The Australian legislative landscape for cybersecurity underwent significant updates in 2024. This blog post outlines key changes and their implications for organisations.
Online Safety Amendment (Social Media Minimum Age) Bill 2024
This legislation introduces age restrictions for social media usage:
- Prohibits individuals under 16 from accessing platforms such as Facebook, TikTok, and Snapchat.
- Mandates social media companies to implement age verification measures without relying on government-issued ID.
- Non-compliance can result in significant fines.
Australian Financial Services Licence (AFSL) amendments
AFS licensees must now meet specific cybersecurity requirements, including:
- Maintaining robust technological systems, policies, and procedures.
- Allocating sufficient human and technological resources.
- The Australian Securities and Investments Commission (ASIC) is empowered to enforce these obligations.
For expert guidance, consider partnering with firms specialising in cyber security strategy and compliance, such as Flame Tree.
Scams Prevention Framework
To address the rising threat of scams:
- Banks, telecommunications companies, and digital platforms must implement anti-scam measures.
- Fines of up to $50 million can be imposed for non-compliance.
Privacy Act 1988 amendments
Updates to privacy protections include:
- Expanding the definition of personal information to include IP addresses, device identifiers, and location data.
- Requiring user consent for data usage, along with easy withdrawal mechanisms.
- Mandating prompt data breach notifications to affected individuals and the Office of the Information Commissioner.
- Empowering the Information Commissioner to conduct proactive audits.
- Introducing individual rights to request data deletion.
- Increasing fines for non-compliance to up to $3.3 million for corporations and $660,000 for individuals.
Small businesses with less than $3 million turnover remain exempt.
Security of Critical Infrastructure Act 2018 (SOCI Act) amendments
Critical infrastructure entities face new obligations:
- Risk management programs must include consistent assessments and incident reporting.
- Entities must promptly report cyber security incidents and comply with government directives during emergencies.
- Regulators now have broader powers for audits and enforcing penalties.
Cyber Security Act 2024
This act outlines comprehensive cybersecurity requirements for businesses:
- Internet-connected products must comply with cybersecurity standards before sale.
- Entities must report ransomware payments to authorities, with penalties for non-compliance.
- Continuous monitoring and regular security testing are required to address vulnerabilities.
- Businesses must coordinate with the National Cyber Security Coordinator during major incidents.
Preparing for compliance
To ensure readiness, businesses should:
- Update risk frameworks – Ensure these address new legislative requirements.
- Develop privacy impact assessments – Reflect changes to the definition of personal information.
- Embed security testing in processes – Include mandatory reporting mechanisms.
- Enhance incident response plans – Ensure compliance with new reporting obligations.
- Educate boards and executives – Directors must understand privacy-related legal exposure, including the right to sue for privacy invasions.
Next steps for Australian businesses
The 2024 changes underline the importance of integrating cybersecurity into business operations. Non-compliance is met with stringent penalties, while meeting these obligations fosters trust and resilience.
For expert guidance, consider partnering with firms specialising in cybersecurity strategy and compliance, such as Flame Tree.