Cyber Security Bill 2024 – be alert, not alarmed

On 9 October 2024, the Cyber Security Bill 2024 (the Bill) was introduced to Parliament. The Bill was introduced as part of the Australian Cyber Security Legislative Package, which implements initiatives under the Australian Cyber Security Strategy (2023-2030). It marks a key step towards the Australian Government’s vision of Australia being a world leader in cyber security by 2030.

Key elements of the Bill include:

• mandatory reporting for ransomware payments; and
• limitations on how the Australian Signals Directorate (ASD) and National Cyber Security Coordinator (NCSC) can use information reported to them about cyber incidents.

Businesses with a turnover greater than $3 million will be required to report certain details if they make ransomware payments.

Information provided to the ASD or NCSC in connection with the reporting of cyber incidents will be protected from use in any enforcement action that may be taken regarding the incident.

Importantly, businesses will still need to take steps to protect information gathered as part of a cyber incident investigation they are involved with by ensuring the investigation is covered by legal professional privilege and therefore cannot be accessed by regulators under regulatory powers or third parties for use in legal proceedings. We have previously discussed legal professional privilege and the protection of information here.

The Bill introduces mandatory ransomware payment reporting requirements together with protections against the use of information about cyber security incidents provided under a ransomware payment report, or which is provided voluntarily to the NCSC or ASD, or to the Cyber Incident Review Board (which is to be established under the legislation).

In essence these protections restrict the disclosure of this information and prevent the use of this information by government agencies in any action against the entity that provided it. The protections are intended to encourage organisations affected by a cyber security incident to share information with those agencies.

Improved visibility of the national threat landscape will assist agencies to develop appropriate responses and support for impacted businesses and strengthen Australia’s overall cyber resilience.

The Bill will make it mandatory for businesses with a turnover greater than $3 million to report if they make ransomware payments, down from a previously proposed $10 million turnover requirement.

The obligations will apply if:

• an incident has occurred, is occurring or is imminent;
• the incident is a cyber security incident;
• the incident has had, is having, or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
• the extorting entity makes a demand of the reporting business entity, or any other entity, in order to benefit from the incident or the impact on the reporting business entity; and
• the reporting business entity provides, or is aware that another entity has provided on its behalf, a payment or benefit to the extorting entity that is directly relation to the demand.

Businesses will have a 72 hour period to make the report after making a ransomware payment, making the Bill consistent with reporting frameworks in the Security of Critical Infrastructure Act and Privacy Act. Businesses who fail to report ransomware payments will face a $15,000 fine.

The Bill introduces limits on how the ASD and NCSC can use information obtained through cyber incident reporting. The aim of this provision is to encourage businesses to cooperate with cyber security agencies by ensuring that the information provided to the ASD and NCSC cannot be used to take enforcement action against businesses.

The information can only be used for assisting businesses who have reported a cyber security incident to respond, mitigate or resolve the incident, or for limited permitted cyber security purposes.

However, this provision will not make businesses immune from enforcement actions from regulators if they obtain the same information through regulatory powers or from disclosure to and use by other litigants.

The Bill also stipulates that the disclosure of information does not otherwise affect a claim of legal professional privilege in relation to that information.

It therefore remains important for organisations to take steps to ensure that cyber incident investigations are protected by legal professional privilege and thus immune from disclosure.

The Bill expressly provides that the disclosure of information under the protected disclosure provisions will not in itself affect any legal professional privilege which would otherwise apply to that information.

When providing information under the protected disclosure provisions it would be prudent for organisations to do so expressly on the basis that the disclosure is not intended to waive any legal professional privilege in that information.

This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.

Co-author

Name: Mia Doherty

Position: Law Clerk

Practice: Disputes

DMAW Lawyers has you covered when it comes to identifying your legal obligations, assessing risk and exposure, and putting in place strategies to manage legal risks and meet regulatory obligations, whether that be:

• digital information security obligations and protections in your supply chain contracts;
• privacy, data breach assessment, incident response and notification laws;
• on-boarding and off-boarding processes; or
• fit for purpose employment contracts and digital security policies.

Find out more about how our cyber and information security legal experts can assist your business.