Every year, Australian organisations dispose of thousands of tonnes of e-waste. Some is recycled, some is re-sold and some is shipped overseas - and a lot is not properly sanitised. The insecure disposal of e-waste, which remains a peripheral issue in the cyber security space, presents serious cyber and data security threats to Australian organisations and citizens. Notably, in the context of Australia's critical infrastructure regime, which has undergone significant reforms, there is no explicit obligation for captured entities to securely dispose of e-waste. The data stored on these devices and their components may include sensitive information related to an organisation’s operations and intellectual property, as well as personally identifying information (PII). If these devices end up in the hands of a malicious actor, the results could be catastrophic.
While there is no silver-bullet solution to prevent insecure e-waste disposal, there is a key policy lever that could be pulled to help drive uplift in this space. This paper therefore proposes that the Security of Critical Infrastructure Act 2018 (SOCI Act) or its guidance could be amended to include explicit obligations for captured entities to securely dispose of e-waste when it becomes redundant. This would ultimately fill a significant gap in the legislation as it currently exists, ensure a truly holistic ‘all-hazards’ approach to cyber security risks and further bolster the cyber security of Australia’s critical infrastructure entities. It would also bring the cyber security requirements of captured entities into line with the provisions Australian Government entities are required to adhere to under the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM). More broadly, with significant fines for serious or repeated privacy breaches now in force under the Privacy Act 1988 (Cth) (Privacy Act), captured entities must also be aware of this looming data security threat and take steps to ensure the secure disposal of e-waste to better protect PII.
Robert Di Pietro
Cybersecurity & Digital Trust Leader, PwC Australia
Tel: +61 418 533 346