Sarah Birkett and Olivia Newbold | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper
https://privacymatters.dlapiper.com/author/olivia-newbold/
DLA Piper's Global Privacy and Data Protection Resource

Australia’s Cyber Security Strategy in action – three new draft laws published
https://privacymatters.dlapiper.com/2024/10/australias-cyber-security-strategy-in-action-three-new-draft-laws-published/
Fri, 11 Oct 2024 05:20:34 +0000

It has been a busy month for cyber and privacy regulation in Australia. On the heels of the proposed amendments to the Privacy Act 1988 released just under a month ago (see our summary here), three further draft Bills relating to cyber security were released this week.

The key takeaways from the new Bills are summarised below:

Mandatory ransomware reporting

The Cyber Security Bill 2024 (Cyber Security Bill) introduces a mandatory reporting requirement where a ransomware payment (or other benefit) is paid to an extorting entity. The aim is to give the Australian Government greater visibility over the extent of the threat which ransomware poses to Australian businesses, particularly in light of the Australian privacy regulator’s ongoing concern regarding the under-reporting of ransomware incidents under the notifiable data breach regime in the Privacy Act 1988.

A report will need to be made to the Department of Home Affairs within 72 hours if the following criteria are met:

• a cyber security incident has occurred, is occurring or is imminent and has had, is having or could reasonably be expected to have, a direct or indirect impact on a reporting business entity;
• an extorting entity makes a demand of the reporting business entity, or some third party directly related to the incident impacting the reporting entity, in order to benefit from the incident or the impact on the reporting business entity; and
• the reporting business entity provides, or is aware that another entity directly related to the reporting entity has provided, a payment or benefit to the extorting entity that is directly related to the demand.

Some Australian businesses will be exempt from the reporting requirement if their annual turnover falls below an as-yet unspecified amount.

A two-stage reporting obligation had previously been proposed, which would have required notifications to be made if a request for payment of ransomware was received and additionally if any payment was subsequently made.

Cyber Review Board

Australia is following in the footsteps of other jurisdictions such as the United States by establishing a Cyber Review Board. The Board’s remit will be to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. The intent is to strengthen cyber resilience by providing recommendations to Government and industry based on lessons learned from previous incidents.

Limited information gathering powers will be granted to the Board, so it will largely rely on cooperation by impacted businesses.

The Board will be comprised of a Chair, standing members and an Expert Panel. The Expert Panel will be drawn from a pool of industry members with relevant expertise.

Limited Use Exception

A ‘limited use’ obligation will be established under the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Intelligence Services Bill), designed to encourage engagement and reporting between industry and the Government during cyber incidents.

The regime is designed to assure businesses that any information which is voluntarily provided to the National Cyber Security Coordinator or Australian Signals Directorate (ASD) regarding a cyber incident can only be recorded, used and disclosed by those entities for limited purposes.

Crucially, it guarantees that information which is provided voluntarily, or in response to a request within the framework of the limited use regime, cannot later be used against the entity by a regulator.

The ‘limited use’ obligation will apply to information provided to, acquired or prepared by the National Cyber Security Coordinator or ASD from an impacted entity during a cyber security incident, as well as information which is provided on behalf of the impacted entity (such as by its external advisors).

Mandatory security standards for smart devices

The Cyber Security Bill also establishes a framework under which mandatory security standards for smart devices will be issued.

Suppliers of smart devices will be prevented from supplying devices which do not meet these security standards, and will be required to provide statements of compliance for devices manufactured in Australia or supplied to the Australian market.

The Secretary of Home Affairs will be given the power to issue enforcement notices (including compliance, stop and recall notices) if a certificate of compliance for a specific device cannot be verified.

Security of Critical Infrastructure

The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 will amend the Security of Critical Infrastructure Act 2018, by giving effect to the legislative reforms contained in the 2023-2030 Australian Cyber Security Strategy.

The changes are designed to strengthen the security and resilience of critical infrastructure assets in Australia.

The key change to note for regulated entities is that secondary assets which hold ‘business critical data’ may also be captured as critical infrastructure assets, regardless of the primary purpose of the asset. This is not intended to capture all non-operational systems which hold business critical data, but rather those where there is a material risk that a hazard to the data storage system could have an adverse impact on a critical infrastructure asset.

Other changes to the Security of Critical Infrastructure Act 2018 include the provision of further clarity on the secrecy and disclosure provisions, and the implementation of new powers for the Secretary of the Department of Home Affairs.

We will provide further updates once these Bills are passed.

Australia: Anti-scam measures and ransomware reporting on the agenda
https://privacymatters.dlapiper.com/2024/09/australia-anti-scam-measures-and-ransomware-reporting-on-the-agenda/
Wed, 11 Sep 2024 13:16:06 +0000

Cyber regulation is changing in Australia. As governments globally grapple with the ever-changing and increasingly challenging cyber landscape, Australia is poised to implement new laws and update existing regulation in order to enhance Australia’s cyber security and resilience. These changes fall within the framework established by the 2023-2030 Australian Cyber Security Strategy, which aims to make Australia a world leader in cyber security by 2030.

Scam Code Act

In light of the 601,000 scams reported by Australians in 2023, accounting for an estimated $1.3 billion in losses, it has been reported this week that the Government will be introducing a new Scam Code Act.

This will require digital communications platforms, telecommunications carriers and banks to report scams as soon as they are detected, or face fines of up to AUD 50 million. The Australian Competition and Consumer Commission (ACCC) will be granted powers to draft mandatory codes across the three sectors, and also for individual businesses and platforms. It is expected that the new regime will also include requirements for:

• platforms to verify their advertisers;
• banks to warn customers if they attempt to make a transfer to an account that is identified as fraudulent;
• carriers to take certain measures to prevent scams being spread by SMS;
• companies designated by the ACCC to establish internal dispute resolution processes to hear complaints from customers and consider refunds; and
• all companies to maintain a “scams defence plan” to assist customers.

It is expected that the legislation will be tabled in parliament later this year, and we will keep you updated as more information is released about the proposed legislation.

Other cyber security measures

As a further rollout of the 2023-2030 Australian Cyber Security Strategy, the Australian Government has consulted on a range of proposed new cyber security legislation. In order to combat existing gaps in regulation, consultation was sought on the following proposed measures:

• mandating a security standard for consumer-grade smart devices, to incorporate basic security features by design and help prevent cyber attacks on Australian consumers;
• creating a no-fault, no-liability ransomware reporting obligation to improve collective understanding of ransomware incidents across Australia, in order to counteract the limited visibility over the amount of ransoms paid by Australian organisations. The laws are proposed to apply to businesses with an annual turnover of more than $3 million and include fines for failure to disclose;
• creating a ‘limited use’ obligation to clarify how the Australian Signals Directorate and the Cyber Coordinator may use information voluntarily disclosed to them during a cyber incident, in order to encourage industry to collaborate with the Government as part of an incident response; and
• establishing a Cyber Incident Review Board to conduct no-fault incident reviews and share lessons learned to improve Australia’s national cyber resilience.

The Government received 130 submissions as part of the consultation, which closed on 1 March 2024. We will keep you updated on the outcome of the consultation.

Australia’s e-marketing expectations: When customers don’t give a spam
https://privacymatters.dlapiper.com/2024/08/australias-e-marketing-expectations-when-customers-dont-give-a-spam/
Mon, 05 Aug 2024 12:44:20 +0000

On 1 July 2024, Australia’s spam regulator, the Australian Communications and Media Authority (ACMA), released a Statement of Expectations setting out its requirements for customer consent in the context of direct marketing.

The ACMA has consistently demonstrated a clear intolerance for breaches of the spam requirements, penalising businesses with over AUD 15 million in spam and telemarketing fines over the past 18 months.

Under the Spam Act 2003 (Cth), businesses must obtain consent from customers (including business customers) before sending any direct marketing communications via email, SMS or other electronic means. Consent can be express or inferred, but should only be inferred where there is an existing commercial relationship between the sender and the customer which relates to the subject matter of the marketing communication.

ACMA recommends using express consent as it represents a clear and unambiguous decision by a customer to receive direct marketing. Customers can give express consent by filling in a form, ticking a box on a website, over the phone, or face to face.

Records of consent should be maintained and include details such as the method by which consent was obtained, the terms applied to the consent and the date/time of collection. Outsourced providers of marketing services should maintain appropriate consent records on behalf of their customers, and businesses remain responsible for meeting their consent obligations regardless of whether they outsource e-marketing or consent gathering to third parties.

Based on the ACMA’s expectations regarding the spam laws, best practice includes the following:

• Obtain express consent based on clear terms and conditions which are accessible to the customer at the time of seeking consent. Avoid embedding the references to consent in fine print or long privacy policies.
• Consent terms and conditions should clearly explain what the consent is for, who it is being provided to, for how long, and how a customer may withdraw their consent.
• Make sure that only current consents are relied upon – consent should be refreshed regularly.
• Consider a double opt-in approach to obtaining consent, for example asking customers via email to confirm their consent by clicking on the link provided (which also helps to identify genuine email addresses).
• Do not use pre-ticked boxes.
• If seeking to rely on inferred consent, carefully evaluate whether there is a clear, current or ongoing relationship with the customer, and whether the goods or services being marketed are directly related to that relationship. Consent should not be inferred from a one-off purchase by a customer (even where they have provided a phone number or email to receive a receipt).
• Ensure all electronic messages contain easy to use and functional unsubscribe facilities. Avoid asking customers to log in to accounts or charging customers a fee to unsubscribe.
• Ensure that customers are given the option to unsubscribe from all marketing messages (and not only certain types of messages).
• Action unsubscribe requests as quickly as possible and within 5 business days.
• Do not continue sending marketing messages after an unsubscribe request has been received, or re-contact consumers encouraging them to resubscribe.

Please reach out to us if you require any further guidance about your obligations under the Spam Act 2003 (Cth).
