Crana Consulting

Evolving Australian Cybersecurity Legislation

Australian Acts

The following Australian laws relate to cybersecurity: the Privacy Act (Cth) ("Privacy Act"); the Crimes Act 1914 (Cth); the Security of Critical Infrastructure Act 2018 (Cth); the Code (Cth); and the Telecommunications (Interception and Access) Act 1979 (Cth).

Corporation Act and Cyber

A failure by a company to prevent, mitigate, manage or respond to an Incident may result in breaches of provisions of the Corporations Act 2001 (Cth). The Corporations Act 2001 (Cth) imposes a duty on directors to exercise their powers and discharge their duties with the care and diligence that a reasonable person would. A director who ignores the real possibility of an Incident may therefore be liable for failing to exercise their duties with care and diligence.

Critical Infrastructure Sectors

The critical infrastructure sectors are: electricity, gas, water, ports, defence, space, transport, food and grocery, higher education and research, healthcare and medical services, energy, financial services and markets, data storage or processing, water and sewerage, and communications.

Critical Infrastructure Protection

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) came into effect on 2 April 2022 and introduced the following key measures:

  • A new obligation for responsible entities to create and maintain a critical infrastructure risk management program.
  • A new framework of enhanced cyber security obligations for operators of systems of national significance.

Notifiable Data Breaches Scheme

The Notifiable Data Breaches scheme amended the Privacy Act to require Australian Privacy Principles ("APP") entities to notify the OAIC and affected individuals, as soon as practicable, of an "eligible data breach" where there are reasonable grounds to believe that an "eligible data breach" has occurred.

The maximum penalty for serious or repeated privacy breaches is the greater of:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30 per cent of a company's adjusted turnover in the relevant period.

ACSC incident reporting

Responsible entities are required to report cybersecurity incidents to the ACSC. The report must state the date and time of the incident, whether the incident is ongoing, which systems are being impacted, and the type of incident (such as denial of service, unauthorised access to a network or device, data exposure, malicious code, ransomware, phishing or scanning). [Applicable to CI entities]

Incident response plan

An entity responsible for a system of national significance must adopt and maintain an incident response plan for cybersecurity incidents. [Applicable to CI entities]

Significant Impact

Where an incident has a significant impact on the availability of the asset, the entity must report it to the relevant Commonwealth body as soon as practicable, and in any event within 12 hours after the entity becomes aware of it. [Applicable to CI entities]

Relevant impact

Where an incident has a relevant impact on the asset, the entity must report it to the relevant Commonwealth body as soon as practicable, and in any event within 72 hours after the entity becomes aware of it. [Applicable to CI entities]

Cybersecurity exercise

An entity responsible for a system of national significance may be required to undertake a cybersecurity exercise to test the entity's ability and preparedness to respond appropriately to, and mitigate the impact of, cybersecurity incidents. [Applicable to CI entities]

Vulnerability assessment

An entity responsible for a system of national significance may be required to:

  • undertake a vulnerability assessment in relation to all types of cybersecurity incidents; and/or
  • provide system information to develop and maintain a near-real-time threat picture.

[Applicable to CI entities]

DISCLAIMER

Crana Consulting does not provide legal advice. We recommend you seek formal counsel for your specific legal obligations.

Copyright © 2023 Crana Consulting - All Rights Reserved.
