As a cyber security professional, I am often asked about the legal obligations and regulatory requirements concerning cyber security. This concern is warranted: most companies in today’s digital world use technology to create opportunities, and that same technology introduces legal risks that directors must analyse and monitor.
The best way to answer this question is to contact your lawyer to seek independent advice regarding applicable laws and regulations to your particular business.
However, in this blog post, I wanted to shed some light on some critical cyber regulatory laws that may apply to Australian organisations. The laws that apply to a business depend on various factors, including their size and the nature of the business.
Please note that the following information does not constitute legal advice, but it is a good starting point to get you thinking. See our disclaimer below.
The Corporations Act 2001 (Cth) is Australia’s principal legislation regulating business entities (primarily companies). The Corporations Act imposes duties on directors to exercise their powers and discharge their duties honestly, in good faith, and with the degree of care and diligence that a reasonable person would exercise. These obligations require board directors to consider and appropriately manage cyber security risks that may impact the company.
For example, in 2021, the Australian Securities and Investments Commission (ASIC) commenced its first enforcement action against RI Advice Group for data breaches arising from a failure to have adequate cyber security policies, systems and resources.
The Privacy Act 1988 (Cth) is Australia’s primary legislation dealing with privacy. The Privacy Act regulates how individuals’ personal information is handled and applies to Australian Government agencies, organisations with an annual turnover of more than $3 million, and some small businesses with an annual turnover of $3 million or less.
Entities that are subject to the Privacy Act have various obligations relating to cyber security, including:
- Take reasonable steps to protect the personal information the entity holds (e.g. name, signature, address, phone number, date of birth, credit reporting information, and tax file numbers) from misuse, interference and loss, and from unauthorised access, modification or disclosure.
- Destroy or permanently de-identify personal information the entity holds once it no longer needs the information for the purpose for which it was collected (unless it is required to be kept longer under another law or court order).
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable of certain material data breaches impacting personal information (or credit reporting information or tax file information) held by the entity.
- If there are reasonable grounds to suspect a material data breach has occurred, conduct an expeditious assessment within 30 days to determine whether the breach is notifiable.
Australian Prudential Regulation Authority (APRA)
APRA is an independent statutory authority that supervises banking, insurance and superannuation institutions in Australia.
APRA governs specific obligations under the Corporations Act that apply to entities with an Australian Financial Services Licence (AFSL), such as having risk management systems and controls to manage business risks, including cyber security.
APRA-regulated entities are required to comply with Prudential Standard CPS 234 (Information Security), which requires such entities to have clearly defined security-related roles and responsibilities, to implement security controls commensurate with the criticality and sensitivity of their information assets (and to undertake systematic testing of those controls), and to notify APRA of information security incidents within 72 hours where the incident materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders, beneficiaries or other customers, or where the entity notified any other regulator of the incident.
ASX Listing Rules
The ASX Listing Rules govern companies listed on the Australian Securities Exchange (ASX).
The Listing Rules are enforceable against listed entities and their associates under the Corporations Act. The Listing Rules are based on multiple principles; the two that relate to cyber security are:
- An entity must satisfy appropriate minimum standards of quality, size and operations before it is admitted to the official list. While the ASX Listing Rules on admission and continuous disclosure make no specific mention of cyber security minimum standards, cyber security plays a key role in satisfying the required operational standards.
- An entity must advise the market immediately of any information (such as a cyber security incident) that would have a material effect (positive or negative) on the company’s share price.
For example, in February and May 2019, Australian property valuation firm LandMark White (LMW) suffered two data breaches affecting more than 100,000 customers. LMW lost several key financial institution clients due to the two data breaches. Upon return to the ASX in August 2020 following two trading halts, share prices had fallen by 52% since May 2019.
Consumer Data Right
The Consumer Data Right (CDR) under the Competition and Consumer Act 2010 (CCA) provides consumers with improved access and control over the data businesses hold about them.
The CDR was introduced in the banking sector and has recently been rolled out to the energy sector, with the telecommunications sector to follow shortly.
The CDR has strict controls that will be enforced by the OAIC and the Australian Competition and Consumer Commission (ACCC).
Organisations under the CDR must comply with privacy safeguards and rules that ensure the consumers’ data is protected, transferred and managed securely. This includes meeting strict information security requirements to protect consumers’ data from misuse, unauthorised access or disclosure.
Office of the Australian Information Commissioner (OAIC)
The Office of the Australian Information Commissioner (OAIC) is the independent national regulator for privacy and freedom of information. It promotes and upholds Australians’ right to have their personal information protected.
The OAIC administers the Australian Privacy Principles (or APPs), which require an APP entity to take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
The OAIC is also the body to notify when an organisation or agency has reasonable grounds to believe an eligible data breach has occurred.
Security of Critical Infrastructure Act 2018 (Cth)
This Act creates a framework for managing critical infrastructure risks and applies to owners of critical assets in 11 key industry sectors.
The Act imposes significant cyber risk management and reporting obligations on critical infrastructure owners, including a requirement for directors to annually attest that their organisation’s risk management practices are up to date.
My Health Records Act 2012 (Cth)
The My Health Records Act is designed to give healthcare recipients and their treating healthcare providers access to a summary of the recipient’s health information.
The My Health Records rules specify that a healthcare provider must satisfy specific information security requirements. In addition, certain participants in the My Health Records system (such as registered healthcare providers, portal operators and contracted service providers) are obliged to notify both the My Health Records system operator and the OAIC (unless an exemption applies) in the event of certain data breaches relating to the My Health Records system.
Australian Energy Sector Cyber Security Framework (AESCF)
The AESCF has been developed through collaboration with industry and government stakeholders and is designed to assess cyber maturity and promote an increase in the capability and cyber resilience of the energy sector.
To meet their obligations, board directors should always familiarise themselves with their organisation’s legal and regulatory requirements, ensure that cyber risks are an integral part of the organisation’s risk management framework, and frequently review cyber resilience programs at the board level.
This article is introductory in nature and is current as of the date of publication. The article does not constitute legal advice (and we are not qualified to provide you with legal advice) and should not be relied upon as such. You should always seek independent legal advice on your specific circumstances. If we have sourced information from external sources, we cannot guarantee the accuracy or currency of such information.
About the Author:
Mouaz Alnouri is a company director, a cyber security enthusiast and a graduate of the Australian Institute of Company Directors. With over a decade in the IT services industry, he has provided intelligent solutions for complex problems throughout his career. He has worked with major technology and telecommunications firms, including Telstra and NBN. Mouaz leads the team at Skillfield with a passion for protecting Australians and their businesses from hackers and all sorts of bad actors.
Skillfield is an Australian-based IT services consultancy empowering businesses to excel in the digital era. Across our two main practices of Cyber Security and Data Services, our talented and committed professionals provide smart and simplified solutions to complex cyber security and big data challenges.