Key Changes in Cyber Security Information Sharing: What Organisations Need to Know

This article applies to all organisations.

Cyber Security Act 2024 (Cth)

On 30 November 2024, relevant provisions of the Cyber Security Act 2024 (Cth) (the CS Act) commenced. Additionally, on 30 November 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (Cth) (the Amendment Act) commenced and amended the Intelligence Services Act 2001 (Cth) (the IS Act).

What’s new?

New Part 4 of the CS Act introduces a mechanism for entities to voluntarily provide information to the National Cyber Security Coordinator (the NCSC) in relation to significant cyber security incidents in order for the NCSC to coordinate a whole government response to such incidents. The CS Act and the Amendment Act also introduce limitations on the secondary use, disclosure and communication of this information.

Further Information

New section 9 of the CS Act provides that a cyber security incident is one or more acts, events or circumstances of a kind covered by the meaning of cyber security incidents in the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act), or involving unauthorised impairment of electronic communication to or from a computer within the meaning of that phrase in that Act, but as if that phrase did not exclude the mere interception of any such communication. However, an incident is only a cyber security incident for the purposes of the CS Act if one of the following applies:

  • the incident involves a critical infrastructure asset;
  • the incident involves the activities of an entity that is a corporation to which section 51(xx) of the Constitution applies;
  • the incident is or was effected by means of telegraphic, telephonic or other like service within the meaning of section 51(v) of the Constitution (including, for example, by means of the internet);
  • the incident is impeding or impairing, or has impeded or impaired, the ability of a computer to connect to such a service; or
  • the incident has seriously prejudiced or is seriously prejudicing the social or economic stability of Australia or its people, the defence of Australia or national security.

CS Act: Limitations on secondary use and disclosure

New section 40 of the CS Act applies where information:

  • has been provided by, or on behalf of, an entity (the impacted entity) under new section 35(2) of the CS Act (being where the impacted entity, or another entity acting on behalf of the impacted entity, has provided information about the incident to the NCSC and the incident is a significant cyber security incident or the incident could reasonably be expected to be a significant cyber security incident) or as referred to in new section 39(1) of the CS Act (being where an incident has occurred, is occurring or is imminent and the impacted entity has provided information to the NCSC in relation to the incident that is either not a cyber security incident, or is a cyber security incident but not a significant cyber security incident); and
  • has been obtained by another entity, a Commonwealth body (other than the Australian Signals Directorate (ASD)) or a State body under new section 38(1) or 39(2) of the CS Act (related to the NCSC having made a record of, used or disclosed information provided by the impacted entity) or new section 40 of the CS Act (as discussed in this paragraph and below); and
  • is held by the other entity, Commonwealth body or State body.

New section 34 of the CS Act provides that a cyber security incident is a significant cyber security incident if:

  • there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice the social or economic stability of Australia or its people; the defence of Australia; or national security; or
  • the incident is, or could reasonably be expected to be, of serious concern to the Australian people.

Under the CS Act, a Commonwealth body means a Minister of the Commonwealth, a Department of State of the Commonwealth or a body (whether incorporated or not) that is established, or continued in existence, for a public purpose by or under a law of the Commonwealth, and is not an authority of the Crown. A State body means a Minister of a State or Territory, a Department of State of a State or Territory or a Department of the Public Service of a State or Territory or a body (whether incorporated or not) that is established, or continued in existence, for a public purpose by or under a law of a State or Territory, and is not an authority of the Crown. An entity means an individual, a body corporate, a partnership, an unincorporated association that has a governing body, a trust or an entity that is a responsible entity for a critical infrastructure asset.

Where new section 40 of the CS Act applies, new section 40(2) of the CS Act provides that the other entity, Commonwealth body or State body may only make a record of, use or disclose the information to assist the impacted entity, and other entities acting on behalf of the impacted entity, to respond to, mitigate or resolve the cyber security incident or for a permitted cyber security purpose for a cyber security incident. Under new section 10 of the CS Act, each of the following is a permitted cyber security purpose for a cyber security incident:

  • the performance of the functions of a Commonwealth body (to the extent that it is not a Commonwealth enforcement body) or a State body relating to responding to, mitigating or resolving the cyber security incident;
  • the performance of the functions of the NCSC under new Part 4 of the CS Act relating to the cyber security incident;
  • informing and advising the Minister, and other Ministers of the Commonwealth, about the cyber security incident;
  • preventing or mitigating material risks that the cyber security incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice the social or economic stability of Australia or its people, the defence of Australia or national security;
  • preventing or mitigating material risks to a critical infrastructure asset;
  • the performance of the functions of an intelligence agency;
  • the performance of the functions of a Commonwealth enforcement body.

Additionally, new section 40(3) of the CS Act provides that the other entity, Commonwealth body or State body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the impacted entity of a Commonwealth, State or Territory law other than a contravention by the impacted entity of new Part 4 of the CS Act or a contravention by the impacted entity of a law that imposes a penalty or sanction for a criminal offence.

Organisations should note that, under new section 40(6) of the CS Act, where any of the following apply, an entity (not including Commonwealth officers) is liable to a 60-penalty unit fine (currently, $18,780) if it contravenes new section 40(2) of the CS Act (as discussed above):

  • the information is sensitive information (which has the same meaning as in the Privacy Act 1988 (Cth)) about an individual and the individual has not consented to the record, use or disclosure of the information;
  • the information is confidential or commercially sensitive;
  • the record, use or disclosure of the information would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.

IS Act: Limitations on secondary use and communication of limited cyber security information

New section 41BC of the IS Act applies to limited cyber security information that has been acquired under new section 41BB(1) or 41BC of the IS Act by a Commonwealth body, a State body (both as defined in the CS Act discussed above), or an entity (as defined in the CS Act discussed above) that is a corporation to which section 51(xx) of the Constitution applies, and such information is held by the Commonwealth body, State body or entity. Under new section 41BA of the IS Act, limited cyber security information is information that relates to a cyber security incident that has occurred or is occurring or a cyber security incident that may potentially occur and the information has been acquired or prepared by the ASD in a circumstance mentioned in new section 41BA(2) of the IS Act (which includes that the information has been voluntarily provided to the ASD, in the performance of its functions, by, or on behalf of, an entity (the impacted entity)), and the information is not excepted under new section 41BA(3) of the IS Act (e.g. the information has already been lawfully made available to the public, the information has been provided to the Commonwealth about the cyber security incident to comply with certain requirements under the CS Act, SOCI Act, Telecommunications Act 1997 (Cth) or a prescribed law, or the information is about an entity and has been de-identified so that it is no longer about an identifiable entity or an entity that is reasonably identifiable).

Under new section 41BC(2) of the IS Act, the Commonwealth body, State body or entity may only use or communicate limited cyber security information for one or more of the purposes set out in new section 41BC(2) of the IS Act (e.g. informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident or a cyber security incident that may potentially occur, the performance of the functions of a Commonwealth body (to the extent that it is not a Commonwealth enforcement body) relating to responding to, mitigating or resolving a cyber security incident or a cyber security incident that may potentially occur, etc.).

However, under new section 41BC(3) of the IS Act, the Commonwealth body, State body or entity must not use or communicate the information for the purposes of investigating or enforcing, or assisting the investigation or enforcement of, any contravention of a Commonwealth, State or Territory law that:

  • is a contravention by the impacted entity that originally voluntarily provided the information to the ASD (as referred to in new section 41BA(2)(a) of the IS Act); or consented to the information being acquired or prepared by the ASD (as referred to in new section 41BA(2)(b) of the IS Act); or originally voluntarily provided the information to the NCSC (under new section 35(2) of the CS Act or as referred to in new section 39(1) of the CS Act discussed above); and
  • is not a contravention by the impacted entity of new Division 1A of Part 6 of the IS Act or a law that imposes a penalty or sanction for a criminal offence.

Organisations should also note that, under new section 41BC(6) of the IS Act, where any of the following apply, an entity (not including Commonwealth officers within the meaning of Part 5.6 of the Criminal Code) is liable to a 60-penalty unit fine (currently, $18,780) if it contravenes new section 41BC(2) of the IS Act (as discussed above):

  • the information is sensitive information (within the meaning of the Privacy Act 1988 (Cth)) about an individual and that individual has not consented to the use or communication of the information;
  • the information is confidential or commercially sensitive;
  • the use or communication of the information would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.

What you should do

In light of the newly introduced regime for the voluntary sharing of information with the National Cyber Security Coordinator concerning significant cyber security incidents, your organisation should ensure relevant staff are made aware of the limitations on how the shared information may be recorded, used and disclosed. To that end, your organisation may wish to provide staff training on these new limitations on use and disclosure, as discussed above.
