
Everything you need to know about Australia’s new cybersecurity law

December 06, 2022, by Victoria Savage

Last month, the Australian parliament passed new privacy legislation aimed at cracking down on the increasingly harmful data breaches and extortion attacks that have shaken the country in recent months.

In this article, we’ll discuss what this new law contains, why it was created, and what ramifications it has for your organization. 

What is Australia’s new cybersecurity legislation all about?

On November 28, 2022, the Australian parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which amends the existing Privacy Act 1988. The legislation introduces some substantial changes.

Firstly, it raises the maximum penalty for companies that commit "serious" or "repeated" interferences with privacy from AU$2.2 million to whichever is the greatest of:

  • AU$50 million;
  • Three times the value of any benefit the company obtained through the misuse of the information; or
  • If the court cannot determine the value of that benefit, 30% of the company's adjusted turnover during the period of the breach.

Secondly, it gives the Office of the Australian Information Commissioner (OAIC) new regulatory and oversight powers, including:

  • New authority to investigate and resolve privacy breaches.
  • Information-gathering powers, so the Commissioner can require an organization to hand over information about a data breach in order to assess the privacy risk it poses.
  • Expanded information sharing between the OAIC and other regulators and enforcement bodies, including the Australian Communications and Media Authority (ACMA).

The new law also widens the Privacy Act's reach: it now applies to any foreign organization that carries on business in Australia, even if that organization does not collect or hold personal information within Australia. Furthermore, the government has signaled that more legislation will be coming, possibly before the end of the year. That additional legislation could include a ban on paying ransomware demands.

Why has this legislation been introduced?

This new legislation comes in the wake of two major and significantly damaging data breaches in Australia, each followed by an extortion demand.

The first was the Optus breach, disclosed in late September. Optus, one of the country's largest telecoms providers, was breached and the personal data of roughly 9.8 million current and former customers was stolen and held for ransom, with a sample of the records published online.

According to Optus’ official statement, the data included “names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers.”

After initially demanding a ransom of US$1 million, the attacker withdrew the demand and claimed to have deleted the stolen data (apart from the roughly 10,000 records already leaked), citing too much attention from law enforcement.

Only weeks later, the Optus breach was overshadowed by the even more damaging attack on Medibank, a large Australian health insurer.

Data belonging to 9.7 million current and former Medibank customers was stolen, and portions of it were subsequently published on the dark web. The stolen data included names, dates of birth, addresses, phone numbers, and email addresses, and, for a subset of customers, details of their health service providers, claims information, diagnoses, and procedures.

Since the breach, Medibank customers have reported being asked to prove their identity with two-factor authentication, which suggests that it was not previously a requirement.

These two breaches, along with seven more reported since September, have called into question whether Australia's existing cybersecurity and privacy legislation is adequate.

Breaches are a “wake-up call” for Australians

Australia has lagged behind many other countries when it comes to cybersecurity and privacy protection. The Minister for Cyber Security, Clare O'Neil, has been outspoken about Australia's need to strengthen its cybersecurity regulations.

She has said that Australia needs to wake up out of its "cyber-slumber" when it comes to data privacy regulations and cybersecurity standards. On November 12, O'Neil announced a new joint Australian Federal Police and Australian Signals Directorate task force to "hack the hackers", aiming to hunt down, arrest, and jail cybercriminals.

The Prime Minister of Australia, Anthony Albanese, has also spoken up about the recent high-profile attacks, saying that they have been a “wake-up call” for businesses.

What does the new legislation mean for your organization?

If your organization is located in Australia or carries on business in Australia, this new law could have serious implications for you.

Organizations are being urged to take a hard look at their data handling policies, including what kinds of personal data they hold, why, and for how long. Both the Optus and Medibank breaches exposed records of former customers, so understanding the details of your organization's data collection and retention practices is now a top priority for IT departments, CISOs, and MSSPs.

Most importantly, organizations need to put strong security controls in place to significantly reduce the likelihood and impact of attacks and data breaches. Few businesses can absorb a AU$50 million fine, and certainly not small and medium-sized businesses, which are common targets of opportunistic attacks even if those attacks don't make headlines the way the large breaches do.

Implementing a baseline of controls, such as multi-factor authentication on every remote and administrative login, endpoint detection and response, a comprehensive patching process, and security awareness training for employees, is a must for reducing the chance that your organization is breached and incurs significant fines.

While improving your security posture requires some time and money in the short term, that effort pales in comparison to the cost of a data breach.

If you aren't sure where to get started with multi-factor authentication, contact us for a no-commitment consultation call.
