Commercial Law
Is it in the commercial interests of companies to cooperate with the federal government to prevent cyber-attacks?
In late November, the federal defence minister, Richard Marles, floated the idea of introducing a legally binding exemption from punitive government litigation if a company self-reports to the Australian Signals Directorate (the national signals intelligence agency) and asks them to help.
The aim would be to drive more effective collaboration between the private sector and the directorate in dealing with cyber-attacks, resolving them faster or preventing them altogether.
But the plan risks undermining the government’s attempts to crack down on corporations that don’t do enough to keep their clients’ data safe.
Business reluctant to work with government on cyber-security.
The government says it’s struggling to overcome resistance by many Australian companies facing a cyber-attack to work with the directorate to help defeat intrusions.
Companies are often reluctant to suffer the potential reputation damage if news of the breach leaks out.
They also fear exposing themselves to government fines or customer litigation of the sort being pursued by victims of data breaches at Medibank and Optus.
On the government side, the Australian Signals Directorate has complained their efforts to help companies under attack are being hampered by lawyers concerned mostly with minimising the risk of the company being sued in the future.
The government concept of a ‘safe harbour’
The safe harbour principle is an exemption that can be granted for actions that might otherwise break the law if there’s a larger public good at play.
This is used in other areas of regulation, such as bankruptcy law and tax law. It provides legal protections for administrators or accountants who must take on risky business decisions in order to do their jobs.
Richard Marles claimed a safe harbour regime for self-reporting companies affected by a cyber-attack would do two main things:
- Firstly, it would deliver the world-class capabilities of the Australian Signals Directorate to the affected company.
- Secondly, it would help drive trust between the government and reticent private sector businesses.
The government has proposed that complying with the cyber safe harbour requirements would shield companies from further legal action by the government.
In its cyber security strategy the government committed to consultations with industry on a legislated measure to help build the sort of trust outlined in Marles’ discussion of safe harbour.
But we don’t have any other detail about how this version of safe harbour law would work.
And for most corporations, the government may be the least of their worries in cases of large-scale data breaches or breaches of sensitive intellectual property information.
They will be concerned about the reputational damage first and foremost.
For listed companies, this can lead to a sustained drop in share price and open a pathway to costly lawsuits from seriously affected clients or business partners. Safe harbour laws don’t do much to help with that.
Could safe harbour’ laws work in practice?
In cyber security, the concept of safe harbour is complicated and fraught with definitional and regulatory challenges.
Such laws for cyber security are used in several US states mainly for promoting stronger compliance with industry standards. This is done by promising companies a degree of protection from various types of litigation if they are certified by the government to be reasonably compliant with the standards.
An Australian study throws some doubt on the value of that process.
The research shows such standards are seen as a low bar, or even inappropriate in some situations.
Technology always moves more quickly than standards. For example, in May 2023 an intergovernmental working group found the security standards for 5G were “incomplete” and did not cover all security requirements. Australia has been using 5G technology since 2019.
The safe harbour laws may also be too weak to achieve what they set out to do.
A US study warns a safe harbour law for the US health sector “only offers some protection in certain circumstances”.
Forgiveness vs Punishment
The new Australian safe harbour proposal may also serve to undermine the mission of the home affairs minister, Clare O’Neil.
She has staked much on the need to punish corporations who may have acted irresponsibly in allowing serious data breaches.
Corporations will remember her statement in September 2022 that fines of hundreds of millions of dollars for large privacy breaches might be more appropriate than the existing cap of $2.2 million.
By December, new legislation imposing penalties up to $50 million had come into force.
The moves were designed in part to dampen community outrage over the data breaches.
But the safe harbour idea might increase the consumer concerns O’Neil has been working to allay.
Not all cyber-attacks involve a risk of exposing large amounts of personal data, so there would be instances where the safe harbour option would not affect a person’s rights to seek redress.
But by its very nature, the proposal will impact the rights of businesses and consumers to know if they have suffered damage or loss from a cyber-attack.
The government has a moral obligation to inform victims of cyber-crime.
At a time of escalating cyber uncertainties, increasing ransomware attacks, and stepped up Russian and Chinese cyber-attacks, the safe harbour proposal will need careful consideration.
The government will want to avoid antagonising public sentiment by limiting the rights of consumers.
So, a solution that promises protection only against government litigation, but not civil litigation, may not be worth the political balancing act.
For more information and expert advice to ensure that your business sale or purchase goes smoothly, ask to speak to a lawyer at Ezra Legal on (08) 8231 6100 or email reception@ezralegal.com.au
For information on the range of commercial legal services that we provide at Ezra Legal, head to:
Julian Roffe
Practice Manager
Ezra Legal