Skip to main content

Site navigation

  • University of Technology Sydney home
  • Home

    Home
  • For students

  • For industry

  • Research

Explore

  • Courses
  • Events
  • News
  • Stories
  • People

For you

  • Libraryarrow_right_alt
  • Staffarrow_right_alt
  • Alumniarrow_right_alt
  • Current studentsarrow_right_alt
  • Study at UTS

    • arrow_right_alt Find a course
    • arrow_right_alt Course areas
    • arrow_right_alt Undergraduate students
    • arrow_right_alt Postgraduate students
    • arrow_right_alt Research Masters and PhD
    • arrow_right_alt Online study and short courses
  • Student information

    • arrow_right_alt Current students
    • arrow_right_alt New UTS students
    • arrow_right_alt Graduates (Alumni)
    • arrow_right_alt High school students
    • arrow_right_alt Indigenous students
    • arrow_right_alt International students
  • Admissions

    • arrow_right_alt How to apply
    • arrow_right_alt Entry pathways
    • arrow_right_alt Eligibility
arrow_right_altVisit our hub for students

For you

  • Libraryarrow_right_alt
  • Staffarrow_right_alt
  • Alumniarrow_right_alt
  • Current studentsarrow_right_alt

POPULAR LINKS

  • Apply for a coursearrow_right_alt
  • Current studentsarrow_right_alt
  • Scholarshipsarrow_right_alt
  • Featured industries

    • arrow_right_alt Agriculture and food
    • arrow_right_alt Defence and space
    • arrow_right_alt Energy and transport
    • arrow_right_alt Government and policy
    • arrow_right_alt Health and medical
    • arrow_right_alt Corporate training
  • Explore

    • arrow_right_alt Tech Central
    • arrow_right_alt Case studies
    • arrow_right_alt Research
arrow_right_altVisit our hub for industry

For you

  • Libraryarrow_right_alt
  • Staffarrow_right_alt
  • Alumniarrow_right_alt
  • Current studentsarrow_right_alt

POPULAR LINKS

  • Find a UTS expertarrow_right_alt
  • Partner with usarrow_right_alt
  • Explore

    • arrow_right_alt Explore our research
    • arrow_right_alt Research centres and institutes
    • arrow_right_alt Graduate research
    • arrow_right_alt Research partnerships
arrow_right_altVisit our hub for research

For you

  • Libraryarrow_right_alt
  • Staffarrow_right_alt
  • Alumniarrow_right_alt
  • Current studentsarrow_right_alt

POPULAR LINKS

  • Find a UTS expertarrow_right_alt
  • Research centres and institutesarrow_right_alt
  • University of Technology Sydney home
Explore the University of Technology Sydney
Category Filters:
University of Technology Sydney home University of Technology Sydney home
  1. home
  2. arrow_forward_ios ... Newsroom
  3. arrow_forward_ios ... 2023
  4. arrow_forward_ios 11
  5. arrow_forward_ios Proposed ‘safe harbour’ laws send mixed messages

Proposed ‘safe harbour’ laws send mixed messages

22 November 2023

Forgiveness or punishment? The government’s proposed ‘safe harbour’ laws send mixed messages on cyber security.

cyber attack

image: Adobe Stock By Skórzewiak

Should companies experiencing cyber attacks be forgiven if they cooperate with the government to stop such attacks? That’s the idea the federal government is considering with its possible “safe harbour” laws.

Last week, the defence minister, Richard Marles, floated the idea of introducing a legally binding exemption from punitive government litigation if a company self-reports to the Australian Signals Directorate (the national signals intelligence agency) and invites its help.

The aim would be to drive more effective collaboration between the private sector and the directorate in dealing with cyber attacks, resolving them faster or preventing them altogether.

But the plan risks undermining the government’s attempts to crack down on corporations that don’t do enough to keep their clients’ data safe.

Reluctance to work together

The government says it’s struggling to overcome resistance by many Australian companies facing a cyber attack to work with the directorate to help defeat intrusions.

Companies are afraid to suffer the inevitable reputation loss if news of the breach leaks out.

They also fear exposing themselves to government fines or customer litigation of the sort being pursued by victims of data breaches at Medibank and Optus.

On the government side, the Australian Signals Directorate has complained their efforts to help companies under attack are being hampered by lawyers concerned mostly with minimising the risk of the company being sued in the future.

This is in direct contrast to the practice of leading US tech companies who prefer lawyers to be the first people involved in the response.

A so-called ‘safe harbour’

The government’s safe harbour offer would involve legislation.

The safe harbour principle is an exemption that can be granted for actions that might otherwise break the law if there’s a larger public good at play.

This is used in other areas of regulation, such as bankruptcy law and tax law. It provides legal protections for administrators or accountants who have to take on risky business decisions in order to do their jobs.

Richard Marles claimed a safe harbour regime for self-reporting companies affected by a cyber attack would do two main things.

Firstly, he said, it would deliver the world-class capabilities of the Australian Signals Directorate to the affected company.

Secondly, Marles said it would help drive trust between the government and reticent private sector businesses.

The government has proposed that complying with the cyber safe harbour requirements would shield companies from further legal action by the government.

In its cyber security strategy, released today, the government committed to consultations with industry on a legislated measure to help build the sort of trust outlined in Marles’ discussion of safe harbour.

But we don’t have any other detail about how this version of safe harbour law would work.

And for most corporations, the government may be the least of their worries in cases of large-scale data breaches or breaches of sensitive intellectual property information.

They will be concerned about the reputational damage first and foremost.

For listed companies, this can lead to a sustained drop in share price and open a pathway to costly law suits from serious affected clients or business partners.

Safe harbour laws don’t do much to help with that.

Would laws like this work?

In cyber security, the concept of safe harbour is complicated and fraught with definitional and regulatory challenges.

Such laws for cyber security are used in several US states mainly for promoting stronger compliance with industry standards. This is done by promising companies a degree of protection from various types of litigation if they are certified by the government to be reasonably compliant with the standards.

An Australian study throws some doubt on the value of that process.

The research shows such standards are seen as a low bar, or even inappropriate in some situations.

Technology always moves more quickly than standards. For example, in May 2023 an intergovernmental working group found the security standards for 5G were “incomplete” and did not cover all security requirements. Australia has been using 5G technology since 2019.
The safe harbour laws may also be too weak to achieve what they set out to do.

A US study warns a safe harbour law for the US health sector “only offers some protection in certain circumstances”.

Forgiveness or punishment?

The new Australian proposal, coming from the defence department in 2023, and raised in Senate Estimates in 2022 by an opposition senator, appears to support the defence portfolio’s interest in better national security.

But there is a reasonable risk it will undermine the mission of the home affairs minister, Clare O’Neil.

She has staked much on the need to punish corporations who may have acted irresponsibly in allowing serious data breaches.

Corporations will remember her statement in September 2022 that fines of hundreds of millions of dollars for large privacy breaches might be more appropriate than the existing cap of $2.2 million.

By December, new legislation imposing penalties up to $50 million had come into force.

The moves were designed in part to dampen community outrage over the data breaches.

But the safe harbour idea might increase the consumer concerns O'Neil has been working to allay.

Not all cyber attacks involve a risk exposing of large amounts of personal data, so there would be instances where the safe harbour option would not affect a person’s rights to seek redress.

But by its very nature, the proposal will impact the rights of businesses and consumers to know if they have suffered damage or loss from a cyber attack.

The government has a moral obligation to inform victims of cyber crime.

At a time of escalating cyber uncertainties, increasing ransomware attacks, and stepped up Russian and Chinese cyber attacks, the safe harbour proposal will need careful consideration.

The government will want to avoid antagonising public sentiment by limiting the rights of consumers.

So a solution that promises protection only against government litigation, but not civil litigation, may not be worth the political balancing act.The Conversation

Greg Austin, Adjunct Professor, Australia-China Relations Institute, University of Technology Sydney

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Share
Share this on Facebook Share this on Twitter Share this on LinkedIn
Back to Business and law

Related News

  • a hacker at a computer in a dark room
    Fake Australian identity documents for sale on the dark web
  • Person using drugs. Adobe Stock image
    Cutting-edge research aims to curb fatalities caused by illicit drugs
  • Petri dish. Adobe Stock
    How to slow the spread of deadly ‘superbugs’

Acknowledgement of Country

UTS acknowledges the Gadigal People of the Eora Nation and the Boorooberongal People of the Dharug Nation upon whose ancestral lands our campuses now stand. We would also like to pay respect to the Elders both past and present, acknowledging them as the traditional custodians of knowledge for these lands. 

University of Technology Sydney

City Campus

15 Broadway, Ultimo, NSW 2007

Get in touch with UTS

Follow us

  • Instagram
  • LinkedIn
  • YouTube
  • Facebook

A member of

  • Australian Technology Network
Use arrow keys to navigate within each column of links. Press Tab to move between columns.

Study

  • Find a course
  • Undergraduate
  • Postgraduate
  • How to apply
  • Scholarships and prizes
  • International students
  • Campus maps
  • Accommodation

Engage

  • Find an expert
  • Industry
  • News
  • Events
  • Experience UTS
  • Research
  • Stories
  • Alumni

About

  • Who we are
  • Faculties
  • Learning and teaching
  • Sustainability
  • Initiatives
  • Equity, diversity and inclusion
  • Campus and locations
  • Awards and rankings
  • UTS governance

Staff and students

  • Current students
  • Help and support
  • Library
  • Policies
  • StaffConnect
  • Working at UTS
  • UTS Handbook
  • Contact us
  • Copyright © 2025
  • ABN: 77 257 686 961
  • CRICOS provider number: 00099F
  • TEQSA provider number: PRV12060
  • TEQSA category: Australian University
  • Privacy
  • Copyright
  • Disclaimer
  • Accessibility