
Security Legislation Amendment (Critical Infrastructure) Act 2021

By Mike Trovato

Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI) - An Act to amend legislation relating to critical infrastructure, and for other purposes

As of December 2021, SLACI is law. It is the first of two planned amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act), which originally covered only four industry sectors. SLACI expands the Act to 11 industry sectors and adds cyber incident notification requirements which do not align with, but are broadly complementary to, the Notifiable Data Breaches (NDB) Scheme.

The second bill will shortly enter consultation and contains additional requirements that could require significant effort for a regulated entity to comply with. Most of the obligations in the first bill still need to be 'switched on' by the Minister for Home Affairs for particular asset classes; the Cyber and Infrastructure Security Centre (CISC) has already proposed which assets should be covered.

The first bill (SLACI):

  • Expands the definition of critical infrastructure from 4 to 11 sectors and applies the existing reporting requirements to those sectors.

  • Mandates timely cyber incident reporting for specified critical infrastructure.

  • Legislates government assistance measures (information gathering directions, action directions and intervention requests), giving the government powers to respond to cyber security incidents that seriously prejudice Australia's prosperity, national security or defence.

The second bill will arguably have a bigger impact on regulated entities and looks to:

  • Introduce additional Positive Security Obligations and a Risk Management Program, which will be applied to entities responsible for critical infrastructure.

  • Introduce Enhanced Cyber Security Obligations, including vulnerability reporting and cyber incident response planning and exercises, for entities responsible for assets most critical to the nation (known as systems of national significance).

Once the obligation is switched on for their asset class, owners and operators of assets captured by the critical infrastructure asset definitions are required to report a cyber security incident within:

  • 12 hours of becoming aware of it, if it has a significant impact on the availability of the asset (an oral report must be followed by a written report within 84 hours); or

  • 72 hours of becoming aware of it, if it has a relevant impact on the availability, integrity, reliability or confidentiality of the asset (an oral report must be followed by a written report within 48 hours).

These changes are likely to support better privacy through enhanced data protection and urgent notification, increasing the spotlight on incident assessment for both critical infrastructure and NDB purposes.

New Zealand reforms its privacy law

By Sarah Bakar and Natasha Roberts

In June 2020, New Zealand’s Parliament passed a bill reforming the nation’s privacy law. The new Privacy Act 2020 replaces the 27-year-old Privacy Act 1993. The Privacy Commissioner John Edwards has stated: “The new Privacy Act provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment.” 

The Act introduces significant changes to New Zealand's privacy law. According to the New Zealand Privacy Commissioner's website, the key changes include:

1. Mandatory notification of harmful privacy breaches.
If an organisation or business has a privacy breach that poses a risk of serious harm, it is required to notify the Privacy Commissioner and the affected parties. This change brings New Zealand into line with international best practice.

2. Introduction of compliance orders.
The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.

3. Binding access determinations.
If an organisation or business refuses to make personal information available to the person who requested it, the Commissioner has the power to direct its release.

4. Controls on the disclosure of information overseas. 
Before disclosing New Zealanders’ personal information overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.

5. New criminal offences.
It is an offence to mislead an organisation or business in a way that affects someone's personal information, or to destroy personal information after a request has been made for it. The maximum fine for these offences is $10,000.

More significantly, in line with its aim of better protecting New Zealanders' privacy rights, the new Act has greater extraterritorial reach: it also applies to entities that carry on business in New Zealand, regardless of whether they have a legal or physical presence there (Section 3A (1)(b)). The Act states that an overseas agency may be treated as carrying on business in New Zealand without necessarily:

  • being a commercial operation; or

  • having a place of business in New Zealand; or

  • receiving any monetary payment for the supply of goods or services; or

  • intending to make a profit from its business in New Zealand.

This has implications for Australian businesses that collect or hold the personal information of New Zealanders as part of their operations: they are obliged to comply with the Act regardless of where they or their servers are based. The Act comes into effect on 1 December 2020.

IIS therefore suggests that businesses check whether they are covered by the reformed legislation and start preparing now to ensure compliance.