Our series of posts on "A glance at cyber security laws" of various countries continues, and this time it is Australia under review. Australia has many laws touching the privacy and cyber security domains. With cyber crime on the rise, the Australian Federal Government as well as the various State Governments are amending existing laws and introducing new ones to reduce cyber intrusions.
Let's take a look at a few cyber security related legal, legislative and regulatory obligations applicable to Australian industry sectors, including government agencies.
Cyber Security Regulatory Obligations
Australian Privacy Principles (APP): The APPs, set out in the Privacy Act 1988, regulate the collection, holding, use and disclosure of personal information. They apply to Australian Government agencies and to private sector organizations with an annual turnover of more than AUD 3 million (smaller organizations are also covered in some cases, for example health service providers).
Cybercrime Act: The Cybercrime Act 2001 offers comprehensive regulation of computer and Internet-related offences such as unlawful access and computer trespass, damaging data and impeding access to computers, theft of data, computer fraud, cyberstalking and harassment, and possession of child pornography.
Spam Act: The Spam Act 2003 established a scheme for the regulation of commercial email and other types of electronic messages. It prohibits the sending of unsolicited commercial electronic messages, with some exceptions (for example, consent of the recipient). The act is enforced by the Australian Communications and Media Authority (ACMA).
Telecommunications (Interception and Access) Act: The primary objective of this act is to protect the privacy of individuals who use Australian telecommunications systems. Its other purpose is to specify the circumstances under which it is lawful to intercept, or access, communications. The act covers both stored communications and real-time communications.
It is evident that Australia has a few general cyber security related laws, but it is missing some of the major industry-specific regulations comparable to the United States' Health Insurance Portability and Accountability Act (HIPAA) and the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards. In the absence of such regulatory frameworks in Australia, it is recommended that Australian organizations adopt some of the regulatory frameworks from the United States or Europe.
Proposed Voluntary Code of Conduct (Guidelines) by various industry verticals in Australia
A voluntary code of conduct aims to help industry members improve business practices and meet their regulatory obligations. Voluntary guidelines are either industry agreed or an organization's willingness to adopt a predefined best practice to improve its business as usual (BAU) operations.
Guideline for Federal Government Agencies
The federal government has mandated that all federal agencies comply with the Protective Security Policy Framework (PSPF) and the associated Information Security Manual (ISM). Together, the PSPF and ISM form a comprehensive framework that provides the appropriate controls for the Australian Government to protect its people, information and assets, both at home and overseas. PSPF and ISM requirements should also be met by the organizations in the supply chain that provide services to the federal government.
Guidelines for Banking, Finance, Insurance, and Superannuation Industry
Two regulatory bodies, the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC), provide some guidance in relation to cyber security. A recent development by ASIC is the publication of "Report 429: Cyber Resilience - Health Check". The guideline was released in March 2015 and is based on the NIST "Framework for Improving Critical Infrastructure Cybersecurity". Although at this stage it is only guidance, there are discussions that ASIC could mandate it for all organizations listed on the Australian Securities Exchange (ASX).
Guidelines for Internet Service Providers (ISPs) and Telecommunication Providers
ISPs in Australia have no other Acts or regulatory requirements apart from the recently enacted data retention legislation. The Communications Alliance was formed to provide a unified voice for the Australian communications industry, offering a forum for the industry to make coherent and constructive contributions to policy development (Commsalliance 1, 2015). The Alliance took over responsibility for the Industry Codes (iCodes) and the core responsibilities of the Internet Industry Association (IIA) under an agreement signed on 24 March 2014. The iCode is a voluntary code adopted by all ISPs in Australia. The iCode aims to:
- Instil a cyber security culture within Australian ISPs and their customers.
- Provide consistent messaging and plain-language information to customers.
- Encourage ISPs to identify compromised devices on their networks.
There is no escape for private organizations and government agencies in Australia from complying with their legal obligations. Non-compliance is expensive, and security managers must stay on top of the changing regulatory environment in their domains. In today's world of ever increasing data breaches, identity theft, state-sponsored cyber intrusions and privacy disclosures, it is more than prudent for companies to be proactive about security and to incorporate security best practices into their regular workflow.