Australian Cyber Security Strategy: Legislative reforms
The Law Council provided a response to the Department of Home Affairs’ 2023–2030 Australian Cyber Security Strategy: Cyber Security Legislative Reforms Consultation Paper (the Consultation Paper).
The 2023–2030 Australian Cyber Security Strategy plays a critical role in identifying the key principles and challenges emerging from the parallel proposals, reforms and review processes taking place in relation to privacy, data protection and cyber security regulation across the economy.
The Law Council emphasises the need to ensure proportionality, consistency, and certainty within the regulatory landscape. Regulatory and procedural certainty is critical in the aftermath of a cyberattack where the timeframe to make decisions and to respond appropriately is significantly constrained.
The Law Council has primarily focussed on proposals in the Consultation Paper as they relate to information sharing in the wake of a cyber incident, especially Measure 2 (ransomware reporting) and Measure 3 (limited use obligations). In responding to these proposed measures, the Law Council has sought to strike a balance between incentivising disclosure through requirements that are easily applied and understood, without unnecessary regulatory burden, and providing entities with assurances that information shared will be used effectively to add value by providing better protections for Australian citizens and businesses.
The Law Council makes the following key recommendations:
- Compulsory reporting following a ransomware attack should be limited to situations where an entity has made a ransomware or extortion payment. Reporting on ransomware or cyber extortion attacks more generally should be managed through the limited use framework in Measure 3, subject to the changes recommended by the Law Council.
- There should be clear statutory safeguards that preserve legal professional privilege and confidentiality in any documents provided following a ransomware attack. This includes ensuring material is exempt from disclosure under a subsequent freedom of information request.
- Clarity is required on the role of ‘no fault’ and ‘no liability’ protections in the context of instruments of crime and sanctions regimes, which may be inadvertently breached through a ransomware payment.
- To adequately incentivise disclosure, information provided to the Australian Signals Directorate (ASD) and/or Cyber Coordinator should not be shared with regulators without the express consent of a disclosing entity.
- There should be clear statutory safeguards that preserve legal professional privilege and confidentiality in any documents provided to the ASD and/or Cyber Coordinator under Measure 3. This includes ensuring material is exempt from disclosure under a subsequent freedom of information request.
- If ‘consequence management’ is to be relied upon as a purpose for the sharing of incident information, this term should be clearly defined to cover a narrow set of circumstances.
Last Updated on 22/03/2024