A Comparison of Cyber Security Regulation in the USA and Australia

Hivint (Hive Intelligence)

May 29, 2018

Prior to the last decade, cyber security focused regulation around the world was relatively limited, likely (at least to some extent) because the entire field was perceived by external observers as something of a ‘dark art’ in which regulation might prove more of a hindrance than a help.

Naturally, that has changed as cyber security as a whole has become a more ‘topical’ issue — particularly in the context of the growing prevalence and reporting of cyber attacks and data leaks in the mainstream media. As a result, regulation in this space has grown substantially, and will continue to do so.

In this context, this article examines and compares the growing number of regulatory instruments being used to cover cyber security related matters in the United States and Australia. It also highlights contrasts in the way the two jurisdictions approach the topic of cyber security regulation. The intent is not to provide commentary on the merits of the respective regulatory models each employs, but simply raise awareness of the sorts of challenges that can arise in specific scenarios — for example, when an organisation is looking to expand its operations from one nation to the other.

General Characteristics

The United States has a matrix of regulatory measures that potentially influence a business’ cyber security practices and the way they respond to potential security breaches. The concept of regulation for cyber security related matters has been around for a longer period of time in the US than Australia, where cyber security related regulations have emerged more recently.

Characteristics of cyber security regulation in the US (vis-à-vis Australia) include:

In the remainder of this article, we look at specific areas where cyber security regulation has emerged (or is starting to emerge) and at the approaches taken in both jurisdictions.

Cyber Security Information Sharing

USA

One of the most significant pieces of legislation concerning cyber security came with the passing, after much debate and many preceding versions, of the Cybersecurity Information Sharing Act of 2015 (CISA).

In broad terms, CISA allows private companies to monitor their systems, implement defensive measures and share and receive information about cyber threats on a voluntary basis. Specifically:

The Act creates a framework for information sharing between and among the public and private sectors. Essentially, it allows (but doesn’t compel) private companies to share cyber security threat related information with the federal government or other private companies. This includes:

  • Information that pertains to cyber security threats, which, among other things, can include information a company has gained about a threat that describes or identifies methods of defeating security controls or exploiting security vulnerabilities
  • Information about defensive measures that can be applied to detect, prevent or mitigate a cyber security threat

Businesses are required to remove any personally identifiable information from information that is shared with the government or other entities. Indeed, the potential for personal information to be shared with third parties has been one of the principal concerns of opponents of a legislatively backed cyber security collaboration regime in the USA. CISA also incentivises cyber security collaboration by providing businesses that share or receive threat information with a range of liability protections.

The Act authorises companies to take defensive measures for cyber security purposes to protect the rights or property of networks. These are measures aimed at detecting, preventing or mitigating a known or suspected cyber security threat or vulnerability. This does not permit a company to undertake offensive cyber security efforts such as ‘hacking back’ against another entity/organisation/individual.

The Act allows companies to monitor their own systems for cyber security purposes, essentially allowing network operators to undertake surveillance of their networks with the goal of protecting against potential hacking, denial of service attacks, or exploitation of security vulnerabilities. As the legislation is still fairly new and there is minimal case law to clarify its scope and operation, this is not yet confirmed, but it could potentially cover the monitoring of employee activities on a company network to prevent the unauthorised leaking of valuable or sensitive company information to third parties.

Australia

Australia has so far eschewed a legislated model for cyber security information sharing, but has still recognised its importance in improving the overall ability of the nation to protect and defend against cyber threats.

To that end, as part of the introduction of a new Cyber Security Strategy in 2016, the Australian Government established a cyber information sharing network, centred on the Australian Cyber Security Centre and supported by the establishment of new joint cyber security centres in each state[1]. The intent of this network is to facilitate partnerships and collaboration between business, government and academia on cyber security related matters.

Consumer Protection Laws

Both the US and Australia have consumer protection laws that can potentially be used in response to cyber security incidents affecting consumers. To date, however, only the USA has seen much activity in this area.

USA

The Federal Trade Commission in the United States has powers conferred on it under an eponymous consumer protection law, the FTC Act of 1914, to take action against businesses that have engaged in unfair or deceptive acts or practices affecting commerce (section 5).

To date, there have been a number of cases in the US where the FTC has used this law to take action against businesses it believed had engaged in deceptive acts in relation to their cyber security practices (for example, by failing to adhere to security practices they claimed to follow in published privacy policies), or where businesses had simply failed to meet a satisfactory level of cyber security practice, resulting in harm to the community. See, for example:

· The Wyndham Worldwide case, in which the FTC took action against one of the largest hospitality chains in the world following a series of security breaches in 2008–2009 that affected more than 619,000 customers[2].

· The Ashley Madison case, in which users of a website infamous around the world for facilitating extra-marital affairs had their personal information leaked by hackers who compromised Ashley Madison’s IT infrastructure following lax security practices[3] (this case was also investigated jointly by the privacy authorities of Australia and Canada)[4].

Australia

Australia has a comprehensive set of consumer protection laws in place, principally covered in the Competition and Consumer Act 2010. Enforcement of this Act is overseen by the Australian Competition and Consumer Commission (ACCC). The Competition and Consumer Act has provisions in it which could conceivably be used in cases involving cyber security incidents that cause harm to consumers:

• Section 18 of Schedule 2 of the Act (known as the Australian Consumer Law) prohibits misleading or deceptive acts in trade or commerce

• Section 61 of the Australian Consumer Law establishes a consumer guarantee that services supplied to consumers are fit for purpose.

There is a strong argument — particularly given the actions of the FTC under the corresponding consumer protection laws in the USA — that the ACCC could use either of these powers in an appropriate case to take action against an organisation that engages in a deceptive practice when it comes to cyber security (for example, making a false representation about the level of security it has in place), or fails to meet a ‘reasonable’ standard of cyber security to ensure a service supplied online is fit for purpose. To date, the ACCC has not used these laws for this specific purpose — but it is not beyond the realms of possibility this could occur at some point in the future.

Sector Specific Regulation — USA

The notion of applying sector-specific cyber security regulation is relatively well established in the USA. Primary examples include:

Health

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law in the US that puts in place a range of privacy and security protections for patient health information that health care providers need to comply with.

The HIPAA Security Rule in particular seeks to facilitate the protection of electronic patient health information from unauthorized access (whether the unauthorised access attempt comes from an internal or external source, and whether the information is stored or in transit), by requiring health care providers subject to the Act to implement technical safeguards (in addition to administrative and physical safeguards). These safeguards are determined by the relevant health care provider based on what is ‘reasonable and appropriate’ — which means that healthcare providers of different sizes would not necessarily need to put in place the same safeguards[5].

Nuclear and Energy

The Office of Nuclear Security and Incident Response (NSIR), which sits under the United States Nuclear Regulatory Commission, evaluates licensees (among other things, anyone operating, constructing or decommissioning commercial reactors) for their adherence to the provisions of a regulatory instrument known as 10 CFR 73.54: Protection of digital computer and communication systems and networks[6]. That regulation requires licensees to provide a high degree of assurance that digital computer and communication systems and networks associated with particular functions (such as safety, security, and emergency preparedness) are adequately protected against cyber-attacks.

On the energy front, the North American Electric Reliability Corporation (whose jurisdiction covers the US, Canada and parts of Mexico) has implemented a Critical Infrastructure Protection (CIP) Program to provide a level of assurance around the security of the North American power grid. The Program requires covered entities, through a series of 11 different standards, to secure infrastructure against cyber attacks through a combination of risk assessments of critical assets, protective measures (including firewalls and monitoring tools), and the development of comprehensive contingency plans for cyber attacks.

Finance

The New York Department of Financial Services has introduced a new regulation that sets cyber security standards for banks, insurance companies, and other financial services organizations across the state. It requires covered organisations to, among a range of requirements:

· Maintain a board-approved cyber security program to protect information systems against cyber attacks

· Appoint a Chief Information Security Officer

· Conduct periodic cyber security risk assessments and annual penetration tests

· Have a detailed security incident response plan

· Notify regulators within 72 hours of a cyber security incident

· Provide a certification from senior officers at the company that its security controls are adequate.

Sarbanes-Oxley (The Public Company Accounting Reform and Investor Protection Act 2002) is also worth mentioning. In 2002, in response to a number of financial accounting scandals, the Sarbanes-Oxley law (SOX) was introduced in the US in an aim to ensure more accurate financial reporting by all US public companies and accounting firms. There are a couple of provisions in SOX that have implications from a cyber security perspective:

· Company CEOs and CFOs need to certify the accuracy of financial reports, and that internal controls around financial reporting are sufficient and effective (section 302). This includes internal controls covering cyber security insofar as they support accurate financial reporting.

· The controls in place need to be verified for effectiveness, including by a third-party auditor[7]

Australia

While sector-specific regulation is more nascent in the Australian context, it is starting to emerge in specific areas.

Telecommunications

On 18 September 2017, the Australian parliament passed a series of reforms to telecommunications sector security, which will be implemented over a 12-month period. These are contained in the Telecommunications and Other Legislation Amendment Act 2017 and are designed to improve the overall security of critical telecommunications infrastructure. At a broad level, the reforms require:

• Telecommunications carriers and carriage service providers to “do their best” to protect networks and facilities they own, operate or use from unauthorised interference or access;

• Carriers and nominated carriage service providers to notify the Government of planned changes to systems and services that are likely to have a material adverse effect on their ability to protect networks and facilities they own, operate or use from unauthorised interference or access (for example, outsourcing the management of part of their network or facilities).

The concept of requiring carriers and carriage service providers to ‘do their best’ in the first point above is relatively unprecedented from a cyber security standpoint, and it will be interesting to see how the enforcement of this requirement unfolds in practice.

Banking and Insurance

The Australian Prudential Regulation Authority (APRA), in March 2018, released its first draft prudential standard on information security. The proposed new standard would require regulated entities[8] to, among other things:

· Have robust mechanisms in place to detect and respond to cyber security incidents in a timely manner;

· Define security roles and responsibilities of the board, senior management and individuals;

· Maintain a security capability commensurate with the size and extent of the cyber threats faced by the entity’s information assets;

· Notify APRA of material security incidents.

This is a significant step up from the existing Prudential Practice Guide 234[9] developed by APRA to cover the management of security, elevating cyber security to a dedicated standard.

Data Breach Laws

In the United States, data breach notification is covered by separate laws in each state. In Australia, there is a single national law covering data breach notification which was introduced in 2018.

USA

Forty-eight of the states, plus Washington, DC, Guam, Puerto Rico and the Virgin Islands have some sort of legislation covering reporting of security/data breaches. There is no national requirement, so businesses need to comply with the legal requirements of each state they do business in. This can create complexities where a business suffers a data breach that affects individuals who reside in multiple states, because laws across the US differ in terms of:

· The scope of definition of personal information

· The definition of a breach

· Whether a threshold applies before notification needs to occur: some states only require notification where there is a risk of harm to affected individuals, whereas other states require notification in the event of unauthorised access to personal information regardless of whether there is a risk of harm

· Whether external entities (such as the state attorney general or another state agency) must be notified of a breach: some states require this, but not every state does.

Many of the laws in the various states are reactive in nature — they cover what needs to be done in the event of a security/data breach[10].

However, it is also worth noting that in some states, laws extend beyond this to also imposing requirements on how businesses are to secure personal information. California, for example, requires that businesses that own or license personal information about California residents implement and maintain reasonable security procedures to protect the information from unauthorised access, use, disclosure, destruction or modification. Massachusetts has also introduced a similar law.

Australia

In February 2018, Australia’s first data breach notification laws commenced operation. These laws apply to organisations subject to the existing Australian Privacy Principles in the Privacy Act 1988 (generally, Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of more than $3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients).

The laws apply across Australia — so, unlike the USA, there is a single threshold that applies in each state and territory for when breaches need to be reported. The laws cover personally identifiable information and require organisations subject to them to report, both to affected individuals and the Australian Information Commissioner, where they experience a data breach that is likely to result in serious harm to individuals to whom the information relates[11].

Conclusion

It is clear that cyber-security related regulation is growing in prevalence in both the US and Australia, and is here to stay. What will be interesting to observe over the next several months and years is how the merits and challenges associated with different approaches to this type of regulation emerge. In particular:

· Are regulations which have a high level of specificity when it comes to expected cyber security practices for organisations preferable, or are regulations that are less prescriptive, and rely on notions of what is ‘reasonable’ in the circumstances more practical?

· Does the application of different security benchmarks for different business sectors have merit?

· What are the respective advantages of state-based and federal regulation when it comes to cyber security?

Hivint will continue to monitor and report on developments in this area.

Arun Raghu is a Principal Security Advisor at Hivint.

[1] https://www.cert.gov.au/jcsc

[2] https://www.ftc.gov/enforcement/cases-proceedings/1023142-x120032/wyndham-worldwide-corporation

[3] https://www.ftc.gov/news-events/press-releases/2016/12/operators-ashleymadisoncom-settle-ftc-state-charges-resulting

[4] https://www.oaic.gov.au/privacy-law/commissioner-initiated-investigation-reports/ashley-madison

[5] Note that the Health Information Trust Alliance Common Security Framework (HITRUST CSF) has been developed to provide organizations with a framework of security controls for, among other things, the protection of ePHI and PHI data in the healthcare industry. See https://hitrustalliance.net/.

[6] https://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0054.html

[7] A new bill, the Cybersecurity Systems and Risks Reporting Act, was proposed to amend the Sarbanes-Oxley Act of 2002 “to protect investors by expanding the mandated internal controls reports and disclosures to include cyber security systems and risks of publicly traded companies.”

[8] APRA regulates entities in the following industries: banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurance, friendly societies and most members of the superannuation industry

[9] http://www.apra.gov.au/crossindustry/documents/ppg_ppg234_msrit_012010_v7.pdf

[10] A good breakdown of state-by-state laws for data breach notification in the US is available here: https://www.dwt.com/statedatabreachstatutes/

[11] For more information see https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
