A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 30 September 2022
Optus (a SingTel subsidiary, and Australia’s #2 telco) suffered a highly publicised cyberattack in late September, which has reportedly resulted in the disclosure of personal data belonging to millions of current and former customers, including driver’s licence and passport numbers.
As would be expected, a breach of this magnitude by a company of this prominence is likely to trigger significant changes, both to the law and the approach and tolerance of regulators. The Home Affairs minister has indicated the government will make material changes to privacy measures and penalties to apply following cyber security incidents. Among these is a proposed requirement for banks and other institutions to be informed earlier of the occurrence of data breaches in order to prevent compromised personal data being used to access bank accounts and to allow for monitoring of customers’ accounts. The government has also flagged the introduction of significant fines for data breaches of this type to mirror fines available under overseas regimes.
While the extent and applicability of regulatory measures is yet to be determined, changes to the federal Privacy Act have been flagged since 2019 and have remained on the back burner.
In August 2020, Australia’s corporate regulator the Australian Securities and Investments Commission (ASIC) commenced proceedings against RI Advice for alleged breaches of its obligations as an Australian financial services licensee under section 912A of the Corporations Act 2001 (Cth) following numerous cyber incidents.
ASIC and RI Advice reached an agreed settlement earlier this year. On 5 May 2022, the Federal Court made declarations of contraventions and ordered RI Advice to conduct a cybersecurity audit and contribute $750,000 towards ASIC’s costs.
While this is the first time ASIC has used its powers to enforce licensing obligations in a cyber context, it is not necessarily a watershed moment. These proceedings involved unusual circumstances, as RI Advice had experienced multiple cyber incidents over time.
The recent decision in Inchcape Australia Limited v Chubb Insurance Australia Limited  FCCA 883 (under appeal) shows the importance of insureds purchasing cyber-specific cover.
Inchcape, a large car retailer, was targeted by a ransomware attack, and instead looked to claim its recovery costs under its Chubb electronic and computer crime insurance policy (designed to cover fraudulent payments). The policy was found to be triggered for some but not all costs. A key issue was whether the costs Inchcape incurred were ‘direct’ financial losses resulting from damage or destruction of data within the terms of the policy.
The Court found that the terms of the crime policy, when read together, meant any costs that involved the intervening step of Inchcape deciding to incur that cost were not direct enough so as to fall for cover. The scope of cover was limited to those costs every insured would necessarily and inevitably incur as a result of damaged data and no more (which in this case was essentially limited to the cost of replacing certain physical media and data stored on it).
As ransomware and related cybercrime has established itself as one of Australia’s fastest growing security threats, there has been a corresponding increase in claims against IT professionals (and other service providers). In particular, liability risks for managed service providers (MSPs) and cloud service providers (CSPs) have become significantly heightened, as the nature of the businesses makes them, and subsequently their customers, prime targets for cybercriminals.
The Security of Critical Infrastructure Act 2018 (Cth) established positive cybersecurity obligations for 11 Australian critical infrastructure industry sectors. From 8 July 2022, owners/operators of critical infrastructure assets have been required to report cybersecurity incidents to the Australian Cyber Security Centre (ACSC), significantly increasing regulatory complexity around reporting cyber incidents and data breaches (as the table overleaf indicates).
On 12 August 2022, the Federal Court ordered Google to pay $60m in damages for engaging in misleading and deceptive conduct regarding the collection of android mobile users’ location data.
Google’s infringing conduct essentially arose due to inconsistency between what users would have understood about the collection/use of location data from turning their ‘location history’ setting off, and the effect of other settings. Rather than clearly stating that location data might still be collected, Google’s android users would have had to ‘click through’ to other information to understand this.
London - Walbrook
+44 (0)20 7894 6930
+44 (0) 20 7894 6925
+44 (0)20 7894 6098
Eleanor Ludlam, Pavan Trivedi
Patrick Hill, Hans Allnutt, Eleanor Ludlam
Jade Kowalski, Charlotte Halford, Christopher Air, Sophie Devlin, Eleanor Ludlam, Rebecca Morgan
Patrick Hill, Sonali Malhotra
Hans Allnutt, Pavan Trivedi
Sophie Devlin, Shanaka Wijetunge
Eleanor Ludlam, Astrid Hardy
Christopher Air, Alexander Dimitrov
Aidan Healy, Charlotte Burke
Eleanor Ludlam, Alexander Dimitrov
Eleanor Ludlam, Sonali Malhotra
Hans Allnutt, Patrick Hill, Eleanor Ludlam