Legislative Compliance

Aegis Cybersecurity Services

What are your legal cybersecurity obligations?

The following is not legal advice, we partner with specialist legal practitioners to address specific legal requirements and questions. With our experience in cybersecurity we can support your organisation in meeting specific obligations and complying with regulatory requirements.

Within Australia there are several pieces of legislation that have direct and indirect cybersecurity impacts. These obligations require your organisation depending on your industry to establish and maintain specific processes, controls, or make reports to government regulators periodically. The complexity of the reporting requirements, and the underpinning systems to enable them is becoming increasingly complex – with still more legislation being proposed. Below is a selection of legislation that we commonly support clients in meeting their obligations.

Privacy Act 1988 (Cth)

The Privacy Act establishes guidelines for the collection, use, disclosure, and storage of personal information. Organisations must comply with the Australian Privacy Principles (APPs), which are a key part of the Privacy Act.

Note: there are substantial changes coming to the Privacy Act in late 2024.

Notifiable Data Breaches (NDB) Scheme

Part of the Privacy Act, the NDB scheme requires organisations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm.

Security of Critical Infrastructure Act 2018 (Cth)

This act aims to manage risks related to critical infrastructure in Australia, including the security of data and systems. It contains enhanced testing and reporting obligations for industries deemed to be critical to national safety and security.

Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018

Also known as the “Encryption Act,” it requires telecommunications and technology companies to provide access to encrypted communications under specific circumstances to assist law enforcement agencies.

Australian Securities and Investments Commission (ASIC) Regulations

ASIC has guidelines and requirements for financial services companies to ensure they maintain robust cybersecurity practices, particularly in relation to data protection and incident reporting.

Corporations Act 2001 (Cth)

This act includes requirements for directors and officers of companies to ensure they are managing cybersecurity risks appropriately as part of their duty to act with due care and diligence.

Australian Prudential Regulation Authority (APRA) CPS 234

APRA CPS 234 sets out minimum standards for information security for APRA-regulated entities, including banks, insurers, and superannuation funds, to protect against cybersecurity threats.

Defence Trade Controls Act 2012 (Cth)

This act controls the transfer of defence and strategic goods and technologies, including certain cyber-related technologies.

Essential Eight from the Australian Cyber Security Centre (ACSC)

While not legislation, the Essential Eight is a set of baseline mitigation strategies recommended by the ACSC to help organisations improve their cybersecurity posture.

Health Records and Information Privacy Act 2002 (NSW)

This act specifically addresses the handling of health information in New South Wales, requiring organisations to comply with specific privacy principles.

General Data Protection Regulation (GDPR)

Although not Australian legislation, Australian companies dealing with European customers may need to comply with the GDPR requirements for data protection and privacy if they have operations in the EU.

Industry-Specific Legislation and Standards:

Various industries may have additional specific requirements, such as those in the financial sector (e.g., the Banking Act 1959) or health sector (e.g., My Health Records Act 2012).

Compliance and Reporting

Mandatory Breach Reporting: Companies must report certain types of data breaches to the OAIC and affected individuals.
Security Assessments: Regular security assessments and audits are required to ensure compliance with relevant laws and standards.
Training and Awareness: Ongoing training for staff on cybersecurity best practices and legal obligations is essential.

Read how we improved our client’s cybersecurity posture.

Read Case Study

Your most intelligent cybersecurity defence starts with Aegis.

Leading Provider of Cyber Security Services

1300 791 965

info@aegiscyber.com.au