Cybersecurity 2025

AUSTRALIA Trends and Developments Contributed by: Dennis Miralis and Jack Dennis, Nyman Gibson Miralis

compliance burden and costs. Nevertheless, it will likely still see a lot of incidents pass under the radar, leaving a widespread and fertile ground for malicious actors to test ransomware largely undetected and non-ransomware cyber-incidents more generally. With no safe harbour protections and heightening reputational concerns over breaches, an over-reliance on voluntary reporting may be insufficient.

Use of reports and other data shared

A key premise of Australia’s strategy in obtaining information on incidents is to better understand vulnerabilities/targets, methods and techniques, and ultimately generate tools and strategies to proactively and reactively respond to future incidents. Australia has sought to increase the open and frank communications of ransomware reporting by restricting the use of the information. These purposes primarily relate to responding to, mitigating or resolving cybersecurity incidents. How far these express purposes extend may be the subject of future proceedings.

Taking a closer look at ransomware reporting, the Act implements “limited use” obligations on the bodies who receive the information (primarily or secondarily). In doing so, the Act excludes the use of the information for investigations or enforcement action unless it is a contravention of the reporting obligations themselves or a law attracting “a penalty or sanction for a criminal offence”. This prevents the information from being used in most regulatory enforcement actions, but leaves the entities exposed to criminal law provisions. While individuals (including directors) may be able to rely on the privilege against self-incrimination where criminal law issues become live, the business entity itself is unlikely to have such protections given corporate entities do not have such a privilege under Australian law. Public suggestions of including a safe harbour provision were dismissed by the Australian government. In fact, the government expressly stated the intention was not to “shield a reporting entity from legal liability” or “to restrict law enforcement […] from gathering this information through another passage using their own existing powers” raising the concern of secondary methods of obtaining the obligatorily shared information by even civil regulators. This may complicate compliance with this obligation, particularly should the Australian government rely on criminal sanctions (alone or as alternatives to civil penalties) to enforce cybersecurity legislation.

There are expanded protections for any information voluntarily provided to the NCSC concerning an actual or potential cybersecurity incident, with Section 42 rendering such information inadmissible in criminal proceedings (except very specific circumstances) and any “proceedings for breach of any other Commonwealth, State or Territory law (including the common law)”. Yet, these protections do not prevent authorities from obtaining the information via other methods and relying on it thereafter.

Online Safety Act

Surpassing the ranks of Russia’s ban of Discord and the United States’ (incredibly short) ban of TikTok, Australia passed a world-first age restriction on social media platforms for those under 16 years by introducing the Online Safety Amendment (Social Media Minimum Age) Act 2024 (Cth). The obligation is to take “reasonable steps” to prevent age-restricted users from having an account, but will impose restrictions on the kind of information that can be collected and how this information is stored, used and protected. Specific platforms are still to be confirmed, but the government initially intends to include Snapchat, TikTok, Facebook, Instagram
