Introduction
As the year draws to a close, 2024 stands out as a landmark year for cyber security law and regulation in Australia. The past 12 months have been marked by significant legislative reforms, the first ever use of cyber sanctions, new reporting requirements and information sharing provisions and a record number of data breach notifications. Regulators have also continued to raise the bar, setting high expectations for organisations to enhance their resilience against growing cyber threats.
Incident response strategies also evolved this year, with the increased involvement and assistance offered by government agencies and the introduction of innovative tools such as injunctions against hackers to block the publication of stolen data, marking a shift in how organisations respond to cybercrime.
In this special “Twelve Days of Christmas” edition of Cyber Bytes, we take a closer look at twelve key developments that defined 2024, all of which have shaped the ever evolving cyber legal landscape and impact how organisations ought to respond in 2025 and beyond.
1. Privacy Act reforms
On 29 November 2024, long awaited reforms under the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) passed both Houses of Parliament.
The key changes include the introduction of a statutory tort for the invasion of privacy, the new criminal offence of ‘doxxing’, expanded civil penalty provisions for privacy breaches (including the introduction of mid-tier penalties and infringement notices) and amendments to the Australian Privacy Principles to ensure entities take ‘technical and organisational measures’ as part of the reasonable steps they are obliged to take to protect the security of personal information.
These changes only mark the first phase of reforms, with consultation shortly to begin on a second tranche of privacy measures. This will be the most significant overhaul of Australian privacy law since the regime’s inception and increases the privacy compliance stakes for businesses. For more information about the changes, view our article ‘Long-awaited privacy laws hit Commonwealth Parliament’.
2. Cyber Security Act 2024 (Cth)
The Cyber Security Act 2024 (Cth) was also passed in November and is Australia’s first stand-alone piece of cyber security legislation. The Act establishes mandatory ransomware payment reporting for certain businesses, minimum cyber security standards for smart devices, ‘limited use’ obligations in respect of information shared with the National Cyber Security Coordinator, and an independent Cyber Incident Review Board that will conduct no-fault post-incident reviews of significant incidents.
Similar ‘limited use’ obligations have been enacted under the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Cth) to protect information that is voluntarily shared with the Australian Signals Directorate. These initiatives are designed to encourage greater sharing of information during and after incidents.
More information can be found in our article ‘Australia’s Cyber Security Bill 2024 – Ransomware reporting, safeguards for voluntary co-operation and more’.
3. Security of Critical Infrastructure Act (Cth) reforms
With the Australian Signals Directorate’s annual threat report this year continuing to highlight the ongoing threat of state-sponsored cyber actors targeting critical infrastructure, the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) remains as vital as ever. This year, the SOCI Act was amended to expand information gathering and direction powers to cover a broader range of incidents that are deemed “serious” and impact national security or economic stability. The new legislation also:
- enhances the sharing of “protected information” for more effective collaboration;
- strengthens enforcement powers by enabling regulators to direct entities to address gaps in their Critical Infrastructure Risk Management Plans;
- transfers telecommunications security obligations from the Telecommunications Act 1997 to the SOCI Act; and
- broadens the definition of ‘critical infrastructure’ to include data storage systems that process or store business-critical data.
Read about the changes in more detail here: ‘SOCI-ally aware: More Security of Critical Infrastructure Act reforms on the way’
4. Digital ID Act 2024 (Cth)
In the wake of large-scale cyber incidents impacting the data of millions of Australians, particularly core identity documents, the Digital ID Act 2024 (Cth) was introduced with an aim to avoid the need for Australians to repeatedly share their ID documents, and reduce the need for government or business to retain such documents.
The new legislation became law on 30 May 2024 and established a framework for digital identity across Australia. Key provisions include:
- introducing a new accreditation scheme to replace and enhance the 2015 Trusted Digital Identity Framework;
- expanding the Australian Government’s Digital Identity System to include states, territories, and the private sector (within 2 years); and
- strengthening privacy protections for personal information in line with the Privacy Act.
The Act also designates the Australian Competition and Consumer Commission as the Digital ID Regulator, with the OAIC regulating the scheme’s privacy safeguards.
5. ASIC regulatory enforcement
ASIC recently announced its enforcement priorities for 2025. Amongst these priorities is a continued focus on Australian Financial Services licensees that fail to remain vigilant in guarding against cyber risks.
ASIC has also again emphasised the key role of directors’ duties when it comes to cyber risk. ASIC’s expectation is that boards and directors should be implementing and improving cyber risk management and cyber resilience processes. Failing to do so will risk enforcement actions being taken for breach of either AFSL obligations or directors’ duties.
To date, ASIC has brought only one enforcement proceeding in relation to cyber risk, being the case against RI Advice, an AFSL holder, which ASIC won in 2022. After years of warning that ASIC’s next target would be directors, this year ASIC publicly confirmed it had active investigations underway into company directors and the adequacy of the cyber risk measures they had taken.
6. OAIC regulatory enforcement
In its 2024-25 Corporate Plan the OAIC continues to prioritise regulatory action where there may be serious failures to take reasonable steps to protect personal information, the use of inappropriate data retention practices or failures to comply with reporting requirements of the Notifiable Data Breaches Scheme, particularly where risks and mitigations have previously been publicised by the OAIC.
This year, the OAIC commenced civil penalty proceedings against Medibank Private Limited, only the third civil penalty proceeding ever to have been brought.
On 17 December 2024 the OAIC announced that its first ever civil penalty proceeding, commenced in 2020 against Meta Platforms, Inc (previously Facebook), had been resolved. The OAIC has accepted an enforceable undertaking from Meta which includes a provision for a $50 million payment program for affected individuals, and the civil penalty proceeding has been withdrawn.
7. ASX guidance on continuous disclosure of data breaches
On 27 May 2024, the ASX revised its Listing Rules Guidance Note 8: Continuous Disclosure to include a detailed case study illustrating a listed entity’s disclosure obligations following a cyber incident or data breach.
The case study and accompanying commentary provide guidance on the various decision points at which potential disclosure may need to be considered, such as the initial discovery of an incident, confirmation of data exfiltration, the decision to notify the OAIC and/or affected individuals, or the release by a cybercriminal of a large volume of data on the dark web.
The revised guidance comes in an environment where listed entities are often the subject of cyber incidents, and in the wake of Australia’s first continuous disclosure shareholder class action arising from a cyber incident which was filed last year.
More information can be found in our article ‘ASX provides market participants with enhanced disclosure guidance for cyber breaches’
8. Cyber sanctions used for the first time
Australia’s thematic autonomous sanctions scheme, first introduced in 2021, was used in connection with significant cyber incidents for the first time in early 2024 when Australia imposed sanctions on Aleksandr Ermakov, a Russian national implicated in the 2022 Medibank cyber-attack. This means that it is an offence to directly (or indirectly) make assets available to, or for the benefit of, Ermakov.
This was followed by additional cyber themed sanctions imposed on a senior leader of the Lockbit ransomware group (May 2024) and on senior members of the cybercriminal group Evil Corp (October 2024), each time in concert with parallel action taken by the US and UK.
This use of cyber themed sanctions increases the legal complexity for Australian businesses navigating ransomware incidents, in particular the risk of running afoul of sanctions legislation by engaging with threat actors who demand payment of a ransom.
9. Law enforcement successes against cyber criminals
It’s easy to think the crooks always win in the world of cyber breaches, but 2024 saw further evidence that crime doesn’t always pay. Here are some highlights:
- Significant law enforcement efforts against the LockBit ransomware group saw two LockBit affiliates, charged in the US, plead guilty in July, facing up to 25 and 45 years’ imprisonment respectively.
- A 25-year-old Canadian man accused of being behind the Ticketek and Ticketmaster hacks is facing an extradition hearing after criminal charges (including conspiracy, computer fraud and abuse, extortion, wire fraud, and aggravated identity theft) were filed against him in the United States District Court in October.
- Closer to home, a Western Australian man, who accessed and misused for financial gain around 20,000 stolen credentials on the dark web, was charged with a range of fraud offences and in April was sentenced to two years in prison.
10. Notifiable data breaches
Data breach notifications grew in 2024, both in number of breaches and in the number of notification schemes across Australian jurisdictions.
Under the Commonwealth scheme, the OAIC’s latest Notifiable Data Breaches Report for January–June 2024 revealed 527 data breach notifications, the highest since 2020 (see ‘The Year in Numbers’ below). The report highlights key themes such as supply chain risks, human error, cloud-based data vulnerabilities and the importance of proactive cybersecurity measures.
Meanwhile, in other jurisdictions:
- NSW had its first full year of the operation of the Mandatory Notification of Data Breach Scheme which applies to state government agencies, local councils and universities.
- Queensland, having passed its own amending legislation in November 2023, prepared itself for the commencement of its breach notification scheme in July 2025.
- Western Australia became the third state to introduce a similar scheme with the passing of the Privacy and Responsible Information Sharing Act 2024 in the last parliamentary sitting week of the year.
11. Injunctions against ‘persons unknown’
In February, a landmark decision established a new precedent in Australia when HWL Ebsworth was granted final injunctive relief by the Supreme Court of New South Wales (confirming interim orders made last year) to restrain unknown hackers and other third parties from publishing or using stolen data.
Since then, injunctions of this nature have become a common addition to the cyber incident response toolkit and have been utilised by a range of organisations (including entities as diverse as a local council, a university, a not-for-profit, and a ticketing company) in response to their own cyber incidents.
Injunctions of this nature have the practical utility of limiting the dissemination of stolen data, including by notifying third parties who may seek to access or publish the information, thereby minimising the harm to affected individuals, and signalling to the world at large that the entity continues to treat seriously the confidentiality of the data.
12. Legal professional privilege over forensic investigation reports
This year, the Full Court of the Federal Court of Australia affirmed the first instance decision in Robertson v Singtel Optus Pty Ltd [2023] FCA 1392 that a forensic investigation report prepared by Deloitte following a cyber-attack on Optus was not privileged. The Full Court held that the report was prepared for multiple purposes and not for the dominant purpose of obtaining legal advice.
This decision serves as a useful guide to the principles applicable to claims for legal professional privilege in the context of a forensic investigation into a cyber incident. Importantly, legal professional privilege should not be assumed. Careful consideration must be given to the management of forensic investigations and root cause analyses, particularly where these may serve multiple purposes, and to the early involvement of lawyers in the process.
2024: the cyber year in numbers
Here are some key statistics and numbers from 2024 that help paint a picture of the cyber landscape:
Conclusion
These key developments from the past twelve months offer a taste of the range of different legal and regulatory issues to navigate in the world of cyber, data security and privacy, and give plenty for organisations to reflect on to ensure they are prepared for the challenges of 2025 and beyond.
Contacting our team
If you would like to learn more about the developments above and the potential implications for your organisation, please reach out to our team for advice.
Our cyber incident response team can also assist you in the event of a cyber breach, including advising on relevant regulatory obligations (including notifiable data breaches), ransom demands, stakeholder communications, notifications to impacted individuals and working with other external experts to manage the response to an incident. You can also contact our cyber team if you would like assistance with incident response planning or conducting a cyber simulation exercise.
This article was written by Andrew Miers, Partner, Zoe Tishler, Special Counsel, Matt Kearins, Associate, Luke Roper, Associate, Jimmy Li, Solicitor and Judith Devaraj, Solicitor.