Forgiveness or punishment? The government's proposed 'safe harbour' laws send mixed messages on cyber security

Director-General of the Australian Signals Directorate, Rachel Noble, sees value in safe harbour laws. Bianca De Marchi/AAP

A so-called ‘safe harbour’

The government’s safe harbour offer would involve legislation.

The safe harbour principle is an exemption that can be granted for actions that might otherwise break the law if there’s a larger public good at play.

This is used in other areas of regulation, such as bankruptcy law^[7] and tax law.^[8] It provides legal protections for administrators or accountants who have to take on risky business decisions in order to do their jobs.

Richard Marles claimed a safe harbour regime for self-reporting companies affected by a cyber attack would do two main things.

Firstly, he said, it would deliver the world-class capabilities of the Australian Signals Directorate to the affected company.

Secondly, Marles said it would help drive trust between the government and reticent private sector businesses.

Read more: The $500 million ATO fraud highlights flaws in the myGov ID system. Here's how to keep your data safe^[9]

The government has proposed that complying with the cyber safe harbour requirements would shield companies from further legal action by the government.

In its cyber security strategy, released today^[10], the government committed to consultations with industry on a legislated measure to help build the sort of trust outlined in Marles’ discussion of safe harbour.

But we don’t have any other detail about how this version of safe harbour law would work.

And for most corporations, the government may be the least of their worries in cases of large-scale data breaches or breaches of sensitive intellectual property information.

They will be concerned about the reputational damage first and foremost.

For listed companies, this can lead to a sustained drop in share price and open a pathway to costly law suits from seriously affected clients or business partners.

Safe harbour laws don’t do much to help with that.

Would laws like this work?

In cyber security, the concept of safe harbour is complicated and fraught with definitional and regulatory challenges^[11].

Such laws for cyber security are used in several US states^[12] mainly for promoting stronger compliance with industry standards. This is done by promising companies a degree of protection from various types of litigation if they are certified by the government to be reasonably compliant with the standards.

An Australian study^[13] throws some doubt on the value of that process.

The research shows such standards are seen as a low bar, or even inappropriate in some situations.

Technology always moves more quickly than standards. For example, in May 2023 an intergovernmental working group found^[14] the security standards for 5G were “incomplete” and did not cover all security requirements. Australia has been using 5G technology since 2019.The safe harbour laws may also be too weak to achieve what they set out to do.

A US study^[15] warns a safe harbour law for the US health sector “only offers some protection in certain circumstances”.

Read more: A cancer centre is the latest victim of cyber attacks. Why health data hacks keep happening^[16]

Forgiveness or punishment?

The new Australian proposal, coming from the defence department in 2023, and raised in Senate Estimates in 2022^[17] by an opposition senator, appears to support the defence portfolio’s interest in better national security.

But there is a reasonable risk it will undermine the mission of the home affairs minister, Clare O’Neil.

She has staked much on the need to punish corporations who may have acted irresponsibly in allowing serious data breaches.

Home affairs minister Clare O'Neil has pushed hard for tougher penalties for companies that don’t protect themselves against data breaches. James Ross/AAP

Corporations will remember her statement^[18] in September 2022 that fines of hundreds of millions of dollars for large privacy breaches might be more appropriate than the existing cap of $2.2 million.

By December, new legislation imposing penalties up to $50 million had come into force.^[19]

The moves were designed in part to dampen community outrage over the data breaches.

But the safe harbour idea might increase the consumer concerns O'Neil has been working to allay.

Not all cyber attacks involve a risk of exposing large amounts of personal data, so there would be instances where the safe harbour option would not affect a person’s rights to seek redress.

But by its very nature, the proposal will impact the rights of businesses and consumers to know if they have suffered damage or loss from a cyber attack.

The government has a moral obligation^[20] to inform victims of cyber crime.

At a time of escalating cyber uncertainties, increasing ransomware attacks^[21], and stepped up Russian and Chinese cyber attacks, the safe harbour proposal will need careful consideration.

The government will want to avoid antagonising public sentiment by limiting the rights of consumers.

So a solution that promises protection only against government litigation, but not civil litigation, may not be worth the political balancing act.

Read more https://theconversation.com/forgiveness-or-punishment-the-governments-proposed-safe-harbour-laws-send-mixed-messages-on-cyber-security-218025

• Prev
• Next