New Legislation, So What?

Introduction

There’s a lot of legislation, but it’s not always easy to figure out what it means, how it applies, and what it means for my organisation. This article aims to give you a brief overview of some of the obligations that might apply to your organisation in the cyber space.

This article specifically looks at the recent updates and amendments in relation to the following legislation:

  • Privacy Act 1988 (Cth)
  • Security of Critical Infrastructure Act 2018 (Cth)
  • Cyber Security Act 2024 (Cth)

Please note that this article is intended to be used as a general overview of the recent changes in cyber legislation, and does not constitute legal advice to be acted upon

1. Privacy Act

1.1        Serious invasions of privacy

The new tort (wrongdoing) for serious invasions of privacy allows individuals to sue for privacy breaches involving intrusion or misuse of information, provided the invasion was intentional or reckless, and serious.

1.2        Automated decision-making

Organisations are required to update their privacy policies to disclose when personal information is used by computer programs, including Artificial Intelligence, to make decisions that significantly affect individuals’ rights or interests. This requirement is broadly applied, regardless of when the decision-making arrangement or data acquisition occurred.

1.3        Children’s Online Privacy Code

Within the next two years (by December 2026) the Information Commissioner is to develop an additional Children’s Online Privacy Code, which will apply to providers of social media services, relevant electronic services, or designated Internet services that are ‘likely to be accessed by children’ and are not providing a health service.

1.4        Facilitating overseas data flows

The amendment introduces a ‘white list’ mechanism to identify countries with similar privacy laws, facilitating the disclosure of personal information to overseas recipients. As such, organisations should consider whether any information is stored outside of Australia and whether appropriate protections, such as legislation, is in place in the respective countries.

1.5        Doxxing

This is where an individual publishes the name, image, and telephone number of an individual on a website, encouraging others to repeatedly contact the individual with violent or threatening messages, is an example of conduct. This amendment includes a proposed criminal offence, under the Criminal Code Act 1995 (Cth), where an individual could face a penalty of imprisonment for six or seven years if found guilty of doxxing.

2. Security of Critical Infrastructure Act 2018

The Security of Critical Infrastructure Act 2018 (SOCI Act) was introduced to ensure that critical infrastructure providers in Australia protect their assets. It sets out the legal responsibilities for these providers, especially for the most crucial systems, known as Systems of National Significance (SoNs). The SOCI Act applies to the following 11 sectors:

  • Communications
  • Financial services and markets
  • Data storage or processing
  • Defence industry​
  • Higher education and research
  • Energy
  • Food and grocery
  • Healthcare and medical
  • Space technology
  • Transport
  • Water and sewerage

In December 2024 a few key changes were made to the SOCI Act that included, but is not limited to:

  • Compliance audits of Critical Infrastructure Risk Management Programs (CRIMP) and other SOCI Act obligations.
  • Critical infrastructure owners must protect important data storage systems that hold essential business data. This includes any data storage that, if vulnerable or accessed improperly, could affect the availability, integrity, confidentiality, or reliability of critical infrastructure.
  • The Government’s ability to manage the consequences of “all-hazards” incidents (not just cyber) has been expanded on critical infrastructure assets.
  • The definition of “protected information” has been amended to include a harms-based assessment and a non-exhaustive list of relevant information, with clarifications on when protected information can be shared or used. kyk

3. Cyber Security Act

In November 2024 the Cyber Security Act 2024 (Cth) became law and includes the following obligations or considerations that businesses should take into account.

3.1        Limited Use Provision

  • This provision defines the limited use obligation that restricts how the National Cyber Security Coordinator and the National Office of Cyber Security can record, use, or disclose information that your organisation, or another entity acting on your organisation’s behalf, voluntarily provide.

3.2        Smart Devices

  • Manufacturers and suppliers of smart devices are required to comply with security standards, which include:
    • No universal default passwords
    • Vulnerability reporting
    • Providing information on the device’s minimum support timeframe
  • Devices or products could be excluded from these compliance requirements if the following applies:
    • The related cyber risks be covered by existing legislation.
    • The Australian Government is developing a higher or bespoke standard for such devices.
    • The complexity of these devices means that enforcing these rules could lead to lower standards.

3.3        Ransomware Payment Reporting Overview

(comes into effect on 30 May 2025)

  • Organisations required to comply with reporting ransomware payments, not only include organisation’s responsible for a critical infrastructure assets (as defined in the SOCI Act), but also organisations conducting business in Australia which exceed the annual turnover threshold of $3 million for the previous year, at the time the ransomware payment was made.
  • These organisations are required to notify the designated Commonwealth body with a ransomware payment report within 72 hours of making the ransomware payment, or becoming aware that the ransomware payment has been made.
  • The ransomware payment report should include details such as whether the ransomware payment was made, which organisation made the payment (i.e., did another organisation make the payment on behalf of the reporting organisation), impact of the related cyber security incident, ransomware payment, and any communications with the extorting entity including the demand and the payment.
  • Should an organisation not comply with the relevant legislation they could be liable to a civil penalty amounting to $19,800. (This civil penalty is the equivalent of 60 penalty units valued at $330 each as of 18 March 2025.)

 

3.4        Incident Review Board

(comes into effect on 30 May 2025)

  • The Cyber Incident Review Board (the Board) is an independent statutory advisory body that reviews major cyber security incidents in Australia. It aims to advise the government and industry on how to prevent, detect, respond to, or lessen the impact of similar incidents in the future.
  • The Board will comprise of a Chair, Standing Members, an Expert Panel, and will be supported by staff from the Department of Home Affairs. The Expert Panel will consist of a pool of people, which includes industry participants, subject matter experts, cyber security experts, academics, and other appointed individuals to assist in conducting cyber security incident reviews.
  • The Board and Expert Panel will have common eligibility criteria, such as qualifications or experience in cyber security and incident management. Members must hold or be eligible for an Australian security clearance or an equivalent recognised by the Commonwealth.
  • The review may only be conducted upon conclusion of immediate response activities, related to a cyber security incident or series of incidents.
  • To support the review, the Board can request information from organisations involved in the cyber security incident. If voluntary requests fail, the Chair can compel information, where an organisation still does not comply it could face civil penalties. Furthermore, organisations are entitled to reasonable compensation if the Chair requires the production and copy of documents.
  • The Board must give the draft report to the Minister and may share it with other Commonwealth or State bodies, for feedback or to check for sensitive information. The final report must consider any feedback, summarise the findings and recommendations, and include required information. It must not assign blame, determine liability, identify individuals without consent, or imply guilt. Sensitive information must be redacted, and a protected report with reasons for redaction must be provided to the Minister and Prime Minister.

Support From Division 5

At Division 5, we specialise in helping organisations understand and meet their cyber security compliance obligations through our comprehensive advisory services. Our expertise includes:

  • Compliance Gap Analysis: We can assess your current security posture against the requirements of the Privacy Act, SOCI Act, and Cyber Security Act to identify areas needing attention before regulators do.
  • Ransomware Reporting Readiness: We help you establish processes and procedures to meet the new 72-hour ransomware payment reporting requirements coming into effect on 30 May 2025.
  • Privacy Impact Assessments: We evaluate your automated decision-making systems and data handling practices to ensure compliance with the strengthened Privacy Act provisions.

Our specialists bring extensive experience working with Australian cyber security legislation and can translate complex legal requirements into practical security measures. 

Chat to us to discuss how these legislative changes impact your business.

Leave us a message