
What are my legal obligations under Australia's cyber security laws?

Cyber Risk

Australia’s cyber security legal framework has evolved rapidly in response to increasing threats to critical infrastructure and personal data. Understanding your obligations is essential to avoiding penalties and protecting your business.

1. The Privacy Act 1988 (Cth)

The Privacy Act applies to most businesses with annual turnover exceeding $3 million (and certain smaller businesses). It requires you to:

  • Collect and handle personal information in accordance with the Australian Privacy Principles (APPs).
  • Take reasonable steps to protect personal information from misuse, interference, and unauthorised access.
  • Notify the OAIC and affected individuals of eligible data breaches under the Notifiable Data Breaches (NDB) scheme.

Penalties: Up to $50 million for serious or repeated interferences with privacy.

2. Security of Critical Infrastructure Act 2018 (SOCI Act)

The SOCI Act applies to operators of critical infrastructure assets across 11 sectors, including:

  • Communications, data storage, and processing
  • Financial services and markets
  • Healthcare and medical
  • Energy, water, and transport
  • Defence industry and space technology

Key obligations include:

  • Adopting and maintaining a Critical Infrastructure Risk Management Program.
  • Reporting cyber security incidents to the Australian Signals Directorate within specified timeframes (as little as 12 hours for critical incidents).
  • Potentially allowing government intervention during significant cyber incidents.

3. APRA CPS 234 (Financial Services)

If you are regulated by APRA (banks, insurers, superannuation funds), Prudential Standard CPS 234 requires you to:

  • Maintain an information security capability commensurate with the size and nature of threats.
  • Clearly define information security roles and responsibilities.
  • Implement controls to protect information assets.
  • Notify APRA of material information security incidents.

4. Industry-Specific Obligations

Additional requirements may apply depending on your sector:

  • Healthcare: My Health Records Act, AHPRA registration requirements, and state health information privacy laws.
  • Telecommunications: Carrier obligations under the Telecommunications Act 1997.
  • Defence industry: Defence Industry Security Program (DISP) requirements.

5. Emerging Obligations

Australia’s cyber security regulatory landscape continues to evolve. Recent and upcoming changes include:

  • Mandatory ransomware reporting requirements.
  • Stricter obligations for “systems of national significance.”
  • Reform of the Privacy Act to introduce more prescriptive security requirements.

Cyber Compliance Advice

We help businesses understand and meet their cyber security legal obligations, from Privacy Act compliance to SOCI Act risk management programs.

Need a compliance review? Contact Bell & Senior today. Call (07) 5532 8777.