Showing posts with label Data Breach.

03 January 2026

Security

The NSW Auditor General December 2025 report on Cyber security in Local Health Districts states 

NSW Health is not effectively managing cyber security risks to clinical systems that support healthcare delivery in Local Health Districts. In addition, Local Health Districts have not met the minimum NSW Government cyber security requirements that have been outlined in NSW Cyber Security Policy since 2019. Local Health Districts are not adequately prepared to respond effectively to cyber security incidents. Systemic non-compliance with NSW Government cyber security requirements, including maintaining adequate cyber security response plans, business continuity planning and disaster recovery for cyber security incidents, means that Local Health Districts could not demonstrate that they are prepared for, or resilient to, cyber threats. This exposes the risk that a preventable cyber security incident could disrupt access to healthcare services and compromise the security of sensitive patient information. eHealth NSW has not clearly defined or communicated its roles and the expected roles of Local Health Districts regarding cyber security. This has led to confusion amongst Local Health Districts on the cyber security risks they manage, including for crown jewel assets (the ICT assets regarded as valuable or operationally vital for service delivery), and identifying and mitigating critical vulnerabilities, threats and risks. Local Health District management of cyber security is hampered by a lack of support, coordination and oversight from eHealth NSW in cyber security matters.

The report states 

 The New South Wales (NSW) public health system includes more than 220 public hospitals, community and other public health services. 15 Local Health Districts across NSW administer the hospitals and other health services. eHealth NSW was established in 2014 to provide statewide leadership on the planning, implementation and support of information communication technologies (ICT) and digital capabilities across NSW Health. Health service delivery is increasingly reliant on digital systems, which in turn requires the effective management of cyber security risks. Cyber attacks can harm health service delivery and may include the theft of information, breaches of private health information, denial of access to critical technology or even the hijacking of systems for profit or malicious intent. These outcomes can adversely affect the community and damage trust in government. 

Audit objective 

This audit assessed whether NSW Health is effectively safeguarding clinical systems, required to support healthcare delivery in Local Health Districts, from cyber threats. The audit assessed this with the following questions:

• Do relevant NSW Health organisations effectively manage cyber security risks to clinical systems?

• Do relevant NSW Health organisations effectively respond to cyber attacks that affect the clinical systems that are essential for service delivery?

To focus the audit, 4 of the 15 Local Health Districts were selected for audit. These districts are referred to as ‘the audited Local Health Districts’ throughout this report. The audit further focused on one facility in each of the audited Local Health Districts that provided a common type of healthcare service. The names of the audited Local Health Districts, selected facilities and healthcare services are not disclosed.

Conclusion 

NSW Health is not effectively managing cyber security risks to clinical systems that support healthcare delivery in Local Health Districts. In addition, Local Health Districts have not met the minimum NSW Government cyber security requirements that have been outlined in NSW Cyber Security Policy since 2019. Local Health Districts are not adequately prepared to respond effectively to cyber security incidents. Systemic non-compliance with NSW Government cyber security requirements, including maintaining adequate cyber security response plans, business continuity planning and disaster recovery for cyber security incidents, means that Local Health Districts could not demonstrate that they are prepared for, or resilient to, cyber threats. This exposes the risk that a preventable cyber security incident could disrupt access to healthcare services and compromise the security of sensitive patient information. eHealth NSW has not clearly defined or communicated its roles and the expected roles of Local Health Districts regarding cyber security. This has led to confusion amongst Local Health Districts on the cyber security risks they manage, including for crown jewel assets (the ICT assets regarded as valuable or operationally vital for service delivery), and identifying and mitigating critical vulnerabilities, threats and risks. Local Health District management of cyber security is hampered by a lack of support, coordination and oversight from eHealth NSW in cyber security matters.

Key findings are 

  Local Health Districts do not manage cyber security risks effectively 

Local Health Districts generate, use and maintain large volumes of sensitive personal and health information about patients. The NSW Cyber Security Policy sets out an expectation that cyber security efforts are commensurate with the potential effect of a successful cyber breach. Under NSW Health policy, Local Health Districts, in collaboration with eHealth NSW, are responsible for managing cyber security and resourcing a fit-for-purpose cyber security function. The current NSW Cyber Security Policy 2023–2024 recognises that agencies providing critical or high-risk services, such as Local Health Districts, should implement a wider range of controls and aim for broader coverage and effective implementation of additional controls. However, the audited Local Health Districts have not complied with the minimum requirements of the NSW Cyber Security Policy since it was introduced in 2019. None of the four districts had effective cyber security plans. Local Health Districts that do not have effective cyber security plans cannot articulate their approach to managing cyber security risks and are not adequately prepared to respond to and manage cyber security risks and incidents. 

Local Health Districts do not have plans and processes in place to respond effectively to a cyber attack 

None of the audited Local Health Districts had effective cyber security response plans. Nor did Local Health District business continuity plans and disaster recovery plans consider cyber security risks. Local Health Districts that do not have effective cyber security response, disaster recovery or business continuity plans that include considerations of cyber security, may not be able to safeguard clinical systems against potential cyber security incidents. This may also hamper responses during an incident because roles and responsibilities may not be understood, and actions to address cyber security incidents may not be undertaken as quickly as required, affecting the delivery of services to patients. 

NSW Health has not clearly communicated cyber security roles and responsibilities amongst NSW Health organisations 

eHealth NSW coordinates cyber security matters within NSW Health. However, eHealth NSW has not clearly defined and communicated its roles and the expected roles of Local Health Districts for cyber security. This has led to confusion amongst Local Health Districts on the cyber security risks they manage, including for crown jewel assets (the ICT assets regarded as valuable or operationally vital for service delivery) and identifying and mitigating critical vulnerabilities, threats and risks.

eHealth NSW does not provide Local Health Districts with sufficient support to manage cyber security risks, and Local Health Districts have not applied the tools provided by eHealth NSW to all clinically important systems

eHealth NSW has developed and distributed cyber security frameworks, guidance and training to all Local Health Districts. eHealth NSW has developed whole-of-system tools to meet key requirements of the NSW Cyber Security Policy and improve the effectiveness of Local Health Districts’ cyber security activities. These tools include risk assessment frameworks. However, eHealth NSW has not ensured that its tools have been implemented in Local Health Districts, nor whether Local Health Districts have the capability or capacity to do so. In the audited Local Health Districts, the effectiveness of eHealth’s cyber threat identification tools is hampered by incomplete application to all clinically important ICT assets. This means that critical systems used by Local Health Districts to deliver, or support the delivery of, clinical treatment are not effectively protected from cyber security incidents.

Local Health Districts do not have an effective cyber security culture 

In all audited Local Health Districts, critical cyber security controls are not consistently applied by clinical staff who perceive a tension between the urgency of clinical service delivery and the importance of cyber security policies. This has led to normalisation of non-compliance with cyber security controls. This audit observed clinical staff non-compliance at all audited Local Health Districts with multiple cyber security controls that Local Health Districts had put in place. Despite known systemic non-compliance by clinical staff, the audited Local Health Districts have not assessed the effectiveness of the controls they have put in place, nor have they identified any alternatives that might balance the need for clinical urgency with effective cyber security practice. In addition, they have not considered investing in alternative ICT solutions that better meet the needs of clinical staff while also addressing cyber security concerns. 

NSW Health’s Cyber Security Policy attestation lacks transparency on the level of cyber security capability within the health system 

The NSW Cyber Security Policy requires an agency head to attest to the agency’s compliance with the policy. In 2023, eHealth NSW surveyed all NSW Health organisations, including Local Health Districts, on their self-assessed maturity against the NSW Cyber Security Policy in developing a summary assessment for NSW Health to inform its attestation of NSW Cyber Security Policy compliance. That summary showed that Local Health Districts had immature cyber security controls, including for the Essential Eight controls – the most effective set of controls identified by the Australian Cyber Security Centre. However, in 2024, the survey was not completed, so NSW Health aggregated its assessment of whether NSW Health organisations had met NSW Cyber Security Policy requirements. This audit identified systemic Local Health District non-compliance with NSW Cyber Security Policy. The 2024 attestation therefore obscures the risks that exist in Local Health Districts. If NSW Health continues to attest to Cyber Security Policy compliance in the aggregate, the risk is that neither NSW Health nor Cyber Security NSW fully understand where and what the cyber security risks are across NSW Health organisations. 

Recommendations 

The Ministry of Health should: 

• by October 2025, collate and validate information on compliance with NSW Cyber Security Policy by each entity that reports to or via the Ministry of Health prior to annual attestation

• by December 2025, finalise and communicate cyber security roles and responsibilities within the NSW Health system.

By December 2025, eHealth NSW should: 

• work with the Ministry of Health to develop clear guidance for Local Health Districts on the obligation to manage the need to deliver clinical services while meeting critical cyber security requirements

• determine and apply sufficient resources to support the Privacy and Security Assessment Framework and Cyber Security Risk Assessments in Local Health Districts

• support Local Health Districts to improve cyber security capability by:

  • articulating a whole-of-health cyber security risk appetite statement

  • providing direct assistance to localise centrally developed tools and frameworks

  • ensuring all Local Health District crown jewel assets are monitored by the Health Security Operations Centre.

By December 2025, Local Health Districts should: 

• design and implement a fit-for-purpose cyber security risk management framework incorporating:

  • an enterprise cyber security risk appetite statement, which aligns with the whole-of-health statement

  • complete up-to-date cyber security and cyber security response plans, which are regularly tested and updated

  • investment in establishing and maintaining the Essential Eight cyber controls

  • cyber security controls that identify and address the root causes of non-compliance and balance the need for clinical urgency with effective cyber security

  • consideration of cyber security needs in the implementation of any new clinical systems.

28 September 2023

Privacy Reform: Two cheers and waiting for detail

EM Forster famously offered two cheers for democracy. In the same spirit we might say two cheers for the Government's very uneven response to the Privacy Act Review Report (discussed here) - some recommendations embraced, others merely noted (the policy can being kicked down the road or into the weeds) and much dependent on sighting the detail.

The Review reflected 20 years of recommendations by law reform commissions, scholars and parliamentary committees.

The response states 

 The Government will progress consideration of reforms to Australia’s privacy framework under five key focus areas: 

1. Bring the Privacy Act into the digital age 

Bring the scope and application of the Privacy Act into the digital age by recognising the public interest in protecting privacy and exploring further how best to apply the Act to a broader range of information and entities which handle this personal information. 

2. Uplift protections 

Uplift the protections afforded by the Privacy Act by requiring entities to be accountable for handling individuals’ information within community expectations, and enhancing requirements to keep information secure and destroying it when it is no longer needed. 

Reforms to the Notifiable Data Breaches (NDB) scheme will assist with reducing harms which may result from data breaches and new organisational accountability requirements will encourage entities to incorporate privacy-by-design into their operating processes. 

New specific protections will also apply to high privacy risk activities and more vulnerable groups including children, especially online. 

3. Increase clarity and simplicity for entities and individuals 

Provide entities with greater clarity on how to protect individuals’ privacy, and simplify the obligations that apply to entities which handle personal information on behalf of another entity. The reforms will increase the flexibility of code-making under the Act, reduce inconsistency and improve coherence across different legal frameworks with privacy protections, and simplify requirements for transferring personal information overseas, particularly to those countries with substantially similar privacy laws. 

4. Improve control and transparency for individuals over their personal information 

Provide individuals with greater transparency and control over their information through improved notice and consent mechanisms. 

We will also explore the scope and application of new rights in relation to personal information and increased avenues to seek redress for interferences with privacy, through a direct right of action permitting individuals to apply to the courts for relief for interferences with privacy under the Privacy Act and a new statutory tort for serious invasions of privacy. 

5. Strengthen enforcement 

Increase enforcement powers for the OAIC, expand the scope of orders the court may make in civil penalty proceedings and empower the courts to consider applications for relief made directly by individuals. 

A strategic assessment of the OAIC and further consideration of its resourcing requirements, including investigating the effectiveness of an industry funding model and establishing litigation funds, will enhance the effectiveness of Australia’s privacy regulator.   

Next steps 

The Attorney-General’s Department will lead the next stage of implementation which will involve:

• development of legislative proposals which are ‘agreed’, with further targeted consultation to follow 

• engagement with entities on proposals which are ‘agreed in-principle’ to explore whether and how they could be implemented so as to proportionately balance privacy safeguards with potential other consequences and additional regulatory burden 

• development of a detailed impact analysis, to determine potential compliance costs for regulated entities and other potential economic costs or benefits (including for consumers), and 

• progressing further advice to Government in 2024, including outcomes of further consultation and legislative proposals. 

The Government acknowledges that entities covered by the Privacy Act will require sufficient time to be in a position to comply with new requirements when reforms commence. Consideration will be given to appropriate transition periods as part of the development of legislation as well as appropriate guidance and other supports which could be developed to help entities understand their compliance requirements. 

An impact analysis will be undertaken to more comprehensively determine the costs and benefits for Australians, including consumers as well as businesses and organisations. Given the diversity of entities required to comply with the Privacy Act, the impact analysis will consider the costs to different sectors of the economy and whether particular industries may require additional support to comply with new requirements. It will also facilitate a more detailed understanding of the practical implications for entities in transitioning to meet new obligations. Transition periods will be critical to ensure entities are in a position to comply with new obligations on their commencement. 

The Government’s role in strengthening privacy regulation, enforcing privacy protections and assisting with coordinating responses to significant data breaches must be complemented by Australians’ increased understanding of privacy risks, and improved privacy practices of both individuals and entities. There is also an important role for the Government in conducting its own activities – including its use of data and digital technologies – in an appropriately careful manner. The Government will adopt robust and appropriate privacy and security settings as set out in this response and its Data and Digital Government Strategy. 

Reforming Australia’s privacy framework will complement other reforms being progressed by the Government, including the 2023-2030 Australian Cyber Security Strategy, the Digital ID, the National Strategy for Identity Resilience, and Supporting Responsible AI in Australia. All these initiatives recognise the critical importance of Government working with stakeholders on reforms which will assist entities to manage risks appropriately and enable Australians to safely and securely engage in the digital economy. In progressing privacy reforms, the Government will continue to work closely with all stakeholders to ensure appropriate implementation.

31 May 2023

Reasonable Security

'Locking Down 'Reasonable' Cybersecurity Duty' by Charlotte Tschider in Yale Law & Policy Review comments 

Following a data breach or other cyberattack, the concept of “reasonable” duty, broadly construed, is essential to a plaintiff’s potential causes of action, such as negligence, negligence per se, breach of contract, breach of fiduciary duty, and any number of statutory claims. The impact of an organization’s discretionary choices, such as whether to take specific security steps for a system, may result in potential risk to an individual, another organization, or the organization itself. Although organizations regularly engage in cybersecurity risk analysis, they may not understand what practices will be considered reasonable in a court of law and are therefore unable to anticipate downstream legal issues. Attorneys are likewise unable to confidently advise their clients on how to best avoid liability. This Article examines, in detail, potential sources for reasonably defining duty, and how organizations and attorneys might consider legal duty through the lens of cybersecurity risk management. 

Specifically, I call for a two-part cybersecurity duty analytic model: static, or objective duty informed by industry practices, and dynamic, or subjective duty informed by situational risk. For some doctrinal areas, this may work primarily as an analytic model, while for others, such as negligence, this could be formalized as a test. By offering a model for analyzing what cybersecurity duty ought to be, organizations can adequately understand how potential legal risk might be evaluated in order to implement practices that protect would-be plaintiffs and avoid liability. Moreover, courts can use this model to determine whether organizations have made decisions that avoid real, foreseeable risk to the plaintiff. Indeed, amidst an increasing frequency and diversity of cyberliability claims, legal analysis informed by actual risk analysis ensures that reasonable, rather than perfect, cybersecurity practices can be developed precedentially over time. 

08 November 2022

ID Theft

'Do data breach notification laws reduce medical identity theft? Evidence from consumer complaints data' by Aniket Kesari in (2022) Journal of Empirical Legal Studies comments 

As the number of data breaches in the United States grows each year, cybersecurity has become an increasingly important policy area. The primary mechanism for regulating and deterring data breaches is the “data breach notification law.” Every US state now has such a law that mandates that certain organizations disclose data breaches to their data subjects. Despite the popularity of these laws, there is relatively little evidence about their effectiveness at deterring breaches, and therefore reducing identity theft. Using medical identity theft panel data collected from the Consumer Financial Protection Bureau, this study implements an augmented synthetic control approach to analyze the effect of California's 2016 data breach notification standards on medical identity theft. This approach suggests that medical identity theft reports in California were reduced by 3.5 reports/100,000 people.

19 July 2022

Crookto, Cyber Security and Corporate Responsibility

'Crime and Cryptocurrency in Australian Courts' by Aaron M Lane and Lisanne Adam in Monash University Law Review (Forthcoming) comments 

This article presents the findings of the first empirical study of reported Australian case law involving Bitcoin and other cryptocurrencies between 2009 and 2020. The initial dataset consists of 103 cases, with 59 criminal decisions and 44 other decisions. Focusing on criminal proceedings, the study finds that cryptocurrency has been considered in the context of bail, extradition, restraining orders, trials and sentencing. Significantly, the study finds that the use of cryptocurrency in the commission of an offence is seen by courts as a factor that tends to increase the sophistication or seriousness of the offence – becoming an aggravating factor in sentencing – and leads the court to consider general deterrence above other sentencing purposes.

The authors argue

There is a perception that Bitcoin, and the other cryptocurrencies that followed, are associated with criminal activity. By our count, there are four dimensions to this perception from the literature – which is briefly surveyed here as introductory context for the first study on crime and cryptocurrency in the Australian courts.

First, law enforcement experts claim that Bitcoin is “the currency of choice for cybercriminals” in the commission of ransomware attacks and other forms of theft and extortion in the digital environment. Also in this category, cybercriminals are using cryptocurrency in running fraudulent investment scams. Statistics collected by the Australian Competition and Consumer Commission show that “in 2019, reported losses for cryptocurrency scams exceeded $21.6 million from 1810 reports.” Data reported by Chainalysis puts the global figure at US$7.8 billion. 

Second, cryptocurrencies are used to exchange illegal goods and services from ‘dark web’ online marketplaces, such as Silk Road, which exclusively used Bitcoin for the platform’s illicit transactions. Famously, Silk Road’s founder Ross Ulbricht was convicted in the United States and sentenced to life imprisonment for charges relating to his role in the criminal enterprise. The convictions were upheld on appeal notwithstanding that two federal agents were also charged and sentenced for their conduct in the course of the investigation against Ulbricht, including misappropriating Bitcoin into offshore bank accounts. The Ulbricht saga brought into popular consciousness the fact that cryptocurrencies provided a new payment platform for those seeking to illicitly transact with counterparts across borders, pseudonymously. While estimates vary, the most recent industry analysis reports total illicit cryptocurrency transactions at US$14 billion in 2021 – although this equates to just 0.15% of the total volume of cryptocurrency transactions. 

Third, Bitcoin has been described as a “criminal's laundromat for cleaning money” that has been earned from illicit enterprises. Of course, money laundering is a serious criminal offence in and of itself. Although, initially, the use of Bitcoin and other cryptocurrencies was not subject to the same regulatory constraints as the use of fiat currency. In 2017, the Federal Minister for Justice and Minister Assisting the Prime Minister for Counter-Terrorism asserted that “it is recognised globally that convertible digital currencies, such as bitcoin, pose significant money laundering and terrorism financing risks because they allow people to move money around the world on a peer-to-peer basis without revealing their identity.” On this basis, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (‘AML CTF Act’) was amended to require Australian cryptocurrency exchanges to comply with Anti-Money Laundering and Counter-Terrorism Financing laws under regulator AUSTRAC’s purview. The stated purpose of the amendments was to “deter criminals from using convertible digital currencies to move illicit funds and avoid detection” and “facilitate the collection of transactional information about exchanges in digital currency for use by law enforcement, intelligence and national security agencies”. At the end of February 2022, AUSTRAC had revoked the registration of seven cryptocurrency exchanges, suspended another, and refused to register a further six exchanges.

Fourth, there are concerns that cryptocurrencies could be used for tax evasion. The Australian Taxation Office has provided guidance on various issues surrounding the tax treatment of cryptocurrency. As with money laundering, the pseudonymous, borderless nature of cryptocurrency transactions — combined with Australia’s tax system of self-assessment — means that the task of tax enforcement is more difficult and provides a greater opportunity for tax evasion. Tax evasion is a crime regardless of the underlying legitimacy of the transaction that gave rise to the taxable event. 

As this introduction outlines, it appears that criminal entrepreneurs were among the first to find a use case for cryptocurrencies. It is not surprising, therefore, that law enforcement and regulatory agencies around the world have established digital taskforces focusing on crime and cryptocurrency. Domestically, the Australian Federal Police’s (AFP) Cybercrime Operations Unit and AUSTRAC have primary carriage of these matters among enforcement bodies, in addition to the Australian Cyber Security Centre. State and territory police forces also appear to have developed some capabilities in this area. 

Against this background, it was inevitable that criminal cases involving cryptocurrency would come before the Australian courts. However, there is currently no reported data on criminal cases involving cryptocurrency in Australia. The purpose of this article, therefore, is to investigate in what contexts Bitcoin and other cryptocurrencies have been considered in criminal matters before Australian courts and critically analyse how the use of cryptocurrency has factored into judicial decision making in the context of criminal proceedings. This article will proceed as follows. Section two introduces Bitcoin and cryptocurrencies. Section three explains the study’s methodology and reports the study’s quantitative findings. Section four provides the study’s qualitative findings. Section five will bring the study’s findings into conversation with theoretical perspectives from the law and economics and criminology literatures. Section six concludes.

In Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 - a landmark judgment - the FCA has identified that obligations for Directors under the Australian Financial Services Licence regime include obligations to adequately manage cyber resilience and cybersecurity risks. RI was found to be in breach of the Corporations Act 2001 (Cth).

Rofe J made declarations that RI breached its obligations under s 912A(1)(a) by failing to ensure adequate cybersecurity measures were in place and/or adequately implemented across its Authorised Representatives, and under s 912A(1)(h) by failing to implement adequate cybersecurity and cyber resilience measures, exposing its Authorised Representatives’ clients to an unacceptable level of risk.

Rofe J stated

it is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.

noting 'that the relevant risks and controls deployed to address cybersecurity evolve over time' and that 'as cybersecurity risk management is a technical area, the adequacy of risk management must be informed by people with technical expertise in that area'.

AFS Licence holders are required to identify the risks faced in the course of providing financial services, including in relation to cybersecurity and cyber resilience. The holders must have established documentation, controls and risk management systems that are adequate to manage risk across their network.

The 'reasonable standard of performance' is to be assessed by reference to the reasonable person qualified in that area, not the expectations of the general public.

03 May 2021

Data Breach

'The Data Breach Epidemic: A Modern Legal Analysis' by Laura A Hendee in (2021) 24(1) Journal of Technology Law and Policy comments 

This Note sheds light on the major legal issues surrounding the numerous data breaches that plague our modern technology-driven society. Current laws in the United States vary widely in how they handle the resolution of harm to unsuspecting victims of data breaches. The issue of Article III standing is commonly at the forefront of the conflict and discussion in this area, which has resulted in a substantial circuit split in the United States. The newly enacted California Consumer Privacy Act will likely have a major impact in this area of the law and will undoubtedly influence how consumers’ personal information is handled in the years to come.

'Beyond the Privacy Torts: Reinvigorating a Common Law Approach for Data Breaches' by Alicia Solow-Niederman in (2018) 127 Yale Law Journal Forum 614 comments 

Data breaches continue to roil the headlines, yet regulation and legislation are unlikely to provide a timely solution to protect consumers. Meanwhile, individuals are left, at best, in a state of data insecurity and, at worst, in a compromised economic situation. State common law provides a path forward. Rather than rely on statutory claims or the privacy torts to protect consumer data, this Essay suggests that courts should recognize how contemporary transactions implicate fiduciary-like relationships of trust. By designating what this Essay terms data confidants as a limited form of information fiduciary, courts can reinvigorate the tort of breach of confidence as a remedy for aggrieved consumers.

03 October 2020

Data Breach and EU competition law

'Can competition law protect consumers in cases of a dominant company breach of data protection rules?' by Marija Stojanovic in (2020) European Competition Journal comments 

 This paper focuses on the “burning debate” of whether competition law and data protection could go: “hand in hand”. More accurately, whether a breach of data protection law could be considered a breach of competition law and serve as a tool to define that a dominant company abused its dominant position in digital markets. Notably, the recent preliminary finding in the favour of dual proceedings was brought by Bundeskartellamt in the Facebook case but the “too harsh” decision by the Düsseldorf Higher Regional Court created additional confusion and contradicted Bundeskartellamt’s approach. However, the twist happened this week when the German Federal Supreme Court has ruled in favour of Bundeskartellamt. The position of the author is in favour of the need for dual proceedings. A breach of data protection can be considered a breach of competition rules only if a cogent theory of harm based on solid evidence proves that competition is harmed.

03 August 2020

Genealogy Data Breaches

In March this year Julia Creet commented 

Surprising news recently emerged from the personal genetics business. The two leading direct-to-consumer companies in North America, 23andMe and Ancestry.com, announced within a week of each other that they were laying off a significant proportion of their workforce as a result of a steep drop in sales. This past Christmas, the sales of testing kits were expected to take a sharp hike — nothing says family like a gift that says prove it. But sales plummeted instead.
 
According to Second Measure, a company that analyzes website sales, 23andMe's business plummeted 54 per cent and Ancestry kits sales declined 38 per cent.
 
Industry executives, market watchers and genealogists have all speculated about the causes of the drop in consumer interest. Market saturation? Early adopters tapped out? Limited usefulness? Recession fears? Whatever the theory, everyone seems to agree on one factor: privacy concerns.
 
For observers like me, who have been watching the trends in the industry of family history for years and have repeatedly raised concerns about genetic and family privacy, there's a certain relief that consumers have taken notice.
 
Two third-party uses of genetic genealogy have given consumers pause for thought.
 
One: Almost every database shares information with the pharmaceutical industry. 23andMe was clear from the beginning that its health information would be used by its research partners and asked consumers to consent. But when it started to sign major deals with drug developers in 2015, consumers began to realize that, once again, similar to social sharing platforms, they were the product. A fact not so surprising from a company whose initial investors were from Google and Facebook.
 
Still, as long as testing prices were low and continued to fall, consumers bought the sell. Companies promised consumers they were contributing to a greater good. Medical science could use their genetic information to develop treatments, even if they might never need the drugs (or indeed if any drugs would ever be developed).
 
So even though the companies were profiting from their information, the number of people sending in their spit grew exponentially. Business was going well. Then a second third-party use was revealed and sales started tumbling. ...
 
Shortly after California detectives announced they had used GEDmatch, a public genetic genealogy database, to solve the cold case of a sadistic rapist and killer known as the Golden State Killer, the exponential rate of growth in the industry began to decline. That 2018 case set off a wave of privacy concerns about genetic genealogy and divided people who had already submitted their samples.
 
Almost overnight, a new industry was hatched using genetic genealogy databases to solve cold cases. GEDmatch, the company at the centre of the debate, was caught in the middle.
 
The GEDmatch founders, a couple of genealogists who just wanted to provide a place for genealogists to share DNA results without the privacy restrictions of the testing companies, eventually sold the company after attempting and failing to align its privacy policy with something viable for consumers and the company.
 
Sealing the marriage of genetic genealogy with policing, GEDmatch sold its database to Verogen, a forensics equipment company that services law enforcement. Ironically, Verogen promised it would offer better privacy protections and resist police incursions.

I waited for the excitement and for more fodder for my book on genomic privacy. It wasn't a long wait. 

The NY Times now reports that there have been two substantial data breaches at Verogen's GEDmatch. The Times piece by Heather Murphy notes that nearly two-thirds of GEDmatch's users opt out of helping law enforcement. The breaches left users gifted with numerous new 'relatives', and a million or so users who had opted not to help law enforcement were forced to opt in. The piece states 

GEDmatch, a longstanding family history site containing around 1.4 million people’s genetic information, had experienced a data breach. The peculiar matches were not new uploads but rather the result of two back-to-back hacks, which overrode existing user settings, according to Brett Williams, the chief executive of Verogen, a forensic company that has owned GEDmatch since December. 
 
Though the growth of genealogy sites has slowed slightly in recent years, their use by the police has increased. After the authorities in California used GEDmatch in 2018 to identify a suspect in the decades-long Golden State Killer case, police departments across the country began to dig through their cold case files in the hopes that this new technique could solve old crimes.
 
And GEDmatch was often their preferred site. Unlike the genealogy services Ancestry and 23andMe, which are marketed to people who are new to using DNA to learn about themselves, GEDmatch caters to more advanced researchers. The site appeals to the police because it allows DNA that has been processed elsewhere to be uploaded. Verogen has a long history of working with law enforcement, and the acquisition of GEDmatch further solidified this collaboration.
 
Scientists and genealogists say the GEDmatch breach — which exposed more than a million additional profiles to law enforcement officials — offers an important window into what can go wrong when those responsible for storing genetic information fail to take necessary precautions.
 
In an interview, Mr. Williams said that the first breach occurred early on July 19. After shutting down the site, his team “covered up the vulnerability,” he said, and brought it back online, but only briefly. “On Monday we took the site down again because it was clear the hackers were trying again,” he said.  This time the site remained down for nearly a week. ...
 
Mr. Williams said he had hired an outside security team and contacted the F.B.I. to see if the agency would investigate. The F.B.I. did not respond to a request for comment.
 
All was far from resolved when the site’s settings were restored, said Debbie Kennett, a genealogist in England, who wrote about the breach on her blog. We’re stuck with our DNA for life, she said. “Once it’s out there it’s not like an email address you can change,” she said in an interview. Because of its interconnected nature, she added, when any one person’s genetic information is exposed, the exposed DNA can potentially affect their family members too.
 
That's a point I've made in several publications with Dr Wendy Bonython.

The Times states 

 In a paper published last year, Michael Edge, a professor of biological sciences at the University of Southern California, and fellow researchers warned several genealogy websites that they were vulnerable to data breaches.
 
“Of course, hacks happen to lots of companies, even entities that take security very seriously,” he said. “At the same time, GEDmatch’s, and eventually Verogen’s, response to our paper didn’t inspire much confidence that they were taking it seriously.” Other genealogy websites, he added, seemed more open to the researchers’ recommendations for improving security.
 
For many, the presence of fake users in GEDmatch was as alarming as the breach itself. Genealogists know that they cannot trust names or emails. They also know that a user can easily upload someone else’s genetic profile. But the breach exposed that behind the scenes, hidden by privacy settings, were all kinds of profiles of people who were not even real.
 
The giveaway that the matches were not actual relatives was that their DNA was too good to be true, said Leah Larkin, a biologist who runs DNA Geek, a genealogical research company. People who managed profiles for many clients and relatives repeatedly found that these fake users somehow were displayed as close relatives across the unrelated profiles. Their visible ancestry information reinforced that the matches were impossible and suggested the fake profiles had been designed to trick the site’s search algorithm for some reason.
 
In Dr. Edge’s paper, he warned that it was possible to create fake profiles to identify people with genetic variants associated with Alzheimer’s and other diseases.
 
“If something is just a geeky genealogist messing around, there is no concern,” Dr. Larkin said. But it becomes a problem, she said, if users are trying to find people who all share a particular genetic mutation or trait, as Dr. Edge cautioned. Such information could be abused by insurance companies, pharmaceutical companies or others, she said.
 
The breach also reinforced something that genealogists have been saying for years: Mixing genealogy and law enforcement is messy, even when you try to draw clear lines. Until two years ago, the primary DNA databases that law enforcement used for investigations were maintained by the F.B.I. and the police. That changed with the Golden State Killer case in 2018.
 
As police departments rushed to reinvestigate cold cases, GEDmatch, which at the time was run by two family history hobbyists as a sort of passion project, tried to serve two audiences: genealogists who simply wanted to trace their family tree and law enforcement officials who wanted to know if a murderer or a rapist was hiding in one of its branches. Amid a backlash, GEDmatch changed its policy in May 2019 so that only users who explicitly opted to help law enforcement would show up in police searches. Still, there is little regulation around how the authorities can use GEDmatch and other genealogy databases, so it’s largely up to the companies and their users to police themselves.
 
And as the breach demonstrated, users’ wishes could be quickly overridden.

22 July 2020

Australian Cyber Security Strategy

The Industry Advisory Panel on Australia’s 2020 Cyber Security Strategy appears to be underwhelmed by the Commonwealth government's approach. In its report this week it comments
 Technology now sits at the very heart of the lives of most Australians and increasingly shapes our economy, our society and our future. It is fast changing how we live, learn and work as well as creating incredible new opportunities, efficiencies and benefits - from remote working to digitised global supply chains, from tele-health to e-commerce. The Federal Government is clear-eyed about the opportunities:
“Our Government’s goal is for Australia to be a leading digital economy by 2030. Our degree of success will be critical to income growth and job creation over the next decade and beyond. Our extensive policy agenda encompasses digital access, connectivity, consumer data and competition policy, government service delivery and skills development, trade and global e-commerce governance, as well as the necessary focus on security and privacy concerns.” Prime Minister Scott Morrison BCA annual dinner keynote 21 November 2019
The scope and timing of that ambition is well placed. As we enter the 2020s the world is on the exciting cusp of a fourth industrial revolution driven by connectivity and digital technologies. Artificial intelligence, sensors, autonomous machines and systems, edge compute, augmented reality and 5G will combine to create incredible new products and services, infuse the physical world with digital, revolutionise business operations, elevate human work, and serve customers and citizens in many new ways. 
All of this was true before the emergence of the COVID pandemic which has only further underlined the importance of the digital economy in Australia. In responding to COVID, mandatory social distancing and self-isolation means healthcare, education, work and commerce and even staying in touch with friends and family are largely being done online. Looking beyond this crisis, technology and our ability and willingness to embrace the digital world has now emerged as central to a rapid economic recovery. 
With so much at stake, robust and effective cyber security has never been more important and the 2020 Cyber Security Strategy Industry Advisory Panel welcomed the opportunity to contribute to that outcome. 
Australia’s 2020 Cyber Security Strategy 
The Panel were engaged in late 2019 at a time when the Federal Government were reviewing the progress of the landmark 2016 Cyber Security Strategy. This work led to the establishment of the Joint Cyber Security Centres, creation of cyber.gov.au as a one-stop-shop for cyber security advice and the establishment of key leadership positions including the Ambassador for Cyber Affairs. 
Despite these achievements the Government acknowledged that significant and ongoing changes in the scope, scale and sophistication of cyber threats required an evolution in our approach to cyber security as a nation. Minister for Home Affairs, Peter Dutton, has described how meeting the evolving cyber challenge is key to Australia’s economic prosperity and national security. In September 2019 he said:
“Cyber security has never been more important to Australia’s economic prosperity and national security. In 2016, the Australian Government delivered its landmark Cyber Security Strategy, which invested $230 million to foster a safer internet for all Australians. Despite making strong progress against the goals set in 2016, the threat environment has changed significantly and we need to adapt our approach to improve the security of business and the community.” “Cyber criminals are more abundant and better resourced, state actors have become more sophisticated and emboldened, and more of our economy is connecting online. Cyber security incidents have been estimated to cost Australian businesses up to $29 billion per year and cybercrime affected almost one in three Australian adults in 2018.” 
This escalation in malicious cyber activity has only increased during COVID as we have been forced to work, learn and connect from home, outside of some of our usual security frameworks. We are seeing malicious actors including criminals and state based actors exploiting this opportunity to their own advantage, to the significant risk and detriment of Australian citizens. 
On 30 June 2020, Prime Minister Scott Morrison pointed to the urgency of the issue: “The Federal Government’s top priority is protecting our nation’s economy, national security and sovereignty. Malicious cyber activity undermines that.” Australia’s ability to prosper as a digital economy can be enhanced if we increase our investment in our cyber defences. We must move to comprehensively protect ourselves and our businesses from cybercrime, protect our national infrastructure and improve the security of our institutions – including our democratic electoral processes, which have been the subject of malicious cyber-attack in other parts of the world. It is crucial we act quickly and decisively. 
The 2020 Cyber Security Strategy Industry Advisory Panel was formed in November 2019 and asked to provide advice from an industry perspective on best practices in cyber security and related fields; emerging cyber security trends and threats; key strategic priorities for the 2020 Cyber Security Strategy; significant obstacles and barriers for the delivery of the 2020 Cyber Security Strategy; and the effect of proposed initiatives on different elements of the economy, both domestic and international. 
The Panel met 13 times between November 2019 and July 2020, including two meetings with Minister Dutton and formal briefings, including some classified, from the Department of Home Affairs, the Australian Signals Directorate, the Attorney-General’s Department, the Department of the Treasury, the Australian Competition and Consumer Commission, the then Department of Communications and the Arts, the eSafety Commissioner, the Australian Federal Police, the Australian Security Intelligence Organisation, the Cyber Security Cooperative Research Centre and AustCyber. 
After broad consultation and careful deliberation, the 2020 Cyber Security Strategy Industry Advisory Panel has developed a series of recommendations that we believe strike the right balance between increasing our cyber defences, promoting the development of a digital economy and countering threats to our economy, safety, sovereignty and national security. 
The Panel’s recommendations are structured around a framework with five key pillars:
  • Deterrence: deterring malicious actors from targeting Australia. 
  • Prevention: preventing people and sectors in Australia from being compromised online. 
  • Detection: identifying and responding quickly to cyber security threats. 
  • Resilience: minimising the impact of cyber security incidents. 
  • Investment: investing in essential cyber security enablers.
On deterrence, we recommend that the Government establish clear consequences for those targeting Australia and people living in Australia. A key priority is increasing transparency on Government investigative activity with more frequent attribution and consequences applied where appropriate. Strengthening the Australian Cyber Security Centre’s ability to disrupt cyber criminals by targeting the proceeds of cybercrime derived both domestically and internationally is a priority. 
On prevention, the recommendations include the pursuit of initiatives that make businesses and citizens in Australia harder to compromise online. This includes a clear definition for critical infrastructure and systems of national significance with a view to capturing all essential services and functions in the public and private sectors; consistent, principles-based regulatory requirements to implement reasonable protection against cyber threats for owners and operators of critical infrastructure and systems of national significance; measures to build trust in technology markets through transparency such as product labelling; and the extension of existing legislative and regulatory frameworks relevant in the physical world to the online world. Ultimately cybercrime is just crime, cyber espionage is just espionage and hacktivism is just activism online. 
All levels of Government should take steps to better protect public sector networks from cyber security threats. Government agencies should be required to achieve the same or higher levels of protection as privately-owned critical infrastructure operators. Different levels of government should collaborate to share best practices and lessons learned. Ultimately Governments should be exemplars of cyber security best practice and Australian governments have some way to go in achieving this aspiration. 
On detection, recommendations include that Government establish automated, real-time and bi-directional threat sharing mechanisms between industry and Government, beginning with critical infrastructure sectors. Government should also empower industry to automatically block a greater proportion of known cyber security threats in real-time including initiatives such as ‘cleaner pipes’. 
On resilience, recommendations include the development of proactive mitigation strategies and strengthening of systems essential for end-to-end resilience. Government should strengthen the incident response and victim support options already in place. Speed is key when it comes to recovering from cyber incidents and Government should hold regular large scale and cross-sectoral cyber security incident response exercises to improve the readiness of interdependent critical infrastructure providers and government agencies. 
Resilience includes both the ability to recover from a cyber-attack as well as the redundancy designed-in to systems and processes. In other words, a key factor influencing the ability to recover is the level of redundancy present in systems in the first place. It is important to also call out that a number of recommendations to build resilience relate to the role of the individual, in particular around building cyber awareness. In this regard there is an important distinction between cyber security (which means protecting data and information networks and critical infrastructure functions) and cyber safety (which means protecting users from harmful online content). The fundamental ability to participate safely online is the difference between enjoying the internet’s abundant information resources and opportunities, and being a potential victim of a cybercrime. 
On investment, recommendations support the ongoing development of highly specialised and effective capabilities exemplified by the Australian Cyber Security Centre and the state-based Joint Cyber Security Centres. This existing capability should be substantially increased and enhanced through significant investment and a more integrated governance structure that maintains an industry leadership role. It is going to be a critical enabler to the success of the 2020 Cyber Security Strategy. 
The Panel is also of the view that it is important for Government and industry to continue to invest in cyber skills development and security risk management in Australia. Good enterprise security management includes all aspects of securing people, property and technology. This skills investment is recommended at both a professional and specialist skills level and also more broadly, and should include primary, secondary and tertiary courses (including programs that focus on all aspects of enterprise security risk management, particularly cyber skills uplift). Importantly many of these skills should be built as foundational requirements in science, maths, engineering and technology. Although the cyber skills and awareness of directors on the boards of Australia’s listed companies has been developed in recent years, there is opportunity for further development and support. 
Within this framework of 60 recommendations sit 25 high priority and 35 other recommendations that address the full spectrum of cyber security threats – from the ‘routine’ threats that target vulnerable people in Australia every day to sophisticated ‘state actor’ cyber-attacks that threaten our economy, safety, sovereignty and national security. The Panel recommends that threats to critical infrastructure, digital supply chains and systems of national significance should be addressed first. 
State, territory and local governments should also be considered key implementation partners for all elements of the Strategy. We encourage the Australian Government to establish formal mechanisms to ensure ongoing engagement with all levels of government. 
Clear roles and responsibilities 
Cyber threats continue to shift and evolve and, as the threats evolve, so must our response. The recommendations we propose are built around creating robust and adaptable defences as threats emerge and technologies and opportunities change. 
It is important to recognise that effective cyber defences involve more than just investment dollars. Our report highlights that an effective response includes fundamentally organising and governing differently to ensure more efficient and effective use of resources and aligning cyber security imperatives across Australia. This requires clearly defined roles, responsibilities and authorities to be established and the Federal Government’s role in leading and coordinating the national effort is therefore critical. Ultimately the Government is in a unique position with access to information and tools which mean that in particular circumstances it is the appropriate party to lead our cyber defence. This is not only about the Federal Government but effective coordination with other tiers of Government. Government also plays an important role partnering with industry, as well as broadening community awareness and skills in adequately addressing cyber issues. 
If Australia’s cyber security is well organised and well governed then the application of all resources - public, private, people, infrastructure and capital investment – will achieve far more efficient and effective results. This was an important learning from the 2016 Cyber Strategy. 
The only way to look at cyber security is as a team. Large enterprises, small and medium businesses and Government all have shared platforms, common customers, and all are the target of attacks. We all therefore play a role, and share an accountability, in keeping Australians safe. 
Implementation 
The 2020 Strategy will be largely measured based on how well it is implemented and whether it meets or exceeds objective and bold metrics. During consultation, some stakeholders viewed implementation of the 2016 Cyber Security Strategy as being limited by regular changes in governance arrangements, lack of clarity about the roles of different government departments and inconsistent public communication. We encourage the Government to create strong governance and evaluation mechanisms around the 2020 Strategy. Data collection and evaluation, based on a maturity framework, should be afforded a high priority. A standing industry advisory panel could be established to advise the Minister for Home Affairs on cyber security matters and implementation of the 2020 Strategy on an ongoing basis strengthening the important link between Government and industry. Such a panel should have appropriate representation from across business, academia and the community. State and territory governments should be closely involved in implementation of the Strategy. It would be appropriate for state and territories to be represented on the public service committee responsible for implementing the Strategy. 
Never a more important time 
The Australian Government deserves real credit for the leadership it has shown on cyber security, including through the development of Australia’s 2020 Cyber Security Strategy and the announcement of a $1.35 billion investment (Cyber Enhanced Situational Awareness and Response package) over the next 10 years which will support a number of the key recommendations set out in this report. With robust cyber security critical for our economic prosperity, international competitiveness and national security, this work will only become more important as Australia continues to digitise in the future. The Chair of the Panel, Andy Penn, describes the opportunity and the challenge ahead:
“The beginning of the 2020s has been marked by a period of profound disruption for Australia with the devastating bushfires and the COVID virus. At the same time and as we progress further into the decade we will also experience an extraordinary new era of technology innovation. As an optimist I am convinced we will adapt and technology will help to solve some of society’s biggest challenges and realise some of its biggest opportunities. But at the same time, this period of working and studying from home and the accelerated trend to a digital economy are exposing us to a more vulnerable environment of cyber threats. We are seeing increased levels of malicious cyber activity both state based and criminal. Successfully meeting this challenge requires upgrading Australia’s cyber defences to be strong, adaptive and built around a strategic framework that is coordinated, integrated and capable. The 2020 Cyber Security Strategy has an opportunity to be all of those things and provide an enormous – and never more important - contribution to a safer, more prosperous Australia.”
The Panel appreciate the opportunity to have worked with the Australian Government to build Australia’s cyber defences through the 2020 Cyber Security Strategy and look forward to the key initiatives emanating from this work - they could not arrive at a more important time. 
List of Recommendations 
Objective 1: There are clear consequences for targeting Australians 
In considering how Australia can increase the consequences of malicious cyber activity for nation states and cyber criminals, the 2020 Cyber Security Strategy should as an immediate priority:
1 Target the growing volume of cybercrime by increasing operational-level cooperation with states, territories, and international partners leveraging the Australian Cyber Security Centre and Joint Cyber Security Centres. 
2 Increase the Australian Cyber Security Centre’s ability to disrupt cyber criminals on the Dark Web and to target the proceeds of cybercrime. 
3 Leverage existing cybercrime awareness raising campaigns to better inform businesses and individuals about new and emerging cybercrime threats to them. 
4 Hold malicious actors accountable via enhanced law enforcement, diplomatic means, and economic sanctions or otherwise as appropriate. 
5 Work with industry to better inform threat visibility and Government attribution activities where appropriate. 
6 The Australian Government should openly describe and advocate the actions it may take in response to a serious cyber security incident to deter malicious cyber actors from targeting Australia. 
7 Promote international law and continue to embed norms of responsible state behaviour online, in particular those that relate to the protection of critical infrastructure serving the public and deterring malicious cyber activity including intellectual property theft and ransomware attacks.
Objective 2: Cyber risks are owned by those best placed to manage them 
In considering how Australia can improve cyber security risk management across the economy and for critical infrastructure, the 2020 Cyber Security Strategy should as an immediate priority:
8 Review the Australian Government’s definition for critical infrastructure with a view to capturing all essential systems and functions in the public and private sectors and supply chains, including digital infrastructure such as data centres, that address all systems of national significance. 
9 Introduce consistent, principles-based requirements to implement reasonable protection against cyber threats (where needed) for owners and operators of critical infrastructure (regardless of whether owned or operated by Government or private), with measurement based on a fit-for-purpose cyber maturity-based framework. In alignment with international best practice, this should leverage rather than duplicate existing sectoral regulations and minimise regulatory burden.
 We further recommend that the 2020 Cyber Security Strategy should:
10 Review Australia’s legislative environment for cyber security to ensure that suppliers of digital products and services have appropriate obligations to protect their customers.  
11 Strongly encourage major vendors to sign-up to a voluntary ‘secure by design’ charter to leverage international best practice. 
Objective 3: Australians practise safe behaviours at home and at work 
In considering how Australia can reduce human risk factors in cyber security, the 2020 Cyber Security Strategy should as an immediate priority:
12 Unify all Government messaging on online safety and cyber security awareness raising, noting that existing campaigns run by different Government agencies share a common audience who do not distinguish between different online issues. Government should speak with one voice. Campaigns should be age and sector appropriate. 
13 Increase assistance to small and medium businesses and the community through cyber security toolkits, trusted advice and practical assistance.
14 Partner with industry to increase the scale, reach and impact/effectiveness of cyber security awareness raising campaigns, including through co-design and co-funding where appropriate. 
15 Incentivise large businesses to provide cyber security support to small and medium businesses in their supply chain and customer base. 
Objective 4: Government is a cyber security exemplar 
In considering how the Australian Government can improve trust in the cyber security of its own systems and networks, the 2020 Cyber Security Strategy should as an immediate priority:
16 Make Australian governments exemplars of enterprise security risk management, including cyber security, physical security and personnel security. 
17 Require Government agencies providing essential services to meet the same cyber security standards as privately owned critical infrastructure, with increased accountability and oversight. 
18 Prioritise the decommissioning or hardening of vulnerable legacy systems as part of an accelerated shift towards secure cloud based services.
We further recommend that the 2020 Cyber Security Strategy should:
19 Better coordinate digital procurement decisions across Government, with a view to negotiating best practice outcomes and where appropriate cost savings with common vendors. 
20 Leverage Government procurement processes to improve cyber security through purchasing products and services with higher standards. 
21 Require larger, more capable Government departments to provide cyber security services to smaller agencies on a basis that is uniform, consistent and risk based. 
22 Fund the Australian Cyber Security Centre (ACSC) to continue its rolling program of cyber security improvements (but not audits) for other Australian Government agencies. Given the ACSC essentially provides a second line of defence role in risk management terminology, audit should be undertaken by a separate agency.
Objective 5: Trusted goods, services and supply chains 
In considering how Australia can encourage the development of a digital technology market where security is built-in across the supply chain, the 2020 Cyber Security Strategy should as an immediate priority:
23 Increase investment in cyber security research and development, including basic sciences, and coordinate state and territory-led research and development at the national level. This will enable Government to maximise economic opportunities and drive national security outcomes. 
24 Work with industry to increase Australia’s role in shaping international cyber security standards. 
25 Work with industry and likeminded nations to encourage diversity, transparency and competition in digital supply chains.
We further recommend that the 2020 Cyber Security Strategy should:
26 Develop a program to identify and assess emerging threats and emerging technologies that could introduce new vulnerabilities leveraging Australia’s global leadership in policy development related to cyber risks. The CSIRO and Defence Science and Technology are two existing national agencies that could be leveraged to support the development of this program. 
27 Obtain industry consensus around what cyber security standards should be used in Australia and accelerate the adoption of these standards to ensure digital products and services are ‘secure by design’. 
28 Require increased recognition and adoption of specific cyber security standards in Australia. 
29 Implement a dynamic accreditation or mandatory cyber security labelling scheme so that consumers can make informed choices about their own cyber security (recognising that accreditations and product labelling will need to take account of changes in technology). 
30 Work with the emerging cyber insurance industry to improve access to reliable actuarial data and develop best practice approaches to nudging the cyber security hygiene of policy holders. 
31 Build transparency into critical and emerging technology supply chains to enable consumers to trust the cyber security of their devices. 
32 Consider mandatory requirements or certification of supply chains for software and hardware supporting critical infrastructure.
Objective 6: Comprehensive situational awareness enables action 
In considering how the Government and industry can improve the timeliness and quality of threat information sharing to better anticipate and respond to threats, the 2020 Cyber Security Strategy should as an immediate priority:
33 Establish automated, real-time and bi-directional threat sharing mechanisms between Government and industry, beginning with critical infrastructure sectors.
We further recommend that the 2020 Cyber Security Strategy should:
35 Consider the development of ‘safe harbour’ legislative provisions that give industry certainty about the information it can voluntarily share with other organisations to prevent or respond to cyber security threats. 
36 Resume the publication of annual reports on the state of cyber security threats to Australia.
Objective 7: Effective incident response options and victim support 
In considering how Government and industry can create and sustain a high level of preparedness for incidents and improve support to victims, the 2020 Cyber Security Strategy should as an immediate priority:
34 Empower industry to automatically block a greater proportion of known cyber security threats in real-time, including by providing legislative certainty. 
37 Map in partnership with industry, the resilience of critical infrastructure networks, with a view to increasing maturity levels over time. 
38 Identify and assess in partnership with industry interdependencies, single points of failure and consolidation risk to enable better understanding of cyber risk. 
39 Work with industry to agree a unique set of circumstances in relation to critical infrastructure and systems of national significance where it would be necessary for Government to provide reasonable assistance to Australian businesses during a cyber security emergency, and define suitable oversight and thresholds for action. 
40 Provide additional funding to not-for-profit organisations that support victims of cybercrime and communicate their role and existence to the community.
We further recommend that the 2020 Cyber Security Strategy should:
41 Hold a large scale and cross-sectoral cyber security incident response exercise at least every two years to improve national coordination and incident response readiness of interdependent critical infrastructure providers and government agencies. Exercises should include links to international activities where appropriate. 
42 Include industry in Australia’s formal incident response plans by amending the national Cyber Incident Management Arrangements.
Enabler 1: The Australian Signals Directorate’s Joint Cyber Security Centres (JCSCs) 
Recognising the JCSCs are the local offices of the Australian Cyber Security Centre, the 2020 Cyber Security Strategy should as an immediate priority:
43 Establish a national board chaired by ASD (with industry co-chair) and including industry representation to strengthen the strategic leadership of the Joint Cyber Security Centres, underpinned by a charter outlining the JCSCs’ scope and deliverables. 
44 Fund ASD to provide enhanced technical and consulting cyber services to industry through the JCSC Program, including a greater focus on information sharing. 
We further recommend that the 2020 Cyber Security Strategy should:
45 Create a staff exchange program between the ACSC, academia and industry to enable cross-sectoral collaboration and information sharing. The CSIRO and Defence Science and Technology could be leveraged to support the engagement between academia and industry. 
46 Dedicate additional JCSC resources to engage with local governments.
Enabler 2: Cyber security skills 
In considering how Government, industry and academia improve risk postures by strengthening the pipeline of skilled cyber security professionals, the 2020 Cyber Security Strategy should:
47 Position the Australian Government to take a national leadership role in addressing Australia’s cyber security skills shortage. 
48 Work with professional bodies and academia to include cyber security education in adjunct technical fields such as engineering and data science and extend cyber skills training to company directors. 
49 Consider creating an internationally aligned accreditation scheme to recognise the skills, experience and qualifications of cyber security professionals in both technical and management roles. This should include mapping the equivalency of existing qualifications. 
50 Adopt a national framework that defines the roles that make up the cyber security profession. Use this framework to develop a national workforce planning program for the cyber security profession. 
51 Consider additional incentives to attract and retain Government cyber security specialists. 
52 Strengthen voluntary professional accreditation of university cyber security courses, to provide greater assurance to students and employers that courses are meeting contemporary industry demands. 
53 Develop targeted cyber security programs in primary and high school to inspire young people to take up a career in cyber security, and build foundational skills in science, maths, engineering and technology. 
54 Undertake a regular survey across Government and business to better understand the size of cyber security skills shortage in Australia and evaluate new programs under the 2020 Cyber Security Strategy. 
Enabler 3: Intelligence and Assessment 
The Panel recognises the importance of intelligence-led efforts to combat malicious cyber activity and acknowledges that this is primarily a matter for Government. The Panel is of the view that successful implementation of the recommendations above relating to Objective 1 (Clear consequences for targeting Australia and Australians), Objective 6 (Comprehensive situational awareness enables action) and Enabler 1 (The Australian Signals Directorate’s Joint Cyber Security Centres) will support Government to enhance the delivery of this enabler. The Panel encourages the Government to be open and transparent about its knowledge of the threat environment wherever possible, including by declassifying information when appropriate, increasing proactive cyber threat briefings to security cleared industry personnel with a need to know, and sponsoring greater numbers of industry representatives to obtain security clearances. 
Enabler 4: Governance 
In considering how Government should manage implementation of the Strategy, including oversight arrangements, ongoing industry consultation and reporting mechanisms, the 2020 Cyber Security Strategy should as an immediate priority:
55 Include state and territory Governments in development, implementation and monitoring of all relevant initiatives under the 2020 Cyber Security Strategy.
We further recommend that the 2020 Cyber Security Strategy should:
56 Appoint an industry advisory panel to advise the Government on cyber security on an ongoing basis, including on the implementation of the 2020 Cyber Security Strategy. The panel should work with the accountable Government agency or department responsible for implementing the Strategy, while reporting to the Minister for Home Affairs. 
57 Task the industry advisory panel to publish an annual progress report on implementation of the 2020 Cyber Security Strategy and emerging cyber security threats and priorities for Australia from an industry perspective. 
Enabler 5: Evidence and Evaluation 
In considering the best practice approaches to evidence collection and evaluation that can inform implementation of the Strategy and future policy making, the 2020 Cyber Security Strategy should:
58 Adopt a maturity model approach to evidence and evaluation. 
59 Invest in improved data collection, research and analysis to underpin evaluation of the performance against the metrics of the 2020 Cyber Security Strategy. This should include periodic surveys of the cyber security maturity of public and private sector organisations. 
60 Publish regular updates on implementation of the 2020 Cyber Security Strategy and periodically review and refresh the Strategy every 2 or 4 years.

12 January 2020

Australian Data Breach Settlement

The settlement of proceedings in Evans v Health Administration Corporation [2019] NSWSC 1781 - important Australian data breach litigation - features the following Confidential Opinion of Counsel -
 In the present case, I had the benefit of a confidential memorandum of advice prepared by Mr Michael Rivette of Counsel (Counsel retained by the plaintiff in these proceedings) in which he expresses the opinion that the Settlement Sum and proposed distributions fall within the range of fair and reasonable outcomes, and that the settlement is in the interests of the Group Members. 
Central to Mr Rivette’s opinion in that regard is that, from information obtained through the issuing of subpoenas, it now appears that the information disseminated was confined to only that information contained in what is defined in the amended statement of claim as “the Coloured List” (that being a document allegedly prepared by or at the instigation of the second defendant in which is recorded the information the subject of the present complaint). 
In particular, Mr Rivette has advised that, although the Coloured List contained personal information as defined under the Privacy and Personal Information Protection Act (and contained what in his opinion was confidential information, being health information), that health information was descriptive of the injury suffered by each individual only, and did not contain any details of medical treatments or medical history. Mr Rivette also attaches significance to the fact that it now appears that the Coloured List was provided by the second defendant only to a single recipient (a lawyer who reported it to police once he suspected that the second defendant might not have had the necessary authority to give him the Coloured List). 
Mr Rivette has pointed in his opinion to the inherent risks in this litigation (noting his instructions that the second defendant is unlikely to have funds to pay any compensation orders), those risks including the following: that it is presently undecided in New South Wales whether an equitable cause of action for breach of confidence will sound in damages or equitable compensation for mental distress falling short of psychiatric illness (as claimed by certain of the Group Members); that the causes of action pleaded for breach of the tort of invasion of privacy depend upon the court accepting that “it should take an incremental step and recognise the existence of the new tort” (as has been the case in New Zealand and the United Kingdom); the fact that, insofar as the second defendant committed criminal offences through conduct that was outside the scope of his engagement/employment, the first defendant may contend that it cannot in these circumstances be held vicariously liable for the second defendant’s actions (especially when the disclosures occurred around twelve months after he had left the first defendant’s employment); and, in relation to the misleading and deceptive conduct claim, that the plaintiff will need to meet the first defendant’s claim that its dealings with its employees are not in trade and commerce, and therefore not covered by either s 18 or s 29 of Schedule 2 of the Australian Consumer Law. 
As to the nature of the information and its dissemination, as noted above Mr Rivette accepts that the information was of a limited nature and its dissemination was limited to one person. The Coloured List contains the following types of information about the individuals there recorded: name; address; date of birth; a short general description of how the injury occurred (for example: manual handling of a patient; twist/bend-no patient; exposure to mental stress factors); and a short general description of the affected body part (for example: back-lower; forearm; psychological system). Mr Rivette is of the opinion that this constitutes personal information as defined in the Privacy and Personal Information Protection Act, health information as defined in the Health Records and Information Privacy Act and confidential information as it contains some health information relating to those individuals; but notes that any health information was generally descriptive only, and in no way detailed as to treatment or prognosis. 
By way of elaboration of the risks inherent in the litigation, Mr Rivette points to the following. 
As to the claim for breach of confidence, he is not aware of any decision in New South Wales in which the equitable cause of action for breach of confidence has sounded in damages or equitable compensation for mental distress falling short of psychiatric illness. He notes that s 38 of the Supreme Court Act 1986 (Vic) (which was relied upon to justify the award of compensation in Giller v Procopets (No 2) (2009) 24 VR 1; [2009] VSCA 72 (Giller v Procopets) per Neave JA), differs from the form of s 68 of the Supreme Court Act 1970 (NSW). It is, however, also noted that (as a matter of principles of precedent), as a decision of an intermediate appellate court, at first instance a court in this jurisdiction (and also the Court of Appeal) should not depart from that decision unless convinced it is plainly wrong (see Farah Constructions Pty Ltd v Say-Dee Pty Ltd (2007) 230 CLR 89; [2007] HCA 22 at [135]). 
As to the causes of action pleaded for breach of the tort of invasion of privacy, it is noted that such a tort has not been recognised in this jurisdiction. 
As to the claim that the first defendant has vicarious liability for the conduct of the second defendant (in addition to the direct claims made against the first defendant as to the second defendant being given direct and unfettered access to the information in question), it is noted that the first defendant will argue that it cannot be held vicariously liable for the second defendant’s actions in circumstances where: the second defendant committed criminal offences; through conduct that was outside the scope of his engagement/employment; and where the disclosures occurred around twelve months after he had left his employment with NSW Ambulance. It is noted that the first defendant will seek to rely on the decision of Director General, Department of Education and Training v MT (2006) 67 NSWLR 237; [2006] NSWCA 270; and that although it is arguable that this decision is distinguishable, it is a defence the first defendant will press and that will need to be met by the plaintiff in relation to the vicarious liability claims. 
As to the Australian Consumer Law claims, it is noted that one argument the plaintiff must meet is that the first defendant’s dealings with its employees are not in trade and commerce, and therefore not covered by either ss 18 or 29 of the Australian Consumer Law. It is noted that although the activities of the first defendant have a commercial component to them (referring to subscription payments or charges for use of ambulances) the argument will be whether the internal relationships are in trade or commerce; and this will be a defence that the plaintiff will need to meet. Mr Rivette notes that in order to determine whether the distribution amounts fall within the appropriate range of what may be considered a fair and reasonable outcome, guidance can be obtained from awards of compensation in different jurisdictions relating to privacy and data breaches. In this regard, it is his opinion that although direct claims for compensation have not been made under either the Privacy and Personal Information Protection Act or the Privacy Act 1988 (Cth), determinations under these Acts still offer guidance as to the appropriate range of compensation for non-economic loss in privacy breach cases.
In relation to compensation for breach of confidence, Mr Rivette draws attention to three cases in which it has been found that breach of confidence will sound in damages or equitable compensation for mental distress falling short of psychiatric illness (which he considers also offer some guidance, albeit as to what can be considered the higher end of compensation for the “most egregious disclosures”). 
The most comparable complaint that Mr Rivette has identified is a complaint determined by the Office of the Australian Information Commissioner (OAIC) in Jo and Comcare [2016] AICmr 64 (Jo and Comcare). It is noted that Comcare was found to have interfered with the complainant’s privacy by disclosing information about workplace injuries at his current employment to his former employer and an insurance company, in breach of Australian Privacy Principle 6. It is noted that, unlike the current proceeding, this was a disclosure made to multiple recipients, which were all large organisations. An award of $3,000 was made by way of compensation for the loss or damages suffered by the complainant by reason of this interference with his privacy. 
Mr Rivette points out that, generally, higher awards will be given by the OAIC when the dissemination is broader, or the suffering arising from the breach is greater (reference there being made to: ‘EQ’ and Great Barrier Reef Marine Authority [2015] AICmr 11; 'D’ and Wentworthville Leagues Club [2011] AICmr 9; and ‘DK’ and Telstra Corporation Limited [2014] AICmr 118). 
Relevant decisions by the New South Wales Civil and Administrative Appeals Tribunal (NCAT) on the assessment of compensation for breach of the Privacy and Personal Information Protection Act as identified by Mr Rivette are: CJU v SafeWork NSW [2018] NSWCATAD 300; ALZ v SafeWork (NSW) (No 4) [2017] NSWCATAD 1; and AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179. 
As to awards of compensation for breach of confidence, reference is made to Giller v Procopets; Jane Doe v Australian Broadcasting Corporation [2007] VCC 281; and Wilson v Ferguson [2015] WASC 15. It is noted that each of those cases involved the wide broadcast or dissemination of highly sensitive and personal matters relating to rape or intimate sexual material (and hence it is said that the awards must be seen to be in the highest category of compensation for non-economic loss or injury falling short of psychiatric injury). It is noted that these awards relate to far more explicit and confidential material than that disclosed by the second defendant and that in all those cases there was actual distress (or psychiatric illness) that resulted from the breach, and not a mere presumption of loss through distress. 
As to the differential amount of the minimum initial distribution to the lead plaintiff (approximately four times that of the minimum initial payment to the remaining Group Members), Mr Rivette has opined that the additional amount so allocated is justified given the time, money and energy expended in preparing witness statements, attending on experts for the purposes of those experts providing expert evidence to the court, and generally providing instructions in relation to the proceeding; and the fact that she has assumed the risks associated with being the lead plaintiff in a class action. Thus, Mr Rivette has concluded that, having regard to the awards by the OAIC and NCAT in other cases, the settlement amount and the proposed initial distributions are within the range of acceptable outcomes “even before one factors in the risks associated with the litigation”. It is his view that the awards for breach of confidence relate to the wide dissemination of highly sensitive, intimate and confidential information that was never meant to be seen or heard by any other person and are therefore not representative of what could be expected if the plaintiff’s claims in breach of confidence succeeded in the present case; and that the most comparable award of compensation is the $3,000 award by the OAIC in Jo and Comcare being for the dissemination by an employer of worker’s injury information (but noting that the disclosure in Jo and Comcare was direct and was not from an illegal act by a person employed/engaged by the defendant paying the compensation; and hence that that proceeding did not have the same inherent risks that appear in this proceeding).