
In the wake of a series of high-profile data breaches,[1] the Australian Government enacted, on 29 November 2024, a new tranche of legislative measures under its 2023-2030 Australian Cyber Security Strategy. The measures seek to close legislative gaps and bring Australia into line with international standards.[2]

The Cyber Security Act 2024 (the “Act”) introduces several key measures aimed at strengthening Australia’s cyber security posture.[3] These include:

  • Mandatory Ransomware Payment Reporting – An entity that carries on business in Australia and either had an annual turnover above the turnover threshold[4] in the previous financial year, or is a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies,[5] must report where it is affected by a “cyber security incident” (as defined in the Act)[6] and makes a ransomware payment, or becomes aware that another entity has made one on its behalf, to an entity seeking to benefit from the incident or its impact. The report is due within 72 hours of making the payment, or of becoming aware that it has been made;
  • Cyber Incident Review Board – A newly established body responsible for conducting reviews of significant cyber security incidents, and of other cyber security incidents involving novel or complex methods or technologies, with the power to compel organisations to produce information and documents to assist a review;
  • Limited Use Obligation – To encourage full and frank disclosure, information provided to the National Cyber Security Coordinator cannot be used to investigate or enforce a contravention by the reporting entity of a Commonwealth, State or Territory law, other than a contravention of the entity’s mandatory ransomware reporting obligations or of a law that imposes a penalty or sanction for a criminal offence;
  • Cyber Security Standards for Digital Devices – Allows the relevant Minister to mandate security standards for devices that can connect, directly or indirectly, to the internet.

While the new tranche of legislative measures has been passed, each measure commences on a different date.[7]

__________________________________________________________________________________________________________

[1] ‘Optus notifies customers of cyberattack compromising customer information’, Optus (Media Release, 22 September 2022) <https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack>; see also Tiffanie Turnbull, ‘Medibank hack: Russian sanctioned over Australia’s worst data breach’, BBC (Article, 23 January 2024) <https://www.bbc.com/news/world-australia-68064850>.

[2] ‘2023-2030 Australian Cyber Security Strategy’, Department of Home Affairs <https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy>.

[3] Parliament of Australia, Cyber Security Bill 2024 <https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r7250>.

[4] The Exposure Draft of the Cyber Security (Ransomware Reporting) Rules 2024 indicates that the threshold is to be $3 million; see also Cyber Security (Ransomware Reporting) Rules 2024.

[5] Security of Critical Infrastructure Act 2018.

[6] See section 9 of the Cyber Security Act 2024.

[7] See section 2 of the Cyber Security Act 2024.
