On 29 November 2024, Australia’s first standalone cyber security law, the Cyber Security Bill, came into effect. This legislation represents a significant milestone in the country’s approach to managing cyber threats, introducing mandatory reporting requirements for ransomware and cyber extortion payments. It is essential for lawyers and conveyancers to understand how this new legislation impacts your business.
The Cyber Security Bill aims to build a clearer picture of the evolving threat landscape by mandating that certain businesses report ransomware payments. The government’s goal is to enhance transparency, improve industry support, and enable better mitigation of ransomware attacks.
The reporting obligations are set out in Part 3 of the Cyber Security Bill. They are designed to give authorities valuable insight into ransomware trends while ensuring that sensitive business information is safeguarded.
Given the sensitive nature of client information held by law firms and conveyancers, the risk of ransomware attacks is particularly high. This legislation underscores the importance of robust cyber security measures to protect your practice and clients. Staying informed and compliant with these new requirements can mitigate the impact of cyber threats and uphold trust with your clients.
The new reporting obligations apply to:
If your organisation meets either of these criteria, it is critical to be prepared to comply with the reporting requirements.
Businesses that are required to report must do so to the Australian Signals Directorate and the Department of Home Affairs within 72 hours of making a ransomware payment or becoming aware that such a payment has been made. The report must include:
These reports help authorities understand and respond to ransomware threats more effectively while supporting affected businesses.
The legislation includes robust measures to protect businesses that comply with the reporting obligations:
These safeguards are designed to encourage reporting while protecting businesses from potential misuse of their disclosures.
The legislation respects the confidentiality of communications between legal advisors. This means that legal professional privilege remains intact, ensuring that sensitive discussions about ransomware incidents do not fall under the reporting requirements.
To ensure compliance with the new legislation, you should:
By staying informed and proactive, you can navigate the new cyber security legislation with confidence. Understanding your reporting obligations, implementing strong cyber security measures, and ensuring staff are prepared will help protect your practice and clients from evolving cyber threats. Compliance not only minimises risk but also reinforces trust in an increasingly digital legal landscape.