Out-Law News

New Cyber Security Bill to be brought before Australian parliament
The Australian government is expected to bring new cyber security legislation before parliament soon which would mandate ransomware reporting.

The Bill, which has undergone a period of consultation, will be the latest step in the government’s plans to strengthen cyber security, as outlined in its 2023-2030 Australian Cyber Security Strategy (64-page / 13.4MB PDF) published last year.

The proposed legislation was flagged by the former Minister for Cyber Security, Clare O’Neil, before recent Cabinet changes. Cyber security is now part of Tony Burke’s portfolio of Ministries as well as Home Affairs and Immigration.

One of the stated objectives of the planned Bill is to enable a better understanding of the scale of ransom payments and help government and businesses respond to the issue more effectively. It aims to do this by requiring Australian businesses with an annual turnover of more than AU$3 million (US$1.9 million) to disclose payments they make in response to ransomware demands or other cyber extortion. The disclosure would need to be made within a short period after making the payment.

Voluntary notifications can already be made through the government’s ReportCyber portal supported by the Australian Cyber Security Centre.

While the proposed reporting threshold would align with the small business exemption in Australia’s Privacy Act, some industry bodies have expressed a preference for a higher threshold of AU$10 million, anticipating that a lower reporting threshold could impose requirements on businesses that do not have the resources to comply.

It is also expected that ‘no-fault’ and ‘no-liability’ protection provisions will be included, to encourage transparent disclosure. These provisions would aim to assure businesses that disclose payments that they will not be prosecuted as a result of the disclosure itself. Existing regulatory obligations for cyber incident and data breach reporting would remain in place and continue to be enforced alongside the new regime.

As part of the uplift plan outlined in the Strategy, the Bill is also expected to see Australia adopt international standards for connected ‘internet of things’ (IoT) consumer products such as home security cameras, smartphone-controlled appliances and baby monitors.

Veronica Scott, a cyber and data law expert at Pinsent Masons and co-lead of the firm’s Australian Technology, Media & Telecommunications team, said: “The Bill will mark a significant step in Australia’s efforts to continue to bolster cyber security and help protect business and consumers from the growing threat of cyber extortion and ransomware, which is a full-scale criminal enterprise of its own. In an environment of persistent and escalating cyber risks and regulatory change, being prepared to respond to and manage cyber attacks and to adapt to the changing regulatory landscape is essential and should be part of ‘business as usual’.”

Elly Krambias, a cyber security law expert at Pinsent Masons, said: “The proposed disclosure regime would add another complexity and reporting obligation for organisations who are impacted by ransomware or other cyber extortion attacks and decide to pay. It is critical for organisations to stay informed as the Bill’s details become clearer and understand how these changes will impact on their incident and data breach response plans and reporting processes.”

The Bill is part of a suite of proposed reforms aimed at modernising the law for a digital age, including major reforms planned for the Privacy Act 1988 - which were to be introduced in parliament in August but could be delayed to later this year - and implementing reforms to the Security of Critical Infrastructure Act 2018.

The final details of the new Bill are yet to be confirmed.
