November has already been a busy month for Australian cyber developments, with some important judgments, OAIC actions and media releases published.
We will provide a more comprehensive analysis of the below and other recent developments in our upcoming Cyber + Technology Bulletin.
OAIC takes legal action against Australian Clinical Labs for data breach delay
The OAIC commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs (ACL), following an investigation into ACL’s privacy practices which arose as a result of a data breach suffered by ACL in February 2022. This is the first time that proceedings have been commenced for, amongst other things, delay in notification arising from a data breach.
Court rules against legal privilege for Optus in cyber-attack forensic report
The issue of legal privilege over the forensic investigation report Optus obtained from Deloitte relating to the September 2022 cyber-attack came before the courts: see the judgment in Robertson v Singtel Optus Pty Ltd  FCA 1392. While Beach J did not find that mere reference to the report in press releases by Optus would have resulted in a waiver of legal privilege, the issue was rather that the report was never privileged to begin with because the evidence did not establish the dominant purpose was for the provision of legal advice. In his judgment, His Honour was critical of what he characterised as “endeavours to cloak the Deloitte review with legal professional privilege” after work had already commenced.
New cybersecurity measures: Australian organisations mandated to report ransom demands and payments
Ahead of the release of the Government’s new cybersecurity strategy, Home Affairs Minister Clare O’Neil announced that it will become mandatory for Australian organisations to report ransom demands and payments to the Australian Government to assist the Government with tackling the growing threat of ransomware in the country: “You can’t fix a problem, though, that you can’t see, and today this problem is hidden from us. We’re going to require for the first time Australians to report and to make clear to government when ransomware demands are made and when payments are made, to start the process of making sure that we can properly tackle this problem together as a country.”
ASIC cyber pulse survey reveals critical gaps in corporate Australia’s cybersecurity preparedness
On 13 November, ASIC released the results of its recent cyber pulse survey into the cyber capabilities of corporate Australia. The survey identified significant cyber gaps, in particular that many organisations are still being reactive rather than proactive when managing their cybersecurity, as well as a lack of sufficient control and oversight over third party or supply chain risks (giving threat actors easy access to organisations’ systems and networks).