Are the proposed cyber laws a ‘turning point’?

Earlier this month, Cyber Security Minister Tony Burke (pictured) proposed new legislation to the lower house that would result in the country’s first standalone Cyber Security Act.

The new legislation will introduce mandatory reporting for those who paid threat actors ransom, minimum cyber security standards for smart devices, and the establishment of a Cyber Incident Review Board, all as part of seven sections of the 2023–2030 Australian Cyber Security Strategy.

“The creation of a Cyber Security Act is a long-overdue step for our country and reflects the government’s deep concern and focus on these threats,” Minister Burke told the media at the time.

“This legislation ensures we keep pace with emerging threats, positioning individuals and businesses better to respond to and bounce back from cyber security threats.

“To achieve Australia’s vision of being a world leader in cyber security by 2030, we need the unified effort of government, industry, and the community.”

But what do lawyers and industry experts think of the proposed legislation? Lawyers Weekly spoke with several senior professionals about the bill and its implications moving forward.

A ‘jewel in the government’s crown’?

The bill, Norton Rose Fulbright partner Annie Haggar proclaimed, is a “turning point” for cyber law in Australia.

VIEW ALL

“Whilst it won’t resolve our current ‘jigsaw puzzle’ of laws and regulations for cyber security, it does provide a framework for the development of the regulation needed to address the cyber risks facing our community,” she said.

Mills Oakley partner Jason Symons called the proposed changes “very significant”, noting they will support greater collaboration between impacted organisations and relevant government agencies and drive greater transparency with the public regarding cyber security incidents.

Holding Redlich general counsel Lyn Nicholson had similar sentiments, noting that the bill provides “much-needed clarity and resources” to help businesses navigate growing threats.

The proposed legislation, Cyooda Security founder and chief information security officer John Reeman mused, is “certainly a step in the right direction” and brings things like the improvement of IoT security devices more in line with the EU Cyber Security Act.

According to Clyde & Co partners Reece Corbett-Wilkins, John Moran, Richard Berkahn, and Stefanie Luhrs, the proposed changes “are the jewel in the government’s crown” (and by extension that, of the Home Affairs team responsible for consultation and its preparation).

“The Cyber Security Strategy working groups should all be commended for bringing this to life; there has been a lot of work that has gone into this, and other jurisdictions globally are taking interest,” the quartet said.

“Fundamentally, they are bold reforms aimed to introduce friction into the cyber crime economy and encourage increased investment at an aggregate level to improve cyber security resilience.”

Mandatory reporting

The bill, AUCyber chief executive Peter Maloney outlined, mandates that entities with revenues over $3 million report any ransom payments within 72 hours so as to improve transparency and allow the government to gauge the extent of cyber crime affecting the economy.

Reeman said the 72-hour reporting requirements for ransomware extortion are a good initiative but added that, in his opinion, they do not go far enough.

“I’ve personally helped several small businesses that have been ransomware victims this year,” he said.

“So, the threshold for reporting ignores 95 per cent of businesses that fall under the $3 million threshold, and these are the ones being targeted, too, so this activity will continue to go unnoticed unless the victims voluntarily report, which is unlikely.”

The Clyde & Co partners, for their part, noted that the proposed reporting requirements are a “compromise from outright banning ransom payments” but added they do “get the government as close to what it ultimately wants – better data around who is paying (how much and why) and better chances to chase down bad guys after the event”.

All organisations, Haggar advised, should review their incident response plan and include processes “to enable this tight deadline to be met”.

The reporting requirement, Symons added, means the entity must be appropriately advised throughout the negotiation process, given it is illegal to pay a ransom in some cases.

“Entities also need to be properly advised on the potential consequences of sharing information and reporting a payment from a legal professional privilege (LPP) perspective,” he said.

“The proposed legislation limits the use of information provided by organisations to the government and protects LPP claims to a degree, but the potential waiver of LPP must still be considered.”

Cyber Incident Review Board

The establishment of the CIRB, Maloney detailed, allows for independent reviews of significant cyber incidents, fostering a culture of learning and improvement within organisations.

The CIRB and its expert panel are a “commendable” move, Symons noted.

“The reviews are designed to help us learn from past serious incidents so that we can try and prevent, detect, respond, and minimise the impact of similar incidents in the future. However, such reviews will prolong a nightmare situation for the impacted entity and its staff. Information and documentation will be required to be produced,” he said.

“And, when the review is announced and when the final report is released, the entity faces potential further reputational damage with its name in the media again. Given these downsides, we must hope the recommended actions of the review serve the greater good.”

The Clyde & Co partners deemed the CIRB a “welcome idea” – but noted that “bearing in mind incident response is fast-paced, dynamic and very situationally dependent, the composition of the review board and their experience will be critical”.

Limited-use disclosure framework

The bill also introduces limited-use obligations for information shared with the National Cyber Security Coordinator, Maloney said.

“The bill includes a limited-use obligation for information shared with the National Cyber Security Coordinator, ensuring that such information is used solely for incident response and not for punitive measures,” he said, thereby encouraging organisations to share critical information without fear of legal consequences.

Critically, Haggar observed, this is not a “safe harbour” or immunity from investigation or regulatory action, “but it enables early sharing of sensitive incident information that can benefit the Australian community”.

In-house counsel, she suggested, “should consider working with their CISO and communications team on a responsible disclosure policy to provide a structure for this sharing”.

The proposed limited-use disclosure framework and opening up to the government during a breach “isn’t without its critics”, the Clyde & Co partners mused, “or some nervousness amongst Australian directors (particularly those facing investigations or class actions)”.

“But, generally, the IR industry is onboard, and we are keen to see how we can make it work,” the quartet said.

Smart device security standards

Another significant aspect of the bill is the introduction of, elsewhere, Maloney pointed out, mandatory security standards for smart devices.

This, he said, “aims to protect consumers from cyber threats that exploit IoT vulnerabilities”, adding that the proposed broad definition of “smart devices” “ensures that a wide range of products, from home assistants to connected appliances, must adhere to cyber security standards”.

Any lawyers advising in this space, Haggar mused, will need to help clients understand the requirements of the regime, including statements of compliance, labelling, and other components.

Other reflections

Broadly speaking, Symons noted that given the complexity of the new reporting and information-sharing regulations, “these proposals also greatly heighten the importance of appropriate legal representation within an organisation’s incident response team”.

The government and impacted organisations (together with their in-house legal teams), he continued, “have aspired to communicate openly for some time – built largely on mutual trust and understanding from working side by side in the trenches on incidents”.

The proposals formalise protections around information sharing that will greatly assist the government and those law departments, he said, to respond to an incident “in a way that serves the interests of the Australian community and organisations simultaneously”.

Speaking directly to legal practitioners who are concerned about how the proposed changes impact them directly, the Clyde & Co quartet said: “Encourage clients to engage early with these changes as the uplift work required to get ahead will carry over well into 2025.”

And, on the question of impacts upon lawyers themselves, they said: “Given law firms generally have an increased propensity to pay ransoms, this will very much become relevant to their own incident response processes during a breach and preparation efforts now.”

Ultimately, Nicholson concluded, a comprehensive approach to cyber security reform as set out in the bill “begins the important work flagged” under the 2023–2030 Australian Cyber Security Strategy.

This story was originally published on Cyber Daily’s sister brand, Lawyers Weekly.