1 Legal framework

1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?

These concepts are not expressly defined under Australian law, but different legislation is directed towards each.

The Privacy Act 1988 (Cth) is the main legislation directed towards data protection and governs the collection and handling of personal information about individuals. Most states and territories also have data protection legislation.

Recent amendments to the Security of Critical Infrastructure Act 2018 (Cth) ('SOCI Act') make this statute Australia's first 'cybersecurity law', in the sense of a law which expressly requires organisations to adopt particular measures to protect and defend their computer systems and networks from attacks and report incidents to the authorities. There are also a range of other industry-specific laws, codes, standards and guidelines which mandate standards for cybersecurity for particular types of business.

The Criminal Code Act 1995 (Cth) ('Criminal Code') is the main legislation directed towards 'cybercrime', which is a term used to describe a range of offences committed by unauthorised use of or interference with computer systems and networks. State and territory criminal law also features cybercrime offences.

Of course, the three concepts are closely related and these laws overlap in their effects.

1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?

The key legislation addressing data protection in Australia is the Privacy Act, which applies to the handling of personal information by private sector organisations and Commonwealth public sector bodies. Each state and territory also has data protection legislation which governs the handling of personal information by state and territory public sector bodies and healthcare providers.

There is no broad-based cybersecurity legislation in Australia which applies across all industries. The SOCI Act imposes obligations on operators of critical infrastructure. The Privacy Act and state and territory data protection laws impose obligations in relation to the security of personal information. There are also a range of other industry-specific laws, codes, standards and guidelines which mandate standards for cybersecurity for particular types of businesses.

The key statute addressing cybercrime in Australia is the Criminal Code, which creates a range of cybercrime offences, including:

  • accessing, modifying or impairing computer systems without authorisation;
  • creating malicious software; and
  • dishonestly obtaining or dealing in personal financial information.

Each state and territory has its own criminal law covering a range of computer-related offences, as well as online fraud.

1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?

(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?

In April 2022, the SOCI Act was amended to introduce a new framework of enhanced cybersecurity obligations for operators of critical infrastructure. Under the SOCI Act, the minister for home affairs may privately declare a critical infrastructure asset to be a 'system of national significance'. Operators of systems of national significance are subject to obligations to:

  • develop cybersecurity incident response plans;
  • undertake cybersecurity preparedness exercises;
  • undertake cybersecurity vulnerability assessments; and
  • provide system information to the Australian Cyber Security Centre (ACSC).

Providers of financial services in Australia must hold an Australian financial services licence (AFSL). The obligations of AFSL holders in relation to cybersecurity and cyber resilience have recently been the subject of legal action (see question 3.1).

All Australian healthcare providers are subject to the Privacy Act, even if they would otherwise be exempt as a 'small business operator' (see question 2.3). Victoria and New South Wales also have legislation which applies to the handling of health information in those states. The My Health Records Act governs the collection and handling of health information through Australia's national electronic health records system.

Credit reporting agencies and credit providers are subject to special rules for the handling of credit information in Part IIIA of the Privacy Act.

(b) Certain types of information (personal data, health information, financial information, classified information)?

The Privacy Act governs the collection and handling of personal information, which includes health information and credit information, by Commonwealth government entities and the private sector.

Specific Commonwealth legislation exists in relation to the My Health Records system, healthcare identifiers, criminal records and telecommunications data.

Most states and territories have legislation which governs the collection and handling of personal information by state and territory government entities. Victoria and New South Wales also have legislation which applies to the handling of health information by state and territory government entities and the private sector.

1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?

The Privacy Act applies to foreign entities which "carry on business in Australia".

Whether an entity carries on business in Australia depends on whether any of its business activities are undertaken in Australia. There is "a need for some physical activity in Australia through human instrumentalities, being activity that itself forms part of the course of conducting business" (Gebo Investments (Labuan) Ltd v Signatory Investments Pty Ltd [2005] NSWSC 544). However, this does not necessarily require a permanent place of business in Australia.

Factors that may be considered in assessing whether an entity carries on business in Australia include whether:

  • the entity has a place of business in Australia;
  • people who undertake business acts for the entity are located in Australia;
  • the entity has a website that offers goods or services to countries including Australia;
  • Australia is one of the countries on the dropdown menu appearing on the entity's website;
  • web content that forms part of carrying on the business, was uploaded by or on behalf of the entity, in Australia;
  • business or purchase orders are assessed or acted upon in Australia; or
  • the entity is the registered proprietor of trademarks in Australia

(Australian Wool Innovation Ltd v Newkirk (No 3) [2005] FCA 1308).

1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?

Australia is a signatory to several international instruments that recognise a general right to privacy (eg, the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights).

However, Australia is not a signatory to any international instruments specifically regarding data protection or cybersecurity. Notably, Australia has not been granted an adequacy decision by the European Commission and is not a signatory to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS 108).

Australia ratified the Council of Europe Convention on Cybercrime (CETS 185) in 2013. The convention seeks to harmonise domestic criminal law regarding cybercrime and facilitates international cooperation between law enforcement.

1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?

The maximum penalty for a computer offence under the Criminal Code is 10 years' imprisonment. Penalties under state and territory legislation vary; several serious computer offences under state and territory law also carry a maximum penalty of 10 years' imprisonment.

2 Enforcement

2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?

The Office of the Australian Information Commissioner (OAIC) is responsible for enforcing the Privacy Act. The OAIC has the power to investigate potential breaches of the Privacy Act, either as a result of a complaint lodged by an individual or on its own initiative. The OAIC can only take action against an organisation to which the Privacy Act applies (see question 1.4).

The OAIC has a broad range of investigatory powers. Following an investigation, the OAIC can make a determination, which may require the organisation to take specified actions and may include the payment of compensation to a complainant.

The OAIC may also apply to the Federal Court of Australia to seek a civil penalty, enforceable undertaking or injunction against an organisation. An organisation which commits a serious or repeated interference with the privacy of one or more individuals may face a civil penalty under the Privacy Act of up to A$444,000. There is no provision under the Privacy Act for civil penalties against directors or employees of an organisation or for criminal penalties against any person.

Each state and territory has a privacy regulator which is responsible for enforcing its state or territory privacy law. These generally have similar enforcement powers to the OAIC.

The Criminal Code is enforced by the Australian Federal Police and the director of public prosecutions. The criminal laws of the states and territories are enforced by state and territory police and prosecutors. They have extensive powers to investigate suspected criminal conduct and prosecute alleged perpetrators through the courts.

The Australian Cyber Security Centre (ACSC) is the Australian government's agency responsible for cybersecurity. It accepts reports under the Security of Critical Infrastructure Act. It also:

  • gathers information on and monitors cybersecurity threats;
  • provides advisories and information to Australian businesses and individuals on threats and security measures; and
  • works with law enforcement to combat cybercrime.

Businesses can report cyber incidents to the ACSC in lieu of reporting to law enforcement; the ACSC will refer reported matters to police in the appropriate jurisdiction and also uses the reports to monitor cyber threats.

2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?

The only right of action which is available to a private party under the Privacy Act is the right to apply for an injunction against an organisation to prevent conduct which is in breach of the Privacy Act. The Privacy Act does not provide a right for an individual whose privacy is interfered with to take action seeking compensation or any other form of relief.

Such an individual could complain to the OAIC, which may choose to conduct an investigation in relation to the matter complained of (see question 2.1). Depending on the circumstances, an aggrieved individual may also have a right of action based on negligence, breach of contract or breach of statutory duty.

2.3 What defences are available to companies in response to governmental or private enforcement?

The Privacy Act does not feature any defences as such.

However, many of the provisions under the Privacy Act involve a requirement to act "reasonably" or to take specified action "as soon as practicable". For example, an organisation must:

  • conduct a reasonable and expeditious assessment to determine whether there was a notifiable data breach; and
  • if so, notify the OAIC of that data breach as soon as practicable.

As such, an organisation may be able to avoid a breach by arguing that its actions were reasonable, or that it acted as quickly as was practical, taking into account all the circumstances.

An organisation is liable to a civil penalty under the Privacy Act only in respect of a serious or repeated interference with an individual's privacy. A single breach of the act that is not considered sufficiently serious in nature will not be punishable by civil penalties (although it will still constitute a basis for a complaint by an affected individual).

In addition, the Privacy Act features a number of exemptions which may apply to an organisation in some situations. Most significantly, the act does not apply to:

  • small business operators, meaning businesses with an annual turnover of less than A$3 million (although this is subject to several exceptions); or
  • employee records concerning current or former employees, held by an organisation for the purposes of its employment relationship with those employees.

3 Landmark matters

3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?

The most recent landmark enforcement action in the Australian cybersecurity landscape is the legal action taken by the Australian Securities and Investments Commission (ASIC) against a financial adviser, RI Advice Group, in the Federal Court (ASIC v RI Advice Group Pty Ltd [2022] FCA 496).

ASIC alleged that RI Advice had failed to comply with its 'core obligations' as an Australian financial services licence (AFSL) holder under Section 912A of the Corporations Act 2001 (Cth). Among other obligations, Section 912A requires AFSL holders to:

  • have adequate resources (including financial, technological and human resources);
  • provide financial services;
  • carry out supervision of their authorised representatives; and
  • have adequate risk management systems.

ASIC argued that these core obligations extend to cybersecurity and cyber resilience, and require AFSL holders to "have strategies, frameworks, policies, plans, procedures, standards, guidelines, systems, resources and controls in respect of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity and cyber resilience for itself and across its network of authorised representatives". ASIC argued that RI Advice had not met these requirements and, as evidence of this, cited its handling of and response to 10 cybersecurity incidents experienced by its authorised representatives between 2014 and 2020.

In May 2022, the parties resolved the action through consent orders. In those orders, RI Advice admitted that it had breached the Corporations Act "as a result of its failure to have documentation and controls in respect of cybersecurity and cyber resilience in place that were adequate to manage risk in respect of cybersecurity and cyber resilience across its authorised representative network". The consent orders required that RI Advice:

  • engage a cybersecurity consultant to conduct a cybersecurity audit, and implement any further measures recommended by that consultant; and
  • pay ASIC's costs in the amount of A$750,000.

While the matter was resolved by consent orders, rather than through a full trial and judgment, the case is important because it goes some way towards establishing that the 'core obligations' under Section 912A of the Corporations Act do require AFSL holders to have adequate cybersecurity and cyber resilience measures, and to manage cybersecurity risk for their authorised representatives.

3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?

Today, so many Australian businesses and government agencies have experienced cyber incidents that single incidents – however severe – rarely attract a great deal of media or public attention. The incidents that tend to attract particular attention are attacks on government entities – both because of their size and wide impact, and because of the possibility that such attacks might be politically motivated. In the past few years, Australian Parliament House, the Western Australian Parliament, Service NSW, Services Australia, Ambulance Tasmania and the Department of Home Affairs have all experienced large-scale data breaches. High-profile breaches affecting Australian businesses include those against Toll Holdings, Landmark White, the Nine Network and Canva.

The recent amendments to the Security of Critical Infrastructure Act (see question 1.3(a)) represent the first time Australia has expressly imposed cybersecurity obligations on operators of critical infrastructure – a measure that many other countries have had in place for some time.

There have been recent legislative discussions regarding the threat of ransomware, including the now-discontinued Ransomware Payments Bill 2021 (Cth), which would have required Australian businesses that opt to pay a ransomware ransom to report that payment to the Australian Cyber Security Centre.

4 Proactive cyber compliance

4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.

The Australian Cyber Security Centre (ACSC) has developed a cybersecurity framework known as the "Essential Eight", which it recommends for all Australian businesses: www.cyber.gov.au/acsc/view-all-content/essential-eight.

The ACSC also publishes the Information Security Manual – a cybersecurity framework that organisations can apply to protect their information and systems from cyber threats: www.cyber.gov.au/acsc/view-all-content/ism.

The Protective Security Policy Framework was developed by the Australian government for use by Australian government entities: www.protectivesecurity.gov.au/.

Prudential Standard CPS 234 is a regulation made by the Australian Prudential Regulation Authority (APRA) that applies to APRA-regulated organisations such as financial institutions and insurers, and requires them to implement cybersecurity measures against cyberattacks and incidents: www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf.

ISO/IEC 27001 is an international standard for information security which has been widely adopted by Australian organisations: www.iso.org/isoiec-27001-information-security.html. A recent extension to ISO 27001 is ISO 27701, which covers the handling and protection of personal information. ISO 38500 is also a commonly adopted standard for IT governance.

4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.

The Office of the Australian Information Commissioner publishes detailed guidance in relation to the Privacy Act and data privacy issues on its website: www.oaic.gov.au.

The ACSC publishes detailed guidance in relation to cybersecurity threats, cybercrime and protective measures on its website: www.cyber.gov.au.

4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?

There is no duty on directors of Australian companies that relates specifically to cyber compliance.

However, under Section 180 of the Corporations Act and at common law, directors have a general duty to exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise in the circumstances. In practice, this duty requires directors:

  • to be familiar with the business of the company;
  • to stay informed and make appropriate inquiries about the company's activities; and
  • to generally monitor the company's affairs and policies.

Australian courts have taken a broad approach in interpreting these duties to include new risks that face modern businesses. In the modern business environment, this duty obliges directors:

  • to inform themselves about whether the company has adequate cybersecurity measures in place and an adequate plan to respond to cyber incidents; and
  • if not, to ensure that the company takes steps to put such measures and plans in place.

Failure to comply with this duty can result in:

  • civil penalties;
  • a requirement to pay compensation to the company; and
  • a ban from managing a company.

4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?

Under the Australian Stock Exchange Listing Rules 3.1 and Section 674 of the Corporations Act, listed public companies are subject to continuous disclosure obligations which require them to notify the Australian Stock Exchange of any information that is not generally available that would reasonably be expected to have a material effect on the price or value of the securities of the company. Unlisted public companies have a similar obligation under Section 675 of the Corporations Act to notify such information to the Australian Securities and Investments Commission. A cyber incident experienced by the company may be notifiable under these rules if it could reasonably be expected to have a material effect on the price or value of the securities of the company.

4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?

Australian businesses can report cyber incidents to the ACSC. The ACSC will refer reported matters to police in the appropriate jurisdiction, and also uses the reports to monitor cyber threats.

AusCERT is a not-for-profit organisation which issues regular security bulletins to Australian businesses, as well as providing security incident notification, monitoring and response services: https://auscert.org.au/.

5 Cyber-incident response

5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?

The Privacy Act requires most private sector organisations and Commonwealth government agencies to notify 'eligible data breaches' – that is, a breach where:

  • there has been unauthorised access to, or unauthorised disclosure or loss of, personal information held by an entity; and
  • the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the personal information relates.

The obligation applies only when 'personal information' is affected by the breach, which means information or an opinion about an identified individual or an individual who is reasonably identifiable.

Notification is not required if:

  • there is unauthorised access or disclosure of personal information and the entity can take remedial action, such that the access or disclosure would not be likely to result in serious harm to any individual (eg, by changing compromised access credentials); or
  • there is loss of personal information and the entity can take remedial action, such that there is no unauthorised access or disclosure to the personal information or that access or disclosure would not be likely to result in serious harm to any individual (eg, by remotely wiping a lost laptop).

There are various other exceptions to the notification requirement, including:

  • an exception for 'small business operators'; and
  • an exception in relation to employment records (see question 2.3).

5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?

Under the Privacy Act, an organisation that has reasonable grounds to suspect that an eligible data breach may have occurred must carry out a reasonable and expeditious assessment of whether an eligible data breach has occurred. It must take all reasonable steps to complete this assessment within 30 days.

An organisation that has reason to believe that an eligible data breach has occurred must provide a statement to the Office of the Australian Information Commissioner (www.oaic.gov.au/privacy/notifiable-data-breaches/report-a-data-breach) as soon as practicable. This statement must contain at least the following details:

  • the entity's identity and contact details;
  • a description of the eligible data breach;
  • the types of personal information involved in the eligible data breach; and
  • recommendations about the steps that affected individuals can take to protect themselves against harm.

The organisation must also provide the above details to any affected individuals as soon as practicable. The Privacy Act provides three options for this notification:

  • notice can be provided to every individual whose personal information was involved in the eligible data breach;
  • notice can be provided just to those individuals who are at likely risk of serious harm from the eligible data breach; or
  • if it is not practicable for the entity to contact the affected individuals directly, the entity can post the notice on its website and use reasonable efforts to publicise that notice.

There are some circumstances in which notification is not required (see question 5.1).

There is no obligation to provide any form of protective services or compensation to affected individuals. However, there are a range of voluntary steps that an organisation may take, which may lessen the risk of subsequent regulatory action by the OAIC or legal action by affected individuals:

5.3 What steps are companies legally required to take in response to cyber incidents?

The data breach notification requirements under the Privacy Act are set out in questions 5.1 and 5.2.

Public companies are subject to continuous disclosure obligations under the Australian Stock Exchange Listing Rules and the Corporations Act – see question 4.4.

Under Section 912D of the Corporations Act, Australian financial services licence (AFSL) holders must notify the Australian Securities and Investments Commission (ASIC) of any significant breach of their 'core obligations' under Section 912A of the act. Based on ASIC's recent enforcement action (see question 3.1), it appears that this would include a cyber incident that results from a failure of the AFSL holder to have adequate cybersecurity and cyber resilience measures in place, or to properly supervise its authorised representatives.

Other industry-specific codes may require the notification of data breaches to industry regulators or other bodies.

5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?

There is no duty on directors in Australia that relates specifically to cyber-incident response.

However, under Section 180 of the Corporations Act and the common law, directors have a general duty to exercise their powers and discharge their duties with a degree of care and diligence that a reasonable person would exercise in the circumstances. In practice, this duty requires directors:

  • to be familiar with the business of the company;
  • to stay informed and make appropriate inquiries about the company's activities; and
  • to generally monitor the company's affairs and policies.

Australian courts have taken a broad approach in interpreting these duties to include new risks which face modern businesses. In the modern business environment, this duty obliges directors:

  • to inform themselves about whether the company has adequate cybersecurity measures in place and an adequate plan to respond to cyber incidents; and
  • if not, to ensure that the company takes steps to put such measures and plans in place.

Failure to comply with this duty can result in:

  • civil penalties;
  • a requirement to pay compensation to the company; and
  • a ban from managing a company.

5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?

Cyber insurance policies are becoming increasingly common for Australian companies of all sizes, as the risks of a cyber incident become increasingly apparent. Cyber insurance is available as a standalone policy or as a part of a more general business insurance policy for small and medium-sized enterprises.

6 Trends and predictions

6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The Commonwealth government has been proposing to review the Privacy Act for some time, although following the change of government in May 2022, it is still unclear whether this will be a priority for the new government. It also remains to be seen whether the new government proposes to increase the Office of the Australian Information Commissioner's funding or enforcement powers.

In the wake of the result in its Federal Court action against RI Advice Group (see question 3.1), it seems probable that the Australian Securities and Investments Commission will continue to take enforcement action against Australian financial services licence holders in relation to cybersecurity.

7 Tips and traps

7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?

Ransomware and business email compromise are the most common forms of cyber incident in Australia. Australian businesses should focus on securing their systems against these threats by adopting:

  • technical measures (eg, introducing multi-factor authentication, blocking unfamiliar overseas IP addresses and installing phishing email detection software); and
  • organisational measures (eg, procedures for patching of systems, data management policies and cybersecurity training for employees).

Having a cyber insurance policy in place also gives a business access to an established network of service providers to assist with the response to a cyber incident.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.