Cyber attacks on business can lead to the theft of sensitive information, financial loss, reputational damage, and a loss of customer trust. According to a March 2023 OAIC Notifiable data breaches report, millions of Australians’ personal information was compromised through large scale data breaches in the second half of 2022, as part of a 26% increase in breaches overall.

With the increasing digitisation of business operations, cyber security risks have become a major concern for Australian businesses. To mitigate these risks, it is essential that businesses take steps to protect themselves from cyber threats. From a legal perspective, there are a number of Australian laws and regulations that businesses need to be aware of and comply with to effectively manage cyber security risks.

What regulation covers cyber security in Australia?

The primary legislation that governs cyber security in Australia is the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme. The Privacy Act 1988 (Cth) outlines the legal requirements for businesses that collect, use, and store personal information. It requires businesses to take reasonable steps to protect personal information from unauthorised access, use, or disclosure. The NDB scheme, which was introduced in 2018, requires businesses to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if there has been a data breach that is likely to result in serious harm.

In addition to the Privacy Act 1988 (Cth) and the NDB scheme, there are a number of other Australian guidelines that businesses should be aware of, depending on their industry and the type of data they collect and store. For example, the Australian Cyber Security Centre (ACSC) provides guidance and best practices for businesses in specific industries, such as the energy sector and the finance sector.

How can businesses ensure they’re compliant? 

To ensure compliance with these laws and regulations, businesses should implement a comprehensive cyber security strategy. This strategy should include a range of measures to protect against cyber threats, such as:

1. Conducting regular risk assessments: Businesses should conduct regular risk assessments to identify potential vulnerabilities and threats. This will enable them to develop a risk management plan that includes appropriate controls and mitigation strategies.
2. Implementing access controls: Access controls are essential for protecting sensitive information from unauthorised access. This includes implementing strong passwords and two-factor authentication, as well as limiting access to sensitive data to only those employees who require it to perform their job.
3. Using encryption: Encryption is an effective way to protect sensitive information from unauthorised access. Businesses should consider implementing encryption for all sensitive data both in transit and at rest.
4. Implementing a data backup plan: Data backups are essential for protecting against data loss in the event of a cyber attack. Businesses should implement a comprehensive data backup plan that includes regular backups, offsite storage, and regular testing to ensure that backups are working properly.
5. Conducting regular employee training: Employees are often the weakest link in a business’s cyber security strategy. Businesses should conduct regular employee training to educate staff on the risks of cyber threats and how to identify and respond to them.
6. Developing an incident response plan: Businesses should develop an incident response plan that outlines the steps that should be taken in the event of a cyber attack. This should include the roles and responsibilities of different stakeholders, as well as a communication plan for notifying affected parties.
7. Engaging with cyber security professionals: Businesses should consider engaging with cyber security professionals to assess their cyber security posture and provide recommendations for improvement. This may include conducting penetration testing and vulnerability assessments.

By implementing these measures, businesses can significantly reduce their risk of falling victim to a cyber attack. However, it is important to note that cyber threats are constantly evolving, and businesses need to remain vigilant and adapt their cyber security strategies accordingly.

Key considerations

It’s important to treat cyber security as a legal risk as well as a privacy, reputational and operational risk. This will enable you to develop a more holistic approach should things go wrong and ensure your risk management plan covers all bases. With the increased risk of legal action when a company doesn’t adequately protect customer data (such as the Optus Data Breach Class Action), this needs to be factored in as a possible outcome.