AUSTRALIA Trends and Developments Contributed by: Peter Briggs, Christine Wong, Mark Smyth and Tom Dougherty, Herbert Smith Freehills
as well as technical measures. This provides a more explicit basis for potential enforcement action where there is inappropriate governance, emphasising the importance of appropriate oversight and involvement of the board in privacy and cybersecurity risk management.

A new tiered civil penalty regime for Privacy Act breaches gives the privacy regulator a more flexible toolkit, as well as the ability to obtain enforcement outcomes and fines without commencing court proceedings.

Cybersecurity reforms

A suite of reforms strengthening cybersecurity laws in Australia were also passed in 2024 to enhance the security of critical assets and to gain a better understanding of the impact on business of cyber-attacks, with a view to enabling the government to better mitigate risks across the economy and to formulate future responses.

In the context of cyber-extortion attacks, the Cyber Security Act 2024 (Cth) means that businesses should consider reflecting the following in incident response plans:

• mandatory obligations to report information about cyber extortion payments (details of the payment process and threat actor communications), where reporting thresholds are met. While information protected by privilege does not need to be disclosed and reported information is subject to limited use by government, the protections leave open the possibility that information can be used in a criminal prosecution of a company; and
• the government’s enhanced powers to intervene in critical infrastructure cyber-incidents.
The government has also introduced enhanced obligations for critical infrastructure. Amendments to the Security of Critical Infrastructure Act 2018 (Cth) include:

• the expansion of obligations to data storage assets;
• enhanced powers to require entities to vary critical infrastructure risk management plans;
• enhanced information-sharing criteria; and
• security and notification obligations for critical telecommunications assets.

Environmental regulatory enforcement

As communities, organisations and governments maintain a focus on climate change impacts and related environmental issues, businesses in Australia are faced with an increased regulation of environmental impacts under state and territory laws. This includes an increased risk of enforcement action with regard to business-as-usual operations or in connection with an environmental crisis or legal non-compliance.

Australia has a complex environment protection legal system, which is primarily governed by federal and state and territory laws. At a federal level, the Environment Protection and Biodiversity Conservation Act 1999 (Cth) is the overarching regulatory vehicle for the protection of biodiversity in Australia. At a state and territory level, each jurisdiction has its own legislation that governs:

• the primary environment protection framework for that jurisdiction, which regulates most business activities being carried out in Australia; and
• the investigation and enforcement powers of an Environment Protection Authority (EPA) or equivalent for that jurisdiction.
CHAMBERS.COM