At the end of 2024, the federal government passed significant new cyber security and privacy regulatory reforms which reflect the government’s focus on enhancing cyber security and data protection resilience across the economy. These new requirements also heighten the necessity for boards to actively oversee the cyber security and data protection controls at their organisations.
Key points
- Directors should be aware of new cyber security and critical infrastructure legislation that was passed by Parliament in November 2024. Key reforms include a ransomware payment reporting framework and new risk management obligations for critical asset owners.
- The Privacy Act 1988 was also significantly strengthened under a separate set of reforms that were legislated in November 2024. The changes cover enhanced regulator powers and penalties, introduce a statutory tort for privacy and establish new transparency requirements around the use of automated decision-making tools.
- The AICD CSCRC Cyber Security Governance Principles were updated at the end of 2024 and reflect these law changes. The principles provide a better practice foundation for directors to build cyber and data resilience at their organisations.
Cyber security reforms
The cyber security legislation that passed Parliament in late November 2024 is the culmination of several years of policy development, including publication of the 2023-30 Australian Cyber Security Strategy in 2023. The momentum behind these new regulations reflects the widespread concern in the ranks of government, regulators and the broader community with high profile cyber security attacks and resulting data breaches that occurred in recent years.
For most organisations that are not under the Security of Critical Infrastructure Act 2018 (SOCI Act) umbrella, these new regulatory requirements will not have an immediate impact. However, we encourage boards to be aware of these changes, to engage with management, and to update the organisation’s cyber incident response plan to reflect that any ransomware payment will have to be reported. The reforms will commence from the end of May 2025.
Australia now has, for the first time, standalone cyber security legislation in the form of the Cyber Security Act 2024 (CS Act). The CS Act has four key components:
- A requirement to report to the Department of Home Affairs (Home Affairs) and Australian Signals Directorate (ASD) any ransomware payments made in connection with a cyber security incident. The requirement will apply to all entities subject to the SOCI Act and all organisations above a set revenue threshold. Home Affairs is currently consulting on whether this revenue threshold should be set at $3 million per annum (a level AICD considers too low).
- A limited use obligation on information voluntarily provided by an organisation during a critical cyber incident to the ASD and the National Cyber Security Coordinator. The framework limits how this information can be used by other Commonwealth agencies and is intended to facilitate trust and collaboration between an organisation and the government during the immediate response phase of a critical cyber incident.
- The establishment of a Cyber Incident Review Board to conduct no-fault, expert-led reviews of significant cyber incidents.
- Mandatory security standards for consumer Internet of Things devices. The standards are likely to mirror or align with existing international standards.
The legislative package also includes amendments to the SOCI Act. The key changes to this legislation that applies to critical asset owners in Australia are:
- Data storage systems that hold ‘business critical data’ are now within the definition of ‘asset’ under the SOCI Act and the risks to business-critical data are required to be specifically covered in risk management settings;
- New Ministerial powers that will empower the Minister to direct an entity to take certain actions following a critical asset incident;
- New Home Affairs powers to direct an entity to address deficiencies in a risk management program; and
- Consolidating telecommunications industry security requirements under the SOCI Act.
As with the cyber security legislation, these changes to the SOCI Act will come into effect at the end of May 2025.
Privacy Act reforms
The flurry of legislation at the end of 2024 included the first tranche of Privacy Act 1988 (Privacy Act) reforms resulting from the multi-year Privacy Act Review (the Review). The government had previously agreed, or agreed in-principle, with 106 of the 116 recommendations of the Privacy Act Review in September 2023.
This tranche is a limited first step in comparison to the wide-ranging reforms contemplated under the Review. Key measures include:
- The introduction of a new statutory tort for serious intentional or reckless invasions of privacy;
- New transparency requirements for the use of automated decision-making (ADM);
- Expanding Office of the Australian Information Commissioner (OAIC) monitoring and investigation powers; and
- New civil and criminal penalties, including associated with doxing (unauthorised release of personal information on a carriage service).
The statutory tort will commence in June 2025 and the ADM transparency requirements in December 2026. The other changes are now in effect.
While the legislation did not include more contentious proposed changes, such as the removal of the small business exemption, its passage does heighten the need for boards to effectively oversee how personal information is collected, stored and protected at their organisations. Greater powers for the OAIC, including its ability to issue penalty notices, increase the regulatory risk associated with data governance failures.
While a direct right of action for individual redress (expected to result in the greatest class action risk) was not introduced, we do expect that the statutory tort will be tested as a new avenue for class actions associated with large-scale data breaches. How the current government, and a new government post-election, progress privacy reform will be a key regulatory area to watch in 2025.
Updated Cyber Security Governance Principles
The AICD is committed to assisting members in governing cyber security risk and in November 2024 updated the AICD CSCRC Cyber Security Governance Principles (the Principles).
The enhancements to this key publication reflect the growing complexity of cyber risks facing Australian organisations and provide directors with expanded guidance on critical areas including digital supply chain security, data governance and comprehensively preparing for and responding effectively to a significant cyber event. The changes also reflect the new legislation.
In 2025, we are also planning to publish a new AICD resource on data governance. Our objective with this upcoming publication is to fill a gap in practical guidance for all directors on how to oversee this increasingly critical asset, including mitigating risks associated with poor data practices and protection.