Australia’s business, privacy and cybersecurity regulators are getting serious about rebooting their compliance programs, launching a series of public outreach efforts from bodies including the OAIC, ASIC and the Department of Home Affairs.
Home Affairs, for one, took the unusual step of calling for public submissions on the structure of the 2020 Cyber Security Strategy, which will update the 2016 strategy that dramatically changed the cybersecurity interfaces between government, business and the public.
The government has completed 25 of the 33 action items set out in the 2016 strategy, with another 5 marked as ‘ongoing’, Home Affairs reported in a discussion paper outlining the terms of the new engagement.
“It is crucial that Government, at all levels, are exemplars in how they bake cyber security into everything they do,” Macquarie Government managing director Aidan Tudehope said in the wake of the announcement.
“Innovation without the strongest cyber security underpinnings is a train crash waiting to happen. Government needs to know where citizen data resides and whether 24x7 global support models mean unknown individuals have privileged access to government systems.”
A series of public forums will run through the end of October, starting in Sydney (18 September) and progressing through all eight capital cities. Submissions are being accepted until 1 November. Home Affairs is even maintaining a Twitter channel to focus the conversation.
Home Affairs isn’t the only agency reshaping privacy and cybersecurity policy around consumers: the Office of the Australian Information Commissioner (OAIC), for its part, is pivoting to a new operational mode under new commissioner Angelene Falk, who is overhauling its functions in the run-up to the Consumer Data Right (CDR) go-live next February.
“While our core purpose – to promote and uphold privacy and information access rights – remains constant, the environment in which we regulate has undergone significant change,” she wrote in introducing the agency’s Corporate Plan 2019-20.
In an environment marked by the increasing value, volume and complexity of business and government data and data management, she said, the agency “will achieve this vision by strengthening online privacy protections, influencing and upholding privacy and information rights frameworks, and supporting proactive provision of information by government.”
Deliverables in the coming year include development of a binding code of privacy protection for online platforms; engaging with business and government to ensure they have processes, systems and procedures “to build privacy into their practices by design and default”; supporting participants and consumers through the transition to the CDR; and working with the Attorney-General’s Department to implement the APEC Cross-Border Privacy Rules (CBPR) system, a regional privacy and trust framework built around certification of organisations’ privacy practices.
The OAIC will also build on the experience of the Notifiable Data Breaches (NDB) scheme, which in its past 18 months of operation has provided “clear evidence of the causes of breaches,” Falk wrote, “with compromised credentials and the human element featuring strongly.”
“We will drive a strategy to educate individuals on how to prevent breaches, and focus on regulating entities to uplift their security posture, particularly in the finance and health sectors.”
Also working to improve the security posture of the finance sector is the Australian Securities and Investments Commission (ASIC), which built its Corporate Plan 2019-2023 around creating “a more robust enforcement posture to deter, punish and publicly denounce misconduct.”
That philosophy had already lifted enforcement actions by 20 percent as of the end of June. Going forward, ASIC’s ramped-up enforcement posture is guided by a ‘why not litigate?’ operational discipline that “addresses the community expectation that unlawful conduct should be punished and publicly denounced through the courts.”
The approach will be backed by increased government funding and will tighten the constraints on corporate operations in a host of areas. In this context, the plan says, cybersecurity threats are “a major concern for both businesses and regulators” because they can not only drive data breaches but also disrupt critical operational systems and facilitate attacks on the broader national financial system.
ASIC will “mitigate the potential harms of technological change by… identifying and addressing technology, security and operational failures that result in harmful outcomes for consumers, investors and markets, or expose them to fraud,” the strategy said.
Concrete actions planned under that heading include reviewing the risk controls of market intermediaries and implementing new market integrity rules on technology and operational resilience.