Will your business be impacted by Australia’s new cyber security laws?


Australia now has its first stand-alone cyber security laws, contained in the Cyber Security Legislative Package 2024.

These reforms are made up of three separate Bills, which have been passed and are currently awaiting royal assent. They are:

Pleasingly, the reforms involve a range of initiatives, including mandatory security standards for smart devices and the legal framework for critical infrastructure protection.

The Cyber Security Bill 2024 has four key aspects which are:

  • mandatory security standards for smart devices
  • mandatory reporting of ransomware payments within 72 hours
  • the establishment of a ‘limited use’ obligation that restricts how information provided to the National Cyber Security Coordinator during a cybersecurity incident can be used and shared with other government agencies, including regulators
  • the establishment of a Cyber Incident Review Board

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 amends the Security of Critical Infrastructure Act 2018 with the intention of strengthening the security and resilience of critical infrastructure, and the cooperation of government and infrastructure operators.

The Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 amends the Intelligence Services Act 2001 and establishes a ‘limited use’ obligation that restricts how cyber security information voluntarily provided to the Australian Signals Directorate can be used and disclosed. It also amends the Freedom of Information Act 1982 to exempt cyber security information voluntarily provided to the National Cyber Security Coordinator from the operation of the Act.

How will this impact Australian Businesses?

Whilst it has not been determined which businesses will have to comply, it is believed the threshold will be $3 million turnover, which brings the reform package into line with the reporting threshold for the Privacy Act 1988.

This will impact a significant number of Australian businesses.

The reform package will require those businesses affected to report:

  • a cybersecurity incident which has happened, is happening or is imminent
  • an extorting entity making a demand of the business, or a third party, directly related to the incident impacting them
  • the business providing, or being aware that another entity directly related to it has provided, a payment or benefit to the extorting entity that is directly related to the demand.

The report must be made to the Department of Home Affairs within 72 hours of making a payment or becoming aware of such a payment, through a portal which is administered by the Australian Cyber Security Centre.

Failure to report may result in civil penalties of 60 penalty units, which equates to $18,780.

Manufacturers and suppliers of smart products will be required to comply with the security standards if they are aware, or could reasonably be expected to be aware, that the products will be acquired in Australia.

Failure to do so will allow the Secretary of Home Affairs to issue compliance notices, stop notices, and recall notices.

What should businesses do?

If you will be affected by these new laws, your business should:

  • Have in place protocols and tools to respond to the new regime
  • Have in place and/or update any current cyber-attack response plan
  • Have clear lines of communication and reporting mechanisms
  • Ensure it has sufficient protection, including firewalls etc.
  • Ensure employees are trained and understand the obligations of the business

There is a lot of excellent information as to what businesses should do to protect themselves and ensure compliance and the following are just a few of those sites:

How can FC Lawyers help?

We are currently working with many of our business clients to ensure that they are ready for the new reforms, and can assist in reviewing and advising on their current organisational ability and what may be needed to ensure they are ready for the new regimes.

Contact our team to discuss your cyber security or business needs.

The information provided in this article is for general information and educative purposes in summary form on legal topics which is current at the time it is published. The content does not constitute legal advice or recommendations and should not be relied upon as such. Whilst every care has been taken in the preparation of this article, FC Lawyers cannot accept responsibility for any errors, including those caused by negligence, in the material. We make no representations, statements or warranties about the accuracy or completeness of the information and you should not rely on it. You are advised to make your own independent inquiries regarding the accuracy of any information provided on this website. FC Lawyers does not guarantee, and accepts no legal responsibility whatsoever arising from or in connection to the accuracy, reliability, currency, correctness or completeness of any material contained in this article. Links to third party websites or articles does not constitute any endorsement or approval of those sites or the owners of those sites. Nothing in this article should be construed as granting any licence or right for you to use that content. You should consult the third party’s terms and conditions of use in relation to any third-party content. FC Lawyers disclaims all responsibility and all liability (including liability for negligence) for all expenses, losses, damages and costs you might incur as a result of the information being inaccurate or incomplete in any way. Appropriate legal advice should always be obtained in actual situations.
