Australia: Cybersecurity

Introduction

In Australia, the current cybersecurity regime is a patchwork result of several distinct legal developments occurring over the past 20 years. One major tranche of developments began at the turn of the century with the Australian response to the Council of Europe’s Convention on Cybercrime (the Convention), which set the scene for reform of Australia’s criminal law response to cybercrime. Separately, Australia has developed an information privacy framework that regulates the cybersecurity of personal information. More recently, the Australian government has overhauled its regime dealing with the security of critical infrastructure (largely to address the rapidly increasing threat of cyberattack against key infrastructure assets) and we have seen recent cybersecurity incidents impact directors’ duties in the corporate law arena.

This chapter seeks to identify the Australian cybersecurity regime by outlining these key areas of law, as well as identifying the bodies tasked with oversight of the regime. It also addresses the impact of the regime on foreign entities and recent trends, updates and case law.

The Council of Europe’s Convention on Cybercrime and subsequent developments in Australian law

A significant part of the cybersecurity regime in Australia responds to the Convention that came into force on the international level in 2004. The Convention was the first international treaty on internet and computer network crime, and covers copyright infringement, computer-related fraud, child pornography and network security violations, as well as procedural issues, such as the search and seizure of data, extradition, and trans-jurisdictional data access. The Convention remains ‘the most comprehensive and coherent international agreement on cybercrime and electronic evidence to date’.[1]

There are two additional protocols to the Convention. The first, the Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (ETS No. 189), entered into force in 2006 but was never signed or ratified by Australia. A further protocol, the Second Additional Protocol on enhanced international cooperation and disclosure of electronic evidence (CETS 224), was opened for signature on 12 May 2022 and has not been ratified by Australia as yet.[2]

In 2001, largely in response to the Convention (which was in draft at the time), Australia’s federal parliament passed the Cybercrime Act 2001, which added updated computer offences into the Commonwealth Criminal Code and enhanced investigation powers in the Crimes Act 1914 and Customs Act 1901 for the search and seizure of electronically stored data.[3]

In 2011, the Cybercrime Legislation Amendment Bill was enacted to bring domestic legislation in line with the requirements of the Convention. This included amendments to the Telecommunications (Interception and Access) Act 1979, the Criminal Code Act 1995 and the (then-current) Mutual Assistance in Criminal Matters Act 1987. Australia ratified the Convention in 2012.[4]

The Commonwealth Criminal Code (the Criminal Code), located in the Criminal Code Act 1995 (Cth), remains the key Australian legislation that criminalises cyberattack. Part 10.7 of the Criminal Code deals with computer offences. Significant offences under this part are:

  • unauthorised access to, or modification of, restricted data, which carries a maximum penalty of two years’ imprisonment;[5]
  • unauthorised impairment of electronic communication, which carries a maximum penalty of 10 years’ imprisonment;[6] and
  • using a carriage service to menace, harass or cause offence, which carries a maximum penalty of five years’ imprisonment.[7]

The Telecommunications (Interception and Access) Act 1979 (the TIA Act) assists the Australian cybersecurity regime as it makes it an offence for a person to intercept telecommunications passing over a telecommunications system[8] or covertly access stored telecommunications.[9] In order to accede to the Convention, the TIA Act was amended so that carriers and carriage service providers became obligated to preserve stored communications in certain circumstances, facilitating the mutual assistance programme (ie, when required by domestic agencies or foreign countries).

Privacy Act

The Commonwealth Privacy Act 1988 (the Privacy Act) is generally relevant to privacy law and deals largely with the collection, use and disclosure of personal information. However, the Privacy Act also imposes a mandatory reporting regime for ‘eligible’ data breaches – which could occur as a result of cybersecurity issues.

An eligible data breach occurs where:

  • there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
  • the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.[10]

An entity must report an eligible data breach to the Australian Privacy Commissioner if it has reasonable grounds to believe that one has occurred, or is directed to do so by the Commissioner.

While the reporting obligation under the Privacy Act for data breach is limited to the disclosure or loss of ‘personal information’, many hacking events involve the disclosure or loss of such information and, for that reason, this obligation is relevant for entities considering their cyber liabilities in Australia.

Failure to comply with the mandatory reporting obligation may result in a complaint being made to the Privacy Commissioner. Where the failure amounts to a serious or repeated interference with privacy, the Commissioner has the power to apply penalties of up to A$2.22 million against bodies corporate.[11]

Security of Critical Infrastructure Act 2018

The Australian government also addresses cybersecurity risk through an oversight regime of Australian critical infrastructure assets, currently enshrined in the Security of Critical Infrastructure Act 2018 (the SOCI Act).

The current regulatory framework for Australia’s critical infrastructure began in 2017 with the launch of the Critical Infrastructure Centre, which fell under the purview of the Australian Department of Home Affairs. The mandate of this centre was initially focused on identifying risks in five key sectors: ports, electricity, gas, water and telecommunications.

In February 2017, the Centre released a discussion paper that identified two issues with carrying out its mandate. The first was the fact that Australia did not have an asset register to capture and track information about who owns and operates Australia’s most critical assets in these high-risk sectors. The second was that the federal minister did not have the power to step in and seek information or issue directions to owners and operators of critical assets when a risk arose that was prejudicial to security that could not otherwise be mitigated.

This discussion paper was the catalyst for the introduction of a bill to parliament to address these two issues, and on 11 April 2018 the SOCI Act gained assent.

The original scope of the SOCI Act imposed requirements on entities responsible for or operating critical electricity, port, water or gas assets, or other assets as declared or prescribed under the SOCI Act’s subordinate legislation. It established mandatory reporting requirements, established a Register of Critical Infrastructure Assets and gave the Commonwealth the power to require information from an entity or direct that entity, if necessary.

From 2018 to 2020, Australia was subject to several cyberattacks, including attacks on the federal parliamentary network. Key supply chain businesses transporting groceries and medical supplies were also targeted by malicious actors.

The Australian Signals Directorate (ASD) stated that ‘Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government’ and that ‘malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale, and sophistication.’

The Parliamentary Joint Committee on Intelligence and Security also noted that it has ‘received compelling evidence that the pervasive threat of cyber-enabled attack and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and increasing at an unprecedented rate’.[12]

Disruptions resulting from cybercrime (as well as further, pandemic-related disruptions) led to the then-Minister for the Department of Home Affairs introducing a bill to enhance the regulatory framework under the SOCI Act in December 2020. Following extensive consultation with industry, the bill was split in two so as to fast-track urgent cybersecurity amendments. The first tranche of amendments came into force on 2 December 2021, with the second tranche following on 2 April 2022.

The SOCI Act now includes a significantly broadened definition of ‘critical infrastructure asset’. Entities that have a prescribed relationship to critical infrastructure assets are now required to undertake mandatory cyber incident reporting within 12 or 72 hours (depending on the severity of the incident).

The SOCI Act now also provides powers for the Commonwealth to direct entities or intervene in an entity’s operations if cyber incidents impact on a critical infrastructure asset.

Responsibilities of directors

Cybersecurity has recently arisen in the context of company directors’ duties. Directors may be held personally liable for cybersecurity failures through their general duties, such as:

  • the duty to exercise powers with due care and diligence; and
  • the duty to exercise powers in good faith in the best interest of the company or organisation.

Australian courts have interpreted these duties widely to extend to the cybersecurity context. The Australian Securities and Investments Commission (ASIC) affirmed this understanding, stating that cybersecurity is a high-risk aspect of conducting business.[13]

The Australian Institute of Company Directors specifically issued A Director’s Guide to Governing Information Technology and Cybersecurity, which emphasised that companies should, where possible, seek IT expertise and implement policies to manage cybersecurity breaches to ensure compliance with director duties. Directors who fail to ensure adequate cyber resilience are likely to also suffer reputational harm, particularly given the increased focus on maintaining a minimum standard for cybersecurity measures.

Regulatory bodies responsible for enforcement of cybersecurity rules, their powers, enforcement track record, etc

Australia has a complex web of government and statutory bodies monitoring cybersecurity issues, including:

  • the Australian Federal Police (AFP);
  • state and territory police;
  • the Australian Criminal Intelligence Commission (ACIC);
  • the Australian Security Intelligence Organisation (ASIO);
  • the ASD (referred to above);
  • the Australian Competition and Consumer Commission (ACCC);
  • the ASIC (referred to above);
  • the Office of the Australian Information Commissioner (OAIC);
  • the Australian Prudential Regulation Authority (APRA); and
  • the Department of Home Affairs.

The Australian Cyber Security Centre (ACSC) within the ASD leads the Australian government’s efforts on national cybersecurity.

Aside from the ACSC, many of the above are ad hoc regulators from a cybersecurity perspective, in that they only regulate isolated aspects of cybersecurity as an aspect of their general responsibilities.

For example, the ACCC, a competition and consumer law regulator, plays a role in regulating cybersecurity by enforcing general sections of the Australian Consumer Law that require businesses to make accurate representations about the cybersecurity of their goods and the collection of consumers’ data.[14] Similarly, ASIC can take action against companies and directors should they breach their duties with respect to corporate cybersecurity issues and the OAIC must be notified by particular entities should certain personal information be lost or disclosed without authorisation.[15] The APRA also plays a role with respect to how APRA-regulated entities comply with cybersecurity obligations.[16]

The police, ASIO and ACIC all play roles with respect to dealing with cybercrime. The AFP and state and territory police investigate and prosecute cybercrime at differing levels. ASIO engages in counter-espionage and foreign interference operations, including providing cybersecurity advice to key stakeholders and investigating, uncovering and responding to cyberthreats to national security. The ACIC discovers and works to understand cyberthreats to Australia and associated criminal networks, coordinating with aforementioned entities to assist the Australian government in responding to such threats.

The Department of Home Affairs now plays an important role in administering the SOCI Act (discussed above).

Best practices for responding to breaches

As the primary body responsible for cybersecurity in Australia, the ACSC provides the following guidance on responding to breaches in its ACSC Annual Cyber Threat Report 2020–21:

Be prepared for a cybercrime or cybersecurity incident and know how to respond

Have an incident response plan and arrangements

Organisations should prepare for a cybersecurity incident by having incident response, business continuity and disaster recovery plans in place, and testing them. A cyber incident response plan transparently outlines agreed organisational responses to a range of cybersecurity incidents (see the Cyber Incident Response Plan section below). Testing through cyber exercises in a controlled environment enables organisations to respond decisively and consistently to real-world cybersecurity incidents, limiting potential impacts and supporting organisational recovery.

Cyber Incident Response Plan

While no set of mitigation strategies are guaranteed to protect against all cyberthreats, organisations are recommended to implement eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, makes it much harder for malicious cyber actors to compromise systems. Furthermore, proactively implementing these strategies can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cybersecurity incident.

The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on the ACSC’s experience in producing cyberthreat intelligence, responding to cybersecurity.

Conduct cybersecurity exercises

A cybersecurity exercise is a controlled activity using a scenario in order to simulate a real-life cybersecurity incident. Regularly conducting cybersecurity exercises provides organisations with an opportunity to review plans, policies, capabilities, roles and responsibilities in a simulated and safe environment. As a result, cybersecurity exercises may prove invaluable in the development of an organisation’s ability to respond to and recover from cybersecurity incidents.[17]

The OAIC also provides some guidance for organisations responding to cyberattacks which, although not binding, may prove to inform the reasonable standard required when responding to a data breach (see the discussion below in relation to the Red Cross data breach).

Relevant obligations for companies to protect IT systems and data from cyberthreats

While there are no general legislative cybersecurity obligations that apply to all companies operating in Australia, as noted above, there are a range of cybersecurity obligations that could apply to a company, depending on the scope and scale of its operations.

Notable obligations include:

  • mandatory cybersecurity incident reporting if a company is subject to the SOCI Act; and
  • if a company holds personal information and is subject to the Privacy Act, an obligation to take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Effect of local laws on foreign businesses

The effect of Australia’s laws on foreign businesses is generally dependent on the specific circumstances of the foreign business (eg, whether it carries on business in Australia, whether it has a local entity and the industry it operates in) and the relevant legislation.

An example of how local cyber laws may apply to foreign entities can be found in the SOCI Act. The SOCI Act expressly applies to unincorporated foreign companies, and, to overcome enforcement issues, obligations under the SOCI Act are specifically imposed on each appointed officer of the foreign company. Any offence against the SOCI Act by a foreign company is taken to be committed by each appointed officer who:

  • performed the relevant act or made the relevant omission; or
  • aided, abetted, counselled or procured the relevant act or omission; or
  • was in any way knowingly concerned with, or a party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the appointed officer).[18]

Those individual appointed officers are liable to the civil penalties imposed upon companies (which are higher than those imposed on individuals).[19]

As an example of how this may impact foreign entities in practice, if a foreign business is responsible for a critical infrastructure asset and that asset suffers a cybersecurity breach of significant impact, that business would be required under the SOCI Act to report the breach. Failure to report the breach can lead to civil penalties being sought against the entity. These penalties can be up to A$55,500 for bodies corporate. If the foreign business is subject to a governmental direction to do or refrain from doing something in relation to a cybersecurity incident, and it fails to comply with that direction, pecuniary liability can be up to A$26,640 for individuals and A$133,200 for bodies corporate.[20],[21] Penalties for failure to report or failure to comply with a direction apply per day of non-compliance.[22]

Another example of how Australian cybersecurity laws may impact on foreign businesses is found in the Privacy Act. The obligation to report data breaches will apply to an act done or practice engaged in outside Australia by an organisation, provided that organisation has an Australian ‘link’. There are several prescribed circumstances in which an organisation will be taken to have an Australian link under the Privacy Act. One example is where personal information gathered by the organisation in Australia is disclosed through cyberattack that occurs wholly overseas.[23]

The Privacy Act can also apply to a foreign business in various situations – for example, where it carries on business in Australia, or collects or holds personal information in Australia.

Private redress options for unauthorised cyberactivity; recent examples of private litigation

There are limited specific private redress options for unauthorised cyberactivity. Cases to date have focused on actions by government entities (as highlighted in the case examples below).

The ACSC provides a reporting mechanism (ReportCyber) as the central place to report cybersecurity incidents, cybercrime or cybersecurity vulnerability.

Recent trends and updates

In its Annual Cyber Threat Report 2020–21, the ACSC noted that:

Over the 2020–21 financial year, the ACSC received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. The increase in volume of cybercrime reporting equates to one report of cyber attack every 8 minutes compared to one every 10 minutes last financial year. A higher proportion of cybersecurity incidents this financial year was categorised by the ACSC as ‘substantial’ in impact. This change is due in part to an increased reporting of attacks by cybercriminals on larger organisations and the observed impact of these attacks on the victims, including several cases of data theft and/or services rendered offline. The increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations. The accessibility of cybercrime services – such as ransomware-as-a-service (RaaS) – via the dark web increasingly opens the market to a growing number of malicious actors without significant technical expertise and without significant financial investment.

Self-reported losses from cybercrime totalled more than A$33 billion.

The ACSC identified the following key threats and trends:

  • exploitation of the pandemic environment, targeting increased desire for digitally accessible information relating to covid-19;
  • significant targeting of essential services and critical infrastructure, with more than a quarter of reported incidents affecting entities associated with critical infrastructure;
  • growth in the profile and impact of ransomware;
  • rapid exploitation of security vulnerabilities;
  • targeting of supply chains by malicious actors; and
  • business email compromise continuing to present a major threat.

There are clear global trends towards increasing cybersecurity regulation. In particular, many countries are moving rapidly to address the global concern of ransomware. The Australian government, having adopted a Ransomware Action Plan in 2021, considered various parliamentary bills targeting ransomware in 2021 and 2022.[24] This action coincided with an agreement by 32 countries, including Australia, to improve law enforcement, international cooperation and the response of regulators in relation to ransomware.[25] Australia, along with the rest of the world, is moving towards comprehensive cybersecurity legislation that is, in general, better equipped to manage ransomware and cybersecurity threats than the current ad hoc regime.

In 2019, the Australian government committed A$27 million over four years to the ACCC to implement a Digital Platforms Branch to counter cybersecurity issues by improving enforcement and monitoring.[26] In recent years, regulators such as the OAIC,[27] ASIC[28] and APRA[29] have increasingly voiced support for a stronger and more targeted focus on regulating cybersecurity. The decision in the RI Advice case (discussed below) demonstrates that courts are prepared to extend general duties and obligations to the cybersecurity context and regulators are increasingly equipped and willing to hold to account those who fall below the requisite standard. The outcome of this case should serve as a warning to companies and directors that regulators and courts regard cyber resilience as a highly serious, non-optional matter.

Relevant case studies

Australian Securities and Investments Commission v RI Advice Group Pty Ltd

The case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd (2022) FCA 496, a landmark decision by the Federal Court of Australia in May 2022, is the first Federal Court case brought by ASIC alleging defective cybersecurity practices.[30] RI Advice’s network experienced nine cybersecurity incidents between 2014 and 2020, including fraudulent emails being sent, hacking, phishing, ransomware and unauthorised server access compromising clients’ confidential and sensitive personal information. The Federal Court determined that RI Advice breached its obligations under subsections 912(1)(a) and (h) of the Corporations Act 2001 (Cth) as a financial services licensee by lacking adequate risk management systems in relation to cybersecurity incidents and failing to ensure that the financial services provided were exercised efficiently and fairly.

Following the decision, ASIC issued a media release stating:

These cyber-attacks were significant events that allowed third parties to gain unauthorised access to sensitive personal information. It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access.

The OAIC provided some guidance for organisations responding to cyberattack which, although not binding, may prove to inform the reasonable standard required from directors when responding to a data breach.

Red Cross data breach

In 2016, a database of the Australian Red Cross Blood Service containing information about approximately 550,000 prospective blood donors, including some highly sensitive personal information, was accidentally saved to a part of a web server that could be publicly accessed. The Australian Cyber Emergency Response Team (AusCERT) was contacted, and subsequently informed the Australian Red Cross more than one month after the breach.

In response, the Australian Red Cross undertook the following measures:

  • it cooperated and coordinated with AusCERT to more efficiently respond to the breach;
  • it confirmed that the copies of the databases that had been obtained by the individuals who initially reported the breach to AusCERT were deleted;
  • it engaged a cyber support service to conduct an independent inquiry to identify risks associated with the breached personal information;
  • two days after being notified of the breach, it informed affected parties and the public about the incident; and
  • it collaborated with a specialist organisation to forensically analyse the server on which the information was published and monitor the dark web and the Australian Red Cross website for abnormal activity.

The OAIC deemed that these quick and efficient measures were appropriate and set an effective model for other organisations to follow in the event of a cybersecurity breach.


Notes

[1] Council of Europe, ‘Joining the Convention on Cybercrime: Benefits’ (16 June 2022), available at https://rm.coe.int/cyber-buda-benefits-june2022-en-final/1680a6f93b.

[2] Council of Europe, Chart of signatures and ratifications of Treaty 224 (29 July 2022), available at https://www.coe.int/en/web/conventions/full-list?module=signatures-by-treaty&treatynum=224.

[3] Explanatory Memoranda to the Cybercrime Bill 2001.

[4] Council of Europe, Chart of signatures and ratifications of Treaty 185, available at https://www.coe.int/en/web/conventions/full-list?module=signatures-by-treaty&treatynum=185.

[5] Criminal Code, section 478.1.

[6] Criminal Code, section 477.3.

[7] Criminal Code, section 474.17.

[8] TIA Act, section 7.

[9] TIA Act, section 108.

[10] Privacy Act, section 26WA.

[11] Privacy Act, section 13G.

[12] SLACIP Bill (2022) Digest.

[13] Australian Securities and Investments Commission, ‘Cyber resilience: Health check’ (March 2015), available at https://download.asic.gov.au/media/3062900/rep429-published-19-march-2015-1.pdf.

[14] Australian Consumer Law sections 29, 33–34.

[15] Privacy Act 1988 (Cth) pt IIIC.

[16] Prudential Standard CPS 234 (Information Security).

[17] Australian Cyber Security Centre, ‘ACSC Annual Cyber Threat Report 2020–21’ (15 September 2021), available at https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-2020-21.

[18] SOCI Act, section 56.

[19] SOCI Act, section 56(4).

[20] See Part 3A, Division 4 of the SOCI Act.

[21] Crimes Act 1914, section 4B(3).

[22] Crimes Act 1914, section 4K.

[23] Privacy Act, section 5B.

[25] The White House, ‘Joint Statement of the Ministers and Representatives from the Counter Ransomware Initiative Meeting October 2021’ (2021); Melissa Coade, ‘Australia Signs Up To White House Counter Ransomware Agenda’ (2021) The Mandarin.

[26] Australian Government, Regulating in the Digital Age (2019).

[27] Office of the Australian Information Commissioner, Submission to Department of Home Affairs, Australia’s 2020 Cyber Security Strategy – A Call for Views (11 November 2019) 40–41.

[28] ASIC, ASIC Corporate Plan 2021–25 (2021); Karen Chester, ‘Australian Institutional Investor Roundtable’ (Speech, Australian Institutional Investor Roundtable, 22 April 2021); Sean Hughes, Conversation with ASIC: AFIA Risk Summit (2021) ASIC, available at https://asic.gov.au/about-asic/news-centre/speeches/conversation-with-asic-afia-risk-summit/.

[29] Geoff Summerhayes, Speech to Financial Services Assurance Forum (2020) APRA, available at https://www.apra.gov.au/news-and-publications/executive-board-member-geoff-summerhayes-speech-to-financial-services.
