
CYBER SECURITY ACT 2024 (NO. 98, 2024) - NOTES

No. 98, 2024


Contents

Part 1--Preliminary

1 Short title

2 Commencement

3 Objects

4 Simplified outline of this Act

5 Extraterritoriality

6 Act binds the Crown

7 Concurrent operation of State and Territory laws

8 Definitions

9 Meaning of cyber security incident

10 Meaning of permitted cyber security purpose

11 Disclosure to State body

Part 2--Security standards for smart devices

Division 1--Preliminary

12 Simplified outline of this Part

13 Application of this Part

Division 2--Security standards for relevant connectable products

14 Security standards for relevant connectable products

15 Compliance with security standard for a relevant connectable product

16 Obligation to provide and supply products with a statement of compliance with security standard

Division 3--Enforcement

17 Compliance notice

18 Stop notice

19 Recall notice

20 Public notification of failure to comply with recall notice

Division 4--Miscellaneous

21 Revocation and variation of notices given under this Part

22 Internal review of decision to give compliance, stop or recall notice

23 Examination to assess compliance with security standard and statement of compliance

24 Acquisition of property

Part 3--Ransomware reporting obligations

Division 1--Preliminary

25 Simplified outline of this Part

Division 2--Reporting obligations

26 Application of this Part

27 Obligation to report following a ransomware payment

28 Liability

Division 3--Protection of information

29 Ransomware payment reports may only be used or disclosed for permitted purposes

30 Limitations on secondary use and disclosure of information in ransomware payment reports

31 Legal professional privilege

32 Admissibility of information in ransomware payment report against reporting business entity

Part 4--Coordination of significant cyber security incidents

Division 1--Preliminary

33 Simplified outline of this Part

34 Meaning of significant cyber security incident

Division 2--Voluntary information sharing with the National Cyber Security Coordinator

35 Impacted entity may voluntarily provide information to National Cyber Security Coordinator in relation to a significant cyber security incident

36 Voluntary provision of information in relation to other incidents or cyber security incidents

37 Role of the National Cyber Security Coordinator

Division 3--Protection of information

38 Information provided in relation to a significant cyber security incident--use and disclosure by National Cyber Security Coordinator

39 Information provided in relation to other incidents--use and disclosure by National Cyber Security Coordinator

40 Limitations on secondary use and disclosure

41 Legal professional privilege

42 Admissibility of information voluntarily given by impacted entity

43 National Cyber Security Coordinator not compellable as witness

Division 4--Miscellaneous

44 Interaction with other requirements to provide information in relation to a cyber security incident

Part 5--Cyber Incident Review Board

Division 1--Preliminary

45 Simplified outline of this Part

Division 2--Reviews

46 Board must cause reviews to be conducted

47 Board may discontinue a review

48 Chair may request information or documents

49 Chair may require certain entities to produce documents

50 Civil penalty--failing to comply with a notice to produce documents

51 Draft review reports

52 Final review reports

53 Certain information must be redacted from final review reports

54 Protected review reports

Division 3--Protection of information relating to reviews

55 Limitations on use and disclosure by the Board

56 Limitations on secondary use and disclosure

57 Legal professional privilege

58 Admissibility of information given by an entity that has been requested or required by the Board

59 Disclosure of draft review reports prohibited

Division 4--Establishment, functions and powers of the Board

60 Cyber Incident Review Board

61 Constitution of the Board

62 Functions of the Board

63 Independence

Division 5--Terms and conditions of appointment of the Chair and members of the Board

64 Appointment of Chair

65 Remuneration of the Chair

66 Appointment of standing members of the Board

67 Remuneration of standing members of the Board

68 Acting Chair

69 Terms and conditions etc. for standing members

Division 6--Expert Panel, staff assisting and consultants

70 Expert Panel

71 Arrangements relating to staff of the Department

72 Consultants

Division 7--Other matters relating to the Board

73 Board procedures

74 Liability

75 Certification of involvement in review

76 Annual report

77 Rules may prescribe reporting requirements etc.

Part 6--Regulatory powers

Division 1--Preliminary

78 Simplified outline of this Part

Division 2--Civil penalty provisions, enforceable undertakings and injunctions

79 Civil penalty provisions, enforceable undertakings and injunctions

Division 3--Monitoring and investigation powers

80 Monitoring powers

81 Investigation powers

Division 4--Infringement notices

82 Infringement notices

Division 5--Other matters

83 Contravening a civil penalty provision

Part 7--Miscellaneous

84 Simplified outline of this Part

85 How this Act applies in relation to non-legal persons

86 Delegation by Secretary

87 Rules

88 Review of this Act


Cyber Security Act 2024

No. 98, 2024


An Act relating to cyber security for Australians, and for other purposes

[Assented to 29 November 2024]

The Parliament of Australia enacts:
