Optus hack exposes Australia’s ‘lagging’ cyber law framework

“A well-considered obligation that requires businesses to notify a suitably funded government body of a cyberattack (which should not be limited to just ransomware) could assist to combat cyberattacks,” Patel said. “There has also been a push to impose minimum security standards such as the ACSC’s Essential Eight or provide further guidance around existing obligations to uplift cyber security postures.”

He also highlighted draft legislation that outlined new cybercrime offences with increased penalties as well as amendments that enable enforcement agencies to “investigate and prosecute criminal offences where perpetrators do their work outside of Australia but impact Australian individuals and businesses.”

Legal push to make cybersecurity a priority

While laws are not a foolproof plan against cyberattacks, they can limit such breaches by driving organisations to prioritise cybersecurity, Alison Cripps, practical guidance legal writer | cybersecurity, data protection and privacy at LexisNexis Australia, told Australasian Lawyer.

She outlined three factors that enable laws to effectively mitigate cyber risk:

  • the legislation must impose obligations that, when implemented, will mitigate security risks (and legislation must then adapt to the changing threats imposed by cyber criminals – as new mechanisms for cybercrime evolve, so too should legislation)
  • regulators must effectively enforce the legislation (including that penalties are applied, even where there is no cyber event) (I am not in a position to comment on whether regulators are effectively enforcing existing legislation)
  • the consequences of breaching the legislation must be significant, in order to incentivise organisations to comply with the legislation. Often these consequences are financial – but directors can also be personally liable for cyber events under their AFSL licensing obligations or licences to operate a business can be tied to compliance

“The proposed amendments to the SOCI Act will also see increased obligations relating to data management imposed on critical infrastructure organisations such as, water, electricity, sewage, telecommunications assets,” she added.