In brief - Legislation passed in 2021 addresses the cyber security of critical infrastructure and introduces a notification scheme for ransomware attacks, while in 2022 we may see legislative changes to the Corporations Act and Privacy Act.

Cyber attacks have continued to make news headlines in 2021, with long lockdowns playing into the hands of threat actors who take advantage of the rapid digital transformation, which has been accelerated by the events of the last two years.

The Australian Cyber Security Centre (ACSC) observed that, in the year to 30 June 2021, reported cyber attacks increased by nearly 13% from the previous year, resulting in losses of more than $33 billion. Interestingly, Queensland and Victoria were the most targeted jurisdictions in Australia, collectively bearing 60% of the nation's cyber attacks. Whilst individuals are being targeted through online shopping and banking frauds, Government bodies remain the key focus.

Australia is not alone in tackling cyber attacks such as ransomware, business email compromise, phishing, and data breaches. In 2021 there have been some notable cyber events:

  • Facebook suffered a data breach of over 500 million users' information. 

  • JBS Foods, Australia's largest meat and food processing company, which employs 11,000 people in Australia, had its operations paralysed and supply chain threatened by a ransomware attack. JBS Foods paid AUD14 million in ransom monies to ensure no data was exfiltrated. 

  • In the United States, a successful ransomware attack shut down the Colonial pipeline, which carries almost half of the Eastern United States' fuel supply, for six days leading to widespread fuel shortages. 

  • A ransomware attack disrupted Nine Entertainment's ability to broadcast. 

  • Levitas Capital, a Sydney hedge fund, suffered a business email compromise fraud and lost AUD8.7 million. 

  • Health services providers UnitingCare and Eastern Health lost access to electronic patient data and hospital IT systems during separate ransomware attacks, with staff having to resort to manual processes.

  • Data breaches suffered by:

    • Ubiquiti Networks, a vendor of 'internet of things' devices 

    • Ambulance Tasmania 

    • Northern Territory Government 

    • Western Australian Parliament 

It is not surprising that the increase in the frequency and quantum of cyber attacks has led the Federal Government to seek a streamlined notification and response framework.

In 2020, the Federal Parliament introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020. The bill was passed on 22 November 2021 with the effect discussed below. In 2021, the Shadow Assistant Minister for Cyber Security introduced the Ransomware Payments Bill 2021.  

Cyber risk forecast for 2022

The inescapable permeation of technology in our lives means that there will continue to be cyber risks which need to be managed. The next twelve months will see an increase in the regulatory framework for cyber risks. 

Security Legislation Amendment (Critical Infrastructure) Act 2021

The Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACIA), which was enacted in December 2021, was split into two parts so that government intervention in cyber security incident responses could be progressed urgently. The Act enhances the regulatory framework for addressing serious cyber security incidents affecting infrastructure, which includes gas pipelines, banking institutions, and electricity assets.

Under the recommendations of the Parliamentary Joint Committee on Intelligence and Security, which were adopted by the House of Representatives, there is now a requirement for infrastructure assets to give notification within eighty-four hours of the event. The overall effect of the Act is to provide an emergency lever for government intervention in cyber security incident responses.

Ransomware Payments Bill 2021

Whilst the SLACIA focuses on the ability to respond to attacks on critical infrastructure assets, the Ransomware Payments Bill 2021, which was introduced into Federal Parliament on 12 August 2021, seeks to introduce a notification scheme for ransom payments.

Under the Bill, entities intending to make a ransom payment (excluding those with an annual turnover of less than AUD3 million) will be required to notify the ACSC of key details. These include the purported identity of the attacker, the details of cryptocurrency wallets for payment, the ransom amount demanded, and indicators of compromise for the attack, thus giving the ACSC clearer oversight of attacker trends.

The Bill highlights the continued concerns of the ACSC, which estimates that ransomware incidents alone cost the Australian economy as much as AUD2.59 billion annually. The true scale of the problem is unclear, however, because Australian victims who pay ransoms keep these payments secret due to potential commercial and reputational harm, insurance ramifications and legal liability.

Other potential changes to cyber security legislation forecast for 2022 include:

  • Amendments to the Corporations Act to include obligations on directors regarding cyber security

  • Amendments to the Privacy Act 1988, again on the constant theme of notifications. It has long been discussed that the small business exemption should be removed (that is, most businesses with an annual turnover of AUD3 million or less are exempt from complying with the Privacy Act and do not need to report an otherwise notifiable privacy breach). Whilst there is no formal review process underway, with data breaches increasing and the value attached to personal information ever rising, it is likely that the exemption will need to be reviewed at some point in the near future.

  • We also expect the introduction of a private cause of action in the privacy regime (although to date plaintiffs have managed to bring de facto privacy claims via employment or consumer law). This would also bring the Australian privacy regime closer to the GDPR, which is one issue in the long list of negotiations with respect to an EU-Australia free trade agreement to facilitate a GDPR adequacy decision (although Australia's state security surveillance powers may cause difficulties post Schrems I and Schrems II).


This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2022.