TL;DR
Cyber security legislation enacted by the Australian Parliament in late 2024 aims to encourage full and frank disclosure to the government of information by organisations impacted by serious cyber security incidents. The legislation seeks to achieve this goal by introducing constraints on what government agencies could do with such information. This note explores the nuances of those constraints, drawing on the example of a December 2024 court decision involving the use, in a personal injury case, of an incident report provided to government in 2017 shortly after an aircraft crash and 4 years before the personal injury case was commenced.
Overview
A decision in late December 2024 of the Supreme Court of NSW illustrates, by analogy, the limited reach of the statutory secrecy laws enacted earlier that month as part of the package of cyber security legislation. The lesson is that laws of this kind protect information about an incident only when it is provided to particular government agencies, and not when an organisation chooses to provide the same information directly to other government agencies. The case considered whether an incident report lodged by an aviation company, Australian International Aviation College Pty Ltd (AIAC), with the Australian Transport Safety Bureau (ATSB) and the Civil Aviation Safety Authority (CASA) could be used in evidence in a negligence claim against the company brought by a person injured in an aircraft crash.[1]
Cyber security limited use provisions are akin to transport safety statutory secrecy laws
What does a case about an aircraft crash have to do with cyber security? The answer can be found in the Australian Government’s 2023-2030 Australian Cyber Security Strategy document, which promised to ‘establish a new process for conducting lessons-learned reviews of significant cyber incidents’ drawing on international and domestic models, including the United States Cyber Safety Review Board and the Australian Transport Safety Bureau.[2]
One of the issues addressed by these models is the use of information provided to a review, and whether that information can later be used in legal proceedings against the organisation over the incident. In Australia, the law firm running a consumer class action against the telecommunications company Singtel Optus has sought to rely on an incident report commissioned by Singtel Optus as part of the evidence against the company, arguing that legal professional privilege did not apply to the report even though it was formally commissioned by the company’s general counsel in connection with anticipated legal proceedings.[3]
In evidence given to a Parliamentary Inquiry into the proposed cyber security legislative package, the Department of Home Affairs said:
‘There have been some circumstances where cyber security incident response and recovery has been treated as a legal issue, with some entities routinely bringing legal counsel to engage with the Government directly, out of fear that any information they provide may be provided to regulators, to be used against them in future regulatory and law enforcement proceedings. A lack of timely information limits how the Government can respond to and help mitigate a cyber security incident, potentially leading to more severe consequences causing further harm to impacted entities.’
The Cyber Security Act 2024 (Cth), enacted by the Australian Parliament in December 2024, contains provisions that limit what can be done with information provided to the National Cyber Security Coordinator and the Cyber Incident Review Board, so as to encourage full and frank communication between organisations that experience a serious cyber security incident and the government agencies whose role is to mitigate the impact of such incidents. Similar provisions were introduced into the Intelligence Services Act 2001 (Cth) in respect of information voluntarily provided to the Australian Signals Directorate (which runs the Australian Cyber Security Centre) in connection with a cyber security incident. These are known as ‘limited use rights’.
The limited use rights provisions in the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill were tightened following recommendations made by the Parliamentary Joint Committee on Intelligence and Security. In particular, they are more comprehensive than the ‘restricted information’ provisions in the Transport Safety Investigation Act 2003 (Cth) considered by the Supreme Court of NSW in the AIAC case. However, there are insights from the AIAC case that are relevant to organisations that experience a serious cyber security incident.
The AIAC case
In the AIAC case, the accident occurred in early September 2017. Within 2 days investigators from the Australian Transport Safety Bureau arrived to conduct an investigation. They required AIAC to provide information and documents. The company ceased flying operations whilst the investigation was underway. Towards the end of September 2017, AIAC completed its own preliminary report into the accident which included a plan to recommence operations. The company provided the report to the Civil Aviation Safety Authority on the basis that CASA was ‘an important stakeholder’. The following day, CASA responded by saying that ‘CASA has no issue with your plan to recommence operations’.
Subsequently, in October 2017 AIAC told the ATSB that the incident report existed and proposed that the ATSB make a formal request for a copy. The ATSB made the formal request and AIAC provided a copy of the incident report to the ATSB.
The personal injury negligence claim was commenced in 2021. As part of those proceedings, a subpoena was issued to CASA at the request of the plaintiff’s lawyers. In response, CASA produced various documents including the incident report, which was then given to an expert witness. In 2023 AIAC’s lawyers raised the issue of whether the incident report was admissible, arguing that the report was ‘restricted information’ within the meaning of the Transport Safety Investigation Act.
Section 60(8) of the Transport Safety Investigation Act provides that:
If a person is prohibited by this section from disclosing restricted information, then:
(a) the person cannot be required by a court to disclose the information; and
(b) any information disclosed by the person in contravention of this section is not admissible in any civil or criminal proceedings (other than proceedings against the person under this section).
The persons who are prohibited by section 60 from disclosing restricted information are Commissioners, staff members and consultants of the ATSB and other persons authorised by the ATSB to have access to restricted information.
The court held that the report itself was not ‘restricted information’, and that its contents were ‘restricted information’ only while in the hands of the ATSB and persons to whom the ATSB had allowed access. The company had chosen to provide the report directly to CASA. The restricted information provisions in the Transport Safety Investigation Act therefore had no effect on CASA’s obligations in respect of the information contained in the report.
Lessons for cyber security incident reporting
Whilst the limited use right provisions in the Cyber Security Act and the Intelligence Services Act were modelled in part on the Transport Safety Investigation Act, there are differences. A common factor, however, is that the Cyber Security Act and Intelligence Services Act provisions apply only to information that is provided by an impacted entity to the National Cyber Security Coordinator, to the Cyber Incident Review Board or to the Australian Signals Directorate, and is subsequently shared by them with other Commonwealth or State government agencies. It is clear that these limited use right provisions do not apply to information about a cyber security incident that an impacted entity provides directly to other government agencies who may be important stakeholders, as CASA was in the case of AIAC.
For this reason, information provided independently and directly to other government agencies, either as part of an exercise in managing stakeholders or when fulfilling a legal obligation to notify an incident (e.g. a notice to the Australian Prudential Regulation Authority in accordance with CPS 234, or a report of an eligible data breach to the Information Commissioner under the Privacy Act), could be obtained in civil proceedings against the entity such as a consumer or shareholder class action. Whether that other government agency is restricted from producing the information to a court in such proceedings will depend on any statutory secrecy provisions that apply to that agency, rather than on the limited use provisions of the Cyber Security Act and Intelligence Services Act. This is an issue that organisations should consider in advance and address in their cyber incident response plan or playbook. The analysis will differ from government agency to government agency.
Prudentially regulated institutions may be relieved to learn that section 56 of the Australian Prudential Regulation Authority Act 1998 (Cth) imposes restrictions on officers of APRA producing ‘protected documents’ (a concept that would include a written notification of a cyber incident) to court, except as part of enforcement of a prudential regulation framework law, and also provides that such a document is an ‘exempt document’ for the purposes of the Freedom of Information Act 1982 (Cth) (FOI Act).
The statutory secrecy provisions that apply to the Office of the Australian Information Commissioner (OAIC) are not as comprehensive as those that apply to APRA. However, the OAIC has a track record of refusing to provide access under the Freedom of Information Act to some documents relating to reports of eligible data breaches received by that office. For example, in a decision made in August 2024, an FOI officer within the OAIC refused to identify the government agencies that had reported data breaches to the OAIC in response to a request made under the FOI Act. This was on the basis that to do so ‘could reasonably be expected to have an adverse effect on the OAIC’s ability to receive timely, full and frank disclosures from agencies who experience, or suspect to have experienced, an eligible data breach where there is a likelihood that their respective identities may be publicly disclosed.’[4]
Apart from civil proceedings commenced by persons adversely impacted by a cyber security incident, there may be regulatory investigations triggered by such an incident. Each regulatory enforcement agency, such as ASIC, the OAIC, APRA and the ACMA, has compulsory information gathering powers.
Section 42 of the Cyber Security Act applies to information provided voluntarily to the National Cyber Security Coordinator by an impacted entity and subsequently shared by the Coordinator with, and held by, other Commonwealth or State government agencies. It provides that such information is not admissible in most kinds of legal proceedings. However, the note at the foot of that section states that the section ‘does not apply to information held by the Commonwealth or State body to the extent that it has been otherwise obtained’.[5] Section 41BF of the Intelligence Services Act mirrors section 42 of the Cyber Security Act, and includes the same note. Accordingly, if the note is taken at face value, where an enforcement agency requires an organisation that has experienced a serious cyber security incident to produce documents relevant to that incident and to the organisation’s cyber security posture in the period leading up to it, the information in those documents will have been ‘otherwise obtained’ by the enforcement agency, with the result that section 42 of the Cyber Security Act and section 41BF of the Intelligence Services Act will not prevent the enforcement agency from relying on those documents in legal proceedings.[6] Taking this a step further, it is common for lawyers running class actions to seek to ‘piggy back’ on or leverage evidence obtained by regulators, and the same argument would be available if a plaintiff law firm were to cause a subpoena to be issued by a court to an enforcement agency for the production of the documents the agency obtained directly from the impacted organisation.
The limited use provisions do operate to prevent an enforcement agency from making a record of, or using, information about a cyber security incident received from the National Coordinator or the Australian Signals Directorate for civil enforcement purposes.[7] However, they would not prevent an enforcement agency from reading a media report about a cyber incident and using the information in that media report as the basis for commencing inquiries of the affected organisation. Having said that, we think it would be problematic for an agency to exercise an information gathering power in order to obtain a document that it knows exists from information provided by the National Coordinator or the Australian Signals Directorate. If this was to occur, organisations would be less likely to provide information to the National Coordinator or Australian Signals Directorate, which would then defeat the policy purpose behind the limited use provisions.
The more difficult question relating to the effect of the limited use provisions is where an enforcement agency merely becomes aware of the existence of a cyber security incident through the National Coordinator or the Australian Signals Directorate, and subsequently reads a media report. The untested issue is whether the enforcement agency’s information gathering powers are constrained in such a scenario on the basis that it would not be practicable for the agency to put aside knowledge of the existence of the incident obtained subject to the limited use rights.
Although untested, the issue is akin to that which arises in conflict of interest cases where a person owes conflicting duties in respect of the use of information obtained on a confidential basis. It may well be that an enforcement agency could establish effective information barriers between personnel responsible for investigating suspected breaches of the law and personnel responsible for mitigating the impact of a cyber security incident, such that a court would conclude that the agency did not use the information that was subject to the limited use rights when deciding to commence an investigation into the affected organisation.
On the other hand, the limited use right provisions do preserve an organisation’s right to rely on legal professional privilege to resist production of documents to an enforcement agency. In other words, the provision of information to the National Cyber Security Coordinator, to the Cyber Incident Review Board, or to the Australian Signals Directorate is not taken to be a waiver of any privilege that may exist.[8] Whether or not a particular claim of privilege would be successful will depend on the purpose for which the document was brought into existence.
Of course, the fact that a document provided to a government agency as part of a response to a cyber security incident may be used years later in legal proceedings does not mean that the document should not be provided directly to that agency, especially when provided to a regulator with significant powers over the organisation affected by the incident. It may well be in the best interests of the organisation to be frank and transparent even if that involves a waiver of privilege or exposes the organisation to incremental risk of a claim for damages in the future. However, the decision to share information with government should be made with knowledge of the potential consequences.
In the case of government agencies that are important stakeholders where there is no legal obligation to report a cyber security incident, an organisation should consider providing information to the National Cyber Security Coordinator who can, in turn, provide it to the stakeholder agency. In that scenario, because the stakeholder agency would have obtained the information from the Coordinator, the organisation will have maximised its opportunity to argue that the limited use right provisions apply to the stakeholder agency.
Notes
[1] Zheng v Australian International Aviation College Pty Ltd [2024] NSWSC 1622
[2] Australian Government, 2023-2030 Australian Cyber Security Strategy, p24
[3] Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58
[5] Until 1 January 2010 these kinds of ‘notes’ at the end of sections of Commonwealth Acts were taken to be a form of ‘extrinsic material’, similar to an Explanatory Memorandum or law reform commission report, and were relevant only if the substantive language of a section of an Act was ambiguous. Since then the notes have been taken to form part of the Act, because they form part of the printed version of the Act. See section 13 Acts Interpretation Act 1901 (Cth).
[6] This interpretation is consistent with the Revised Explanatory Memorandum for the Cyber Security Bill, which stated that ‘It must be highlighted that it is not the Government’s intention to restrict operational, regulatory or law enforcement agencies from carrying out their existing legislated functions, especially where serious breaches of law are made apparent that are not related to the cyber security incident. This Part is not intended to restrict law enforcement or regulators gathering this information using their own existing powers and using it for regulatory or law enforcement purposes against the entity.’ (para 298).
[7] Cyber Security Act 2024 (Cth), s40(3); Intelligence Services Act 2001 (Cth), s41BC(3)
[8] See Cyber Security Act 2024 (Cth), s41; Intelligence Services Act 2001 (Cth), s41BE