share detailed and timely cyber incident information’.
While cyber incidents are increasing, the ASD says cyber security reporting by industry and critical infrastructure operators has remained steady. It also notes delays in organisations providing it with the technical information relevant to ongoing security incidents, and that some organisations are referring the ASD to their legal representatives, rather than to their incident response teams, for communication.
“This is reducing the Government’s visibility of cyber threats and limiting our ability to offer support to citizens and businesses during an incident,” the Home Affairs consultation paper says.
It notes that consultation with industry stakeholders has flagged that the reduced engagement could be partly driven by a shift to a more compliance-based approach to incident reporting.
“Businesses are concerned that information shared with the ASD or Cyber Coordinator about cyber incidents could be used for regulatory purposes.”
While supporting the need for immediate collaboration and information sharing between affected organisations and the ASD and national cyber coordinator to facilitate an effective immediate response, the OAIC says balance is needed between facilitating industry cooperation and ensuring regulatory agencies can enforce laws and deter non-compliance ‘at an appropriate time’.
“The OAIC’s view is that any such obligation needs to be developed carefully and subject to clear boundaries so that regulatory activity in the public interest is not impeded,” the OAIC submission says.
“In particular it is important that any confidentiality obligations do not impede the current reporting obligations under the OAIC’s Notifiable Data Breaches scheme nor subvert the OAIC’s regulatory role. Ultimately, entities must comply with their legal obligations under the Privacy Act, including their NDB reporting obligations and the obligation to take reasonable steps to protect their data.”
Its submission notes the Information Commissioner’s commencement late last year of civil penalty proceedings against Australian Clinical Labs over a February 2022 data breach.
The data breach resulted in the unauthorised access and exfiltration of personal information, including sensitive health information and credit card details of more than 100,000 people.
“This investigation highlights the importance of appropriate resources for regulators to conduct timely and effective investigations where significant cybercrime occurs,” the submission says.
The Commissioner is alleging Australian Clinical Labs ‘seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information and that its failures left the company vulnerable to cyberattack’.
The recommendation is one of four the OAIC is calling for in its submission. It’s also urging that collaboration and information sharing mechanisms, supported by legislative amendment ‘where necessary’, should be encouraged.
Home Affairs notes that while the limited use obligation means information shared with the ASD and cyber coordinator could not be used for regulatory purposes, it would not impact other regulatory or law enforcement actions or provide immunity from legal liability, unlike ‘safe harbour’ provisions, which provide a shield against legal liabilities. Safe harbour provisions are considered ‘out of step’ with public expectations – with Australians expecting entities should comply with legal obligations and do what they can to proactively respond to cyber security incidents – and as such are not currently being considered for Australia.
In addition to legislating a limited use obligation for cyber incident information provided to the ASD and the cyber coordinator, the government is also exploring options to develop an interim ‘non-legislative mechanism’ for the ASD.
It is being consulted on separately with industry on an ‘accelerated timeframe’, the Home Affairs paper notes.