Bills Digest No. 28, 2024-25

Cyber Security Bill 2024 [and] Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024

Home Affairs

Author

Leah Ferris, Nigel Brew and David McGovern

Key points

  • The Cyber Security Bill 2024 (Cyber Bill) will implement legislative proposals stemming from the 2023–2030 Australian cyber security strategy by establishing a new Cyber Security Act 2024.
  • The 4 key measures of the Cyber Bill:
    • require manufacturers and suppliers to comply with minimum security standards for smart devices acquired in Australia, with the standards to be specified in Ministerial rules
    • require businesses that make a ransomware payment in relation to a cybersecurity incident to report the payment to the Commonwealth within 72 hours
    • establish a limited use obligation to restrict the sharing of information provided to the National Cyber Security Coordinator (NCSC), to promote business confidence in sharing information following an incident
    • establish a Cyber Incident Review Board (CIRB) to conduct reviews after some cybersecurity incidents.
  • The Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 will make complementary amendments to the Intelligence Services Act 2001 to apply a limited use obligation to information obtained by the Australian Signals Directorate.
  • There has been various consultation and engagement guiding the development of the Cyber Security Strategy and the proposed legislation, which appear to be generally supported in principle by stakeholders.

On 10 October 2024 the Bill was referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for inquiry and report. At the time of writing, the Bill had not been reported on by any parliamentary scrutiny committees.


Introductory Info

Date of introduction: 2024-10-09

House introduced in: House of Representatives

Portfolio: Home Affairs

Commencement: Cyber Security Bill 2024: Parts 1, 4, 6 and 7: the day after Royal Assent; Part 2 on the earlier of Proclamation or 12 months after Royal Assent; Parts 3 and 5 on the earlier of Proclamation or 6 months after Royal Assent. Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024: Sections 1–3 on Royal Assent; Schedules 1 and 2 at the same time as Part 4 of the Cyber Security Act 2024 commences.


Purpose and structure of the Bills

The purpose of the Cyber Security Bill 2024 (the Cyber Bill) is to implement legislative proposals stemming from the 2023–2030 Australian cyber security strategy by establishing a new Cyber Security Act 2024.

The 4 key measures of the Cyber Bill:

  • require manufacturers and suppliers to comply with minimum security standards for smart devices sold in Australia, with the standards to be specified in Ministerial rules (Part 2)
  • require businesses that make a ransomware payment in relation to a cybersecurity incident to report the payment to the Commonwealth within 72 hours (Part 3)
  • establish a limited use obligation to restrict the sharing of information voluntarily provided to the National Cyber Security Coordinator (NCSC), to promote business confidence in sharing information, alongside other requirements and protections (Part 4)
  • establish a Cyber Incident Review Board (CIRB) to conduct reviews after some cybersecurity incidents (Part 5). The CIRB will be appointed by the Minister and supported by an expert panel and will be given powers to compel provision of information.

The purpose of the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (the Intelligence Bill) is to amend the Intelligence Services Act 2001 to apply a limited use obligation on information obtained by the Australian Signals Directorate (ASD), similar to that applied to the NCSC by the Cyber Bill. Schedule 2 of the Intelligence Bill provides an exemption from the Freedom of Information Act 1982 for documents relating to the National Cyber Security Coordinator.

A separate Bills Digest will be published for the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024, which was introduced along with the Cyber Bill and the Intelligence Bill. The reforms also follow the introduction of the Privacy Act and Other Legislation Amendment Bill 2024 which includes provisions for notifying eligible data breach incidents (see the Bills Digest for further information).


Background

Cybersecurity has been a concern for government for some years, with a 2011 publication by the Parliamentary Library highlighting the risks of cyber espionage. In the 2022–23 Budget (p. 42), the Morrison Government committed $9.9 billion over 10 years to the ASD to expand its capabilities and double its staff. As the Parliamentary Library noted at the time, this expansion was intended to assist with not only defending Australia from cyber attacks by state actors, but also from ‘malicious activity by actors, including cybercriminals seeking to extract ransoms, and issue-motivated groups’ (p. 85).

A series of major data breaches during 2022 and 2023, each involving millions of customer records, drew significant public attention to the issue of cybersecurity and made government moves to prevent and address such breaches all the more important.

In September 2022, Australia’s second-largest telecommunications company, Optus, experienced a cyber attack that resulted in a data breach involving some 10 million former and current customers and the disclosure online of the personal data of 10,200 people. It was described at the time by the government as ‘the largest consumer data breach in Australian history’.

Shortly after the incident, the then Minister for Cyber Security summarised the inadequacy of the powers available to the government and its intention to improve the prevention and management of cybersecurity incidents in future:

So under the previous government, there was a set of laws passed … And I can tell you that those laws were absolutely useless to me when the Optus matter came on foot. So I'm not flagging any specific directions for reform, but I would simply note that we do not have the right laws in this country to manage cyber security, emergency incidents, and this is something that we are going to need to look at … But what we do need is a federal government which has got the laws at its fingertips to make sure that we can do things, for example, mandating reporting to customers when their data has been breached within a certain time period. That is one of a whole plethora of things that I believe the federal government should be able to do in a situation like this.

… this incident is a huge wake up call to corporate Australia. It's a wake up call to government too, and it's a wake up call to everyday Australians. We simply have to make a step change in our cyber security in this country … I said last week that we are five years behind in cyber security laws or in the digital age … Looking at the powers that we have in an emergency is something that's going to have to happen … we need to undertake here a whole of nation effort of improving the security around data protection, around cyber security, so that we are better equipped in the 21st century…

So I think everyone looking at this situation has got to accept that we've got a problem here as a country and it is the intention of our government to step up and lay out a clear path for us to try to fix it.

In October 2022, a cyber attack on Australia’s largest health insurer, Medibank, resulted in the theft of 9.7 million customer records that included identification details and sensitive medical information, much of which was posted to the dark web. The Minister for Cyber Security noted that ‘combined with Optus, this is a huge wake-up call for the country and certainly gives the government a really clear mandate to do some things that frankly probably should have been done five years ago but I think are still very crucially important’. In jointly announcing in January 2024 the first-time use of Australia’s cyber sanction powers against a Russian individual for his role in the Medibank data breach, the minister described it as ‘the single most devastating cyber-attack that we have experienced as a nation’. The sanctions included ‘targeted financial sanctions and a travel ban’.

In March 2023, the consumer lending business Latitude Financial experienced a cyber attack in which some 14 million customer records were stolen. This affected current and former customers in Australia and New Zealand, with some records dating back to 2005. The records stolen included 7.9 million driver licence numbers, 103,000 copies of driver licences or passports and 53,000 passport numbers. The Attorney-General has noted that according to the Australian Federal Police, approximately half of all Australians experienced a potential compromise of their personal data as a result of the Optus, Medibank and Latitude data breaches combined.

The Albanese Government has shifted its cybersecurity stance to focus on a whole-of-economy approach, moving cybersecurity strategy and industry engagement to the Department of Home Affairs, establishing a National Office for Cyber Security and appointing a new National Cyber Security Coordinator.

The current legislative package arises from the 2023–2030 Australian cyber security strategy (the Cyber Security Strategy), which sets out the Australian Government’s ‘bold vision for Australia to be a world leader in cyber security by 2030’ (p. 4). There has been various consultation and engagement guiding the development of the strategy and the proposed legislation:

  • An Expert Advisory Board was appointed in December 2022 to advise on the development of the strategy, which released a Discussion Paper that attracted over 330 public submissions (over 50 consultation events were also held).
  • The 2023–2030 Australian cyber security strategy was released in November 2023 with an action plan that maps out the delivery of the strategy across 3 ‘horizons’ – strengthening foundations (2023–25); scaling cyber maturity across the whole economy (2026–28); advancing and leading the global frontier of cybersecurity (2029–30).
  • In December 2023, the government released a Consultation Paper on the proposed legislative reforms (which attracted over 130 submissions) and conducted virtual briefing sessions.

Explaining the reasons for the reforms, the Consultation Paper states (p. 4):

Through the development of the Strategy, the Government has identified a number of opportunities to strengthen and improve our cyber security laws. Reviews of recent cyber incidents have indicated that there are gaps in our current legislative and regulatory framework for cyber security.

Policy position of non-government parties/independents

Shortly after the release of the Cyber Security Strategy, the Australian Greens described it as a ‘disappointing continuation of the pattern of Australia steadily lagging behind the rest of the world in response to the enormous risks posed by cyber attacks’. While acknowledging improvements such as providing small businesses with cybersecurity assessments and community groups with grant money to improve their cybersecurity, the Greens called for ‘dedicated funds, specific initiatives, measurable goals and some clear accountability in Home Affairs and ASD’.

Similarly, the Shadow Minister for Cyber Security, Senator Paterson, stated in March 2024 that he feared the Cyber Security Strategy aspired to do ‘too much, too soon, with too little’. He also said that the consultation process underway at the time was being rushed, and claimed that ‘many people in industry are concerned that these reforms have been poorly explained’.

There has so far been little reaction from non-government parties to the Bill itself.


Key issues and provisions

Smart device standards

Part 2 of the Cyber Bill covers security standards for smart devices, to be specified in Ministerial rules. The provisions of the Bill apply to ‘relevant connectable products’, which are products capable of sending or receiving data that have not been exempted by rules.

Device standards were one of the key initiatives highlighted by then Cyber Security Minister Clare O’Neil when previewing the Cyber Security Strategy in 2023. The Minister described a future world where ‘clear global standards for digital safety in products’ would provide security assurance for smart devices comparable to the assurance a buyer receives when purchasing a car.

The Cyber Security Strategy (p. 30) included 2 initiatives intended to improve the security of Internet of Things (IoT) devices: enforcing a mandatory minimum standard of cybersecurity for consumer devices and encouraging the use of labelling on devices that helps consumers to understand the risks posed by smart devices.

Australia has an existing voluntary code of practice for IoT manufacturers, which does not appear to have been updated since Home Affairs closed consultation in August 2021. According to the Department of Home Affairs (p. 7), the voluntary code aligns with the European Telecommunications Standards Institute’s (ETSI) baseline cybersecurity requirements for the Internet of Things (ETSI EN 303 645). These standards have formed the basis of many national initiatives, including the United Kingdom’s Product Security and Telecommunications Infrastructure Act 2022.

According to the Explanatory Memorandum (p. 3), ‘a government study of manufacturers’ uptake of the voluntary Code of Practice revealed low levels of adoption across the country’ and that ‘there was consensus among Australian government, industry, and consumers, to support a mandatory approach to uplift the cybersecurity of smart devices in Australia’.

Although consultation covered specific cybersecurity standards (see pp. 29–34 of the government’s discussion paper), the Bill itself does not set out any standards; instead, clause 14 provides that they will be specified in the rules.

Security standards can apply to all devices that meet the definition of relevant connectable product, or be limited to a subset, type or class of devices defined in the relevant standard under the rules. A qualifying criterion for which relevant connectable products may be subject to the mandatory standards is that they will be acquired in Australia in specified circumstances (this is not limited to products that are manufactured or supplied in Australia). As stated in the Explanatory Memorandum, ‘the use of ‘specified circumstances’ provides flexibility for the rules to dictate the types of ‘acquisitions’ that will enliven the security obligations relating to particular products’ (p. 26).

The Cyber Security Strategy highlighted 3 examples of national initiatives expected to be comparable to the proposed IoT standards, those of the US, Singapore, and the UK (p. 30). These differ on the level of maturity, whether they rely on voluntary labelling to inform consumers or enforce minimum standards, and how closely they mirror the requirements of ETSI EN 303 645.

Clause 15 imposes obligations on both manufacturers and suppliers of products subject to a security standard to comply with the obligations set out in the standard. Subclauses 15(5) and 15(6) provide that where there is no relevant legislative head of power under section 51 of the Constitution to justify imposing the standard, an entity is not required to comply with it.

Clause 16 requires manufacturers and suppliers to provide a statement of compliance for those products, with requirements to retain a copy of the statement for a period specified in rules. Standards will apply to products acquired in Australia, including products produced internationally which an entity ‘could reasonably be expected to be aware’ will be acquired in Australia.

Part 2, Divisions 3 and 4 cover enforcement of the security standard. The Secretary of the Department of Home Affairs is empowered to issue compliance notices if an entity is not complying with requirements under clauses 15 or 16, and if the entity does not rectify their non-compliance the Secretary is empowered to issue a stop notice specifying actions the entity must take or refrain from taking. If the entity does not adequately rectify the non-compliance, the Secretary may issue a recall notice requiring the entity to ensure the product is not acquired or supplied in Australia and for the product to be returned to the manufacturer. If the entity does not comply, the Minister may publish details of the non-compliance. Internal review may be sought for a decision by the Secretary to issue a notice (see clause 22).

In its submission to the PJCIS, the Tech Council of Australia noted:

…there is no threshold for application of the standard, creating the possibility that startups creating and iterating new devices, while not incurring significant consumer exposure, could incur a regulatory burden. (p. 1)

The Tech Council recommended that the government ensure the regulatory environment for these businesses is no more onerous than in equivalent jurisdictions.

Ransomware payment notification

Part 3 of the Bill requires that payments (referred to as ‘ransomware payments’) made in response to a demand by an extorting entity in relation to a ‘cyber security incident’ be reported. The broad definition of cybersecurity incident in clause 9:

…captures circumstances where an entity may be subject to a demand by an extorting entity, but where there has been no direct access to a reporting business entity’s computer or computer systems. Instead, the extorting entity may be making a demand with respect to information obtained via mere interception. Where information is intercepted, an extortion demand made and payment provided in relation to that incident, it would be captured by this reporting obligation. (p. 39)

Therefore, the reporting obligations are not limited to traditional ransomware attacks.

The obligation applies if the payment is made by an entity responsible for a critical infrastructure asset, or if a non-government entity carrying on a business in Australia exceeds a certain turnover threshold (to be prescribed in rules). An impact analysis attached to the Explanatory Memorandum (p. [162]) recommends the threshold be set at $3 million. The Explanatory Memorandum also provides guidance on what is meant by ‘carrying on a business in Australia’ (pp. 41–42).

Subclause 26(4) specifies that any incident which has a sufficient constitutional nexus will be presumed to be a cyber security incident for the purpose of ransomware reporting. However, where no nexus exists, an entity will not be liable for not making a ransomware payment report.

Clause 27 imposes the reporting obligation. The report will be required to be made to a designated Commonwealth body within 72 hours of the payment being made, and must include details regarding the entity which made the payment, the extorting entity which received the payment, the amount paid and communications with the extorting entity. A civil penalty of 60 penalty units applies if a payment is not reported.

Clauses 29 and 30 provide that information disclosed as part of an entity’s ransomware reporting obligations may only be used and disclosed by the designated federal body or a secondary entity for certain permitted purposes. These include assisting in mitigating adverse impacts arising out of the relevant cyber security incident, briefing relevant Ministers, or assisting an Australian intelligence agency in the performance of its functions.

Subclause 29(2) restricts the information provided by the entity from being used for the purposes of investigating or enforcing civil or regulatory actions against them, though it may be used against them as evidence of a criminal offence or in investigating non-compliance with their ransomware reporting obligations (as set out in Part 3 of the Bill). Law firm Allens has noted that this will not exclude federal or state bodies from disclosing information provided by entities where the payment of a ransom is an offence under criminal sanctions, terrorism financing, or other financial crime law. However, the information will not be admissible as evidence except where the proceedings relate to offences committed by the entity in relation to their ransomware reporting obligations (clause 32). This provision does not apply if the Commonwealth or state body is able to obtain the same information through other lawful means (for example, a subpoena or a freedom of information request).

Clause 31 provides that information included in a ransomware payment report is not intended to impact a claim of legal professional privilege in relation to that information (regardless of who makes the claim). In its submission on the Australian Cyber Security Strategy, the Law Council of Australia argued for:

…clear statutory safeguards that preserve legal professional privilege and confidentiality in any documents provided following a ransomware attack. This includes ensuring material is exempt from disclosure under a subsequent freedom of information request. (p. 10)

The Business Council of Australia (BCA) raised concerns regarding the legal privilege exemption in clauses 31, 41 and 57 of the Bill (exemptions are also included with respect to information voluntary provided to the NCSC and information provided to the CIRB). The BCA argued that the sharing of information with another entity by the Commonwealth body to which it was disclosed ‘is potentially inconsistent with the confidential nature of the information and therefore the claim of legal professional privilege’. The BCA recommended:

…the Bill should include a clearer statement to the effect that neither initial disclosure by the company, nor its subsequent disclosure to another entity, a Commonwealth body (other than ASD) or a State body will impact a claim of legal professional privilege. This is particularly important given that there is not a settled position on whether and when provision of information to government agencies constitutes a waiver of legal professional privilege. (p. 6)

Regulation of ransomware payments is a contentious issue. Consultation included the possibility of banning the payment of ransoms, a move supported by Optus (p. 7) and Telstra, for example. Telstra believes that ‘prohibiting the payment of ransoms would provide clarity to victims of cyber-crime and insurers about the options available to them following a ransomware attack’ (p. 2). The Business Council of Australia opposes prohibiting ransom payments, questioning how a ban could be enforced and believing that a ban ‘is likely to see actors “raise the stakes” – looking to take more violent, dangerous, or harmful attacks to secure a payment’ (p. 9).

Mandatory reporting allows for greater government awareness of the threat landscape while avoiding re-victimisation and placing a more proportionate burden on business. Businesses reportedly supported the ransomware reporting requirements, noting that this initiative places Australia ahead of peers such as the EU, US and UK, while raising concerns that the proposed $3 million threshold may be too low and impose excessive requirements on smaller businesses.

However, as the Australian Banking Association has noted:

…incidents affecting small businesses can indirectly affect the banking industry more broadly … turnover based omission from reporting obligations would likely present an unacceptable intelligence gap and disproportionately incentivise threat actors to target these entities – potentially as a back door into larger entities (pp. 5–6).

Similarly, the Law Council of Australia believes that for a ransomware reporting regime to be effective, it should ideally not be limited to large entities only (p. 8). In an article discussing the Cyber Bill, law firm Gilbert + Tobin argued that the ransomware payment provisions add another layer to an already ‘complex and overlapping landscape’ when it comes to reporting cybersecurity incidents in Australia. In its submission to the PJCIS, the Australian Institute of Company Directors recommended that the Bill be amended so that an entity which is also captured by the Security of Critical Infrastructure Act 2018 (SOCI Act) is not required to report under both frameworks (p. 3). The institute also raised concerns about how large, listed companies with complex structures were required to report and recommended that at a minimum, Home Affairs publish guidance that addresses these issues (p. 4).

Law firm Minter Ellison stated that the protections contained in the Cyber Bill ‘will not provide a “safe harbour” in relation to the ransomware incident itself’ and that ‘the organisation may incur liability if the ransomware incident constitutes a breach of the Privacy Act or the SOCI Act, or if the ransomware incident has arisen as a result of negligence or gives rise to a breach of contract’.

Cyber Incident Review Board

Part 5 of the Bill provides for the CIRB to be established as an independent statutory advisory body within the Department of Home Affairs, empowered to conduct reviews after cybersecurity incidents. The CIRB will comprise a Chair and at least 2, but no more than 6, members. Details on who is eligible to be appointed to the CIRB have been deferred to the rules.

Stakeholders such as the Australian Institute of Company Directors have recommended that the eligibility requirements ensure that the majority of the members are non‑government/public service, with a focus on appointing members with the requisite skills and experience (p. 7). It is unclear from the provisions whether members will be required to hold security clearances and at what level. In its submission to the PJCIS, the Tech Council of Australia made similar recommendations and argued that ‘reciprocity agreements between boards comparable to the CIRB, allowing for the recognition of investigative material or the basis of findings, would save time and reduce duplication’ (p. 2).

The CIRB may be required to conduct reviews into cybersecurity incidents which:

  • have seriously prejudiced, or could reasonably be expected to seriously prejudice, Australia’s security or social or economic stability
  • are considered a novel or complex incident, for which a review would assist Australia’s preparedness or response to similar attacks or
  • are or could be of serious concern to the Australian people.

The legislation specifically provides that reviews are intended to be conducted on a no-fault basis, and the CIRB will not seek to apportion blame or liability in respect of incidents (see clause 62). In its submission to the PJCIS, the Australian Institute of Company Directors noted that the ‘no fault principle is limited to entities and is not as comprehensive as was envisaged in the Consultation Paper’ (p. 6).

Before the CIRB may conduct a review, the Minister for Cyber Security, the National Cyber Security Coordinator, an entity that has been impacted, or a member of the CIRB must, in writing, refer a cybersecurity incident to the CIRB (subclause 46(1)).

A review can only be conducted where the Minister has approved terms of reference (paragraph 46(2)(c)). Each review is to be conducted by a review panel that consists of the Chair, the standing members of the CIRB that are specified in the Terms of Reference for the review, and the members of the Expert Panel that are appointed to assist in the review (see clause 70). Significant details on how reviews will be conducted will be set out in the relevant rules.

The CIRB will also have the ability to request information and documents and in certain circumstances, compel the production of documents via notice to the relevant entity (clause 49). Civil penalties will apply for entities which fail to comply with requests by the CIRB for information, though some exceptions apply. With respect to information obtained by the CIRB, clauses 55–58 set out disclosure limitations that are similar to those that apply in relation to ransomware payment reporting (discussed above).

In its submission to the Consultation Paper, the Law Council related concerns about ‘introducing further bureaucratic layers without clear benefits’, and cautioned that it was important for the CIRB ‘to be structured so as not to duplicate the functions of other regulatory bodies, or impact transparency and collaboration between regulators and immediate incident responders’ (p. 12). Optus holds a similar view, noting that if it is the government’s view that existing processes are insufficient, ‘it would be more effective to make the necessary changes to this existing process rather than establishing a new one’ (p. 5). In its submission to the PJCIS, the Insurance Council of Australia noted that it had previously called for a legislated review process for the CIRB and that it may be appropriate for the Bill to include provisions setting out periodic, whole-of-legislation reviews.

National Cyber Security Coordinator

The government announced the appointment of Lieutenant General Michelle McGuinness as the National Cyber Security Coordinator (NCSC) in February 2024, having provided funding for the position in the 2023–24 Budget. The position has been operating with support from the National Office of Cyber Security within Home Affairs. For example, the Prime Minister reportedly stated that the coordinator was involved in responding to the CrowdStrike outage in July 2024.

Part 4 of the Bill establishes a framework for the voluntary provision of information related to cybersecurity incidents to the NCSC, including providing for a limited use obligation (discussed further below).

Clause 37 sets out the role of the NCSC in legislation, which includes leading whole-of-government coordination and triaging of action in response to a ‘significant cyber security incident’ and informing and advising the Minister and government in relation to the response. Clause 43 provides that, subject to certain conditions, the Secretary will be able to issue a certificate confirming that the NCSC has been involved in a specific matter, which prevents the NCSC from being compelled to appear as a witness in relation to that matter.

Sharing of information with NCSC and ASD

The concept of a ‘safe harbour’

Entities are already encouraged to report cybersecurity incidents to ASD. However, according to the Explanatory Memorandum, ASD has observed that cybersecurity incident reporting and engagement between industry and the government during a cybersecurity incident has plateaued, in part due to concerns from industry that information disclosed to the government may be later used in legal proceedings (p. 6). This is why the Business Council of Australia had called for ‘at least a temporary safe harbour for cyber incidents, with any reports treated as confidential, and not passed between agencies or used for regulatory investigation or enforcement action until such time as an incident has been contained and/or addressed’ (p. 3).

In its discussion paper on legislative reforms to implement the Cyber Security Strategy, the government noted that there had been calls from stakeholders to introduce a ‘safe harbour’ for entities who provide cyber incident information to ASD and the NCSC (p. 19). The purpose of a ‘safe harbour’ is to provide entities with a shield against any legal liability incurred as a result of a cybersecurity incident.

At an Estimates hearing in November 2022 the former director-general of ASD, Rachel Noble, described the ‘safe harbour’ concept from ASD’s perspective as a ‘most excellent idea’ and a ‘very attractive arrangement for our technical people who are in that minute-by-minute, hour-by-hour engagement with a company under duress’. In an interview in December 2023, Deputy Prime Minister, Richard Marles, stated:

… that safe harbour concept is absolutely a concept that we want to see pursued. We need to be building the greatest possible confidence that we can for companies to interact with ASD in the moment, like when the attack is actually happening, because that's the way in which we mitigate it the most, make sure that the least amount of data ends up leaving the system, as it were. So, safe harbour mechanisms, safe harbour legislation is absolutely an area that we are going to examine very carefully.

In the discussion paper on legislation reforms to implement the Cyber Security Strategy, the government argued that the introduction of a safe harbour ‘would be out of step with public expectations and is not currently being considered’ (p. 19). Rather, the Bills provide for certain ‘limited use obligations’.

‘Limited use’ obligations

Clauses 38, 39 and 40 provide that information disclosed to the NCSC during a cybersecurity incident may only be used and disclosed by the NCSC or a secondary entity for certain permitted purposes. The government has referred to these provisions as establishing ‘limited use’ obligations (see pp. 6–7 of the Explanatory Memorandum).

These obligations are similar to those which apply to information obtained as part of an entity’s ransomware reporting obligations, though the permitted purposes for which the information may be used and disclosed differ. If the information disclosed relates to an incident that is a significant cybersecurity incident, the purposes for which the information may be used and disclosed by the NCSC are significantly broader than for other cybersecurity incidents.

While the NCSC may only use and disclose the information for 3 specific purposes (see subclause 39(2)) with respect to other incidents, the NCSC may use or disclose the information for a range of ‘permitted cyber security purposes’ with respect to significant cybersecurity incidents (see subclause 38(1)).

A cybersecurity incident is a ‘significant cyber security incident’ if there is a material risk that the incident:

  • has seriously prejudiced, or could reasonably be expected to seriously prejudice, Australia’s security or social or economic stability or
  • is or could be of serious concern to the Australian people (clause 34).

Permitted cyber security purposes include preventing or mitigating material risks arising out of the incident which seriously prejudice, or could reasonably be expected to seriously prejudice, Australia’s security or social or economic stability, and the performance of the functions of intelligence agencies and Commonwealth enforcement bodies. A secondary entity (which is not ASD) may also use or disclose the information for a range of ‘permitted cyber security purposes’ (which are defined in clause 10), regardless of whether it relates to a significant cybersecurity incident.

Information provided to the NCSC is subject to similar secondary disclosure restrictions and legal protections as provided for in respect of information disclosure relating to ransomware payments (discussed above).

The Amendment Bill will amend the Intelligence Services Act to insert complementary obligations that will limit the on-sharing of information voluntarily provided to ASD (proposed sections 41BA, 41BB and 41BC). ASD will be able to share the information for a range of permitted purposes, including the performance of the functions of certain intelligence agencies and Commonwealth enforcement bodies.

The Explanatory Memorandum provides some clarity on how Commonwealth enforcement agencies may use information communicated by the NCSC:

It is not the Government’s intention to restrict operational, regulatory or law enforcement agencies from carrying out their existing legislated functions, especially in circumstances where serious breaches of law not related to the cyber security incident are made apparent. However, information voluntarily provided under permitted cyber security purposes will not be used by regulators for compliance action against the reporting entity. There is no specified time limit imposed on the information that determines how long it remains under the limited use obligation. (p. 7)

This will not prevent law enforcement or regulators from gathering this information through other means and using it for regulatory or law enforcement purposes against the entity. In its submission on the Australian Cyber Security Strategy, the Law Council recommended that the government adopt restrictions on both the use and sharing of information, with information obtained by ASD or the NCSC only available to regulators with the express consent of the disclosing entity (pp. 10–11). In its submission to the PJCIS, the Australian Institute of Company Directors noted it had long been a supporter of the limited-use protections and recommended that the Bills be amended so that the protections also apply to the recovery phase of the incident (pp. 4–5).