Australia has enacted some new cybersecurity regulations, but there is concern that the nation Down Under is still lagging in cybersecurity preparedness.
For instance, approximately 1 in 3 of the nation’s law firms are not investing in regular cybersecurity training, reports GlobalX, in a recent study conducted in partnership with the Australian Legal Practice Management Association. Looking at the larger economy, over 40 percent of Australian businesses questioned believe the country to be behind the rest of the world when it comes to cybersecurity practices, adds a new survey from Aura Information Security.
The studies do need to be put in perspective, however, say Australian lawyers.
When reviewing the results of the law firm survey, Fabian Horton, a lecturer at The College of Law in Australia and director of ConnectLaw, said the firms that “do not invest in regular cybersecurity training are most likely small law firms.”
“These firms usually engage outside assistance for cybersecurity and would receive updated information via means other than official training,” Horton said. For instance, the Legal Practitioners’ Liability Committee, which is the state insurer for lawyers, distributes updates to its members about cyber and other risks, according to Horton.
“At the other end of the law firm spectrum, medium and large law firms take cybersecurity very seriously,” Horton said. “Many of these firms have specialist cybersecurity managers. On the lawyer side, many, if not most, of the medium to large firms would have a practitioner who advises on cybersecurity and/or privacy related law.”
There is “a spectrum of those who do cybersecurity well, and those who do it poorly. As such, there could always be improvements in understanding and execution,” Horton said.
Looking at the bigger picture, Michael Williams, an attorney at Gilbert & Tobin in Sydney, said Australia has a “developing regime” for dealing with cybersecurity events, and there is “growing awareness amongst public and private sector organizations about the cyber threats.”
Specifically, on law firms, “awareness of the nature and seriousness of cybersecurity risks is uneven across the legal profession,” Williams said. “While some firms have invested heavily in cybersecurity systems and training, many have not—particularly smaller practices. This is leading to a rise in cyber events affecting firms.”
But this year, the extent of legal industry education on cyber risks has increased, he adds, “with cooperation between firms increasing and a greater level of investment in cyber preparedness.”
Still, he warns there is strong anecdotal evidence that attacks on law firms are increasing. Law firms represent a high value target for cyber criminals and hostile state actors because they hold information about the confidential affairs of numerous clients, he said.
Also, Williams said key legal issues surrounding liability for cyber breaches “remain unresolved in Australia.” “There are no superior court rulings yet in Australia on the apportionment of liability based on … cyber breaches nor have there been any class actions decided in relation to cyber events,” he explained.
Perhaps most significantly, a new regulation, the Notifiable Data Breaches scheme, became effective on Feb. 22, 2018. Until the NDB scheme was introduced, “there was a degree of complacency amongst corporations and public sector organizations about cyber breaches and a reluctance to disclose cyber breaches or notify affected individuals,” Williams said.
“With the NDB in place, attitudes have had to change significantly across private sector and public organizations,” he added. “This year marked a significant step-change in cybersecurity laws in Australia with the introduction of a mandatory investigation and disclosure regime for cyber breaches.”
The NDB scheme applies to organizations operating in Australia with an annual turnover of over $3 million, and to certain other organizations, such as those in the health sector. Covered organizations must report eligible data breaches both to the Office of the Australian Information Commissioner (OAIC) and to any individuals who may potentially be affected by the breach.
He explained that the obligations under the NDB are similar to, but in some respects differ from, those under the EU’s General Data Protection Regulation (GDPR).
“Some organizations that are subject to both regimes are treating compliance with the GDPR as satisfying relevant obligations under the NDB,” Williams said. “There are unique tests for notification and exceptions to the obligation to notify which are based on Australian law concepts of reasonable suspicion.”
Similarly, Helen Clarke, an attorney at Corrs Chambers Westgarth, said Australia is “as much a target as most other jurisdictions around the world.”
“While we have some laws that seek to address elements of cybersecurity risk, such as relatively new mandatory data (privacy) breach notification laws, and critical infrastructure cyber risk laws, like other jurisdictions, there is no over-arching cybersecurity law,” she said.
She pointed out that the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 is a proposal to increase public safety by providing law enforcement agencies with faster access to encrypted data. The proposed legislation intends to “address a range of threats by introducing a suite of measures that will improve the ability of agencies to access intelligible communications content and data.”
Moreover, David Vaile, executive director of the Cyberspace Law and Policy Centre at the University of New South Wales, Sydney, said there is a proposal “to require not only telco carriers and ISPs but also OTT applications like Facebook and Google to offer ‘assistance and access’ to the contents of messages and communications (rather than the metadata, which is covered by existing law in the Telecommunications Act and the Telecommunications and Interception and Access Act).”
“This is hotly contested, with almost all non-government submissions to recent parliamentary committee inquiries under PJCIS [The Parliamentary Joint Committee on Intelligence and Security] being against it, including local IT industry, civil liberties and human rights, professional bodies and foreign IT and data companies,” Vaile said.
In fact, Australia, in general, has “limited local legislative or policy independence of thought,” and there is “more a tendency to adopt whatever is being pushed by the US or UK,” Vaile added. “Unlike say the US or EU, there is much more limited interest in digging into the evidence and data which would show whether particular cybersecurity or surveillance initiatives were justified.”
Also, unlike in the EU, U.S., and U.K., “there is no enforceable right to privacy (in the EU Privacy Directive, now GDPR); and unlike the U.S., there is no protection of human rights including privacy or data protection, free speech, search and seizure etc. in the constitution,” Vaile said.