
Everything you need to know about Australia’s cybersecurity laws

May 09, 2024 | Victoria Savage


In the past year, the parliament of Australia has passed new cybersecurity laws aimed at cracking down on the increasingly harmful ransomware attacks and data breaches that have shaken the country since 2022.

Australia now seeks to be a global leader in cybersecurity by 2030, and has introduced sweeping reforms tackling every part of the country’s economy and business sector in order to achieve this goal.

In this article, we’ll discuss what cybersecurity legislation in Australia includes, and what ramifications it has for your organization.

What does cybersecurity legislation in Australia cover?

Privacy Legislation Amendment Bill 2022

On November 28, 2022, Australia amended its existing Privacy Act 1988 with a bill known as the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which introduced substantial changes related to cybersecurity.

Firstly, it raised the maximum penalty for companies responsible for “serious” or “repeated” interferences with privacy (which can include a data breach caused by inadequate security) from $2.2 million to whichever is the highest of:

  • $50 million Australian dollars;
  • Three times the value of any benefit the company obtained from the conduct; or
  • If that benefit can’t be determined, 30% of the company’s adjusted turnover during the relevant period.

Secondly, it gave the Office of the Australian Information Commissioner (OAIC), which houses the Privacy Commissioner, new regulatory and oversight powers, including:

  • New authority to investigate privacy breaches.
  • Information-gathering powers to properly assess the privacy risk of breaches.
  • Information sharing between the OAIC and the Australian Communications and Media Authority.

The law now applies to any organization that carries on business in Australia, even if it does not collect or hold the personal information of Australians from a source within Australia; the previous requirement that a foreign organization collect or hold such information in Australia was removed.

Australian Cyber Security Strategy 2023-2030

The Australian Cyber Security Strategy 2023-2030 laid out six high-level goals (the strategy calls them “cyber shields”) for achieving cyber resilience in Australia:

  1. Strengthen businesses and citizens from attacks
  2. Improve security of devices and technology
  3. Improve threat sharing and blocking
  4. Protect critical infrastructure
  5. Empower a thriving domestic cybersecurity industry
  6. Become a global cybersecurity leader

The strategy is planned to unfold in three stages: Horizon 1 (2023-2025), strengthening foundations; Horizon 2 (2026-2028), scaling cyber maturity; and Horizon 3 (2029-2030), advancing global cyber security leadership.

Legislative reforms of 2024

To implement the Cyber Security Strategy 2023-2030, the government has proposed a series of legislative reforms in two parts.

The first is to introduce new, standalone cybersecurity legislation to bridge gaps in areas such as secure-by-design standards for consumer devices, mandatory ransomware payment reporting, and the establishment of a Cyber Incident Review Board to conduct no-fault reviews of significant incidents.

The second part is to amend the existing Security of Critical Infrastructure Act 2018 (SOCI Act). This would clarify that systems holding business-critical data are covered, give the government consequence-management powers to direct critical infrastructure entities during major cyber incidents, simplify information sharing, and consolidate security requirements for the telecommunications sector within the SOCI framework.

Why has this legislation been introduced?

This new legislation comes in the wake of several major and significantly damaging ransomware attacks and data breaches in Australia.

Optus 2022

The first was the Optus attack in September of 2022. Optus, a large telecoms provider, was breached and the personal data of nearly 10 million current and former customers was stolen and held for ransom, with a sample of it published on a hacking forum.

According to Optus’ official statement, the data included “names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers.”

Despite initially demanding a ransom payment of $1 million USD, the attacker later withdrew the demand and claimed to have deleted the stolen data (other than the roughly 10,000 records already leaked), citing too much scrutiny from law enforcement.

Medibank 2022

Just over one month later, the Optus attack was overshadowed by the even more damaging hack of Medibank, a large Australian health insurer.

9.7 million current and former Medibank customers had their data stolen and subsequently released on the dark web, including names, dates of birth, addresses, phone numbers, and email addresses, as well as details of individuals’ health service providers, claims information, diagnoses, and procedures.

In the weeks after the breach, Medibank customers reported being required to verify their identity with two-factor authentication, suggesting that it had not previously been mandatory.

DP World 2023

A year later, in November 2023, a cyber attack hit the Dubai-based shipping and logistics company DP World, shutting down operations at four major Australian ports (Sydney, Melbourne, Brisbane, and Fremantle).

Those ports handle around 40% of all freight in and out of Australia, and the outage lasted an entire weekend. It disrupted supply chain operations, leaving some 30,000 containers backlogged at the ports, and the personal information of company employees was stolen in the attack.

Breaches are a “wake-up call” for Australians

Australia has lagged behind many other countries when it comes to cybersecurity and privacy protection. The Minister for Cyber Security, Clare O’Neil, has been outspoken about Australia’s need to strengthen its cybersecurity regulations.

She has said that Australia needs to “wake up out of the cyber-slumber” when it comes to data privacy regulations and cybersecurity standards. On November 12, 2022, O’Neil announced a new joint Australian Federal Police and Australian Signals Directorate operation to “hack the hackers”, aiming to hunt down, arrest, and jail cybercriminals.

The Prime Minister of Australia, Anthony Albanese, has also spoken up about the recent high-profile attacks, saying that they have been a “wake-up call” for businesses.

What does the new legislation mean for your organization?

If your organization is located in Australia or does business in Australia, then these laws could have serious implications for you.

Organizations are being urged to take a hard look at their data handling policies, including what kind of personal data is held, why it is held, and for how long. Understanding the details of your organization’s data collection and retention practices is now a top priority for IT departments, CISOs, and MSSPs, since data you no longer hold cannot be breached.

Most importantly though, organizations need to develop strong cybersecurity protocols in order to significantly reduce the likelihood of attacks and data breaches. Few businesses can afford a $50 million fine for breaches, certainly not small to medium-sized businesses, which are common targets of low-level attacks, even if they don’t make headlines the way large breaches do.

Improve your organization’s cybersecurity

Minimum cybersecurity controls such as multi-factor authentication, endpoint detection and response, comprehensive patching procedures, and cybersecurity training for employees are all must-haves to reduce the likelihood of your organization being attacked and incurring significant fines.

While improving your cybersecurity posture may require some time and money in the short term, that effort now pales in comparison to the consequences of a data breach.

If you aren’t sure where to get started with your multi-factor authentication protocols, contact us today for a no-commitment consultation call.
