Australia has a broad system of federal, state and territory-based laws which govern data protection, cybersecurity and cybercrime. Further details on these laws are at 2.1 Key Laws.
Data Protection
Privacy Act
Federally, data containing personal information is protected under the Privacy Act 1988 (Cth) (Privacy Act). Schedule 1 of the Privacy Act contains the Australian Privacy Principles (APPs), which regulate the way in which private organisations and federal agencies are required to handle personal information. The Privacy Act also requires mandatory reporting for certain APP breaches under the notifiable data breach (NDB) scheme. Breaches of the Privacy Act may result in investigation and enforcement action by the Office of the Information Commissioner (OAIC).
Health information
Health information recorded in Australia’s online “My Health Records” system is protected under the My Health Records Act 2012 (Cth) (My Health Records Act) and Privacy Act.
States and territories
Australia also has various state and territory-based legislation which protects privacy and health information.
Cybersecurity
Cybersecurity laws in Australia are primarily governed under sector-specific federal laws.
Critical infrastructure
Critical infrastructure is regulated under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), which imposes registration, reporting and notification obligations on owners and operators of critical infrastructure and empowers the Australian government to gather information and issue directions where there is a risk to security.
Telecommunications
Telecommunications is regulated under the Telecommunications Act 1997 (Cth) (Telecommunications Act), which imposes security and notification obligations on Australian telecommunications providers and empowers the Australian government to gather information and issue directions.
The Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act) also regulates telecommunications by prohibiting the interception of communication and access to stored communication data, except for certain law enforcement and national security purposes.
Corporations, consumers and financial services
Cybersecurity aspects of:
Cybercrime
Cybercrime offences in Australia broadly encompass two categories:
Federally, cybercrime is criminalised under Parts 10.6 and 10.7 of the Schedule to the Criminal Code Act 1995 (Cth) (Criminal Code), which set out a variety of offences with maximum penalties ranging from fine-only through to life imprisonment.
Australian states and territories also have their own criminal laws which govern cybercrime offences.
Australia has a range of federal, state and territory regulators which deal with cybersecurity. Further details of these regulators are at 2.2 Regulators.
Data Protection
The OAIC is the federal privacy and information regulator with a range of functions and powers to investigate and resolve privacy complaints and enforce privacy compliance.
There are also state and territory privacy commissioners which administer state and territory-based privacy and health information laws.
Cybersecurity
There are a range of sector-specific federal regulators as outlined below.
Critical infrastructure
The Critical Infrastructure Centre (CIC) is the federal regulator of the SOCI Act and certain provisions of the Telecommunications Act with powers to investigate, audit and enforce on compliance matters.
Telecommunications, broadcasting and marketing
The Australian Communications and Media Authority (ACMA) is Australia’s regulator for broadcasting, telecommunication and certain online content and provides licensing to industry providers. ACMA has specific regulatory powers under the Telecommunications Act, the TIA Act, the Spam Act, and the Do Not Call Register Act to investigate and resolve complaints and enforce compliance.
Additionally, the Office of the eSafety Commissioner (eSafety Commissioner) has powers to promote and regulate online safety with respect to telecommunications, broadcasting and other online industries.
Corporations, consumers and financial services
The Australian Securities and Investments Commission (ASIC) regulates publicly listed corporations under the Corporations Act and may investigate issues which touch on cybersecurity.
APRA regulates certain finance, insurance and superannuation entities and issued information security standards CPS 234.
The Australian Competition and Consumer Commission (ACCC) deals with consumer affairs, including consumer data protection and cyberscams.
Cybercrime
Cybercrime at the federal level is investigated and enforced by the Australian Federal Police (AFP) and prosecuted by the Commonwealth Director of Public Prosecutions (CDPP).
State and territory-based police and prosecution agencies investigate, enforce and prosecute state and territory cybercrimes.
Law enforcement agencies may be supported by criminal intelligence agencies including the Australian Criminal Intelligence Commission (ACIC), Australian Security Intelligence Organisation (ASIO), Australian Signals Directorate (ASD) and Australian Transaction Reports and Analysis Centre (AUSTRAC). More details are at 2.2 Regulators.
Data Protection and Cybersecurity
Broadly, federal data protection and cybersecurity regulators handle complaints and commence their own investigations into non-compliance matters. These regulators will initially seek to collaborate with regulated entities and seek voluntary compliance. If these efforts fail, the regulators may consider taking enforcement action. Decisions made by these regulators can often be reviewed internally and can also be referred to certain federal tribunals and courts including the Administrative Appeals Tribunal (AAT), the Federal Circuit and Family Court of Australia (FCFCA), or the Federal Court of Australia (FCA). Complaints about federal regulators, including complaints about unfair treatment, can be referred to the Commonwealth Ombudsman.
Details regarding the specific administrative and enforcement powers of specific regulators are provided in 2.2 Regulators.
Cybercrime
Law enforcement and intelligence agencies that deal with cybercrime have a broad range of investigative and enforcement powers, including investigative and disruption powers executed through warrants.
The passing of the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 (Cth) (SLAID Act) enabled law enforcement to obtain “data disruption warrants”, which, if issued, permit law enforcement to intervene in order to frustrate the commission of cybercrime.
There are various oversight and review processes for decisions and actions undertaken by law enforcement and intelligence agencies, including through Australian courts and complaints to statutory bodies such as:
Australia engages in a variety of multilateral processes to address data protection, cybersecurity and cybercrime matters which are outlined below. Details of subnational issues are detailed at 2. Key Laws and Regulators at National and Subnational Levels.
Data Protection
Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System
Australia acceded to the CBPR in 2018. The CBPR is a voluntary accountability framework and requires participating businesses to implement data privacy policies and practices consistent with the APEC Privacy Framework, a principle-based model for national privacy laws that account for cross-border information flows. Business compliance with the CBPR is assessed by an independent Accountability Agent recognised by APEC. Non-compliance with the CBPR may result in a loss of CBPR certification, referral to government enforcement authorities and other penalties.
Cybersecurity
Norms of state behaviour in cyberspace
Australia participates in the UN General Assembly’s two parallel processes that were established to foster responsible state behaviour in cyberspace.
Australia, New Zealand, United States Security Treaty (ANZUS Treaty)
In September 2011, Australia and the USA agreed that the ANZUS Treaty could be invoked in response to a cyber-attack.
The ANZUS treaty is a non-binding collective security agreement between Australia and New Zealand and between Australia and the USA, which facilitates state co-operation on military matters in the Pacific Ocean region.
Cybercrime
International crime co-operation
Australia engages in extradition, mutual assistance and international transfer of prisoners with other countries as part of its international crime co-operation efforts, which also apply in relation to cybercrime.
International crime co-operation relationships in Australia are regulated under bilateral and multilateral treaties, or through non-treaty arrangements with particular countries.
On 31 January 2024, Australia and the USA brought into force the Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 15 December 2021. The Agreement is incorporated into Australian law by Schedule 1 of the TIA Act.
The Agreement enables Australian and US law enforcement and national security authorities to issue orders directly to communications providers in the other country for the production of electronic data relevant to investigations or prosecutions of criminal activity. Australia may also engage in direct police-to-police co-operation and intelligence information sharing in respect of cybercrimes.
Budapest Convention
Australia is party to the Convention on Cybercrime of the Council of Europe of 2001 (CETS No 185) (Budapest Convention), which provides for:
Australia participated in the development of the Second Additional Protocol to the Budapest Convention that deals with cross-border access to information. With Armenia signing in November 2023, there are 43 state signatures to this Protocol, which details co-operation requirements between state parties on cybercrime information sharing. The Protocol includes provisions regarding direct co-operation with service providers registrars in other jurisdictions to obtain registration and subscriber information, and government co-operation to obtain this data.
Data Protection
The OAIC works collaboratively with public and private sector organisations to share information about privacy issues and encourage privacy compliance.
Cybersecurity and Cybercrime
The Australian Cyber Security Centre (ACSC) facilitates information and collaboration across private, public and NGO sectors to develop collective cyber-resilience and to respond to cyber-incidents. In this regard, the ACSC has commenced:
The Joint Cyber Security Centres (JCSC) are state-based agencies which collaborate with organisations across the private, public and NGO sectors on cybersecurity and cybercrime threats and response options.
Data Protection
Australia’s privacy framework is largely centralised under the Privacy Act and involves a principle-based approach to privacy. The centralised principle-based model is similar to the approach undertaken by the EU’s General Data Protection Regulation (GDPR) and can be contrasted to the US approach to privacy laws, which relies on less centralised privacy governance.
The GDPR and Australia’s privacy framework share some commonalities including principles framework, transparent information handling practices, and protected information types. However, the GDPR is broader in scope, provides more robust enforcement mechanisms and affords additional privacy rights to individuals (such as the right to be forgotten).
Cybersecurity and Cybercrime
Australia’s approach to cybersecurity and cybercrime governance appears largely consistent with global governance trends, in which we see more and more states focus on:
Data Protection and Privacy Proceedings
In July 2023, the Federal Court of Australia ordered two subsidiaries of Meta, Facebook Israel and Onavo Inc, to each pay AUD10 million for engaging in misleading conduct in breach of the Australian Consumer Law, in an action brought by the ACCC. The Federal Court declared that the two companies engaged in conduct liable to mislead the public in promotions for the Onavo Protect app, by failing to adequately disclose that users’ data would be used for purposes other than providing Onavo Protect, including Meta’s commercial purposes.
Further significant privacy proceedings are set out at 8.1 Regulatory Enforcement or Litigation.
Australia’s Cybersecurity Reform
On 22 November 2023, the Australian government released the 2023–2030 Australian Cyber Security Strategy, and supplementary 2023–2030 Australian Cyber Security Action Plan (2023–30 CS). Together, they detail the federal government’s key cybersecurity initiatives that will be delivered over the next two years.
The 2023–30 CS describes “six cybershields” that provide layers of defence against cyberthreats. These shields include strengthening Australian citizens, improving safety of smart technology, further protection of critical infrastructure, and building regional cyber-resilience.
Under each shield, the Australian government intends to carry out initiatives of legislative reform, policy reform, capacity-building and awareness-raising. Some relevant initiatives include:
As part of the 2023–30 CS, the government established an Executive Cyber Council on November 2023. The council is comprised of executives across relevant industries and enables broader collaboration on national cybersecurity priorities. The council’s role includes supporting the government’s targeted consultation process, to co-design specific 2023–30 CS initiatives with specific industries.
The Australian government’s 2023–30 CS (detailed at 1.7 Key Developments) and its response to the Attorney-General’s Privacy Act Review Report (PA Report) are likely to herald notable changes to data protection, cybersecurity and cybercrime legislation in the coming year. The latter, published on 28 September 2023, saw the government agree to 38 proposals, which include reforming the Privacy Act to require entities to identify types of personal information they use, increasing OAIC’s enforcement powers and broadening the courts’ powers to make orders in civil penalty proceedings.
Data Protection
The Privacy Act
The Privacy Act regulates the handling of personal information federally.
“Personal information” under the Privacy Act is defined broadly as information or an opinion about an identified or reasonably identifiable individual. It is not required to be true or recorded in a material form. Personal information also includes “sensitive information”, which includes information or opinions on an individual’s race, ethnicity, politics, religion, sexual orientation, health, trade associations and criminal records. Sensitive information is often afforded a higher level of protection than other personal information.
The Privacy Act applies to “APP entities” which, subject to some exceptions, include federal government agencies, private sector organisations with an annual turnover of over AUD3 million and smaller entities with data-intensive business practices (including private health providers, businesses that sell or purchase personal information and service providers to the federal government).
Schedule 1 of the Privacy Act sets out 13 APPs, which provide minimum standards for the processing of personal information; it is detailed at 3.3 Legal Requirements and Specific Required Security Practices.
Breach notification schemes
At a federal level, the Privacy Act includes the NDB scheme, which requires APP entities to notify both affected individuals and the OAIC where there are reasonable grounds to believe that an “eligible data breach” has occurred.
There are also schemes at the state/territory level. At the time of writing (March 2024), both New South Wales (NSW) and Queensland (Qld) had introduced mandatory notification of data breach schemes via, respectively, the Privacy and Personal Information Protection Amendment Act 2022 (NSW) (entered into force 28 November 2023) and Information Privacy and Other Legislation Amendment Act 2023 (Qld) (commencement date to be set by proclamation). These largely mirror the federal scheme.
Further details on the federal NDB scheme are at 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event, 5.2 Data Elements Covered, 5.3 Systems Covered, 5.8 Reporting Triggers and 5.9 “Risk of Harm” Thresholds or Standards.
Other data protection laws
Entities dealing with personal information in Australia should also be aware of their obligations with respect to:
Cybersecurity
Critical infrastructure
The SOCI currently regulates assets in various fields, including communications, data storage, financial services, energy and the defence industry by requiring owners and operators of such assets to register with the Register of Critical Infrastructure Assets and provide ownership and operational information.
The SOCI Act includes:
Telecommunications
The Telecommunications Act regulates the use of personal information by carriers, carriage service providers and intermediaries and prohibits disclosure of certain telecommunications data. Since September 2018, the Telecommunication Sector Security Reforms (TSSR) have been in force, providing for:
The TSSR also endows the Secretary of DoHA with an information-gathering power and the HA Minister with a directions power.
Chapter 5 of the TIA Act obliges Australian telecommunications service providers to collect and retain certain types of data for a minimum of two years, to build systematic capabilities to intercept such data, and to provide law enforcement and security agencies with access to such data for certain law enforcement and national security purposes.
Broadcasting and marketing
The Broadcasting Act regulates broadcasting services through internet and other means in Australia and enables the creation of industry codes of practice regulating the content of such services.
The OSA establishes complaint systems for cyberbullying of children, non-consensual sharing of intimate images, cyber-abuse of adults, and the online/social media availability of content that would be subject to broadcasting classifications (restricted or age 18+).
The Spam Act prohibits the use of electronic communications for the purpose of sending unsolicited marketing materials to individuals.
Similarly, the Do Not Call Register Act prohibits unsolicited telemarketing calls being made to phone numbers registered on a Do Not Call Register.
Corporations, consumers and financial services
Regulations governing the corporate sectors deal with cybersecurity in certain circumstances. For example:
Cybercrime
Criminal Code
Part 10.6 of the Criminal Code provides for federal offences regarding the misuse of telecommunication networks and “carriage services” (a term encompassing the internet and online, wired and mobile services). These include offences relating to dishonesty, interference with telecommunications, harassment, child abuse material, making threats, or causing menace/harassment/intimidation and have maximum penalties ranging from one to 30 years’ imprisonment. This Part of the Criminal Code also places obligations on providers of content or hosting services to notify the AFP as to the existence of material displaying “abhorrent violent conduct” (if occurring in Australia) and, in any event, to expeditiously remove or cease to host such material.
Part 10.7 of the Criminal Code sets out computer offences. Serious offences include the misuse of data to commit serious offences or impair data security and the impairment of electronic communications. These offences carry maximum penalties ranging from five to ten years’, as well as life, imprisonment. Other computer offences include preparing for or engaging in unauthorised access and modification or impairment of data, which carry maximum penalties of two to three years’ imprisonment.
Other offences
Organisations should note that in addition to the Criminal Code:
Data Protection and the OAIC
Federally, the OAIC administers the Privacy Act and the My Health Records Act, and also has a range of powers regarding privacy considerations under the Telecommunications Act and the TIA Act. The OAIC can investigate breaches of these acts that arise from privacy complaints and NDBs under federal privacy laws. The OAIC can also investigate federal privacy law breaches of its own volition.
The OAIC has powers under the Privacy Act to investigate, resolve complaints, make determinations and provide remedies for breaches under the NDB scheme. The remedies range from enforceable undertakings to civil penalties of 2,000 penalty units (approximately AUD626,000); but may also involve imprisonment. Since December 2022, serious and repeated interferences with privacy may attract a penalty of up to:
Cybersecurity
Critical infrastructure
The CIC sits within the DoHA. The CIC assists with the administration of the SOCI Act and certain provisions of the Telecommunications Act and has certain investigative and auditing powers to ensure compliance with these acts. The CIC also has the ability to make recommendations to DoHA and the HA Minister on whether their information-gathering powers and directions powers should be exercised. The CIC also has enforcement powers which allows it to issue penalties for non-compliance that range from performance injunctions, enforceable undertakings, civil penalties of up to 250 penalty units (AUD78,250) or seek two years’ imprisonment.
Telecommunications, broadcasting and marketing
ACMA has powers under the Telecommunications Act, TIA Act, Broadcasting Act, Spam Act, and the Do Not Call Register Act to undertake discretionary administrative action. In dealing with non-compliance, ACMA is empowered to issue warnings, infringement notices, enforceable undertakings and remedial directions. ACMA is further able to cancel or impose conditions on licences and accreditations. ACMA also has the ability to commence civil proceedings or refer matters for criminal prosecution.
The eSafety Commissioner has powers to investigate online content that promotes, incites, or instructs in crime. However, the Commissioner cannot investigate matters of cybercrime. Penalties range from takedown notices and blocking directions.
Corporations, consumers and the finance services
Relevant regulators are detailed at 2.5 Financial or Other Sectoral Regulators.
Cybercrime
The below intelligence organisations assist federal and state law enforcement agencies in investigating cybercrime.
DoHA
The DoHA is the lead government department for cyberpolicy. The DoHA develops cybersecurity and cybercrime law and policy, implements Australia’s national cybersecurity strategy and responds to international and domestic cybersecurity threats and opportunities, including in the areas of critical infrastructure and emerging technologies. The DoHA also has responsibility for cybersecurity and cybercrime operational agencies including the AFP, ACIC, AUSTRAC, and ASIO.
ASD
The ASD is Australia’s operational lead on cybersecurity and plays both a signals intelligence and information security role. The ASD undertakes cyberthreat monitoring and conducts defensive, disruption and offensive cyber-operations offshore to support military operations and to counter terrorism, cyber-espionage and serious cyber-enabled crime. The ASD also advises and co-ordinates operational responses to cyber-intrusions on government, critical infrastructure, information networks and other systems of national significance.
The ACSC
The ACSC sits within the ASD. It drives cyber-resilience across the whole Australian economy including with respect to critical infrastructure, government, large organisations and small to medium businesses, academia, NGOs and the broader Australian community. The ACSC provides general information, advice and assistance to Australian organisations and the public on cyberthreats and it collaborates with business, government and the community to increase cyber-resilience across Australia.
The ACSC also runs the Computer Emergency Response Team (CERT), which provides advice and support to industry on cybersecurity issues affecting Australia’s critical infrastructure and other systems of national significance.
As detailed in 1.2 Regulators and 2.2 Regulators, the OAIC administers federal privacy and health information laws.
The OAIC also acts as the privacy regulator for territory-based privacy complaints in the ACT.
Apart from the ACT, other states and territories have their own privacy regulators who administer state and territory laws governing personal and health information. For example:
Credit Reporting
The OAIC regulates the aspects of the Privacy Act which deal with credit reporting obligations and the credit reporting code, which imposes certain conditions on entities that hold credit-related personal information.
Corporations, Consumers and Financial Services
As referred to in 1.2 Regulators, corporate, consumer and financial regulators include ASIC, the ACCC and APRA.
ASIC
ASIC, which is Australia’s corporate, market and financial services regulator, is empowered under the Corporations Act to investigate and bring actions against corporations, directors and officers for non-compliance with the Corporations Act, which, in some circumstances, may involve cybersecurity issues.
ACCC
The ACCC, which is Australia’s competition regulator and consumer protector, may, where appropriate, undertake enforcement action against breaches of the Consumer Act, including breaches involving cybersecurity and cybercrime issues.
The ACCC administer the CDR (detailed at 4.2 Material Business Data and Material Non-public Information) and also hosts the SCAMwatch website, which provides public information, alerts and access to complaints mechanisms on a wide range of consumer scams, including scams perpetrated online.
APRA
APRA, which regulates entities in the banking, insurance and superannuation sector, issued legal standards for information security under Prudential Standard CPS 234 in 2019 (detailed in 3.3 Legal Requirements and Specific Required Security Practices).
APRA has powers to supervise, monitor and intervene in matters of cybersecurity for regulated entities and has a range of enforcement powers to deal with breaches of its standards. Such powers involve APRA issuing infringement notices, providing directions or enforceable undertakings, imposing licensing conditions, disqualifying senior officials and commencing court-based action.
In addition to the regulators and agencies detailed at 1.2 Regulators and those already addressed in this 2. Key Laws and Regulators at National and Subnational Levels, the following agencies deal with cybersecurity and cybercrime.
Data Protection Standards
De jure standards
Organisations should have regard to their obligations under the Privacy Act, Archives Act 1983 (Cth) (Archives Act), and TIA Act when creating standards for the collection, use, and storage of particular information.
De facto standards
The OAIC’s Privacy Management Framework, detailed at 3.2 Consensus or Commonly Applied Framework, may be considered a de facto standard for data protection.
Cybersecurity Standards
De jure standards
In July 2019, APRA issued Prudential Standard CPS 234 on Information Security. This regulation requires APRA-regulated financial, insurance and superannuation entities to comply with legally binding minimum standards of information security, including by:
These standards provide that an entity’s board is ultimately responsible for information security and that the board must ensure that its entity maintains information security in a manner that is commensurate with the size and vulnerability of that entity’s information assets.
APRA-regulated entities are required to externally audit their organisation’s compliance with CPS 234 and report to APRA in a timely manner.
If organisations are non-compliant, they may be required to issue breach notices and create rectification plans. If organisations are unable to comply with the standards following this process, APRA may undertake a more formal enforcement process which may include enforceable undertakings or court proceedings.
De facto standards
ISO/IEC 27001 (revised in 2022) is an international standard on management of information security. While the Australian government recommends that organisations comply with this standard, it is not mandatory.
ASIC’s “Cyber reliance good practices” provides guidance to Australian corporations on information security. The guide includes recommendations for periodic reviews, management tools, cybersecurity governance, risk management and continuous monitoring.
The ASD’s Information Security Manual (ISM) (updated 1 December 2023) outlines a voluntary cybersecurity framework for organisations based on ACSC advice and includes security protection principles for designing, implementing, and reviewing appropriate security systems, policies, and practices. Alongside this ISM, the ASD also published resources and standards for cyberthreat protection and mitigation strategies, including most recently in 2023, the Essential Eight Assessment Process Guide; which provides guidance on assessing both the implementation and effectiveness of controls that underpin the Essential Eight strategies.
Data Protection
The Privacy Act APPs provide a legally binding framework for APP entities with respect to the collection, processing, use, storage, and dissemination of personal information (details of which are outlined at 3.3 Legal Requirements and Specific Required Security Practices).
APP entities are obliged to take “reasonable steps” to implement policies, practices and systems to ensure compliance with APPs. The “Privacy Management Framework”, developed by the OAIC, provides governance steps that APP entities should undertake to meet their privacy compliance obligations including by embedding a privacy compliant culture and by establishing and evaluating privacy practices and systems.
Cybersecurity
De facto cybersecurity frameworks are detailed at 3.1 De Jure or De Facto Standards.
Data Protection and the APPs
The Privacy Act APPs comprise legally binding obligations for APP entities with respect to:
Breaches of these APP’s may be subject to reporting under the federal NDB scheme (as detailed in 2.1 Key Laws, 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event, 5.2 Data Elements Covered, 5.3 Systems Covered, 5.8 Reporting Triggers and 5.9 “Risk of Harm” Thresholds or Standards).
Cybersecurity and the Cyber Strategy
As previously noted in 1.7 Key Developments, the Australian government released the 2023–30 CS, which set out a plan for the government to work with industry “to enhance the cyber shields and build our national cyber resilience”.
Also as previously noted in 3.1 De Jure or De Facto Standards, the ASD released the Essential Eight Assessment Process Guide to assess cybersecurity threat mitigation strategies in line with the Essential Eight strategies, which comprise application control, patch applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular back-ups.
Refer to 1.1 Laws, 2.1 Key Laws, 3.1 De Jure or De Facto Standards and 4.3 Critical Infrastructure, Networks, Systems for details on sector-specific cybersecurity legal requirements and standards.
Data Protection
Australia is a member of the APEC Data Privacy Subgroup. This group developed the APEC Privacy framework and meets biannually to discuss privacy issues.
Cybersecurity
The “Five Eyes” is an intelligence sharing alliance between Australia, the USA, the United Kingdom, Canada and New Zealand. These countries are party to the UKUSA Agreement, which is a treaty for joint signals intelligence co-operation. The cybersecurity representatives of Five Eyes collaborate on joint cyber-incident response. In September 2020, Five Eyes published a best practice guide for cyber-incident investigation and responses.
Australia also engages in a range of other international groups to address cybersecurity issues including the UN Group of Governmental Experts and OWEG (as detailed at 1.4 Multilateral and Subnational Issues), the East Asia Summit and the ASEAN Regional forum. Australia also undertakes cybercapacity building efforts and knowledge sharing in the Pacific Region.
Cybercrime
Parties to the Budapest Convention, including Australia, are members of the Cybercrime Convention Committee (T-CY), which currently is the most relevant intergovernmental body dealing with cybercrime.
As referred to in 3.3 Legal Requirements and Specific Required Security Practices, APP11 deals with the security of personal information and requires APP entities to actively take “reasonable steps in the circumstances to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure”. An APP entity must also take reasonable steps to destroy or de-identify information that is no longer needed.
“Reasonable steps” will vary according to each APP entity and will depend on circumstances that include:
The OAIC’s Guide to Securing Personal Information provides further discussion of affirmative personal information security. The OAIC is in the process of updating this guide.
Part IVD of the Consumer Act provides for the Consumer Data Right (CDR), which seeks to regulate how business can share consumer data. Implementation of the CDR is occurring progressively by industry. The CDR has been rolled out to the banking and energy sectors. The Australian Treasury is currently consulting on CDR rules and data standards for non-bank lending sector.
In November 2023, the Privacy Commissioner updated its CDR Privacy Safeguard Guidelines to reflect the amendments to the CDR.
SOCI Act
The SOCI Act requires owners and operators of critical infrastructure to register under the Register of Critical Infrastructure Assets (a non-public register) and disclose particular information to the Secretary of the DoHA.
“Responsible entities”, which are the entities that hold the relevant licensing or approvals to operate critical infrastructure, must provide operational and asset information to DoHA. “Direct interest holders” (which are typically entities that own at least 10% of the critical infrastructure asset or hold an interest in the asset that puts the entity in a position to directly/indirectly influence or control the asset) must provide interest and control information. Any updates to this information must occur within 30 days. Failure to fulfil these reporting obligations may result in a penalty of up to 50 penalty units (AUD15,650).
The SOCI Act also requires critical infrastructure owners and operators to comply with Ministerial directions or Secretarial requests for information where necessary. In March 2022, the SOCI Act was amended to oblige responsible entities to create and maintain a critical infrastructure risk management programme. This amendment also included a new framework for enhanced cybersecurity obligations for operators of systems of national significance. Further cybersecurity-related amendments were flagged in November 2023, but the contents and timing remain unconfirmed at the time of writing (March 2024).
Telecommunications Act
The Telecommunications Act requires network operators to safeguard Australian communications from unauthorised access or interference that might prejudice Australia’s national security.
There are no legally mandated requirements with respect to securing against denial of service (DoS) or distributed DoS (DDoS) attacks. The ACSC recommends that organisations can prevent such attacks through steps such as:
Looking Forward: 2023–2033 Strategy and Action Plan
Under the 2023–30 CS (see 1.7 Key Developments), the Australian government is planning a range of things in terms of the internet of things (IoT), software, supply chain, other data or systems.
IoT
In 2020, the government developed a voluntary code of practice with 13 principles, which set out the government’s expectations for IoT consumer devices. The ACSC provides associated guidance on this code, providing practical examples for individuals and businesses.
Under the 2023–30 CS, the Australian government will collaborate with industry experts and international partners to develop mandatory cybersecurity standards for IoT devices and co-design a voluntary code of practice for app stores and app developers in an effort to shape the development and adoption of international software security standards. Additionally, the government aims to develop a voluntary labelling scheme for consumer-grade smart devices.
Supply chains
Previously, the ACSC has released numerous publications as part of its “Cyber Supply Chain Guidance”. These include publications concerning risk identification, management of security, and issues when engaging a managed service provider, all of which provide technical guidance on key cybersecurity issues.
In the 2020 Cyber Strategy the government attempted to uplift businesses’ cybersecurity capabilities by:
In 2021, the DoHA published “Critical Technology Supply Chain Principles”, outlining ten agreed principles for supply chain security, categorised under three pillars security-by-design, transparency, and autonomy and integrity.
The 2023–30 CS aims to continue this progress, including by developing a framework for assessing the national security risks presented by vendor products and services so as to manage supply chain risks, make procurement decisions and limit non-secure products.
The ACSC regularly publishes guidance and advice to assist with preparing for and responding to a ransomware attack. The ACSC recommends to never pay a ransom in the case of a ransomware attack.
Business owners that hold sensitive information or form part of a government supply chain are obliged to report data breaches under the federal NDB scheme in the Privacy Act. This extends to instances of ransomware attacks. The federal NDB scheme is outlined in further detail at 2.1 Key Laws and 5. Data Breach or Cybersecurity Event Reporting and Notification.
NDB Scheme
As outlined in 2.1 Key Laws, Part IIIC of the Privacy Act sets out a scheme for “notification of eligible data breaches”. In short, as per Section 26WE(2) of the Privacy Act, an “eligible data breach” occurs where:
However, Section 26WF of the Privacy Act creates an exception to reporting such an incident, where the entity in question takes remedial action to ensure that the breach does not cause serious harm to the individuals concerned.
The ACSC provides an overarching definition for cybersecurity events in its Guidelines for Cyber Security Incidents. In these guidelines, a cybersecurity event is “an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security”. While there is no general legislative definition of a cybersecurity event, the SOCI Act, at Section 12M, provides a limited, more complex definition.
The types of data covered by the federal NDB scheme, described in 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event, are all those falling within the definition of “personal information”.
“Personal information” is defined in Section 6 of the Privacy Act to mean “information or an opinion about an identified individual, or an individual who is reasonably identifiable”. It does not matter whether the information/opinion is true or is recorded “in a material form”. Personal information also includes sensitive information as outlined in 2.1 Key Laws.
The systems covered by the federal NDB scheme are those:
Information that is covered by the specific data breach notification scheme set out in section 75 of the My Health Records Act is not included in disclosure obligations under the Privacy Act scheme.
Under Section 75 of the My Health Records Act, any compromise (including potential compromise) or unauthorised collection/disclosure of data held under a My Health Record requires reporting to the relevant system operator and/or the OAIC. Subsequently, all “affected healthcare recipients” must also be notified of the compromise or unauthorised disclosure.
Other than those data breaches to which the My Health Records Act applies, medical data would generally be personal information and covered by the federal NDB scheme detailed in 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event and 5.2 Data Elements Covered.
Please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event and 5.2 Data Elements Covered.
Please see 4.5 Internet of Things (IoT), Software, Supply Chain, Other Data or Systems.
The voluntary code of practice concerning IoT devices (see 4.5 Internet of Things (IoT), Software, Supply Chain, Other Data or Systems) sets out requirements which apply to the security software lifecycle. Principle 3 of the code generally sets out requirements for ensuring software is securely updated. Additionally, the code requires that devices and services operate on the “principle of least privilege” and requires all certifications be managed securely.
The ACSC’s ISM chapter on Guidelines for Software Development provides detailed, technical guidance on the development of a secure software lifecycle for traditional, mobile and web applications.
The relevant reporting “trigger” is belief that an “eligible data breach” (see 5.1 Definition of Data Security Incident or Breach) has occurred.
When such a breach occurs, the entity must report to both the OAIC (detailing the breach, the kind/s of information concerned, and recommendations for steps individuals should take in response to the breach) as well as individuals whose data has been subject to the breach. If it is not practicable for the entity to notify the individuals concerned, it must publish (including on its website) a copy of the aforementioned statement to the OAIC concerning the breach.
The reporting “trigger” threshold is consistent across all entities relevant to the “notification of eligible data breaches” scheme, both public and private.
It is also noted that (pursuant to Section 26WH of the Privacy Act) where an entity merely suspects (but doesn’t necessarily believe) that an eligible data breach has occurred, it has 30 days to “carry out a reasonable and expeditious” assessment of the matter, in order to determine whether its reporting obligations are enlivened.
As noted in 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event, to meet the legislative threshold necessary to trigger mandatory reporting obligations, a data breach must be “likely to cause serious harm”.
The meaning of the phrase “serious harm” is informed by a list of factors set out in Section 26WG of the Privacy Act. Those factors include:
In general, Australia has no laws that restrict the capacity for network monitoring and taking other defensive cybersecurity measures. The ACSC’s “Strategies to Mitigate Cyber Security Incidents” publication sets out a number of recommended measures that involve a monitoring or active defensive component, such email/web content filtering and analysis.
Data Protection in Employment
In the employment context, regulation varies between state and territory jurisdictions. New South Wales is a jurisdiction that regulates such monitoring. The Workplace Surveillance Act 2005 (NSW) stipulates that employees must be given 14 days’ notice before surveillance can be conducted at the workplace. Computer surveillance must only be carried out when in compliance with an employer policy of which the employee is aware and understands
These issues can give rise to multi-faceted conflicts, which includes the operation of cybersecurity (eg, monitoring) measures in the workplace inevitably involving potential conflict with employee privacy. Though there is no comprehensive or consistent legal position across Australia on this matter, the Commonwealth Fair Work Ombudsman – in seeking to ensure the appropriate balance is struck – recommends that it is best practice for employers to adhere to the APPs and to clearly set out company policy on these matters.
Information Sharing under the Telecommunications Act
The Telecommunications Act covers the sharing of cybersecurity information. Under the Act, carriers and carriage service providers have broad obligations relating to the provision of assistance to the government. Specifically, Section 313(3) of the Telecommunications Act requires those entities to provide Commonwealth, state, and territory governments with “such help as is reasonably necessary for” purposes primarily connected to criminal law enforcement, “protecting the public revenue”, and protection of national security.
The Telecommunications Act also includes a provision regarding the issuing of technical assistance notices and technical capability notices. These notices can require the communications provider in question to do things such as removing security (eg, encryption) on data, providing technical information, or facilitating access to electronic services.
Information Sharing under the SOCI Act
The amendments to the SOCI Act in December 2021 included the introduction of compulsory information gathering provisions. The Minister can only utilise this power if a cybersecurity event has been triggered, which requires the following conditions to be met (Section 35AB(1)):
If a cybersecurity event is triggered, the Minister of Cybersecurity may authorise the Secretary to issue information gathering directions in relation to the incident and/or impact to the relevant entity for the impacted asset or another specified “critical infrastructure sector asset” (Section 35AB(5)). The Minister must only authorise the issuance of information gathering directions if the Minister is satisfied that the directions “are likely to facilitate a practical and effective response to the incident” (Section 35AB(6)).
Government Information Sharing
In terms of information sharing within government departments and agencies, those entities may authorise the ACSC to carry out “network protection” activities on their behalf. When that occurs, the TIA Act authorises information to be collected by the ACSC as part of the network protection.
The ACSC also has a variety of other information gathering powers, including via ASIO (including action related to the collection of foreign intelligence) and the AFP, such as seeking the sharing of information obtained by warrant.
Soon, there may also be a new “limited use obligation for ASD and the Cyber Coordinator” (see 1.7 Key Developments).
Voluntary Disclosure to the ACSC
In addition to the legislative arrangements outlined in 7.1 Required or Authorised Sharing of Cybersecurity Information, voluntary sharing of information remains a major avenue through which the ACSC gathers information. As noted at paragraph 36.40 of the government’s 2020 Comprehensive Review of the Legal Framework of the National Intelligence Community, “the ACSC relies on organisations it is assisting to voluntarily provide critical information ‒ such as data samples and log files ‒ that might help uncover the extent of a compromise of their cyber security, or that might assist the ACSC to attribute a cyber security incident to a particular malicious actor”.
Telecommunications Act
It is worth noting that, in addition to the technical assistance and capability notices regime noted in 7.1 Required or Authorised Sharing of Cybersecurity Information, the Telecommunications Act also indemnifies communications providers from civil liability relating to voluntary assistance to, and at the request of, the Director-General of Security, the ASIS, the ASD, the AFP, the ACIC, or any state/territory police force.
OAIC Enforcement Action
The OAIC has commenced civil penalty proceedings in the federal court against Australian Clinical Labs Limited (ACL) following an investigation into its privacy practices. The proceedings relate to a data breach of ACL’s information technology systems in February 2022 which resulted in the unauthorised access and disclosure of personal information of hundreds of thousands of ACL’s patients including Medicare numbers, sensitive health information, and credit card information.
The OAIC allege that from May 2021 to September 2022, ACL failed to take reasonable steps to protect personal information in breach of the Privacy Act and that following the data breach, ACL failed to carry out a reasonable assessments and notify the Commissioner per Part IIIC of the Privacy Act.
If the OAIC is successful, the federal court could impose a penalty of up to AUD2.22 million for each contravention of the Privacy Act.
Proceedings are currently yet to commence in the federal court. Being the first case of its kind, any decision will have significant consequences concerning businesses’ cybersecurity obligations.
OAIC Determinations
In 2023, the OAIC has made nine determinations regarding privacy complaints made against both public and private entities.
In June 2023, the OAIC found that Pacific Lutheran College, an independent private school, interfered with individuals’ privacy in relation to a data breach incident that occurred on 28 May 2020. An unidentified third party accessed approximately 180,000 emails through the email account of an individual with unauthorised access. The incident resulted in the sending of phishing emails to 8,332 contacts of the email account. The College became aware of the incident the following day but did not notify the OAIC until 15 December 2020.
The OAIC determined that the College had interfered with individuals’ privacy by failing to conduct expeditious assessments, to notify OAIC of a breach and to take reasonable protective steps.
As an example of a determination concerning a public sector entity, on 26 April 2023, the OAIC held that the Secretary to the Department of Veterans’ Affairs breached APP 3 and 6 by failing to obtain the complainant’s consent and using the complainant’s personal information for a secondary purpose without the complainant’s consent or prior notification.
Penalties Under OAIC Determinations
In respect of the OAIC’s determination, as discussed at 8.1 Regulatory Enforcement or Litigation, regarding Pacific Luther College’s breach of Principle 11.1, the College was ordered to not repeat or continue its failures and, within six months, to prepare and implement an incident response plan containing minimum conditions listed by the OAIC.
In the Department of Veterans’ Affairs matter referred to at 8.1 Regulatory Enforcement or Litigation, the OAIC awarded the complainant AUD5,000 for non-economic loss and ordered that the complainant be provided a written apology from the Department. The Department was also ordered not to repeat this conduct.
Additionally, the OAIC has reported that, between 2022 and 2023, a total of nine privacy complaints were resolved. The outcomes included apologies, records being amended, and compensation being paid. Finally, the OAIC has also, from time to time, used enforceable undertakings as a means of ensuring future compliance by erring entities with the Privacy Act, though none were publicly reported for the 2022–23.
This is not relevant in this jurisdiction.
No significant private litigation has been recently conducted in Australia concerning data security incidents and breaches. It should be noted that, in 2019, the ACCC recommended that the Privacy Act be reformed to introduce a direct right of action for persons against those who are alleged to have interfered with their privacy.
There is minimal class action litigation activity in Australia concerning alleged data breaches.
Class action litigations concerning the Medibank data breach and Optus data breach have continued to develop over the last year, with Medibank’s data breach in October 2022 resulting in the company facing four separate class action lawsuits while Optus is facing one class action lawsuit. However, there has been limited movement in both lawsuits.
As detailed in 3. Key Frameworks, the Australian regulatory framework has a number of mandatory requirements, such as the APP, which establish minimum standards for corporate cybersecurity governance.
As a result of the recommendations in the 2023–2030 CS, discussed in 1.7 Key Developments, the SOCI Act is likely to see amendments, incorporating security regulations from the Telecommunications Act 1997 (Cth). These potential amendments may subject telecommunications corporations to stricter cyber-reporting requirements under the SOCI Act.
In November 2023, at ASIC’s Annual Forum, ASIC’s Chair, Joe Longo, called on corporations to prioritise their cybersecurity and cyber-resilience as a top priority; and warned that ASIC was prepared to take legal action where director boards fail to adequately prepare against cybersecurity breaches.
Due diligence processes in Australia involves parties to transactions undertaking a comprehensive assessment of any aspects of the transaction that may have flow-on effects on parties’ liabilities and obligations for compliance with the Australian regulatory and legal framework regarding cybersecurity and privacy issues. It is important that this assessment is holistic, covering the following.
For avoidance of doubt, the above list is not exhaustive.
Additionally, for any foreign or cross-border transactions, Australian parties should also consider the applicability of any other relevant foreign laws (eg, whether the target entity is subject to any international/foreign obligations such as the EU GDPR).
A general obligation of care and diligence is imposed on company directors in the discharge of their duties, under Section 180 of the Corporations Act. Plainly, this would appear to cover taking necessary and adequate steps to protect the company from cybersecurity threats.
Additionally, an organisation that misrepresents its cybersecurity profile may be liable to proceedings for misleading and deceptive conduct under the Australian Consumer Law.
Separately, if an entity holds an Australian financial services or Australian credit licence, a cybersecurity issue may constitute a “reportable situation” and ASIC may need to be notified.
Moreover, companies listed on the Australian Stock Exchange have a continuing obligation of disclosure concerning any information that is reasonably expected to have an effect on the price of their shares: the strength or otherwise of a company’s cybersecurity profile would arguably (and, in some circumstances, almost certainly) fit that criterion.
Further, and as detailed in 5. Data Breach or Cybersecurity Event Reporting and Notification, the occurrence of an eligible data breach can enliven an obligation on the entity in question to make public details of the breach incident.
Cybercrime Awareness Programme
In addition to the various international engagements outlined above in the area of cybercrime (eg, 3.4 Key Multinational Relationships in relation to the Five Eyes alliance), Australia also takes a regional approach to this issue. In particular, the AFP leads a cybercrime awareness programme called Cyber Safety Pasifika, engaging with authorities from Pacific Island nations on the topics of cybercrime and cybersafety.
Insurance
Cybersecurity insurance, while not mandatory, is taking on a more prominent role in the cybersecurity landscape as the risk of cyberthreats and cybercrime increases. As part of its 2020–2024 Cyber Security Strategy, APRA has begun implementing greater regulations and governance regarding general insurers, to ensure the development of secure cyber-insurance practices and accountability. This is a unified step by government agencies to continue developing the government’s “cyber-resilience first” approach in tackling cybersecurity threats.
AI Development
The rise of AI has led to growing concern over its potential misuse for malicious actions and an increased risk to confidentiality. In November 2023, The ASD, along with 19 other international partners, published the Guidelines for secure AI system development. These guidelines provide recommendations for providers of AI systems concerning “design, development, deployment, and operation of their AI systems”.
Level 9
299 Elizabeth Street
Sydney NSW 2000
Australia
+61 2 9264 8884
+61 2 9264 9797
contact@ngm.com.au www.ngm.com.auIntroduction
In 2023, Australia carried on the reforming and strengthening of its cybersecurity and cyber-resilience, to mixed effect. The drive to reform carries on from the string of high-profile data breach incidents in 2022 that saw the effectiveness of Australia’s cybersecurity and cyber-resilience seriously questioned. While 2023 has seen fewer high-profile incidents, cybercrime and its effects continue to increasingly affect Australia’s citizens and economy. In response, the government has introduced several whole-of-government strategies and plans to strengthen Australia’s cybersecurity and cyber-resilience, the most notable of these being the 2023–2030 Australian Cyber Security Strategy (2023–30 CS).
In line with the 2023–30 CS, the near future will see legislative reform, a shift in regulatory priorities, and a strengthening of regulators as Australia seeks to address cybercrime and strengthen cybersecurity at the national, regional and international levels.
An Overview of Australia’s Mixed Year in Cybersecurity
During 2023, Australia saw a growth in cybercrime incidents and a rise in cyber threats, despite the government’s legislative and regulatory efforts to curb these threats and strengthen Australia’s cyber defences. From the beginning of the 2023 year, national security in the cyber space was front and centre with the Director-General of the Australian Security Intelligence Organisation, confirming in the annual threat assessment that “[m]ore recently, there’s been considerable focus on cyber security” and that “[s]ince the announcement of AUKUS, there’s been a distinct uptick in the online targeting of people working in Australia’s defence industry”. But it is clear that Australia’s focus on cyber threats extends well beyond this defence lens, to national security and the economy more generally.
On 14 November 2023, the Australian Signals Directorate (ASD) announced in its annual cyber threat report that it responded to over 1,100 cybersecurity incidents from Australian entities, similar to the previous financial year. While nearly 94,000 reports were made to law enforcement (around one every six minutes), being a 23% increase from the previous financial year.
These cyber threats affect all Australian sectors, including the government, the private sector and individuals, while the primary targets continue to be small businesses (turnover of less than AUD2 million) and individuals. However, this year also saw Australia’s critical infrastructure “under regular targeted and opportunistic cyber attack”, with the ASD responding to 143 incidents at critical infrastructure entities such as ports, up from 95 incidents in the previous financial year.
The ASD’s annual cyber threat report also identified key cybersecurity trends in FY2022–23.
The ASD also noted its condemnation, with its international partners, of Russia’s Federal Security Service’s use of “Snake” malware for cyber-espionage. The ASD also highlighted activity associated with a People’s Republic of China state-sponsored cyber-actor that used “living-off-the-land” techniques to compromise critical infrastructure organisations.
Legislative and Regulatory Reform
Australia’s 2023–2030 Cyber Security Strategy
On 22 November 2023, the Australian government released the 2023-2030 CS, which is supplemented by the 2023–2030 Australian Cyber Security Action Plan (AP). Together, they detail the government’s key cybersecurity initiatives that will be delivered over the next two years.
Under each shield, the Australian government will carry out initiatives of legislative reform, policy reform, capacity-building and awareness-raising. The initiatives include the following.
The 2023–30 CS and AP will be implemented across three horizons. The first horizon (2023-2025) will focus on the strengthening of foundations. The second horizon (2026-2028) will scale cyber maturity across the whole economy. The final horizon (by 2030) will establish Australia as a world leader in cybersecurity.
As part of the 2023–30 CS, the government also established an Executive Cyber Council in November 2023. The council comprises executives across industry and enables broader collaboration on national cybersecurity priorities. The council’s role includes supporting the government’s targeted consultation process, to co-design specific 2023–30 CS initiatives with specific industries.
Australian government’s response to the Privacy Act Review Report
On 28 September 2023, the Australian government published its response to the Attorney-General’s Department’s Privacy Act Review Report (Review). The Review contained 116 proposals to amend the current Privacy Act 1988 (Cth) (Privacy Act), to better align Australia’s privacy laws with global standards of information privacy protection.
Of the 116 proposals in the Report, the government has:
Relevantly, of the 38 “agreed” proposals, only two will introduce substantive legislative protection for individuals. A majority of the Review’s substantive proposals to protect individuals’ privacy and data have only been “agreed in principle”, these proposals include entities needing to act fairly and reasonably when handling personal information, a direct right of action to enforce individual privacy rights and a statutory tort for serious invasions of privacy.
Both proposals will reform the Privacy Act. First, regulated entities will be required to ensure that their privacy policies set out the types of personal information that will be used in “substantially automated decisions” that have a legal or otherwise significant effect on an individual. Second, individuals will have the right to request meaningful, jargon-free and clear information about how automated decisions are made that have a legal (or similarly significant) effect on an individual’s rights.
A number of the remaining “agreed” proposals go towards broadening regulatory and investigative powers and broadening enforcement action. The enforcement powers and code-making powers of Office of the Australian Information Commissioner (OAIC) will be bolstered. While courts’ powers to make orders in civil penalty proceedings will be broadened.
Australian Securities and Investment Commission (ASIC) focus on Cybersecurity
Australia’s financial market regulator, the Australian Securities and Investment Commission (ASIC), has taken an active stance in enforcing cybersecurity as a critical priority. In September 2023, at the Australian Financial Review Cyber Summit, the Chair of ASIC, Joe Longo, asserted the need for corporations to prioritise cybersecurity and cyber-resilience as a “top priority”.
Mr Longo emphasised that ASIC would focus on organisations where “directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks their business poses”. He further stated that ASIC would take legal action against organisations whose board directors and executives failed to take adequate steps to prevent and prepare for cybersecurity breaches.
In November 2023, ASIC, released Report 776, “Spotlight on cyber: Findings and insights from the cyber pulse survey 2023”. The report provides an overview of trends and discoveries from the Cyber Pulse Survey, identifying areas of improvement and practical instances of best practices that organisations can implement for improvement.
ASIC’s 2023 Cyber Pulse Survey comprised of responses from 697 participants, including 423 proprietary limited companies and 83 publicly listed companies.
The key findings of the report are as follows:
The survey results reveal Australian companies’ lack of cyber-resilience and deficiencies in managing cybersecurity risks, particularly in critical cyber capabilities. In November 2023, at ASIC’s Annual Forum, Mr Longo stated that ASIC’s priority for 2024 will be addressing governance and breach of directors’ duties. This is likely to include ASIC prosecuting directors or officers for breaches of directors’ duties concerning cybersecurity breaches.
The Appointment of an Information Commissioner
The Australian government’s flurry of activity in late 2023 included the appointment of a standalone Privacy Commissioner and a new Freedom of Information Commissioner to the OAIC, these roles were previously performed by the Information Commissioner.
The Attorney-General of Australia, the Honourable Mark Dreyfus KC, stated that the federal government restored the OAIC to a three-commissioner structure, as the appointments were necessary to deal with “the growing threats to data security and the increasing volume and complexity of privacy issues”. Additionally, as part of the 2023/24 Federal Budget, the Australian government increased the OAIC’s allocated budget to AUD45.2 million over four years (and AUD.4 million per year ongoing) to strengthen privacy protection and enforcement.
The Privacy Commissioner, Carly Kind, will perform the privacy functions relating to the privacy of individuals. The role of the Privacy Commissioner will be to ensure government agencies and large organisations – those with an annual turnover of more than AUD3m, with some exceptions – abide by the law when handling personal information. The role commenced on 26 February 2024.
Enforcement and Litigation
Sanctions related to Medibank hack
On 23 January 2024, Australia imposed a cyber sanction under the Autonomous Sanctions Act 2011 (Cth) on Russian national Aleksandr Ermakov for his role in the compromise of Medibank Private in 2022.
This is the first time a cyber sanction has been imposed under the Act, since Australia established the thematic autonomous sanctions regime in relation to significant cyber-incidents on 21 December 2021. Australia’s thematic autonomous sanctions regime targets individuals who engage in sanctionable conduct, irrespective of where they are in the world.
Aleksandr Ermakov was linked to the Medibank data breach and other leads through the ASD and the Australian Federal Police’s Operation Aquila, with the co-operation of other Commonwealth agencies and international partners.
The Russian citizen (and cybercriminal) was sanctioned for his role in the unauthorised release and publication on the dark web of 9.7 million records containing the personal information of Australians, including names, dates of birth, Medicare numbers, and sensitive medical information.
Financial sanctions under the Sanctions Act now make it a criminal offence, punishable by up to ten years’ imprisonment and heavy fines, to provide assets to Mr Ermakov or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments. Mr Ermakov is also banned from travelling to or remaining in Australia.
Regulatory action against Meta Inc
In July 2023, the federal court of Australia ordered two subsidiaries of Meta, Facebook Israel and Onavo Inc, to each pay AUD10 million for engaging in conduct liable to mislead in breach of the Australian Consumer Law, in an action brought by the Australian Competition and Consumer Commission (ACCC).
The court declared that the two companies engaged in conduct liable to mislead the public in promotions for the Onavo Protect app, by failing to adequately disclose that users’ data would be used for purposes other than providing Onavo Protect, including Meta’s commercial purposes.
Meta, the parent company of Facebook, is also facing civil penalty proceedings at the federal court. The OAIC brought proceedings against two Facebook entities, Facebook Inc. and Facebook Ireland Limited (together, Facebook), in March 2020. The proceedings relate to Facebook’s disclosure of personal information belonging to approximately 300,000 Australian Facebook users during 2014 and 2015 to owners of a third-party application called “This Is Your Digital Life”. The personal information was then sold to Cambridge Analytica, a political consulting firm, and was permitted to be used for political profiling.
Following delays since 2020 due to procedural issues, the OAIC is finally able to serve proceedings on Facebook, and will commence substantive proceedings. These proceedings may have considerable consequences for the privacy obligations of foreign entities operating in Australia.
Australia’s Focus on the Asia-Pacific
The 2023–30 CS highlighted the Australian government’s consistent focus on developing the cybersecurity and cyber-resilience of the Asia-Pacific region. This will be achieved by capacity building, training, technical support and financial investment.
As part of this strategy, on 22 November 2023, the Australian government committed to a number of key goals. The most important of these is the establishing of the “Cyber Rapid Assistance for Pacific Incidents and Disasters (RAPID)” teams led by the Department of Foreign Affairs and Trade with representatives from a range of government agencies and the private sector. These teams will help respond to cyber crises as they happen in the Pacific when Pacific governments request assistance.
In addition, the government intends to (i) build long-term resilience in the Pacific by working with partners to proactively identify vulnerabilities – such as end-of-life hardware and software – and trial secure by design solutions that reduce cyber-incidents; and (ii) work with partners in South-East Asia to hone responses to cyber-incidents, support practical recommendations for uplift and better position regional governments to prevent cyber-incidents.
It is envisioned that these initiatives will supplement Australia’s Cyber and Critical Tech Cooperation Program, which works across the Indo-Pacific to strengthen cyber and critical tech resilience through capacity building projects.
Level 9
299 Elizabeth Street
Sydney NSW 2000
Australia
+61 2 9264 8884
+61 2 9264 9797
contact@ngm.com.au www.ngm.com.au