Australia’s privacy watchdog is concerned a mechanism to encourage cyber incident information sharing with the government could impede it from launching future actions.
The Office of the Australian Information Commissioner (OAIC) used a parliamentary submission [pdf] to urge caution on the planned introduction of a “limited use obligation”.
The obligation was raised as part of last year’s federal cyber security strategy.
It is intended to encourage businesses to share information about cyber incidents with the Australian Signals Directorate (ASD) and the national cyber security coordinator.
The information would be subject to restrictions, in both who else can see it and in what it can be used for.
“This obligation would only allow cyber incident information to be used for prescribed cyber security purposes, including helping businesses respond to cyber incidents,” Home Affairs said in a consultation paper at the end of last month. [pdf]
“This means that incident information reported to ASD and the cyber coordinator could not be used for regulatory purposes.
“However, such a limited use obligation would not impact other regulatory or law enforcement actions, or provide an immunity from legal liability.”
In that way, the obligation differs from a safe harbour, in that turning over information to authorities would not shield a hacked business from all liability.
“This proposal will not exempt an organisation from regulatory obligations, nor reduce an organisation’s legal liability on the basis of voluntary reporting to ASD or the cyber coordinator, as this would be out of step with public expectations and is not currently being considered,” Home Affairs said.
While less concerned about enforcement, the OAIC is concerned that the obligation could make deterrence activity difficult.
“The OAIC’s view is that any such obligation needs to be developed carefully and subject to clear boundaries so that regulatory activity in the public interest is not impeded,” the office said.
“While the OAIC appreciates the importance of immediate collaboration and information sharing between affected entities, and the ASD and the national cyber coordinator to facilitate an effective immediate response to cyber incidents, there is a need to balance the facilitation of industry cooperation during an incident with the ability of regulatory agencies to enforce laws and deter non-compliance at an appropriate time.”
The OAIC sought consultation opportunities with the government to ensure the limited use obligation design “does not preclude regulatory action in the public interest or impact any legislative reporting requirements.”
About Author
