
Australia introduces new cyber security law

On 25 November 2024 the Australian Government's cyber security legislative reform package passed both Houses of Parliament and received Royal Assent on 29 November 2024. The comprehensive reforms include the introduction of Australia’s first standalone cyber security law, the Cyber Security Act 2024 (Cth)(Cyber Act).


The reforms are designed to implement the key initiatives of the Government’s 2023-2030 Australian Cyber Security Strategy to bolster Australia's cyber defences and enhance cyber resilience across Australia's economy.


In this update we will explore some of the key elements of the Cyber Act that are likely to have practical impact upon businesses operating in the technology industry.


Mandatory ransomware payment reporting

Certain organisations affected by a cyber security incident that receive a ransomware demand and make a payment (or give some other benefit) to the extorting party must report the payment to the Australian Signals Directorate and the Department of Home Affairs. Notably, the reporting obligation is triggered only by the payment of a ransom, not by the receipt of a ransomware demand.


The report must be made within 72 hours of making (or becoming aware of) the ransomware payment and must include certain details of the payment and related communications with the extorting party. Failure to comply may result in a civil penalty.


The organisations required to comply with the reporting obligation include:


  • Any organisation carrying on business in Australia with an annual turnover exceeding a certain threshold, likely $3 million (this is still to be confirmed).

  • Any organisation who is a ‘responsible entity’ for a ‘critical infrastructure asset’ under the Security of Critical Infrastructure Act 2018 (Cth)(SOCI Act).


The mandatory reporting obligation is due to commence within the next six months. This adds to the existing complex patchwork of reporting obligations that may be applicable to organisations such as those required by:


  • the Privacy Act 1988 (Cth) with respect to data breaches involving personal information under the Notifiable Data Breaches scheme;

  • the ASX Listing Rules with respect to continuous disclosure obligations in relation to information that has a material effect on the price of an organisation’s securities;

  • the SOCI Act with respect to cyber security incidents which impact critical infrastructure assets; and

  • the APRA Prudential Standard CPS 234 with respect to material information security incidents.


Unfortunately, the law provides no new guidance as to the legality of a ransomware payment itself, which is currently a hot-button issue: the Cyber Act neither prohibits nor authorises payment. Paying a ransom may nonetheless breach other laws, such as those relating to sanctions or anti-money laundering, so the legality of any proposed payment should be assessed separately from the reporting obligation.

Mandatory IoT security standards

Historically, smart devices were not subject to mandatory cyber security standards, nor were there regulations requiring built-in security features to be active by default. This is despite smart devices being used to collect significant volumes of potentially sensitive data about users, with or without their knowledge.


As a result of the reforms:


  • The Government will have the power to mandate cyber security standards for devices that can directly or indirectly connect to the internet (whether wirelessly or via a wired connection). Manufacturers must manufacture such devices in compliance with the requirements of the relevant standards, and the supply of non-compliant devices is prohibited. The types of devices that can be the subject of cyber security standards are defined very broadly and will likely include many widely used devices such as smart TVs, smart watches, home assistants and baby monitors. The standards have yet to be released.

  • Failure to comply with the applicable standards can result in the Government taking enforcement action. This may include issuing compliance notices requiring manufacturers or suppliers to demonstrate compliance with the standards, issuing stop notices or requiring that product recalls be issued for devices that do not meet the applicable standards.

  • Manufacturers and suppliers will be required to provide a statement of compliance with respect to the applicable cyber security standards for devices supplied to the Australian market.


The above reforms are due to commence within the next twelve months.


Practical Takeaways


To help ensure compliance with the Cyber Act, businesses should consider the following:


  • Reviewing their existing cyber security policies and practices, including by making any necessary updates to their cyber incident and data breach response plans to reflect the new obligations imposed by the Cyber Act. In particular, response plans should account for the 72-hour reporting window, which runs from the making of (or becoming aware of) a ransomware payment, and should ensure that details of the payment and the related communications with the extorting party are recorded so that a report can be made in time.

  • Monitoring for the release of any applicable IoT security standards, and for confirmation of the turnover threshold for the ransomware payment reporting obligation.


Legal Notice

The contents of this article are for reference purposes only and may not be current as at the date of accessing this article. The contents of this article do not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be sought separately before taking any action based on this article.


© 2023 Corptech Legal Pty Ltd

Liability limited by a scheme approved under Professional
Standards Legislation.
