The growth of cybercrime and its impact on data security are an increasing challenge across Australia. The Federal Government estimates cybercrime costs our economy close to AUD 1 billion annually, and these costs are growing fast. Businesses are losing millions of dollars to preventable cyber-attacks. FY18 saw 734 cyber incidents affecting private sector systems of national interest. The Government hopes that new data breach laws will help promote a “race to the top” that will benefit all Australians.
In March 2018 parliament passed the Security of Critical Infrastructure Bill as a means to further protect the electricity, gas, ports, and water sectors from “foreign involvement” that could lead to espionage, sabotage, and coercion. The Bill gives ministers the power to direct companies to conduct risk mitigation actions. This power will be used to “seek information and issue directions to owners and operators of critical assets in the high-risk sectors when there is a risk that is prejudicial to security”.
The Notifiable Data Breach (NDB) Scheme came into effect on 22 February 2018. Any company or organisation with an annual turnover greater than AUD 3 million that handles people’s personal information - data like bank account information, credit card details, medical records or identification documents - is covered by the new regulations. The NDB Scheme makes it compulsory in certain circumstances for companies that suffer serious data breaches to notify the Office of the Australian Information Commissioner (OAIC). They must also notify affected individuals whose information is disclosed so they have the opportunity to protect themselves from adverse effects. The essence of the Scheme is ensuring better protection for the public when companies and government organisations experience a data breach, or when they are hacked.
Some Australian businesses covered by the Australian Privacy Act may also need to comply with the General Data Protection Regulation (GDPR) developed by the European Union (EU) if they offer goods and services in the EU or monitor the behaviour of individuals in the EU. Australian businesses should determine whether they need to comply with the GDPR and, if so, take steps to ensure their personal data handling practices comply with the new regulations.
Cyber security is often seen as an IT issue; a lot of CEOs imagine that their IT department will take care of it, but it just isn’t that simple anymore. Good cyber security policy requires the involvement of all levels of management and a commitment to educating every member of the team.
Something with the potential to impact data privacy and increase the sheer amount of data being shared is the draft legislation to introduce a Consumer Data Right Bill. This Bill requires companies to securely share customers’ data when it has been requested, in order to promote competition, enhance customer focus, and encourage innovation. The Australian Competition and Consumer Commission (ACCC) is determining which industries will be impacted, with the OAIC ensuring compliance as it does with the Privacy Act. The big four banks are likely to be the first impacted, from 1 July 2019, if the Bill passes in parliament. Other authorised deposit-taking institutions will join on 1 July 2020, with industries like telecommunications and energy utilities joining sometime after. Whilst this is unlikely to hit data sets from critical infrastructure, it still means providers will be putting vast volumes of data into a shareable format.
GHD has recently started a Cyber Security Practice within our GHD Digital service lines. With mature risk-based assessment methods and a strong technology backend, we offer in-depth, end-to-end Advisory, Protection, Monitoring and Remediation services to assist organisations. Our teams have been involved in designing the industry standards that address the regulations on which cyber security risk management has been built, from the first ICT Governance Standard AS8015 and ICT Project Governance Standard AS8016 to newer standards such as ISO27001.
GHD combines this approach with our deep knowledge of the design, delivery and operation of the assets that underpin an organisation, be it in water, power, transportation, environmental, property, construction or energy. It is this combination of the top-down and bottom-up approaches of our multidisciplinary teams that truly differentiates GHD's approach to cyber security and risk management.
This thought leadership piece does not deal with every important topic or law relevant to cyber security and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances.