Cybersecurity 2024

Last Updated March 14, 2024

Australia

Law and Practice

Authors



Nyman Gibson Miralis is a market leader in all aspects of general, complex and international criminal law and is widely recognised for its involvement in some of Australia’s most significant cases. The firm’s team in Sydney has expertise in dealing with complex national and international cybercrime investigations and advising individuals and businesses who are the subject of cybercrime investigations. Its expertise includes dealing with law enforcement requests for information from foreign jurisdictions, challenging potential extradition proceedings as well as advising and appearing in cases where assets have been restrained and confiscated worldwide.

Australia has a broad system of federal, state and territory-based laws which govern data protection, cybersecurity and cybercrime. Further details on these laws are at 2.1 Key Laws.

Data Protection

Privacy Act

Federally, data containing personal information is protected under the Privacy Act 1988 (Cth) (Privacy Act). Schedule 1 of the Privacy Act contains the Australian Privacy Principles (APPs), which regulate the way in which private organisations and federal agencies are required to handle personal information. The Privacy Act also requires mandatory notification of certain data breaches under the notifiable data breach (NDB) scheme. Breaches of the Privacy Act may result in investigation and enforcement action by the Office of the Australian Information Commissioner (OAIC).

Health information

Health information recorded in Australia’s online “My Health Records” system is protected under the My Health Records Act 2012 (Cth) (My Health Records Act) and Privacy Act.

States and territories

Australia also has various state and territory-based legislation which protects privacy and health information.

Cybersecurity

Cybersecurity laws in Australia are primarily governed under sector-specific federal laws.

Critical infrastructure

Critical infrastructure is regulated under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), which imposes registration, reporting and notification obligations on owners and operators of critical infrastructure and empowers the Australian government to gather information and issue directions where there is a risk to security.

Telecommunications

Telecommunications is regulated under the Telecommunications Act 1997 (Cth) (Telecommunications Act), which imposes security and notification obligations on Australian telecommunications providers and empowers the Australian government to gather information and issue directions.

The Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act) also regulates telecommunications by prohibiting the interception of communications and access to stored communications data, except for certain law enforcement and national security purposes.

Corporations, consumers and financial services

Cybersecurity aspects of:

  • corporations are regulated under the Corporations Act 2001 (Cth) (Corporations Act);
  • consumer affairs are protected under the Competition and Consumer Act 2010 (Cth) (Consumer Act); and
  • certain financial, insurance and superannuation entities are regulated through standards, including the Prudential Standard CPS 234 on Information Security (CPS 234), issued by the Australian Prudential Regulation Authority (APRA).

Cybercrime

Cybercrime offences in Australia broadly encompass two categories:

  • offences that are directed at computers or other devices and involve hacking-type activities; and
  • cyber-enabled offences where such devices are used as a key component of the offence, including in online fraud, online child abuse offences and cyberstalking.

Federally, cybercrime is criminalised under Parts 10.6 and 10.7 of the Schedule to the Criminal Code Act 1995 (Cth) (Criminal Code), which set out a variety of offences with maximum penalties ranging from fine-only through to life imprisonment.

Australian states and territories also have their own criminal laws which govern cybercrime offences.

Australia has a range of federal, state and territory regulators which deal with cybersecurity. Further details of these regulators are at 2.2 Regulators.

Data Protection

The OAIC is the federal privacy and information regulator with a range of functions and powers to investigate and resolve privacy complaints and enforce privacy compliance.

There are also state and territory privacy commissioners which administer state and territory-based privacy and health information laws.

Cybersecurity

There are a range of sector-specific federal regulators as outlined below.

Critical infrastructure

The Critical Infrastructure Centre (CIC) is the federal regulator of the SOCI Act and certain provisions of the Telecommunications Act with powers to investigate, audit and enforce on compliance matters.

Telecommunications, broadcasting and marketing

The Australian Communications and Media Authority (ACMA) is Australia’s regulator for broadcasting, telecommunications and certain online content and provides licensing to industry providers. ACMA has specific regulatory powers under the Telecommunications Act, the TIA Act, the Spam Act, and the Do Not Call Register Act to investigate and resolve complaints and enforce compliance.

Additionally, the Office of the eSafety Commissioner (eSafety Commissioner) has powers to promote and regulate online safety with respect to telecommunications, broadcasting and other online industries.

Corporations, consumers and financial services

The Australian Securities and Investments Commission (ASIC) regulates publicly listed corporations under the Corporations Act and may investigate issues which touch on cybersecurity.

APRA regulates certain finance, insurance and superannuation entities and issued information security standards CPS 234.

The Australian Competition and Consumer Commission (ACCC) deals with consumer affairs, including consumer data protection and cyberscams.

Cybercrime

Cybercrime at the federal level is investigated and enforced by the Australian Federal Police (AFP) and prosecuted by the Commonwealth Director of Public Prosecutions (CDPP).

State and territory-based police and prosecution agencies investigate, enforce and prosecute state and territory cybercrimes.

Law enforcement agencies may be supported by criminal intelligence agencies including the Australian Criminal Intelligence Commission (ACIC), Australian Security Intelligence Organisation (ASIO), Australian Signals Directorate (ASD) and Australian Transaction Reports and Analysis Centre (AUSTRAC). More details are at 2.2 Regulators.

Data Protection and Cybersecurity

Broadly, federal data protection and cybersecurity regulators handle complaints and commence their own investigations into non-compliance matters. These regulators will initially seek to collaborate with regulated entities and seek voluntary compliance. If these efforts fail, the regulators may consider taking enforcement action. Decisions made by these regulators can often be reviewed internally and can also be referred to certain federal tribunals and courts including the Administrative Appeals Tribunal (AAT), the Federal Circuit and Family Court of Australia (FCFCA), or the Federal Court of Australia (FCA). Complaints about federal regulators, including complaints about unfair treatment, can be referred to the Commonwealth Ombudsman.

Details regarding the specific administrative and enforcement powers of specific regulators are provided in 2.2 Regulators.

Cybercrime

Law enforcement and intelligence agencies that deal with cybercrime have a broad range of investigative and enforcement powers, including investigative and disruption powers executed through warrants.

The passing of the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 (Cth) (SLAID Act) enabled law enforcement to obtain “data disruption warrants”, which, if issued, permit law enforcement to intervene in order to frustrate the commission of cybercrime.

There are various oversight and review processes for decisions and actions undertaken by law enforcement and intelligence agencies, including through Australian courts and complaints to statutory bodies such as:

  • the Commonwealth Ombudsman and the Australian Commission for Law Enforcement Integrity (ACLEI), which oversee AFP activities; and
  • the Inspector-General of Intelligence and Security (IGIS), which oversees intelligence agency activities, as well as the use of network activity warrants by the AFP or ACIC.

Australia engages in a variety of multilateral processes to address data protection, cybersecurity and cybercrime matters which are outlined below. Details of subnational issues are detailed at 2. Key Laws and Regulators at National and Subnational Levels.

Data Protection

Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System

Australia acceded to the CBPR in 2018. The CBPR is a voluntary accountability framework and requires participating businesses to implement data privacy policies and practices consistent with the APEC Privacy Framework, a principle-based model for national privacy laws that account for cross-border information flows. Business compliance with the CBPR is assessed by an independent Accountability Agent recognised by APEC. Non-compliance with the CBPR may result in a loss of CBPR certification, referral to government enforcement authorities and other penalties.

Cybersecurity

Norms of state behaviour in cyberspace

Australia has participated in the UN General Assembly’s two parallel processes that were established to foster responsible state behaviour in cyberspace.

  • The Open-Ended Working Group on security of and in the use of information and communications technologies (OEWG), established in 2020. The OEWG is mandated to further develop the rules, norms and principles of responsible behaviour of states, and to promote dialogue, co-operation and capacity-building between states. The OEWG met for its seventh substantive session from 4 to 8 March 2024.
  • The sixth Group of Governmental Experts on advancing responsible state behaviour in cyberspace in the context of international security, which delivered its final report in 2021.

Australia, New Zealand, United States Security Treaty (ANZUS Treaty)

In September 2011, Australia and the USA agreed that the ANZUS Treaty could be invoked in response to a cyber-attack.

The ANZUS treaty is a non-binding collective security agreement between Australia and New Zealand and between Australia and the USA, which facilitates state co-operation on military matters in the Pacific Ocean region.

Cybercrime

International crime co-operation

Australia engages in extradition, mutual assistance and international transfer of prisoners with other countries as part of its international crime co-operation efforts, which also apply in relation to cybercrime.

International crime co-operation relationships in Australia are regulated under bilateral and multilateral treaties, or through non-treaty arrangements with particular countries.

On 31 January 2024, Australia and the USA brought into force the Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 15 December 2021. The Agreement is incorporated into Australian law by Schedule 1 of the TIA Act.

The Agreement enables Australian and US law enforcement and national security authorities to issue orders directly to communications providers in the other country for the production of electronic data relevant to investigations or prosecutions of criminal activity. Australia may also engage in direct police-to-police co-operation and intelligence information sharing in respect of cybercrimes.

Budapest Convention

Australia is party to the Convention on Cybercrime of the Council of Europe of 2001 (CETS No 185) (Budapest Convention), which provides for:

  • standards for criminalising particular cyber-activities ranging from illegal access and interference to computer-related fraud and child pornography;
  • procedural law tools for the investigation of cybercrime and the securing of electronic evidence more effectively; and
  • efficient international co-operation.

Australia participated in the development of the Second Additional Protocol to the Budapest Convention, which deals with cross-border access to information. With Armenia signing in November 2023, there are 43 state signatures to this Protocol, which details co-operation requirements between state parties on cybercrime information sharing. The Protocol includes provisions regarding direct co-operation with service providers and registrars in other jurisdictions to obtain registration and subscriber information, and government-to-government co-operation to obtain this data.

Data Protection

The OAIC works collaboratively with public and private sector organisations to share information about privacy issues and encourage privacy compliance.

Cybersecurity and Cybercrime

The Australian Cyber Security Centre (ACSC) facilitates information sharing and collaboration across the private, public and NGO sectors to develop collective cyber-resilience and to respond to cyber-incidents. In this regard, the ACSC has commenced:

  • a partnership programme, which brings participants from the private, public, and NGO sectors together to enable information sharing and network hardening; and
  • an alert service, which provides information on recent cyberthreats as well as prevention and mitigation advice.

The Joint Cyber Security Centres (JCSC) are state-based centres of the ACSC which collaborate with organisations across the private, public and NGO sectors on cybersecurity and cybercrime threats and response options.

Data Protection

Australia’s privacy framework is largely centralised under the Privacy Act and involves a principle-based approach to privacy. The centralised principle-based model is similar to the approach undertaken by the EU’s General Data Protection Regulation (GDPR) and can be contrasted to the US approach to privacy laws, which relies on less centralised privacy governance.

The GDPR and Australia’s privacy framework share some commonalities including principles framework, transparent information handling practices, and protected information types. However, the GDPR is broader in scope, provides more robust enforcement mechanisms and affords additional privacy rights to individuals (such as the right to be forgotten).

Cybersecurity and Cybercrime

Australia’s approach to cybersecurity and cybercrime governance appears largely consistent with global governance trends, in which we see more and more states focus on:

  • broadening government powers in relation to cyber-investigations, interventions, oversight and enforcement;
  • increasing state offensive and defensive cyber capabilities;
  • building technical cyber capabilities across private and public sectors;
  • establishing legal frameworks and other standards for cybersecurity; and
  • improving user awareness and promoting cyber-education programmes.

Data Protection and Privacy Proceedings

In July 2023, the Federal Court of Australia ordered two subsidiaries of Meta, Facebook Israel and Onavo Inc, to each pay AUD10 million for engaging in misleading conduct in breach of the Australian Consumer Law, in an action brought by the ACCC. The Federal Court declared that the two companies engaged in conduct liable to mislead the public in promotions for the Onavo Protect app, by failing to adequately disclose that users’ data would be used for purposes other than providing Onavo Protect, including Meta’s commercial purposes.

Further significant privacy proceedings are set out at 8.1 Regulatory Enforcement or Litigation.

Australia’s Cybersecurity Reform

On 22 November 2023, the Australian government released the 2023–2030 Australian Cyber Security Strategy, and supplementary 2023–2030 Australian Cyber Security Action Plan (2023–30 CS). Together, they detail the federal government’s key cybersecurity initiatives that will be delivered over the next two years.

The 2023–30 CS describes “six cybershields” that provide layers of defence against cyberthreats. These shields include strengthening Australian citizens, improving safety of smart technology, further protection of critical infrastructure, and building regional cyber-resilience.

Under each shield, the Australian government intends to carry out initiatives of legislative reform, policy reform, capacity-building and awareness-raising. Some relevant initiatives include:

  • introducing a no-fault, no-liability ransomware reporting obligation;
  • amendments to data retention requirements, with a focus on non-personal data, to address the burden and risks that arise from entities holding significant volumes of data for longer than necessary;
  • further amendments to the SOCI Act, which include clarifying the cyber-obligations of managed service providers and increasing the cyber-reporting requirements of telecommunications companies; and
  • introduction of a limited use obligation for the ASD and the National Cyber Security Coordinator (Cyber Coordinator) which would limit how relevant information shared with either of these parties can be used by other Australian government entities.

As part of the 2023–30 CS, the government established an Executive Cyber Council in November 2023. The council is comprised of executives from relevant industries and enables broader collaboration on national cybersecurity priorities. The council’s role includes supporting the government’s targeted consultation process to co-design specific 2023–30 CS initiatives with specific industries.

The Australian government’s 2023–30 CS (detailed at 1.7 Key Developments) and its response to the Attorney-General’s Privacy Act Review Report (PA Report) are likely to herald notable changes to data protection, cybersecurity and cybercrime legislation in the coming year. The latter, published on 28 September 2023, saw the government agree to 38 proposals, which include reforming the Privacy Act to require entities to identify types of personal information they use, increasing OAIC’s enforcement powers and broadening the courts’ powers to make orders in civil penalty proceedings.

Data Protection

The Privacy Act

The Privacy Act regulates the handling of personal information federally.

“Personal information” under the Privacy Act is defined broadly as information or an opinion about an identified or reasonably identifiable individual. It is not required to be true or recorded in a material form. Personal information also includes “sensitive information”, which includes information or opinions on an individual’s race, ethnicity, politics, religion, sexual orientation, health, trade association or trade union membership and criminal record. Sensitive information is afforded a higher level of protection than other personal information.

The Privacy Act applies to “APP entities” which, subject to some exceptions, include federal government agencies, private sector organisations with an annual turnover of over AUD3 million and smaller entities with data-intensive business practices (including private health providers, businesses that sell or purchase personal information and service providers to the federal government).

Schedule 1 of the Privacy Act sets out 13 APPs, which provide minimum standards for the processing of personal information; they are detailed at 3.3 Legal Requirements and Specific Required Security Practices.

Breach notification schemes

At a federal level, the Privacy Act includes the NDB scheme, which requires APP entities to notify both affected individuals and the OAIC where there are reasonable grounds to believe that an “eligible data breach” has occurred.

There are also schemes at the state/territory level. At the time of writing (March 2024), both New South Wales (NSW) and Queensland (Qld) had introduced mandatory notification of data breach schemes via, respectively, the Privacy and Personal Information Protection Amendment Act 2022 (NSW) (entered into force 28 November 2023) and Information Privacy and Other Legislation Amendment Act 2023 (Qld) (commencement date to be set by proclamation). These largely mirror the federal scheme.

Further details on the federal NDB scheme are at 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event, 5.2 Data Elements Covered, 5.3 Systems Covered, 5.8 Reporting Triggers and 5.9 “Risk of Harm” Thresholds or Standards.

Other data protection laws

Entities dealing with personal information in Australia should also be aware of their obligations with respect to:

  • privacy legislation enacted at the state and territory level;
  • the My Health Records Act, which imposes specific obligations for health information collected and stored in Australia’s national online health database;
  • state and territory health records legislation enacted in NSW, Victoria (Vic) and the Australian Capital Territory (ACT); and
  • federal, state and territory surveillance legislation, which regulates video surveillance, computer and data monitoring, GPS tracking and the use of listening devices on individuals.

Cybersecurity

Critical infrastructure

The SOCI Act currently regulates assets in various fields, including communications, data storage, financial services, energy and the defence industry, by requiring owners and operators of such assets to register them on the Register of Critical Infrastructure Assets and to provide ownership and operational information.

The SOCI Act includes:

  • an information gathering power for the Secretary of the Department of Home Affairs (DoHA) to monitor compliance; and
  • a directions power for the Home Affairs Minister (HA Minister) to direct regulated entities to do or not do a specified thing that is reasonably necessary to protect critical infrastructure from national security risks.

Telecommunications

The Telecommunications Act regulates the use of personal information by carriers, carriage service providers and intermediaries and prohibits disclosure of certain telecommunications data. Since September 2018, the Telecommunications Sector Security Reforms (TSSR) have been in force, providing for:

  • positive security obligations that require regulated entities to protect their telecommunications networks and systems from unauthorised access and interference, including through maintaining “competent supervision” and “effective control”; and
  • notification obligations that require regulated entities to notify the government of changes which may affect their security obligations.

The TSSR also endows the Secretary of DoHA with an information-gathering power and the HA Minister with a directions power.

Chapter 5 of the TIA Act obliges Australian telecommunications service providers to collect and retain certain types of data for a minimum of two years, to build systematic capabilities to intercept such data, and to provide law enforcement and security agencies with access to such data for certain law enforcement and national security purposes.

Broadcasting and marketing

The Broadcasting Services Act 1992 (Cth) (Broadcasting Act) regulates broadcasting services delivered through the internet and other means in Australia and enables the creation of industry codes of practice regulating the content of such services.

The Online Safety Act 2021 (Cth) (OSA) establishes complaint systems for cyberbullying of children, non-consensual sharing of intimate images, cyber-abuse of adults, and the online/social media availability of content that would be subject to broadcasting classifications (restricted or age 18+).

The Spam Act prohibits the use of electronic communications for the purpose of sending unsolicited marketing materials to individuals.

Similarly, the Do Not Call Register Act prohibits unsolicited telemarketing calls being made to phone numbers registered on a Do Not Call Register.

Corporations, consumers and financial services

Regulations governing the corporate sectors deal with cybersecurity in certain circumstances. For example:

  • Section 180 of the Corporations Act imposes a director’s duty to exercise “care and diligence”, which would apply in the context of cybersecurity;
  • Section 912A of the Corporations Act requires corporations holding financial licences to have adequate risk management systems, which would include those relating to cybersecurity;
  • Part IVD of the Consumer Act, detailed at 4.2 Material Business Data and Material Non-public Information, provides for the Consumer Data Right (CDR), which seeks to regulate how business can share consumer data; and
  • CPS 234, detailed at 3.1 De Jure or De Facto Standards, regulates information security standards for APRA-regulated financial, insurance and superannuation entities.

Cybercrime

Criminal Code

Part 10.6 of the Criminal Code provides for federal offences regarding the misuse of telecommunication networks and “carriage services” (a term encompassing the internet and online, wired and mobile services). These include offences relating to dishonesty, interference with telecommunications, harassment, child abuse material, making threats, or causing menace/harassment/intimidation and have maximum penalties ranging from one to 30 years’ imprisonment. This Part of the Criminal Code also places obligations on providers of content or hosting services to notify the AFP as to the existence of material displaying “abhorrent violent conduct” (if occurring in Australia) and, in any event, to expeditiously remove or cease to host such material.

Part 10.7 of the Criminal Code sets out computer offences. Serious offences include unauthorised access to or modification of data with intent to commit a serious offence, unauthorised modification of data that impairs data security, and the impairment of electronic communications. These offences carry maximum penalties ranging from five to ten years’ imprisonment, and up to life imprisonment where the underlying serious offence carries that penalty. Other computer offences include preparing for or engaging in unauthorised access to, or modification or impairment of, data, which carry maximum penalties of two to three years’ imprisonment.

Other offences

Organisations should note that in addition to the Criminal Code:

  • the TIA Act also makes it a federal offence for an individual to (without authorisation) intercept or access private telecommunications without the knowledge of those involved; and
  • state and territory laws criminalise computer offences similar to those criminalised under the Criminal Code (eg, Part 6 of the Crimes Act 1900 (NSW) provides for multiple computer offences regarding unauthorised access, modification or impairment of restricted data and electronic communications).

Data Protection and the OAIC

Federally, the OAIC administers the Privacy Act and the My Health Records Act, and also has a range of powers regarding privacy considerations under the Telecommunications Act and the TIA Act. The OAIC can investigate breaches of these acts that arise from privacy complaints and NDBs under federal privacy laws. The OAIC can also investigate federal privacy law breaches of its own volition.

The OAIC has powers under the Privacy Act to investigate, resolve complaints, make determinations and provide remedies for breaches under the NDB scheme. The remedies range from enforceable undertakings to civil penalties of 2,000 penalty units (approximately AUD626,000), and may also involve imprisonment. Since December 2022, serious and repeated interferences with privacy may attract a penalty of up to:

  • for entities other than bodies corporate – AUD2.5 million; or
  • for bodies corporate – the greater of AUD50 million, three times the value of the benefit attributable to the conduct or 30% of the adjusted turnover for the relevant period.

Cybersecurity

Critical infrastructure

The CIC sits within the DoHA. The CIC assists with the administration of the SOCI Act and certain provisions of the Telecommunications Act and has certain investigative and auditing powers to ensure compliance with these acts. The CIC also has the ability to make recommendations to the DoHA and the HA Minister on whether their information-gathering and directions powers should be exercised. The CIC further has enforcement powers which allow it to seek, for non-compliance, performance injunctions, enforceable undertakings, civil penalties of up to 250 penalty units (AUD78,250) or, for criminal offences, up to two years’ imprisonment.

Telecommunications, broadcasting and marketing

ACMA has powers under the Telecommunications Act, TIA Act, Broadcasting Act, Spam Act, and the Do Not Call Register Act to undertake discretionary administrative action. In dealing with non-compliance, ACMA is empowered to issue warnings, infringement notices, enforceable undertakings and remedial directions. ACMA is further able to cancel or impose conditions on licences and accreditations. ACMA also has the ability to commence civil proceedings or refer matters for criminal prosecution.

The eSafety Commissioner has powers to investigate online content that promotes, incites, or instructs in crime. However, the Commissioner cannot investigate matters of cybercrime. Remedies available to the Commissioner include takedown notices and blocking directions.

Corporations, consumers and financial services

Relevant regulators are detailed at 2.5 Financial or Other Sectoral Regulators.

Cybercrime

The below intelligence organisations assist federal and state law enforcement agencies in investigating cybercrime.

  • ACIC is Australia’s national criminal intelligence agency; it has broad investigative and coercive powers and shares information between all levels of law enforcement.
  • AUSTRAC is the domestic watchdog for Australia’s anti-money laundering and counter-terrorism measures; it supports law enforcement operations involving cybercrime financing.
  • ASIO investigates cyber-activity involving espionage, sabotage and terrorism related activities; ASIO also contributes to the investigation of computer network operations directed against Australia’s systems.
  • The ASD sits within the Department of Defence and has responsibility for foreign signals intelligence, cybersecurity and offensive cyber-operations; ASD provides assistance and advice to law enforcement and can collaborate with police forces on national security matters including on cyber-attacks and cyberterrorism. See 2.3 Over-Arching Cybersecurity Agency for further information.

DoHA

The DoHA is the lead government department for cyberpolicy. The DoHA develops cybersecurity and cybercrime law and policy, implements Australia’s national cybersecurity strategy and responds to international and domestic cybersecurity threats and opportunities, including in the areas of critical infrastructure and emerging technologies. The DoHA also has responsibility for cybersecurity and cybercrime operational agencies including the AFP, ACIC, AUSTRAC, and ASIO.

ASD

The ASD is Australia’s operational lead on cybersecurity and plays both a signals intelligence and information security role. The ASD undertakes cyberthreat monitoring and conducts defensive, disruption and offensive cyber-operations offshore to support military operations and to counter terrorism, cyber-espionage and serious cyber-enabled crime. The ASD also advises and co-ordinates operational responses to cyber-intrusions on government, critical infrastructure, information networks and other systems of national significance.

The ACSC

The ACSC sits within the ASD. It drives cyber-resilience across the whole Australian economy including with respect to critical infrastructure, government, large organisations and small to medium businesses, academia, NGOs and the broader Australian community. The ACSC provides general information, advice and assistance to Australian organisations and the public on cyberthreats and it collaborates with business, government and the community to increase cyber-resilience across Australia.

The ACSC also runs the Computer Emergency Response Team (CERT), which provides advice and support to industry on cybersecurity issues affecting Australia’s critical infrastructure and other systems of national significance.

As detailed in 1.2 Regulators and 2.2 Regulators, the OAIC administers federal privacy and health information laws.

The OAIC also acts as the privacy regulator for territory-based privacy complaints in the ACT.

Apart from the ACT, other states and territories have their own privacy regulators who administer state and territory laws governing personal and health information. For example:

  • the NSW Information and Privacy Commission administers, inter alia, the Privacy and Personal Information Protection Act 1998 (NSW) and Health Records and Information Privacy Act 2002 (NSW); and
  • the Office of the Victorian Information Commissioner administers the Privacy and Data Protection Act 2014 (Vic) and the Victorian Health Complaints Commissioner handles breaches of the Health Records Act 2001 (Vic).

Credit Reporting

The OAIC regulates the aspects of the Privacy Act which deal with credit reporting obligations and the credit reporting code, which imposes certain conditions on entities that hold credit-related personal information.

Corporations, Consumers and Financial Services

As referred to in 1.2 Regulators, corporate, consumer and financial regulators include ASIC, the ACCC and APRA.

ASIC

ASIC, which is Australia’s corporate, market and financial services regulator, is empowered under the Corporations Act to investigate and bring actions against corporations, directors and officers for non-compliance with the Corporations Act, which, in some circumstances, may involve cybersecurity issues.

ACCC

The ACCC, which is Australia’s competition regulator and consumer protector, may, where appropriate, undertake enforcement action against breaches of the Consumer Act, including breaches involving cybersecurity and cybercrime issues.

The ACCC administers the CDR (detailed at 4.2 Material Business Data and Material Non-public Information) and also hosts the Scamwatch website, which provides public information, alerts and access to complaints mechanisms on a wide range of consumer scams, including scams perpetrated online.

APRA

APRA, which regulates entities in the banking, insurance and superannuation sector, issued legal standards for information security under Prudential Standard CPS 234 in 2019 (detailed in 3.3 Legal Requirements and Specific Required Security Practices).

APRA has powers to supervise, monitor and intervene in matters of cybersecurity for regulated entities and has a range of enforcement powers to deal with breaches of its standards. These include issuing infringement notices, giving directions or accepting enforceable undertakings, imposing licensing conditions, disqualifying senior officials and commencing court-based action.

In addition to the regulators and agencies detailed at 1.2 Regulators and those already addressed in this 2. Key Laws and Regulators at National and Subnational Levels, the following agencies deal with cybersecurity and cybercrime.

  • The AFP has a dedicated Cybercrime Operations team comprising investigators, technical specialists and intelligence analysts who operate across multiple jurisdictions to conduct cyber-assessments and to triage, investigate and disrupt cybercrime.
  • The Attorney-General’s Department (AGD) advises government on cybersecurity policies and law, including in relation to human rights, privacy, protective security, international law, administration of criminal justice, and oversight of intelligence, security and law enforcement agencies.
  • The Department of Defence contributes to Australia’s whole-of-government cybersecurity policy and operations and houses ASD; it also houses the Information Warfare Division, which develops information warfare capabilities for the Australian Defence Force (ADF).
  • The Department of Foreign Affairs and Trade (DFAT) advances Australia’s international cyber-affairs agenda, which includes digital trade, cybersecurity, cybercrime, international security, internet governance and co-operation, human rights and democracy online, and technology for development.

Data Protection Standards

De jure standards

Organisations should have regard to their obligations under the Privacy Act, Archives Act 1983 (Cth) (Archives Act), and TIA Act when creating standards for the collection, use, and storage of particular information.

De facto standards

The OAIC’s Privacy Management Framework, detailed at 3.2 Consensus or Commonly Applied Framework, may be considered a de facto standard for data protection.

Cybersecurity Standards

De jure standards

APRA’s Prudential Standard CPS 234 on Information Security commenced on 1 July 2019. This standard requires APRA-regulated financial, insurance and superannuation entities to comply with legally binding minimum standards of information security, including by:

  • specifying information security roles and responsibilities for the entities’ board, senior management, governing bodies and individuals;
  • implementing and maintaining appropriate information security capabilities;
  • maintaining tools to detect and respond to information security incidents in a timely way; and
  • notifying APRA of any material information security incidents.

CPS 234 provides that an entity’s board is ultimately responsible for information security and that the board must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets.

APRA-regulated entities are required to have their compliance with CPS 234 audited and to report to APRA in a timely manner.

If organisations are non-compliant, they may be required to issue breach notices and create rectification plans. If organisations are unable to comply with the standards following this process, APRA may undertake a more formal enforcement process which may include enforceable undertakings or court proceedings.

De facto standards

ISO/IEC 27001 (revised in 2022) is an international standard on management of information security. While the Australian government recommends that organisations comply with this standard, it is not mandatory.

ASIC’s “Cyber resilience good practices” provides guidance to Australian corporations on information security. The guide includes recommendations for periodic reviews, management tools, cybersecurity governance, risk management and continuous monitoring.

The ASD’s Information Security Manual (ISM) (updated 1 December 2023) outlines a voluntary cybersecurity framework for organisations based on ACSC advice and includes security protection principles for designing, implementing and reviewing appropriate security systems, policies and practices. Alongside the ISM, the ASD also publishes resources and standards for cyberthreat protection and mitigation strategies, most recently (in 2023) the Essential Eight Assessment Process Guide, which provides guidance on assessing both the implementation and the effectiveness of the controls that underpin the Essential Eight strategies.

Data Protection

The Privacy Act APPs provide a legally binding framework for APP entities with respect to the collection, processing, use, storage, and dissemination of personal information (details of which are outlined at 3.3 Legal Requirements and Specific Required Security Practices).

APP entities are obliged to take “reasonable steps” to implement policies, practices and systems to ensure compliance with APPs. The “Privacy Management Framework”, developed by the OAIC, provides governance steps that APP entities should undertake to meet their privacy compliance obligations including by embedding a privacy compliant culture and by establishing and evaluating privacy practices and systems.

Cybersecurity

De facto cybersecurity frameworks are detailed at 3.1 De Jure or De Facto Standards.

Data Protection and the APPs

The Privacy Act APPs comprise legally binding obligations for APP entities with respect to:

  • managing personal information openly and transparently (APP1);
  • permitting individuals the right to anonymity/pseudonymity (APP2);
  • collecting solicited personal information (APP3);
  • dealing with unsolicited personal information (APP4);
  • notifying individuals about their collected personal information (APP5);
  • using or disclosing personal information (APP6), including for direct marketing (APP7);
  • disclosing personal information overseas (APP8);
  • using government-issued identifiers of individuals (APP9);
  • ensuring the accuracy, currency and completeness of personal information (APP10);
  • securing personal information (APP11); and
  • permitting individuals to access (APP12) and correct (APP13) their personal information.

Breaches of these APPs may be subject to reporting under the federal NDB scheme (as detailed in 2.1 Key Laws, 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event, 5.2 Data Elements Covered, 5.3 Systems Covered, 5.8 Reporting Triggers and 5.9 “Risk of Harm” Thresholds or Standards).

Cybersecurity and the Cyber Strategy

As previously noted in 1.7 Key Developments, the Australian government released the 2023–30 CS, which set out a plan for the government to work with industry “to enhance the cyber shields and build our national cyber resilience”.

Also as previously noted in 3.1 De Jure or De Facto Standards, the ASD released the Essential Eight Assessment Process Guide to assess the implementation of the Essential Eight mitigation strategies, which comprise application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular back-ups.

Refer to 1.1 Laws, 2.1 Key Laws, 3.1 De Jure or De Facto Standards and 4.3 Critical Infrastructure, Networks, Systems for details on sector-specific cybersecurity legal requirements and standards.

Data Protection

Australia is a member of the APEC Data Privacy Subgroup. This group developed the APEC Privacy framework and meets biannually to discuss privacy issues.

Cybersecurity

The “Five Eyes” is an intelligence sharing alliance between Australia, the USA, the United Kingdom, Canada and New Zealand. These countries are party to the UKUSA Agreement, which is a treaty for joint signals intelligence co-operation. The cybersecurity representatives of Five Eyes collaborate on joint cyber-incident response. In September 2020, Five Eyes published a best practice guide for cyber-incident investigation and responses.

Australia also engages in a range of other international groups to address cybersecurity issues, including the UN Group of Governmental Experts and the OEWG (as detailed at 1.4 Multilateral and Subnational Issues), the East Asia Summit and the ASEAN Regional Forum. Australia also undertakes cyber capacity-building efforts and knowledge sharing in the Pacific region.

Cybercrime

Parties to the Budapest Convention, including Australia, are members of the Cybercrime Convention Committee (T-CY), which currently is the most relevant intergovernmental body dealing with cybercrime.

As referred to in 3.3 Legal Requirements and Specific Required Security Practices, APP11 deals with the security of personal information and requires APP entities to actively take “reasonable steps in the circumstances to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure”. An APP entity must also take reasonable steps to destroy or de-identify information that is no longer needed.

“Reasonable steps” will vary according to each APP entity and will depend on circumstances that include:

  • the size, complexity and business model of an APP entity;
  • the sensitive nature of the personal information;
  • the possible adverse consequences of a privacy breach; and
  • practical implications of implementing security measures.

The OAIC’s Guide to Securing Personal Information provides further discussion of affirmative personal information security. The OAIC is in the process of updating this guide.

Part IVD of the Consumer Act provides for the Consumer Data Right (CDR), which regulates how businesses can share consumer data. Implementation of the CDR is occurring progressively by industry. The CDR has been rolled out to the banking and energy sectors. The Australian Treasury is currently consulting on CDR rules and data standards for the non-bank lending sector.

In November 2023, the OAIC updated its CDR Privacy Safeguard Guidelines to reflect the amendments to the CDR.

SOCI Act

The SOCI Act requires owners and operators of critical infrastructure to register under the Register of Critical Infrastructure Assets (a non-public register) and disclose particular information to the Secretary of the DoHA.

“Responsible entities”, which are the entities that hold the relevant licensing or approvals to operate critical infrastructure, must provide operational and asset information to DoHA. “Direct interest holders” (which are typically entities that own at least 10% of the critical infrastructure asset or hold an interest in the asset that puts the entity in a position to directly/indirectly influence or control the asset) must provide interest and control information. Any updates to this information must occur within 30 days. Failure to fulfil these reporting obligations may result in a penalty of up to 50 penalty units (AUD15,650).

The SOCI Act also requires critical infrastructure owners and operators to comply with Ministerial directions or Secretarial requests for information where necessary. In March 2022, the SOCI Act was amended to oblige responsible entities to create and maintain a critical infrastructure risk management programme. This amendment also included a new framework for enhanced cybersecurity obligations for operators of systems of national significance. Further cybersecurity-related amendments were flagged in November 2023, but the contents and timing remain unconfirmed at the time of writing (March 2024).

Telecommunications Act

The Telecommunications Act requires network operators to safeguard Australian communications from unauthorised access or interference that might prejudice Australia’s national security.

There are no legally mandated requirements with respect to securing against denial of service (DoS) or distributed DoS (DDoS) attacks. The ACSC recommends that organisations reduce the likelihood and impact of such attacks through steps such as:

  • regularly monitoring and patching IT and website security systems;
  • using a Content Delivery Network (CDN) or DDoS mitigation provider; and
  • having DoS-specific incident response plans.

Looking Forward: 2023–2033 Strategy and Action Plan

Under the 2023–30 CS (see 1.7 Key Developments), the Australian government has set out a range of initiatives concerning the internet of things (IoT), software, supply chains and other data and systems.

IoT

In 2020, the government developed a voluntary code of practice with 13 principles, which set out the government’s expectations for IoT consumer devices. The ACSC provides associated guidance on this code, providing practical examples for individuals and businesses.

Under the 2023–30 CS, the Australian government will collaborate with industry experts and international partners to develop mandatory cybersecurity standards for IoT devices and co-design a voluntary code of practice for app stores and app developers in an effort to shape the development and adoption of international software security standards. Additionally, the government aims to develop a voluntary labelling scheme for consumer-grade smart devices.

Supply chains

Previously, the ACSC has released numerous publications as part of its “Cyber Supply Chain Guidance”. These include publications concerning risk identification, management of security, and issues when engaging a managed service provider, all of which provide technical guidance on key cybersecurity issues.

In the 2020 Cyber Strategy the government attempted to uplift businesses’ cybersecurity capabilities by:

  • adopting a security-by-design approach to supply chains;
  • promoting further innovation in sovereign cybersecurity research and development;
  • establishing a Cyber Security Best Practice Regulation Task Force; and
  • encouraging large businesses to share cybersecurity information and tools with small businesses.

In 2021, the DoHA published the “Critical Technology Supply Chain Principles”, outlining ten agreed principles for supply chain security, categorised under three pillars: security-by-design, transparency, and autonomy and integrity.

The 2023–30 CS aims to continue this progress, including by developing a framework for assessing the national security risks presented by vendor products and services so as to manage supply chain risks, make procurement decisions and limit non-secure products.

The ACSC regularly publishes guidance and advice to assist with preparing for and responding to a ransomware attack. The ACSC recommends never paying a ransom in the case of a ransomware attack.

APP entities, including businesses that hold sensitive information or form part of a government supply chain, are obliged to report eligible data breaches under the federal NDB scheme in the Privacy Act. This extends to data breaches arising from ransomware attacks. The federal NDB scheme is outlined in further detail at 2.1 Key Laws and 5. Data Breach or Cybersecurity Event Reporting and Notification.

NDB Scheme

As outlined in 2.1 Key Laws, Part IIIC of the Privacy Act sets out a scheme for “notification of eligible data breaches”. In short, as per Section 26WE(2) of the Privacy Act, an “eligible data breach” occurs where:

  • there is unauthorised access to/disclosure of personal information and a reasonable person would conclude that this “would be likely to result in serious harm to any of the individuals to whom the information relates”; or
  • personal information is lost in circumstances where a reasonable person would conclude that unauthorised access to/disclosure of it is likely to occur and, were it to occur, it “would be likely to result in serious harm to any of the individuals to whom the information relates”.

However, Section 26WF of the Privacy Act creates an exception to reporting such an incident, where the entity in question takes remedial action to ensure that the breach does not cause serious harm to the individuals concerned.

The ACSC provides an overarching definition for cybersecurity events in its Guidelines for Cyber Security Incidents. In these guidelines, a cybersecurity event is “an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security”. While there is no general legislative definition of a cybersecurity event, the SOCI Act, at Section 12M, provides a limited, more complex definition.

The types of data covered by the federal NDB scheme, described in 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event, are all those falling within the definition of “personal information”.

“Personal information” is defined in Section 6 of the Privacy Act to mean “information or an opinion about an identified individual, or an individual who is reasonably identifiable”. It does not matter whether the information/opinion is true or is recorded “in a material form”. Personal information also includes sensitive information as outlined in 2.1 Key Laws.

The systems covered by the federal NDB scheme are those:

  • administered by APP entities holding personal information (see 5.2 Data Elements Covered);
  • administered by credit reporting bodies holding credit reporting information (including, for example, personal solvency information, and repayment history information);
  • administered by credit providers (eg, banks) holding credit eligibility information; and
  • administered by file number recipients holding Tax File Number information (ie, anyone in possession or control of a record containing tax file number information).

Information that is covered by the specific data breach notification scheme set out in section 75 of the My Health Records Act is not included in disclosure obligations under the Privacy Act scheme.

Under Section 75 of the My Health Records Act, any compromise (including potential compromise) or unauthorised collection/disclosure of data held under a My Health Record requires reporting to the relevant system operator and/or the OAIC. Subsequently, all “affected healthcare recipients” must also be notified of the compromise or unauthorised disclosure.

Other than those data breaches to which the My Health Records Act applies, medical data would generally be personal information and covered by the federal NDB scheme detailed in 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event and 5.2 Data Elements Covered.

Please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event and 5.2 Data Elements Covered.

Please see 4.5 Internet of Things (IoT), Software, Supply Chain, Other Data or Systems.

The voluntary code of practice concerning IoT devices (see 4.5 Internet of Things (IoT), Software, Supply Chain, Other Data or Systems) sets out requirements which apply to the security software lifecycle. Principle 3 of the code generally sets out requirements for ensuring software is securely updated. Additionally, the code requires that devices and services operate on the “principle of least privilege” and requires all certifications be managed securely.

The ACSC’s ISM chapter on Guidelines for Software Development provides detailed, technical guidance on the development of a secure software lifecycle for traditional, mobile and web applications.

The relevant reporting “trigger” is a belief that an “eligible data breach” (see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event) has occurred.

When such a breach occurs, the entity must report to both the OAIC (detailing the breach, the kind/s of information concerned, and recommendations for steps individuals should take in response to the breach) as well as individuals whose data has been subject to the breach. If it is not practicable for the entity to notify the individuals concerned, it must publish (including on its website) a copy of the aforementioned statement to the OAIC concerning the breach.

The reporting “trigger” threshold is consistent across all entities relevant to the “notification of eligible data breaches” scheme, both public and private.

It is also noted that (pursuant to Section 26WH of the Privacy Act) where an entity merely suspects (but does not necessarily believe) that an eligible data breach has occurred, it has 30 days to “carry out a reasonable and expeditious” assessment of the matter, in order to determine whether its reporting obligations are enlivened.

As noted in 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event, to meet the legislative threshold necessary to trigger mandatory reporting obligations, a data breach must be “likely to result in serious harm”.

The meaning of the phrase “serious harm” is informed by a list of factors set out in Section 26WG of the Privacy Act. Those factors include:

  • the kind of information involved;
  • the information’s sensitivity;
  • whether the information is protected by security measures (and, if so, the nature of such security);
  • the kinds of persons who might have obtained the information;
  • the likelihood of persons who obtain the information having harmful intent towards any persons to whom the information relates; and
  • the nature of harm in issue.

In general, Australia has no laws that restrict the capacity for network monitoring and taking other defensive cybersecurity measures. The ACSC’s “Strategies to Mitigate Cyber Security Incidents” publication sets out a number of recommended measures that involve a monitoring or active defensive component, such as email/web content filtering and analysis.

Data Protection in Employment

In the employment context, regulation varies between state and territory jurisdictions. New South Wales is a jurisdiction that regulates such monitoring. The Workplace Surveillance Act 2005 (NSW) stipulates that employees must be given 14 days’ notice before surveillance can be conducted at the workplace. Computer surveillance must only be carried out in compliance with an employer policy of which the employee is aware and which the employee understands.

These issues can give rise to multi-faceted conflicts: the operation of cybersecurity measures (eg, monitoring) in the workplace inevitably involves potential conflict with employee privacy. Though there is no comprehensive or consistent legal position across Australia on this matter, the Commonwealth Fair Work Ombudsman, in seeking to ensure that the appropriate balance is struck, recommends that it is best practice for employers to adhere to the APPs and to clearly set out company policy on these matters.

Information Sharing under the Telecommunications Act

The Telecommunications Act covers the sharing of cybersecurity information. Under the Act, carriers and carriage service providers have broad obligations relating to the provision of assistance to the government. Specifically, Section 313(3) of the Telecommunications Act requires those entities to provide Commonwealth, state, and territory governments with “such help as is reasonably necessary for” purposes primarily connected to criminal law enforcement, “protecting the public revenue”, and protection of national security.

The Telecommunications Act also includes a provision regarding the issuing of technical assistance notices and technical capability notices. These notices can require the communications provider in question to do things such as removing security (eg, encryption) on data, providing technical information, or facilitating access to electronic services.

Information Sharing under the SOCI Act

The amendments to the SOCI Act in December 2021 included the introduction of compulsory information gathering provisions. The Minister can only use this power if a cybersecurity event has been triggered, which requires the following conditions to be met (Section 35AB(1)):

  • a cybersecurity incident has occurred, is occurring or is imminent;
  • that incident has or is likely to have a “relevant impact” on a “critical infrastructure asset”; and
  • there is a material risk to social/economic stability, defence or national security of Australia.

If a cybersecurity event is triggered, the Minister of Cybersecurity may authorise the Secretary to issue information gathering directions in relation to the incident and/or impact to the relevant entity for the impacted asset or another specified “critical infrastructure sector asset” (Section 35AB(5)). The Minister must only authorise the issuance of information gathering directions if the Minister is satisfied that the directions “are likely to facilitate a practical and effective response to the incident” (Section 35AB(6)).

Government Information Sharing

In terms of information sharing within government departments and agencies, those entities may authorise the ACSC to carry out “network protection” activities on their behalf. When that occurs, the TIA Act authorises information to be collected by the ACSC as part of the network protection.

The ACSC also has a variety of other information gathering powers, including via ASIO (including action related to the collection of foreign intelligence) and the AFP, such as seeking the sharing of information obtained by warrant.

Soon, there may also be a new “limited use obligation for ASD and the Cyber Coordinator” (see 1.7 Key Developments).

Voluntary Disclosure to the ACSC

In addition to the legislative arrangements outlined in 7.1 Required or Authorised Sharing of Cybersecurity Information, voluntary sharing of information remains a major avenue through which the ACSC gathers information. As noted at paragraph 36.40 of the government’s 2020 Comprehensive Review of the Legal Framework of the National Intelligence Community, “the ACSC relies on organisations it is assisting to voluntarily provide critical information ‒ such as data samples and log files ‒ that might help uncover the extent of a compromise of their cyber security, or that might assist the ACSC to attribute a cyber security incident to a particular malicious actor”.

Telecommunications Act

It is worth noting that, in addition to the technical assistance and capability notices regime noted in 7.1 Required or Authorised Sharing of Cybersecurity Information, the Telecommunications Act also indemnifies communications providers from civil liability relating to voluntary assistance to, and at the request of, the Director-General of Security, the ASIS, the ASD, the AFP, the ACIC, or any state/territory police force.

OAIC Enforcement Action

The OAIC has commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs Limited (ACL) following an investigation into its privacy practices. The proceedings relate to a data breach of ACL’s information technology systems in February 2022, which resulted in the unauthorised access to and disclosure of the personal information of hundreds of thousands of ACL’s patients, including Medicare numbers, sensitive health information and credit card information.

The OAIC alleges that from May 2021 to September 2022, ACL failed to take reasonable steps to protect personal information in breach of the Privacy Act and that, following the data breach, ACL failed to carry out a reasonable assessment and to notify the Commissioner as required by Part IIIC of the Privacy Act.

If the OAIC is successful, the Federal Court could impose a penalty of up to AUD2.22 million for each contravention of the Privacy Act.

The matter is yet to be heard by the Federal Court. Being the first case of its kind, any decision will have significant consequences for businesses’ cybersecurity obligations.

OAIC Determinations

In 2023, the OAIC made nine determinations regarding privacy complaints made against both public and private entities.

In June 2023, the OAIC found that Pacific Lutheran College, an independent private school, had interfered with individuals’ privacy in relation to a data breach incident that occurred on 28 May 2020. An unidentified third party gained unauthorised access to an individual’s email account and accessed approximately 180,000 emails. The incident resulted in phishing emails being sent to 8,332 contacts of the email account. The College became aware of the incident the following day but did not notify the OAIC until 15 December 2020.

The OAIC determined that the College had interfered with individuals’ privacy by failing to conduct expeditious assessments, to notify OAIC of a breach and to take reasonable protective steps.

As an example of a determination concerning a public sector entity, on 26 April 2023, the OAIC held that the Secretary to the Department of Veterans’ Affairs had breached APP3 and APP6 by collecting the complainant’s personal information without consent and using it for a secondary purpose without the complainant’s consent or prior notification.

Penalties Under OAIC Determinations

In respect of the OAIC’s determination, discussed at 8.1 Regulatory Enforcement or Litigation, regarding Pacific Lutheran College’s breach of APP 11.1, the College was ordered not to repeat or continue its failures and, within six months, to prepare and implement an incident response plan containing minimum conditions listed by the OAIC.

In the Department of Veterans’ Affairs matter referred to at 8.1 Regulatory Enforcement or Litigation, the OAIC awarded the complainant AUD5,000 for non-economic loss and ordered that the complainant be provided a written apology from the Department. The Department was also ordered not to repeat this conduct.

Additionally, the OAIC has reported that, between 2022 and 2023, a total of nine privacy complaints were resolved. The outcomes included apologies, records being amended, and compensation being paid. Finally, the OAIC has also, from time to time, used enforceable undertakings as a means of ensuring future compliance with the Privacy Act by erring entities, though none were publicly reported for 2022–23.

This is not relevant in this jurisdiction.

No significant private litigation has been recently conducted in Australia concerning data security incidents and breaches. It should be noted that, in 2019, the ACCC recommended that the Privacy Act be reformed to introduce a direct right of action for persons against those who are alleged to have interfered with their privacy.

There is minimal class action litigation activity in Australia concerning alleged data breaches.

Class actions concerning the Medibank data breach and the Optus data breach have continued to develop over the last year: Medibank’s data breach in October 2022 has resulted in the company facing four separate class action lawsuits, while Optus is facing one class action lawsuit. However, there has been limited movement in either matter.

As detailed in 3. Key Frameworks, the Australian regulatory framework has a number of mandatory requirements, such as the APP, which establish minimum standards for corporate cybersecurity governance.

As a result of the recommendations in the 2023–2030 CS, discussed in 1.7 Key Developments, the SOCI Act is likely to see amendments, incorporating security regulations from the Telecommunications Act 1997 (Cth). These potential amendments may subject telecommunications corporations to stricter cyber-reporting requirements under the SOCI Act.

In November 2023, at ASIC’s Annual Forum, ASIC’s Chair, Joe Longo, called on corporations to treat cybersecurity and cyber-resilience as a top priority, and warned that ASIC was prepared to take legal action where boards of directors fail to adequately prepare against cybersecurity breaches.

Due diligence processes in Australia involve the parties to a transaction undertaking a comprehensive assessment of any aspects of the transaction that may have flow-on effects on the parties’ liabilities and obligations for compliance with the Australian regulatory and legal framework regarding cybersecurity and privacy issues. It is important that this assessment is holistic, covering the following.

  • Whether the other parties are APP entities.
  • The targeted entities’ contemporary (formal and informal) policies and practices in dealing with cybersecurity, data (particularly personal information) and risk management.
  • Whether the targeted asset constitutes personal information. This aspect is particularly important for the selling entity’s disclosure obligations.
  • The targeted entities’ public and private history in respect of cybersecurity and privacy issues, and whether their response to any previous breaches was adequate. To properly assess this aspect, a proper understanding of the policies and practices of a target entity is necessary (eg, their procedures for identifying, investigating, classifying and handling any potential/actual cybersecurity and privacy issues).
  • Whether cybersecurity insurance and professional liability policies are in place for the target company or are otherwise required.

For the avoidance of doubt, the above list is not exhaustive.

Additionally, for any foreign or cross-border transactions, Australian parties should also consider the applicability of any other relevant foreign laws (eg, whether the target entity is subject to any international/foreign obligations such as the EU GDPR).

A general obligation of care and diligence is imposed on company directors in the discharge of their duties, under Section 180 of the Corporations Act. Plainly, this would appear to cover taking necessary and adequate steps to protect the company from cybersecurity threats.

Additionally, an organisation that misrepresents its cybersecurity profile may be liable to proceedings for misleading and deceptive conduct under the Australian Consumer Law.

Separately, if an entity holds an Australian financial services or Australian credit licence, a cybersecurity issue may constitute a “reportable situation” and ASIC may need to be notified.

Moreover, companies listed on the Australian Stock Exchange have a continuing obligation of disclosure concerning any information that is reasonably expected to have an effect on the price of their shares: the strength or otherwise of a company’s cybersecurity profile would arguably (and, in some circumstances, almost certainly) fit that criterion.

Further, and as detailed in 5. Data Breach or Cybersecurity Event Reporting and Notification, the occurrence of an eligible data breach can enliven an obligation on the entity in question to make public details of the breach incident.

Cybercrime Awareness Programme

In addition to the various international engagements outlined above in the area of cybercrime (eg, 3.4 Key Multinational Relationships in relation to the Five Eyes alliance), Australia also takes a regional approach to this issue. In particular, the AFP leads a cybercrime awareness programme called Cyber Safety Pasifika, engaging with authorities from Pacific Island nations on the topics of cybercrime and cybersafety.

Insurance

Cybersecurity insurance, while not mandatory, is taking on a more prominent role in the cybersecurity landscape as the risk of cyberthreats and cybercrime increases. As part of its 2020–2024 Cyber Security Strategy, APRA has begun implementing greater regulations and governance regarding general insurers, to ensure the development of secure cyber-insurance practices and accountability. This is a unified step by government agencies to continue developing the government’s “cyber-resilience first” approach in tackling cybersecurity threats.

AI Development

The rise of AI has led to growing concern over its potential misuse for malicious actions and an increased risk to confidentiality. In November 2023, the ASD, along with 19 other international partners, published the Guidelines for secure AI system development. These guidelines provide recommendations for providers of AI systems concerning the “design, development, deployment, and operation of their AI systems”.

Nyman Gibson Miralis

Level 9
299 Elizabeth Street
Sydney NSW 2000
Australia

+61 2 9264 8884

+61 2 9264 9797

contact@ngm.com.au www.ngm.com.au

Trends and Developments

Introduction

In 2023, Australia continued to reform and strengthen its cybersecurity and cyber-resilience, to mixed effect. The drive to reform carries on from the string of high-profile data breach incidents in 2022 that saw the effectiveness of Australia’s cybersecurity and cyber-resilience seriously questioned. While 2023 has seen fewer high-profile incidents, cybercrime and its effects continue to have a growing impact on Australia’s citizens and economy. In response, the government has introduced several whole-of-government strategies and plans to strengthen Australia’s cybersecurity and cyber-resilience, the most notable of these being the 2023–2030 Australian Cyber Security Strategy (2023–30 CS).

In line with the 2023–30 CS, the near future will see legislative reform, a shift in regulatory priorities, and a strengthening of regulators as Australia seeks to address cybercrime and strengthen cybersecurity at the national, regional and international levels.

An Overview of Australia’s Mixed Year in Cybersecurity

During 2023, Australia saw a growth in cybercrime incidents and a rise in cyber threats, despite the government’s legislative and regulatory efforts to curb these threats and strengthen Australia’s cyber defences. From the beginning of 2023, national security in the cyber space was front and centre, with the Director-General of the Australian Security Intelligence Organisation confirming in the annual threat assessment that “[m]ore recently, there’s been considerable focus on cyber security” and that “[s]ince the announcement of AUKUS, there’s been a distinct uptick in the online targeting of people working in Australia’s defence industry”. But it is clear that Australia’s focus on cyber threats extends well beyond this defence lens, to national security and the economy more generally.

On 14 November 2023, the Australian Signals Directorate (ASD) announced in its annual cyber threat report that it had responded to over 1,100 cybersecurity incidents from Australian entities, similar to the previous financial year. Meanwhile, nearly 94,000 reports were made to law enforcement (around one every six minutes), a 23% increase from the previous financial year.

These cyber threats affect all Australian sectors, including the government, the private sector and individuals, while the primary targets continue to be small businesses (turnover of less than AUD2 million) and individuals. However, this year also saw Australia’s critical infrastructure “under regular targeted and opportunistic cyber attack”, with the ASD responding to 143 incidents at critical infrastructure entities such as ports, up from 95 incidents in the previous financial year.

The ASD’s annual cyber threat report also identified key cybersecurity trends in FY2022–23.

  • State actors targeted government and critical infrastructure networks as part of information-gathering campaigns or disruption activities. State actors increasingly prefer cyber-operations to conduct espionage and foreign interference.
  • Cybercriminals constantly evolved their operations against Australian organisations, fuelled by a global industry of access brokers and extortionists. ASD responded to 127 extortion-related incidents; 118 of these incidents involved ransomware or other forms of restriction to systems, files or accounts. Business email compromise remained a significant risk.
  • One in five critical vulnerabilities was exploited within 48 hours despite patching or mitigation advice being available. Malicious cyber-actors used these critical flaws to cause significant incidents and compromise networks, aided by inadequate patching.

The ASD also noted its condemnation, with its international partners, of Russia’s Federal Security Service’s use of “Snake” malware for cyber-espionage. The ASD also highlighted activity associated with a People’s Republic of China state-sponsored cyber-actor that used “living-off-the-land” techniques to compromise critical infrastructure organisations.

Legislative and Regulatory Reform

Australia’s 2023–2030 Cyber Security Strategy

On 22 November 2023, the Australian government released the 2023–2030 CS, which is supplemented by the 2023–2030 Australian Cyber Security Action Plan (AP). Together, they detail the government’s key cybersecurity initiatives that will be delivered over the next two years.

The 2023–30 CS and AP describe “six cybershields” that provide layers of defence against cyber threats:

  • strong businesses and citizens;
  • safe technology;
  • world-class threat sharing and blocking;
  • protected critical infrastructure;
  • sovereign capabilities; and
  • resilient region and global leadership.

Under each shield, the Australian government will carry out initiatives of legislative reform, policy reform, capacity-building and awareness-raising. The initiatives include the following.

  • Creating “cyber health checks” programmes that offer free tailored assessments of cyber maturity for small and medium-sized businesses.
  • Introducing a no-fault, no-liability ransomware reporting obligation for businesses to incentivise reporting and give the government greater visibility and ability to plan/manage ransomware threats. However, no detail is provided about what “no-fault, no-liability” means in the context of the current legal regime.
  • Amendments to data retention requirements, with a focus on non-personal data, to address the burden and risks that arise from entities holding significant volumes of data for longer than necessary.
  • Further amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), which include clarifying the cyber-obligations of managed service providers and increasing the cyber-reporting requirements of telecommunications companies.
  • Encouraging the adoption of international standards for “secure-by-design” in digital technologies by legislating a mandatory cybersecurity standard for IoT devices.
  • Introduction of a limited use obligation for the ASD and the National Cyber Security Coordinator (Cyber Coordinator), limiting those bodies’ ability to share information about cyber-incidents.
  • Strengthening collective cyber-resilience in the Pacific and South-East Asia by establishing a regional cyber crisis response team.

The 2023–30 CS and AP will be implemented across three horizons. The first horizon (2023–2025) will focus on the strengthening of foundations. The second horizon (2026–2028) will scale cyber maturity across the whole economy. The final horizon (by 2030) will establish Australia as a world leader in cybersecurity.

As part of the 2023–30 CS, the government also established an Executive Cyber Council in November 2023. The council comprises executives across industry and enables broader collaboration on national cybersecurity priorities. The council’s role includes supporting the government’s targeted consultation process, to co-design specific 2023–30 CS initiatives with specific industries.

Australian government’s response to the Privacy Act Review Report

On 28 September 2023, the Australian government published its response to the Attorney-General’s Department’s Privacy Act Review Report (Review). The Review contained 116 proposals to amend the current Privacy Act 1988 (Cth) (Privacy Act), to better align Australia’s privacy laws with global standards of information privacy protection.

Of the 116 proposals in the Review, the government has:

  • “agreed” to 38 proposals, which will now be the subject of legislative amendments to be developed by the Attorney-General’s Department;
  • “agreed in-principle” to 68 proposals, which will require further engagement with businesses and a comprehensive impact analysis before a final decision is made regarding these proposals; and
  • “noted” the remaining ten proposals, which is essentially a deferral of the decision to another time, as most of the noted proposals are accompanied by a statement that the government will further consider the matter.

Relevantly, of the 38 “agreed” proposals, only two will introduce substantive legislative protection for individuals. A majority of the Review’s substantive proposals to protect individuals’ privacy and data have only been “agreed in principle”; these proposals include entities needing to act fairly and reasonably when handling personal information, a direct right of action to enforce individual privacy rights and a statutory tort for serious invasions of privacy.

Those two “agreed” substantive proposals will reform the Privacy Act. First, regulated entities will be required to ensure that their privacy policies set out the types of personal information that will be used in “substantially automated decisions” that have a legal or otherwise significant effect on an individual. Second, individuals will have the right to request meaningful, jargon-free and clear information about how automated decisions are made that have a legal (or similarly significant) effect on an individual’s rights.

A number of the remaining “agreed” proposals go towards broadening regulatory and investigative powers and broadening enforcement action. The enforcement powers and code-making powers of the Office of the Australian Information Commissioner (OAIC) will be bolstered, and courts’ powers to make orders in civil penalty proceedings will be broadened.

Australian Securities and Investment Commission (ASIC) Focus on Cybersecurity

Australia’s financial market regulator, the Australian Securities and Investment Commission (ASIC), has taken an active stance in enforcing cybersecurity as a critical priority. In September 2023, at the Australian Financial Review Cyber Summit, the Chair of ASIC, Joe Longo, asserted the need for corporations to prioritise cybersecurity and cyber-resilience as a “top priority”.

Mr Longo emphasised that ASIC would focus on organisations where “directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks their business poses”. He further stated that ASIC would take legal action against organisations whose board directors and executives failed to take adequate steps to prevent and prepare for cybersecurity breaches.

In November 2023, ASIC released Report 776, “Spotlight on cyber: Findings and insights from the cyber pulse survey 2023”. The report provides an overview of trends and discoveries from the Cyber Pulse Survey, identifying areas for improvement and practical examples of best practices that organisations can implement.

ASIC’s 2023 Cyber Pulse Survey comprised responses from 697 participants, including 423 proprietary limited companies and 83 publicly listed companies.

The key findings of the report are as follows:

  • On a scale of 1 to 4, with 4 being ideal, ASIC rated Australian organisations’ cyber maturity at 1.66; this means the majority of companies were responding to cybersecurity breaches as they occurred rather than proactively mitigating them;
  • 44% of participants failed to manage the cyber-risks posed when dealing with third parties, such as vendors;
  • 58% of participants have limited or no capability to adequately protect confidential information;
  • 33% of participants do not have a cyber-incident response plan; and
  • 20% of participants have not adopted cybersecurity standards.

The survey results reveal Australian companies’ lack of cyber-resilience and deficiencies in managing cybersecurity risks, particularly in critical cyber capabilities. In November 2023, at ASIC’s Annual Forum, Mr Longo stated that ASIC’s priority for 2024 will be addressing governance and breach of directors’ duties. This is likely to include ASIC prosecuting directors or officers for breaches of directors’ duties concerning cybersecurity breaches.

The Appointment of an Information Commissioner

The Australian government’s flurry of activity in late 2023 included the appointment of a standalone Privacy Commissioner and a new Freedom of Information Commissioner to the OAIC; these roles were previously performed by the Information Commissioner.

The Attorney-General of Australia, the Honourable Mark Dreyfus KC, stated that the federal government restored the OAIC to a three-commissioner structure, as the appointments were necessary to deal with “the growing threats to data security and the increasing volume and complexity of privacy issues”. Additionally, as part of the 2023/24 Federal Budget, the Australian government increased the OAIC’s allocated budget to AUD45.2 million over four years (and AUD.4 million per year ongoing) to strengthen privacy protection and enforcement.

The Privacy Commissioner, Carly Kind, will perform the privacy functions relating to the privacy of individuals. The role of the Privacy Commissioner will be to ensure government agencies and large organisations – those with an annual turnover of more than AUD3m, with some exceptions – abide by the law when handling personal information. The role commenced on 26 February 2024.

Enforcement and Litigation

Sanctions related to Medibank hack

On 23 January 2024, Australia imposed a cyber sanction under the Autonomous Sanctions Act 2011 (Cth) on Russian national Aleksandr Ermakov for his role in the compromise of Medibank Private in 2022.

This is the first time a cyber sanction has been imposed under the Act, since Australia established the thematic autonomous sanctions regime in relation to significant cyber-incidents on 21 December 2021. Australia’s thematic autonomous sanctions regime targets individuals who engage in sanctionable conduct, irrespective of where they are in the world.

Aleksandr Ermakov was linked to the Medibank data breach and other leads through the ASD and the Australian Federal Police’s Operation Aquila, with the co-operation of other Commonwealth agencies and international partners.

The Russian citizen (and cybercriminal) was sanctioned for his role in the unauthorised release and publication on the dark web of 9.7 million records containing the personal information of Australians, including names, dates of birth, Medicare numbers, and sensitive medical information.

Financial sanctions under the Sanctions Act now make it a criminal offence, punishable by up to ten years’ imprisonment and heavy fines, to provide assets to Mr Ermakov or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments. Mr Ermakov is also banned from travelling to or remaining in Australia.

Regulatory action against Meta Inc

In July 2023, the federal court of Australia ordered two subsidiaries of Meta, Facebook Israel and Onavo Inc, to each pay AUD10 million for engaging in conduct liable to mislead in breach of the Australian Consumer Law, in an action brought by the Australian Competition and Consumer Commission (ACCC).

The court declared that the two companies engaged in conduct liable to mislead the public in promotions for the Onavo Protect app, by failing to adequately disclose that users’ data would be used for purposes other than providing Onavo Protect, including Meta’s commercial purposes.

Meta, the parent company of Facebook, is also facing civil penalty proceedings at the federal court. The OAIC brought proceedings against two Facebook entities, Facebook Inc. and Facebook Ireland Limited (together, Facebook), in March 2020. The proceedings relate to Facebook’s disclosure of personal information belonging to approximately 300,000 Australian Facebook users during 2014 and 2015 to owners of a third-party application called “This Is Your Digital Life”. The personal information was then sold to Cambridge Analytica, a political consulting firm, and was permitted to be used for political profiling.

Following delays since 2020 due to procedural issues, the OAIC is finally able to serve proceedings on Facebook, and will commence substantive proceedings. These proceedings may have considerable consequences for the privacy obligations of foreign entities operating in Australia.

Australia’s Focus on the Asia-Pacific

The 2023–30 CS highlighted the Australian government’s consistent focus on developing the cybersecurity and cyber-resilience of the Asia-Pacific region. This will be achieved by capacity building, training, technical support and financial investment.

As part of this strategy, on 22 November 2023, the Australian government committed to a number of key goals. The most important of these is the establishment of the “Cyber Rapid Assistance for Pacific Incidents and Disasters (RAPID)” teams, led by the Department of Foreign Affairs and Trade with representatives from a range of government agencies and the private sector. These teams will help respond to cyber crises as they happen in the Pacific when Pacific governments request assistance.

In addition, the government intends to (i) build long-term resilience in the Pacific by working with partners to proactively identify vulnerabilities – such as end-of-life hardware and software – and trial secure by design solutions that reduce cyber-incidents; and (ii) work with partners in South-East Asia to hone responses to cyber-incidents, support practical recommendations for uplift and better position regional governments to prevent cyber-incidents.

It is envisioned that these initiatives will supplement Australia’s Cyber and Critical Tech Cooperation Program, which works across the Indo-Pacific to strengthen cyber and critical tech resilience through capacity building projects.

