Cyber security in Australia: Passed and pending legislation and changes on the horizon
Online Safety Act 2021
On 23 June 2021, the Online Safety Act 2021 (Cth) was passed by Parliament and will commence on 23 January 2022. The Act builds upon the existing online regulatory framework established in the Enhancing Online Safety Act 2015 (EOSA) and creates additional compliance obligations.
Addressing harmful content
The Act creates a first-of-its-kind cyber abuse scheme for Australian adults. Under the Act, the independent regulator eSafety can require the removal of adult cyber abuse material if it is satisfied that the material was posted with the likely intention of causing serious harm. If the material is not removed, civil penalties can apply both to those who post the content and to providers of the service where it appears. The time given to providers to comply with a removal notice has also been reduced from 48 hours to 24 hours so that harmful content is addressed rapidly.
A person experiencing adult cyber abuse must first report the matter to the provider before seeking assistance from eSafety.
Protections for children
The Act also enhances protections for Australian children, with eSafety now having the power to issue removal notices to a full range of online services, not just social media. This includes online gaming platforms, content sharing services and messaging services. It also provides a scheme for the take-down of contravening material (for example, material falling within the refused classification, X18+ and R18+ classifications of the Classification Act 1995 (Cth)), with additional powers extending to the removal of material posted from, or hosted, outside Australia.
Expectations for tech industry
The Act also sets out a number of expectations that the technology industry is expected to meet. It introduces a set of Basic Online Safety Expectations (BOSE) to ensure greater transparency. The eSafety Commissioner is able to require service providers to report on compliance with any or all of the BOSE. A new set of industry codes is also being developed by industry and eSafety to guide the industry on compliance with its obligations under the Act.
Surveillance Legislation Amendment (Identify and Disrupt) Act 2021
On 25 August 2021, the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 (Cth) was passed to introduce new law enforcement powers that enhance the ability of the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to combat serious online crime.
The Act creates three new classes of warrants that the AFP and ACIC may apply for:
- Data disruption warrants: enable access to data held on one or more computers to undertake "disruption activities" that frustrate the commission of criminal activity. [1]
- Network activity warrants: enable the collection of intelligence on serious criminal activity being conducted by criminal networks operating online. [2]
- Account takeover warrants: enable the takeover of a person's online account to gather evidence of criminal activity. [3]
The AFP and ACIC may apply for these warrants if the chief officer suspects on reasonable grounds that a group of individuals is involved in a criminal network and that access to data held in a computer that is used or likely to be used by any of the individuals in the group will substantially assist in the collection of intelligence that is relevant to the prevention, detection or frustration of one or more kinds of relevant offences. [4]
Autonomous Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Bill 2021 (Cth)
On 2 December 2021, the Autonomous Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Act 2021 was passed to amend the Autonomous Sanctions Act 2011 (Cth). It received royal assent on 7 December 2021.
This is a notable new cyber-related law, as thematic sanctions may now address malicious cyber activity. This means the Australian government may issue sanctions directly against cyber hackers, banning them from visiting Australia or investing their criminal gains in Australia. The Act:
- sets out new thematic categories of conduct to which autonomous sanctions can be applied
- clarifies that autonomous sanction regimes established under regulations can be either country-specific or thematic
- specifies a decision-making process for imposing targeted financial sanctions and travel bans on persons and entities under thematic sanctions regimes.
Security Legislation Amendment (Critical Infrastructure) Bill 2021
Following the recommendations of the Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 published on 29 September 2021, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 was split in two, so that the urgent elements of the reforms in proposed Part 3A could be separated out and passed as soon as practicable (Bill One).
Bill One was passed on 22 November 2021 and assented to on 2 December 2021. It amends the Security of Critical Infrastructure Act 2018 (SOCI Act) to enhance the security and resilience of critical infrastructure assets and systems of national significance by:
- increasing the industry sectors recognised as critical infrastructure from four sectors to 11
- establishing positive security obligations for critical infrastructure assets, including to adopt and maintain a critical infrastructure risk management program (to be delivered through sector-specific requirements) and mandatory cyber incident reporting
- introducing enhanced cyber security obligations to ensure government and industry can work collaboratively to strengthen the cyber preparedness and resilience of entities that operate assets of the highest criticality to Australia's national interests (defined as systems of national significance)
- providing government with the necessary and proportionate powers to be exercised as a last resort in circumstances where a cyber security incident has, is, or is likely to impact a critical infrastructure asset and Australia's national interest.
The expanded scope extends the asset classes considered to be critical infrastructure from electricity, water, gas and maritime ports to 11 critical sectors, including healthcare, communications, financial services and markets, and food and grocery. Several of these new asset classes require further definition, which is expected to come through sector-specific rules. It is expected that these rules will define operational thresholds for classifying critical infrastructure assets.
Entities covered by this expanded scope must now adhere to the following reporting obligations:
- critical cyber security incidents must be reported within 12 hours of the entity becoming aware of the event. An event will be considered critical where it has a "significant impact", i.e. the asset is used in connection with the provision of essential goods or services and is materially disrupted.
- other cyber security incidents must be reported within 72 hours if they have a "relevant impact" on the availability, integrity, reliability or confidentiality of the critical infrastructure asset.
If the reports are given orally, a written report must also be provided within 84 hours of the oral report for critical events and within 48 hours for other incidents.
As a last resort measure, the SOCI Act now provides for government assistance and intervention to respond to serious cyber incidents. Government intervention may occur when:
- a cyber security incident has occurred, is occurring or is imminent
- the incident has had, is having or is likely to have a "relevant impact" on a critical infrastructure asset (i.e. an impact on the availability, reliability, confidentiality or integrity of the asset)
- there is a material risk that the incident has, is or is likely to seriously prejudice the social or economic stability of Australia or its people, the defence of Australia, or national security; and
- no existing regulatory system of the federal or state governments could provide a practical or effective response.
In this situation, the government has a number of powers, including the ability to give directions to the entity for the purpose of gathering information about the incident, to require the entity to take specific action in response to the incident, and to authorise the Australian Signals Directorate to intervene and assist in responding to the incident. The entity is required to comply with government directions, and failure to do so can result in penalties varying in severity.
Looking to the future, Bill One includes a provision that empowers the Parliamentary Joint Committee on Intelligence and Security to conduct a review of the operation, effectiveness and implications of the SOCI Act and to report any recommendations to parliament, as long as the review is conducted within three years of Bill One receiving royal assent.
The remaining non-urgent elements of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 have been deferred and amended into a separate Bill (Bill Two). It is expected that Bill Two will implement several cyber security obligations, including implementing and maintaining risk management programs.
For more information on ways to protect critical infrastructure organisations from cyber attacks, please see our previous article.
Legislation not proceeding
Ransomware Payments Bill 2021
This Bill was introduced into the lower house in June by Shadow Assistant Minister for Cyber Security Tim Watts. In a joint statement by Tim Watts and Kristina Keneally, Shadow Minister for Home Affairs, it was announced that the government failed to bring it on for debate and that it was to be reintroduced in the Senate.
Ransomware Payments Bill 2021 (No. 2)
As above, the Ransomware Payments Bill 2021 (No. 2) was introduced in the Senate after the original Bill was not progressed in the House of Representatives.
This Bill seeks to establish a mandatory reporting requirement for Commonwealth entities, state or territory agencies, corporations and partnerships that make ransomware payments in response to a ransomware attack.
The Bill will create an obligation on entities that make a ransomware payment to notify the Australian Cyber Security Centre (ACSC) of key details of the attack, the attacker and the payment. This information will be held by the ACSC and used to:
- share de-identified information with the private sector through the ACSC threat-sharing platform
- collect and share information that may be used by law enforcement
- collect and share information to inform policy making and to track the effectiveness of policy responses.
The Bill was recently considered by the Scrutiny Committee, which raised an issue with subclause 9(6). That subclause provides an exception (an offence-specific defence) where the information is disclosed in certain circumstances, for example to a court. The Committee states that the provision reverses the burden of proof by requiring a defendant to disprove, or raise evidence to disprove, an element of the defence, which interferes with the common law right to be presumed innocent until proven guilty.
To date, no further amendments to the Bill have been made.
Updates on Australian privacy law reform
In October 2021, the Attorney-General's Department released its Privacy Act 1988 Discussion Paper and the Exposure Draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 in response to the Australian Competition and Consumer Commission's Digital Platforms Inquiry Final Report (26 July 2019).