Cybersecurity 2025

AUSTRALIA Law and Practice Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis

aged to voluntarily report cybersecurity incidents. Any impacted entity carrying on a business in Australia or otherwise a responsible entity for critical infrastructure is now being statutorily encouraged to make voluntary reports to the NCS Coordinator under the Cyber Security Act, even where it is unclear if an incident is a cybersecurity incident.

Other Mandatory Reporting Obligations

Other reporting obligations under the SOCI Act for critical infrastructure assets include:

• taking reasonable steps to notify a third-party entity if that third party is processing or storing “business critical data” on a commercial basis;
• an ongoing obligation on a “reporting entity” to report a “notifiable event” in relation to an asset usually within 30 days after the event occurs, which relates to changes in the operational information and interest/control information in relation to “director interest holders”, or the status of an entity as a reporting entity; and
• reporting if a hazard had significant relevant impacts on a critical infrastructure asset.

See additionally relevant obligations in 6.1 Cybersecurity and Data Protection.

Criminal Offences

Related to infrastructure, Part 10.6 of the Criminal Code places obligations on providers of content or hosting services to notify the AFP as to the existence of material displaying “abhorrent violent conduct” (if occurring in Australia) and, in any event, to expeditiously remove or cease to host such material.

2.4 State Responsibilities and Obligations

The Australian government considers “the responsibility for ensuring the continuity of operations and the provision of essential services to the Australian economy and community” as being shared “between owners and operators of critical infrastructure, state and territory governments and the Australian Government”.

Generally speaking, government bodies may also be captured within the scope of legislative regimes such as the Privacy Act, and therefore have the same (or similar) obligations as their private-sphere counterparts. However, the SOCI Act does not apply to the Commonwealth or a body corporate established under Commonwealth law unless so declared or prescribed.

The Australian government is responsible for the “final defence” of Australian infrastructure and cybersecurity. To this end, the SOCI Act grants the Minister last resort “government assistance measures” and powers where a cybersecurity incident relates to a declared national emergency, or else where there is a material risk that a cybersecurity incident has, is or will likely seriously prejudice Australia’s social or economic stability, defence or national security. These include the heavily circumscribed Ministerial power to request an authorised agency to intervene in relation to computer-related activities where an entity is unwilling or unable to respond to an incident.

Additionally, the Cyber Incident Review Board (CIRB) has been established as an independent statutory advisory body responsible for conducting no-fault, post-incident reviews of significant cybersecurity incidents in Australia. The CIRB post-review report will contain recommendations to government and industry about actions
