This is a Bill, not an Act. For current law, see the Acts databases.
2022-2023-2024
The Parliament of the Commonwealth of Australia
HOUSE OF REPRESENTATIVES
As passed by both Houses

Cyber Security Bill 2024
No. , 2024

A Bill for an Act relating to cyber security for Australians, and for other purposes
Contents

Part 1--Preliminary
    1 Short title
    2 Commencement
    3 Objects
    4 Simplified outline of this Act
    5 Extraterritoriality
    6 Act binds the Crown
    7 Concurrent operation of State and Territory laws
    8 Definitions
    9 Meaning of cyber security incident
    10 Meaning of permitted cyber security purpose
    11 Disclosure to State body

Part 2--Security standards for smart devices
    Division 1--Preliminary
        12 Simplified outline of this Part
        13 Application of this Part
    Division 2--Security standards for relevant connectable products
        14 Security standards for relevant connectable products
        15 Compliance with security standard for a relevant connectable product
        16 Obligation to provide and supply products with a statement of compliance with security standard
    Division 3--Enforcement
        17 Compliance notice
        18 Stop notice
        19 Recall notice
        20 Public notification of failure to comply with recall notice
    Division 4--Miscellaneous
        21 Revocation and variation of notices given under this Part
        22 Internal review of decision to give compliance, stop or recall notice
        23 Examination to assess compliance with security standard and statement of compliance
        24 Acquisition of property

Part 3--Ransomware reporting obligations
    Division 1--Preliminary
        25 Simplified outline of this Part
    Division 2--Reporting obligations
        26 Application of this Part
        27 Obligation to report following a ransomware payment
        28 Liability
    Division 3--Protection of information
        29 Ransomware payment reports may only be used or disclosed for permitted purposes
        30 Limitations on secondary use and disclosure of information in ransomware payment reports
        31 Legal professional privilege
        32 Admissibility of information in ransomware payment report against reporting business entity

Part 4--Coordination of significant cyber security incidents
    Division 1--Preliminary
        33 Simplified outline of this Part
        34 Meaning of significant cyber security incident
    Division 2--Voluntary information sharing with the National Cyber Security Coordinator
        35 Impacted entity may voluntarily provide information to National Cyber Security Coordinator in relation to a significant cyber security incident
        36 Voluntary provision of information in relation to other incidents or cyber security incidents
        37 Role of the National Cyber Security Coordinator
    Division 3--Protection of information
        38 Information provided in relation to a significant cyber security incident--use and disclosure by National Cyber Security Coordinator
        39 Information provided in relation to other incidents--use and disclosure by National Cyber Security Coordinator
        40 Limitations on secondary use and disclosure
        41 Legal professional privilege
        42 Admissibility of information voluntarily given by impacted entity
        43 National Cyber Security Coordinator not compellable as witness
    Division 4--Miscellaneous
        44 Interaction with other requirements to provide information in relation to a cyber security incident

Part 5--Cyber Incident Review Board
    Division 1--Preliminary
        45 Simplified outline of this Part
    Division 2--Reviews
        46 Board must cause reviews to be conducted
        47 Board may discontinue a review
        48 Chair may request information or documents
        49 Chair may require certain entities to produce documents
        50 Civil penalty--failing to comply with a notice to produce documents
        51 Draft review reports
        52 Final review reports
        53 Certain information must be redacted from final review reports
        54 Protected review reports
    Division 3--Protection of information relating to reviews
        55 Limitations on use and disclosure by the Board
        56 Limitations on secondary use and disclosure
        57 Legal professional privilege
        58 Admissibility of information given by an entity that has been requested or required by the Board
        59 Disclosure of draft review reports prohibited
    Division 4--Establishment, functions and powers of the Board
        60 Cyber Incident Review Board
        61 Constitution of the Board
        62 Functions of the Board
        63 Independence
    Division 5--Terms and conditions of appointment of the Chair and members of the Board
        64 Appointment of Chair
        65 Remuneration of the Chair
        66 Appointment of standing members of the Board
        67 Remuneration of standing members of the Board
        68 Acting Chair
        69 Terms and conditions etc. for standing members
    Division 6--Expert Panel, staff assisting and consultants
        70 Expert Panel
        71 Arrangements relating to staff of the Department
        72 Consultants
    Division 7--Other matters relating to the Board
        73 Board procedures
        74 Liability
        75 Certification of involvement in review
        76 Annual report
        77 Rules may prescribe reporting requirements etc.

Part 6--Regulatory powers
    Division 1--Preliminary
        78 Simplified outline of this Part
    Division 2--Civil penalty provisions, enforceable undertakings and injunctions
        79 Civil penalty provisions, enforceable undertakings and injunctions
    Division 3--Monitoring and investigation powers
        80 Monitoring powers
        81 Investigation powers
    Division 4--Infringement notices
        82 Infringement notices
    Division 5--Other matters
        83 Contravening a civil penalty provision

Part 7--Miscellaneous
    84 Simplified outline of this Part
    85 How this Act applies in relation to non-legal persons
    86 Delegation by Secretary
    87 Rules
    88 Review of this Act
A Bill for an Act relating to cyber security for Australians, and for other purposes

The Parliament of Australia enacts:

Part 1--Preliminary

1 Short title

This Act is the Cyber Security Act 2024.

2 Commencement

(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information

Column 1 (Provisions) | Column 2 (Commencement) | Column 3 (Date/Details)
1. Part 1 and anything in this Act not elsewhere covered by this table | The day after this Act receives the Royal Assent. |
2. Part 2 | A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 12 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. |
3. Part 3 | A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 6 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. |
4. Part 4 | The day after this Act receives the Royal Assent. |
5. Part 5 | A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 6 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. |
6. Parts 6 and 7 | The day after this Act receives the Royal Assent. |

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.
3 Objects

The objects of this Act are to:
    (a) improve the cyber security of products that:
        (i) can connect directly or indirectly to the internet; and
        (ii) will be acquired in Australia;
    by requiring manufacturers and suppliers of those products to comply with security standards specified in the rules; and
    (b) encourage the provision of information relating to the provision of payments or benefits (called ransomware payments) to entities seeking to benefit from cyber security incidents by imposing reporting obligations on entities in relation to the payment of such payments or benefits; and
    (c) facilitate the whole of Government response to significant cyber security incidents by providing for the National Cyber Security Coordinator to lead across the whole of Government the coordination and triaging of action in response to significant cyber security incidents; and
    (d) prevent, improve the detection of, improve the response to and minimise the impact of cyber security incidents by establishing the Cyber Incident Review Board to:
        (i) cause reviews to be conducted in relation to certain cyber security incidents; and
        (ii) make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, incidents of a similar nature in the future; and
    (e) improve the response to and minimise the impact of cyber security incidents (including imminent incidents) through encouraging entities impacted, or probably impacted, by such cyber security incidents to provide information to the Australian Government about the incidents by ensuring that:
        (i) the information provided is only used and disclosed for limited purposes; and
        (ii) the information provided is not admissible in evidence in proceedings against the entities that provided the information; and
    (f) to facilitate the sharing of information about cyber security incidents with State and Territory Governments for limited purposes, with their consent that the information is only to be used and disclosed for limited purposes.
4 Simplified outline of this Act

This Act provides for mandatory security standards for certain products that can directly or indirectly connect to the internet (called relevant connectable products).

This Act also provides an obligation to report payments or benefits (called ransomware payments) provided to an entity that is seeking to benefit from a cyber security incident.

Information may be voluntarily provided to the National Cyber Security Coordinator in relation to a significant cyber security incident. The National Cyber Security Coordinator's role is to lead across the whole of Government the coordination and triaging of action in response to a significant cyber security incident.

The Cyber Incident Review Board is established by this Act. Its functions include causing reviews to be conducted in relation to certain cyber security incidents. A review will make recommendations to Government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, incidents of a similar nature in the future.

Information provided by entities under provisions of this Act may only be used and disclosed for limited purposes. Certain information provided to the Australian Government under this Act is not admissible in evidence in proceedings against the entity that provided the information.

A range of compliance and enforcement powers are provided for, including by applying the Regulatory Powers (Standard Provisions) Act 2014.

This Act also deals with administrative matters such as delegations and the power to make rules.
5 Extraterritoriality

This Act applies both within and outside Australia.

Note: This Act extends to every external Territory.

6 Act binds the Crown

(1) This Act binds the Crown in each of its capacities.
(2) This Act does not make the Crown liable to be prosecuted for an offence.
Note: The Crown (other than a Crown authority) is not liable to a pecuniary penalty for the breach of a civil penalty provision or to be given an infringement notice: see subsections 79(8) and 82(7).
(3) The protection in subsection (2) does not apply to an authority of the Crown.

7 Concurrent operation of State and Territory laws

This Act is not intended to exclude or limit the operation of a law of a State or Territory to the extent that that law is capable of operating concurrently with this Act.
8 Definitions

In this Act:

ASD means the Australian Signals Directorate.

benefit includes any advantage and is not limited to property.

business has the same meaning as in the Income Tax Assessment Act 1997.

Chair means the Chair of the Cyber Incident Review Board.

civil penalty provision has the same meaning as in the Regulatory Powers Act.

Commonwealth body means:
    (a) a Minister of the Commonwealth; or
    (b) a Department of State of the Commonwealth; or
    (c) a body (whether incorporated or not) that:
        (i) is established, or continued in existence, for a public purpose by or under a law of the Commonwealth; and
        (ii) is not an authority of the Crown.

Commonwealth enforcement body means:
    (a) the Australian Federal Police; or
    (b) the Australian Prudential Regulation Authority; or
    (c) the Australian Securities and Investments Commission; or
    (d) the Inspector of the National Anti-Corruption Commission; or
    (e) the Office of the Director of Public Prosecutions; or
    (f) the National Anti-Corruption Commissioner; or
    (g) Sport Integrity Australia; or
    (h) another Commonwealth body, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction for a criminal offence.

Commonwealth officer has the same meaning as in Part 5.6 of the Criminal Code.

computer has the same meaning as in the Security of Critical Infrastructure Act 2018.

coronial inquiry means a coronial inquiry, coronial investigation or coronial inquest under a law of the Commonwealth, or of a State or Territory.

critical infrastructure asset has the same meaning as in the Security of Critical Infrastructure Act 2018.

Cyber Incident Review Board or Board means the Cyber Incident Review Board established by section 60.

cyber security incident has the meaning given by section 9.

designated Commonwealth body means:
    (a) a Department, or a body established by a law of the Commonwealth, specified in the rules; or
    (b) if no rules are made for the purposes of paragraph (a)--the Department and ASD.

draft review report has the meaning given by subsection 51(1).

entity means any of the following:
    (a) an individual;
    (b) a body corporate;
    (c) a partnership;
    (d) an unincorporated association that has a governing body;
    (e) a trust;
    (f) an entity that is a responsible entity for a critical infrastructure asset.

Expert Panel means the Expert Panel established by the Board under section 70.

final review report has the meaning given by subsection 52(1).

intelligence agency means:
    (a) the agency known as the Australian Criminal Intelligence Commission established by the Australian Crime Commission Act 2002; or
    (b) the Australian Geospatial-Intelligence Organisation; or
    (c) the Australian Secret Intelligence Service; or
    (d) the Australian Security Intelligence Organisation; or
    (e) ASD; or
    (f) the Defence Intelligence Organisation; or
    (g) the Office of National Intelligence.

internet-connectable product has the meaning given by subsection 13(4).

manufacturer has the same meaning as in the Australian Consumer Law.

National Cyber Security Coordinator means:
    (a) the officer of the Department known as the National Cyber Security Coordinator; and
    (b) the APS employees, and officers or employees of Commonwealth bodies, whose services are made available to the officer in connection with the performance of any of the officer's functions or the exercise of any of the officer's powers under this Act.

network-connectable product has the meaning given by subsection 13(5).

permitted cyber security purpose for a cyber security incident has the meaning given by section 10.

personal information has the same meaning as in the Privacy Act 1988.

protected review report has the meaning given by subsection 54(1).

ransomware payment has the meaning given by subsection 26(1).

ransomware payment report means a report given by an entity under subsection 27(1).

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

relevant connectable product has the meaning given by subsection 13(2).

reporting business entity has the meaning given by subsection 26(2).

responsible entity, for an asset, has the same meaning as in the Security of Critical Infrastructure Act 2018.

Secretary means the Secretary of the Department.

sensitive information has the same meaning as in the Privacy Act 1988.

sensitive review information has the meaning given by subsection 53(2).

significant cyber security incident has the meaning given by section 34.

State body means:
    (a) a Minister of a State or Territory; or
    (b) a Department of State of a State or Territory or a Department of the Public Service of a State or Territory; or
    (c) a body (whether incorporated or not) that:
        (i) is established, or continued in existence, for a public purpose by or under a law of a State or Territory; and
        (ii) is not an authority of the Crown.

supply has the same meaning as in the Australian Consumer Law and supplied and supplier have corresponding meanings.
9 Meaning of cyber security incident

(1) A cyber security incident is one or more acts, events or circumstances:
    (a) of a kind covered by the meaning of cyber security incident in the Security of Critical Infrastructure Act 2018; or
    (b) involving unauthorised impairment of electronic communication to or from a computer, within the meaning of that phrase in that Act, but as if that phrase did not exclude the mere interception of any such communication.
(2) However, an incident is only a cyber security incident for the purposes of this Act if:
    (a) the incident involves a critical infrastructure asset; or
    (b) the incident involves the activities of an entity that is a corporation to which paragraph 51(xx) of the Constitution applies; or
    (c) the incident is or was effected by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
    (d) the incident is impeding or impairing, or has impeded or impaired, the ability of a computer to connect to such a service; or
    (e) the incident has seriously prejudiced or is seriously prejudicing:
        (i) the social or economic stability of Australia or its people; or
        (ii) the defence of Australia; or
        (iii) national security.
10 Meaning of permitted cyber security purpose

Each of the following is a permitted cyber security purpose for a cyber security incident:
    (a) the performance of the functions of a Commonwealth body (to the extent that it is not a Commonwealth enforcement body) relating to responding to, mitigating or resolving the cyber security incident;
    (b) the performance of the functions of a State body relating to responding to, mitigating or resolving the cyber security incident;
    (c) the performance of the functions of the National Cyber Security Coordinator under Part 4 relating to the cyber security incident;
    (d) informing and advising the Minister, and other Ministers of the Commonwealth, about the cyber security incident;
    (e) preventing or mitigating material risks that the cyber security incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice:
        (i) the social or economic stability of Australia or its people; or
        (ii) the defence of Australia; or
        (iii) national security;
    (f) preventing or mitigating material risks to a critical infrastructure asset;
    (g) the performance of the functions of an intelligence agency;
    (h) the performance of the functions of a Commonwealth enforcement body.

Note 1: There are some limitations in relation to civil or regulatory functions against entities that have provided information in relation to the incident: see subsections 38(2) and 39(3).

Note 2: Certain information must not be disclosed to a State body under Parts of this Act unless a Minister of the State or Territory has consented to those Parts applying to the State body: see section 11.
11 Disclosure to State body

(1) Despite any other provision of this Act, information that may be disclosed to a State body under Part 3, 4 or 5 must not be disclosed to the State body under that Part unless:
    (a) a Minister of the State or Territory has informed the Minister administering this Act, in writing, that the State or Territory gives consent to the provisions of that Part applying to the State body; and
    (b) a Minister of the State or Territory has not informed the Minister administering this Act, in writing, that the State or Territory withdraws that consent.
(2) For the purposes of paragraph (1)(a), a Minister of a State or Territory may give consent in relation to all State bodies, a class of State bodies, or particular State bodies, of that State or Territory.
Part 2--Security standards for smart devices

Division 1--Preliminary

12 Simplified outline of this Part

The rules may provide mandatory security standards for products that can directly or indirectly connect to the internet (called relevant connectable products) that will be acquired in Australia in specified circumstances.

If the rules provide a security standard for a product:
    (a) manufacturers must manufacture the product in compliance with the requirements of the security standard if they are aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances; and
    (b) those manufacturers must also comply with any other obligations relating to the product in the security standard (for example, obligations to publish information about the product); and
    (c) if the product does not comply it must not be supplied in Australia if the supplier is aware, or could reasonably be expected to be aware, that the products will be acquired in Australia in those specified circumstances; and
    (d) those suppliers must supply the product in Australia accompanied by a statement of compliance.

A compliance notice, a stop notice and a recall notice may be given for non-compliance with obligations in this Part. Internal review may be sought for a decision to issue a notice.

An independent audit of a product may be undertaken to determine compliance with the requirements of a security standard or requirements for the statement of compliance. The Secretary may request the manufacturer or supplier to provide the product, the statement of compliance or both for the purposes of the audit.
13 Application of this Part

(1) This Part applies to a relevant connectable product that is:
    (a) manufactured on or after the commencement of this Part; or
    (b) supplied (other than as second hand goods) on or after the commencement of this Part.
(2) A relevant connectable product is a product that:
    (a) is an internet-connectable product or a network-connectable product; and
    (b) is not exempted under the rules.
(3) For the purposes of paragraph (2)(b), the rules may specify that:
    (a) classes of products are exempted; or
    (b) particular products are exempted.
(4) An internet-connectable product is a product that is capable of connecting to the internet using a communication protocol that forms part of the internet protocol suite to send and receive data over the internet.
(5) A network-connectable product is a product that:
    (a) is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy; and
    (b) is not an internet-connectable product; and
    (c) meets the condition in subsection (6) or (7).
(6) A product meets the condition in this subsection if it is capable of connecting directly to an internet-connectable product by means of a communication protocol that forms part of the internet protocol suite.
(7) Subject to subsections (8) and (9), a product meets the condition in this subsection if:
    (a) it is capable of connecting directly to 2 or more products at the same time by means of a communication protocol that does not form part of the internet protocol suite; and
    (b) it is capable of connecting directly to an internet-connectable product by means of such a communication protocol (whether or not at the same time as it connects to any other product).
(8) A product consisting of a wire or cable that is used merely to connect the product to another product does not meet the condition in subsection (7).
(9) If:
    (a) two or more products are designed to be used together for the purposes of facilitating the use of a computer (within the ordinary meaning of that expression); and
    (b) at least one of the products (the linking product) is capable of connecting directly to an internet-connectable product (whether the computer or some other product) by means of a communication protocol that does not form part of the internet protocol suite; and
    (c) each of the products (the input products) that is not a linking product is capable of connecting directly to the linking product, or, if there is more than one linking product, to each linking product:
        (i) wirelessly; and
        (ii) by means of a communication protocol that does not form part of the internet protocol suite;
    each of the input products meets the condition in subsection (7).
(10) For the purposes of subsections (4) to (9), a product is not prevented from being regarded as connecting directly to another product merely because the connection involves the use of a wire or cable.
Division 2--Security standards for relevant connectable products

14 Security standards for relevant connectable products
(1) The rules may make provision for, or in relation to, security standards for specified classes of relevant connectable products that will be acquired in Australia in specified circumstances.
(2) Without limiting subsection (1) a class of relevant connectable products specified for the purposes of that subsection may consist of a particular relevant connectable product or of all relevant connectable products.
(3) Despite subsection 14(2) of the Legislation Act 2003, the rules may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in an instrument or other writing as in force or existing from time to time.

15 Compliance with security standard for a relevant connectable product
Manufacturer must comply
(1) An entity must manufacture a relevant connectable product in compliance with the requirements of the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances if:
  (a) the product is included in that class; and
  (b) the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.
(2) The entity must comply with any other requirements of the security standard that apply to the manufacturer of a product included in that class.
(3) An entity must not supply a product in Australia that was not manufactured in compliance with the requirements of the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances if:
  (a) the product is included in that class; and
  (b) the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.
(4) The entity must comply with any other requirements of the security standard that apply to the supplier of a product included in that class.
Exception
(5) However, to the extent that a requirement in the security standard does not relate to any of the matters in subsection (6), an entity is not required to comply with subsections (1) to (4) if the entity is not:
  (a) an entity that is a corporation to which paragraph 51(xx) of the Constitution applies; or
  (b) an entity that is undertaking activities in the course of, or in relation to, trade or commerce with other countries, among the States, between Territories or between a Territory and a State.
(6) The matters are the following:
  (a) the direct, or indirect, connection of the relevant connectable product to, a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, connection to the internet);
  (b) the direct, or indirect, use by the relevant connectable product of such a service (including, for example, use of the internet);
  (c) measures that would protect the relevant connectable product from an attack effected by means of such a service (including, for example, by means of the internet).
16 Obligation to provide and supply products with a statement of compliance with security standard
Manufacturer must provide statement of compliance
(1) An entity that manufactures a relevant connectable product must provide, for the supply of the product in Australia, a statement of compliance with the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances if:
  (a) the product is included in that class; and
  (b) the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.
(2) The entity must retain a copy of the statement of compliance for the period specified in the rules for that class of statements.
Supplier must supply the product with statement of compliance
(3) An entity that supplies a relevant connectable product in Australia must supply the product with a statement of compliance with the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances if:
  (a) the product is included in that class; and
  (b) the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.
(4) The entity must retain a copy of the statement of compliance for the period specified in the rules for that class of statements.
Requirements for statement of compliance
(5) The statement of compliance with the security standard under subsection (1) or (2) must meet the requirements provided by the rules for that class of statements.
Matters relating to the rule making powers
(6) Without limiting subsection (2), (4) or (5) a class of statements may consist of a statement for a particular relevant connectable product or a particular security standard or all relevant connectable products or all security standards.
Division 3--Enforcement

17 Compliance notice
(1) The Secretary may give an entity that must comply with an obligation under section 15 or 16 a compliance notice if the Secretary:
  (a) is reasonably satisfied that the entity is not complying with the obligation; or
  (b) is aware of information that suggests that the entity may not be complying with the obligation.
(2) The compliance notice must:
  (a) set out the name of the entity to which the notice is given; and
  (b) set out brief details of the non-compliance or possible non-compliance; and
  (c) specify action within the entity's control that the entity must take in order to address the non-compliance or possible non-compliance; and
  (d) specify a reasonable period within which the entity must take the specified action; and
  (e) if the Secretary considers it appropriate--specify a reasonable period within which the entity must provide the Secretary with evidence that the entity has taken the specified action; and
  (f) explain what may happen if the entity does not comply with the notice; and
  (g) explain how the entity may seek review of the decision to issue the notice; and
  (h) set out any other matters prescribed by the rules.
(3) Before giving the notice to the entity, the Secretary must:
  (a) notify the entity that the Secretary intends to give the notice to the entity; and
  (b) give the entity a specified period (which must not be shorter than 10 days) to make representations about the giving of the notice.
(4) Only one compliance notice may be given to an entity in relation to a particular instance of the entity's non-compliance, or possible non-compliance, with an obligation under section 15 or 16.

18 Stop notice
(1) The Secretary may give an entity that must comply with an obligation under section 15 or 16 a stop notice if:
  (a) the entity has been given a compliance notice under section 17 in relation to the non-compliance with the obligation; and
  (b) the Secretary is reasonably satisfied that:
    (i) the entity has not complied with the compliance notice; or
    (ii) actions taken by the entity to rectify non-compliance with the obligation (whether in accordance with the compliance notice or otherwise) are inadequate to rectify the non-compliance.
(2) The stop notice must:
  (a) set out the name of the entity to which the notice is given; and
  (b) set out brief details of the non-compliance; and
  (c) specify action within the entity's control that the entity must take, or refrain from taking, in order to address the non-compliance; and
  (d) specify a reasonable period within which the entity must take the specified action or refrain from taking the specified action; and
  (e) if the Secretary considers it appropriate--specify a reasonable period within which the entity must provide the Secretary with evidence that the entity has taken the specified action or refrained from taking the specified action; and
  (f) explain what may happen if the entity does not comply with the notice; and
  (g) explain how the entity may seek review of the decision to issue the notice; and
  (h) set out any other matters prescribed by the rules.
(3) Before giving the notice to the entity, the Secretary must:
  (a) notify the entity that the Secretary intends to give the notice to the entity; and
  (b) give the entity a specified period (which must not be shorter than 10 days) to make representations about the giving of the notice.
(4) Only one stop notice may be given to an entity in relation to a particular instance of the entity's non-compliance with an obligation under section 15 or 16.

19 Recall notice
(1) The Secretary may give an entity that must comply with an obligation under section 15 or 16 a recall notice if:
  (a) the entity has been given a stop notice under section 18 in relation to the non-compliance with the obligation; and
  (b) the Secretary is reasonably satisfied that:
    (i) the entity has not complied with the stop notice; or
    (ii) actions taken by the entity to rectify the non-compliance with the obligation (whether in accordance with the compliance notice or otherwise) are inadequate to rectify the non-compliance.
(2) The recall notice must:
  (a) set out the name of the entity to which the notice is given; and
  (b) set out brief details of the non-compliance; and
  (c) specify action that the entity must take to do any or all of the following:
    (i) ensure, to the extent within the entity's control, the product is not acquired in Australia;
    (ii) ensure, to the extent within the entity's control, that the product is not supplied to suppliers for supply in Australia;
    (iii) arrange for the return, within a specified reasonable period, of the product to the entity, or if the entity is not the manufacturer of the product, the manufacturer of the product; and
  (d) specify a reasonable period within which the entity must take the specified action; and
  (e) if the Secretary considers it appropriate--specify a reasonable period within which the entity must provide the Secretary with evidence that the entity has taken the specified action; and
  (f) explain what may happen if the entity does not comply with the notice; and
  (g) explain how the entity may seek review of the decision to issue the notice; and
  (h) set out any other matters prescribed by the rules.
(3) Before giving the notice to the entity, the Secretary must:
  (a) notify the entity that the Secretary intends to give the notice to the entity; and
  (b) give the entity a specified period (which must not be shorter than 10 days) to make representations about the giving of the notice.
(4) Only one recall notice may be given to an entity in relation to a particular instance of the entity's non-compliance with an obligation under section 15 or 16.

20 Public notification of failure to comply with recall notice
If an entity fails to comply with a recall notice, the Minister may publish the following information on the Department's website, or in any other way the Minister considers appropriate:
  (a) the identity of the entity;
  (b) details of the product;
  (c) details of the non-compliance;
  (d) risks posed by the product relating to the non-compliance;
  (e) any other matters prescribed by the rules.
Division 4--Miscellaneous

21 Revocation and variation of notices given under this Part
Variation
(1) The Secretary may, by notice in writing given to an entity, vary a compliance notice, stop notice or recall notice given under this Part to the entity if the Secretary is reasonably satisfied that the variation is required:
  (a) in order to rectify an error, defect or ambiguity in the notice; or
  (b) to adequately rectify the non-compliance, or possible non-compliance, to which the notice relates.
(2) Before giving the notice to the entity under subsection (1), the Secretary must:
  (a) notify the entity that the Secretary intends to give the notice to the entity; and
  (b) give the entity a specified period (which must not be shorter than 10 days) to make representations about the giving of the notice.
(3) A varied compliance notice, stop notice or recall notice has the same effect as the original notice for the purposes of this Part.
Revocation
(4) The Secretary may, by notice in writing given to an entity, revoke a compliance notice, stop notice or recall notice given under this Part to the entity if the Secretary is no longer satisfied that the grounds for issuing the notice were met.
(5) If a compliance notice, stop notice or recall notice, relating to non-compliance or possible non-compliance by an entity with an obligation, is revoked under subsection (4), no further notices may be issued under this Part in relation to that non-compliance.
22 Internal review of decision to give compliance, stop or recall notice
(1) An entity may apply, in writing, to the Secretary for review (an internal review) of a decision:
  (a) to give the entity a compliance notice under section 17; or
  (b) to give the entity a stop notice under section 18; or
  (c) to give the entity a recall notice under section 19; or
  (d) to vary, under section 21, a notice given to the entity.
(2) An application for an internal review must be made within 30 days after the day on which the notice was given to the entity.
(3) The decision-maker for the internal review is:
  (a) the Secretary; or
  (b) if the Secretary made the decision personally--a person:
    (i) to whom the power to issue a notice of that kind has been delegated under section 86; and
    (ii) that was not involved in the making of the Secretary's decision.
(4) Within 30 days after the application is received, the decision-maker must:
  (a) review the decision; and
  (b) affirm, vary or revoke the decision; and
  (c) if the decision is revoked--make such other decision (if any) that the decision-maker thinks appropriate.
(5) The decision-maker for the reviewable decision must, as soon as practicable after making a decision under subsection (4), give the applicant a written statement of the decision-maker's reasons for the decision.

23 Examination to assess compliance with security standard and statement of compliance
(1) If an entity must comply with an obligation in section 15 or 16 in relation to a relevant connectable product, the Secretary may engage an appropriately qualified and experienced expert to carry out an independent examination of the product to determine either or both of the following:
  (a) whether the product complies with the security standard for the class of relevant connectable product;
  (b) whether the statement of compliance for the product complies with the requirements of section 16.
(2) The expert may examine the product, for example, by doing any of the following:
  (a) opening any package in which the product is contained;
  (b) operating the product;
  (c) testing or analysing the product, including through the use of electronic equipment;
  (d) if the product contains a record or document--reading the record or document either directly or with the use of an electronic device;
  (e) taking photographs or video recordings of the product.
Request for product and statement of compliance
(3) For the purposes of the examination, the Secretary may request, by notice in writing, the entity to provide the product, or the statement of compliance for the product, or both.
(4) The notice must:
  (a) specify the product; and
  (b) if the entity is not the manufacturer--specify the manufacturer of the product (if known); and
  (c) specify a reasonable period within which the entity must provide the notice; and
  (d) specify the period for which the product will be retained for testing; and
  (e) specify the requirements of the security standard that the product will be tested against; and
  (f) explain the kind of testing or analysis that will be done; and
  (g) explain what may happen if:
    (i) the entity does not comply with the notice; or
    (ii) the entity does not comply with its obligations in section 15 or 16 in relation to the product; and
  (h) set out any other matters prescribed by the rules.
Compensation
(5) An entity is entitled to be paid by the Commonwealth reasonable compensation for complying with a request under subsection (3).

24 Acquisition of property
This Part has no effect to the extent (if any) that its operation would result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) from a person otherwise than on just terms (within the meaning of that paragraph).
Part 3--Ransomware reporting obligations

Division 1--Preliminary

25 Simplified outline of this Part
This Part imposes reporting obligations on certain entities who are impacted by a cyber security incident, and who have provided or are aware that another entity has provided, a payment or benefit (called a ransomware payment) to an entity that is seeking to benefit from the impact or the cyber security incident.
Particular information must be included in a ransomware payment report, including information relating to the cyber security incident, the demand made by the extorting entity and the ransomware payment.
An entity may be liable to a civil penalty if the entity fails to make a ransomware payment report as required by this Part.
Division 2--Reporting obligations

26 Application of this Part
(1) This Part applies if:
  (a) an incident has occurred, is occurring or is imminent; and
  (b) the incident is a cyber security incident; and
  (c) the incident has had, is having, or could reasonably be expected to have, a direct or indirect impact on a reporting business entity; and
  (d) an entity (the extorting entity) makes a demand of the reporting business entity, or any other entity, in order to benefit from the incident or the impact on the reporting business entity; and
  (e) the reporting business entity provides, or is aware that another entity has provided on their behalf, a payment or benefit (a ransomware payment) to the extorting entity that is directly related to the demand.
(2) An entity is a reporting business entity if, at the time the ransomware payment is made:
  (a) the entity:
    (i) is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold for that year; and
    (ii) is not a Commonwealth body or a State body; and
    (iii) is not a responsible entity for a critical infrastructure asset; or
  (b) the entity is a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies.
(3) For the purposes of subparagraph (2)(a)(i), the turnover threshold is:
  (a) if a business has been carried on for only part of the previous financial year--the amount worked out in the manner prescribed by the rules; or
  (b) in any other case--the amount prescribed by, or worked out in the manner prescribed by, the rules.
Presumption
(4) For the purposes of paragraph (1)(b), an incident (other than an incident covered by paragraph 9(2)(a) or (b)) is presumed to be a cyber security incident if:
  (a) the incident was probably effected, is probably being effected or could reasonably be expected to be effected, by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
  (b) the incident has probably impeded or impaired, or is probably impeding or impairing or could reasonably be expected to impede or impair, the ability of a computer to connect to such a service; or
  (c) the incident has probably seriously prejudiced, is probably seriously prejudicing, or could reasonably be expected to prejudice:
    (i) the social or economic stability of Australia or its people; or
    (ii) the defence of Australia; or
    (iii) national security.
Note: Paragraphs 9(2)(a) and (b) cover incidents involving critical infrastructure assets or the activities of corporations to which paragraph 51(xx) of the Constitution applies.
(5) However, subsection (4) does not make an entity liable to a civil penalty under this Part if the incident:
  (a) was not in fact effected by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
  (b) did not in fact impede or impair the ability of a computer to connect to such a service; or
  (c) did not in fact seriously prejudice:
    (i) the social or economic stability of Australia or its people; or
    (ii) the defence of Australia; or
    (iii) national security.

27 Obligation to report following a ransomware payment
(1) The reporting business entity must give the designated Commonwealth body a report (a ransomware payment report) that complies with the requirements of this section within 72 hours of making the ransomware payment or becoming aware that the ransomware payment has been made (whichever is applicable).
Note: For the definition of designated Commonwealth body: see section 8.
(2) The ransomware payment report must contain information relating to the following, in accordance with any requirements prescribed by the rules, that, at the time of making the report, the reporting business entity knows or is able, by reasonable search or enquiry, to find out:
  (a) if the reporting business entity made the payment--the reporting business entity's contact and business details;
  (b) if another entity made the payment--that entity's contact and business details;
  (c) the cyber security incident, including its impact on the reporting business entity;
  (d) the demand made by the extorting entity;
  (e) the ransomware payment;
  (f) communications with the extorting entity relating to the incident, the demand and the payment.
(3) The reporting business entity may include other information relating to the cyber security incident in the ransomware payment report.
(4) The ransomware payment report must be given:
  (a) in the form approved by the Secretary (if any); and
  (b) in the manner (if any) prescribed by the rules.
(5) An entity is liable to a civil penalty if the entity contravenes subsection (1).
Civil penalty: 60 penalty units.
(6) Subsection 93(2) of the Regulatory Powers Act does not apply in relation to a contravention of subsection (1) of this section.

28 Liability
(1) An entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with section 27.
(2) An officer, employee or agent of an entity is not liable to an action for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).
(3) An entity that wishes to rely on subsection (1) in relation to an action or other proceeding bears an evidential burden (within the meaning of the Regulatory Powers Act) in relation to that matter.
Division 3--Protection of information

29 Ransomware payment reports may only be used or disclosed for permitted purposes
Permitted use and disclosure
(1) A designated Commonwealth body may make a record of, use or disclose information provided in a ransomware payment report by a reporting business entity, but only for the purposes of one or more of the following:
  (a) assisting the reporting business entity, and other entities acting on behalf of the reporting business entity, to respond to, mitigate or resolve the cyber security incident;
  (b) performing functions or exercising powers under this Part or Part 6 as it applies to this Part;
  (c) proceedings under, or arising out of, section 137.1 or 137.2 of the Criminal Code (false and misleading information and documents) that relate to this Act;
  (d) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
  (e) the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;
  (f) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;
  (g) the performance of the functions of the National Cyber Security Coordinator under Part 4 relating to a cyber security incident;
  (h) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
  (i) the performance of the functions of an intelligence agency.
Note: Certain information must not be disclosed to a State body under Parts of this Act unless a Minister of the State or Territory has consented to those Parts applying to the State body: see section 11.
Restriction on use and disclosure for civil or regulatory action
(2) However, the designated Commonwealth body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the reporting business entity of a Commonwealth, State or Territory law other than:
  (a) a contravention by the reporting business entity of this Part; or
  (b) a contravention by the reporting business entity of a law that imposes a penalty or sanction for a criminal offence.
Note: See also section 32 in relation to admissibility of the information in proceedings against the reporting business entity.
Interaction with the Privacy Act 1988
(3) Subsection (1) does not authorise the designated Commonwealth body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(4) Subsection (1) does not prohibit the recording, use or disclosure of the following information:
  (a) information that has been provided to the designated Commonwealth body by, or on behalf of, the entity to the Commonwealth to comply with:
    (i) a requirement in Part 2B of the Security of Critical Infrastructure Act 2018; or
    (ii) a requirement under the Telecommunications Act 1997; or
    (iii) a requirement under a law prescribed by the rules;
  (b) information that has already been lawfully made available to the public.

30 Limitations on secondary use and disclosure of information in ransomware payment reports
(1) This section applies to information that:
  (a) has been provided in a ransomware payment report by a reporting business entity; and
  (b) has been obtained by another entity, Commonwealth body or State body under subsection 29(1) or this section; and
  (c) is held by the other entity, Commonwealth body or State body.
Note: This section does not apply to the information to the extent that it has been otherwise obtained by the other entity, Commonwealth body or State body.
Permitted use and disclosure
(2) The other entity, Commonwealth body or State body may make a record of, use or disclose the information but only for the purposes of one or more of the following:
  (a) assisting the reporting business entity, and other entities acting on behalf of the reporting business entity, to respond to, mitigate or resolve the cyber security incident;
  (b) performing functions or exercising powers under this Part or Part 6 as it applies to this Part;
  (c) proceedings under, or arising out of, section 137.1 or 137.2 of the Criminal Code (false and misleading information and documents) that relate to this Act;
  (d) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
  (e) the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;
  (f) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;
  (g) the performance of the functions of the National Cyber Security Coordinator under Part 4 relating to a cyber security incident;
  (h) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
  (i) the performance of the functions of an intelligence agency.
Restriction on use and disclosure for civil or regulatory action
(3) However, the other entity, Commonwealth body or State body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention, by the reporting business entity, of a Commonwealth, State or Territory law other than:
  (a) a contravention by the reporting business entity of this Part; or
  (b) a contravention by the reporting business entity of a law that imposes a penalty or sanction for a criminal offence.
Interaction with the Privacy Act 1988
(4) Subsection (2) does not authorise the other entity, Commonwealth body or State body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(5) Subsection (2) does not prohibit:
  (a) recording, use or disclosure of information referred to in subsection 29(4); or
  (b) if the other entity is an individual--recording, use or disclosure of personal information about the individual; or
  (c) recording, use or disclosure of the reporting business entity's own information, with the consent of the reporting business entity, by another entity, a Commonwealth body or a State body; or
  (d) recording, use or disclosure of information for the purposes of carrying out a State's constitutional functions, powers or duties.
Civil penalty for contravention of this section
(6) An entity is liable to a civil penalty if:
  (a) the entity contravenes subsection (2); and
  (b) the entity is not a Commonwealth officer; and
  (c) any of the following applies:
    (i) the information is sensitive information about an individual and the individual has not consented to the record, use or disclosure of the information;
    (ii) the information is confidential or commercially sensitive;
    (iii) the record, use or disclosure of the information would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.
Note 1: See the Criminal Code for offences for Commonwealth officers.
Note 2: This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.
Civil penalty: 60 penalty units.
31 Legal professional privilege
(1) The fact that a reporting business entity provided information in a ransomware payment report does not otherwise affect a claim of legal professional privilege that anyone may make in relation to that information in any proceedings:
  (a) under any Commonwealth, State or Territory law (including the common law); or
  (b) before a tribunal of the Commonwealth, a State or a Territory.
(2) Despite subsection (1), this section does not apply to the following:
  (a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
  (b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(3) This section does not limit or affect any right, privilege or immunity that the reporting business entity has, apart from this section, as a defendant in any proceedings.
32 Admissibility of information in ransomware payment report against reporting business entity
(1) This section applies to information that:
  (a) has been provided in a ransomware payment report by a reporting business entity; and
  (b) has been obtained by a Commonwealth body or State body under section 27, subsection 29(1) or section 30; and
  (c) is held by the Commonwealth body or State body.
Note: This section does not apply to information held by the Commonwealth body or State body to the extent that it has been otherwise obtained.
(2) That information is not admissible in evidence against the reporting business entity in any of the following proceedings:
  (a) criminal proceedings for an offence against a Commonwealth, State or Territory law, other than:
    (i) proceedings for an offence against section 137.1 or 137.2 of the Criminal Code (which deal with false or misleading information or documents) that relates to this Act; or
    (ii) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
  (b) civil proceedings for a contravention of a civil penalty provision of a Commonwealth, State or Territory law, other than a civil penalty provision of this Part;
  (c) proceedings for a breach of any other Commonwealth, State or Territory law (including the common law);
  (d) proceedings before a tribunal of the Commonwealth, a State or a Territory.
(3) However, this section does not apply to the following:
  (a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
  (b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(4) This section does not limit or affect any right, privilege or immunity that the reporting business entity has, apart from this section, as a defendant in any proceedings.
Part 4--Coordination of significant cyber security incidents
Division 1--Preliminary
33 Simplified outline of this Part
Information may be voluntarily provided to the National Cyber Security Coordinator in relation to significant cyber security incidents.
The National Cyber Security Coordinator's role is to lead across the whole of Government the coordination and triaging of action in response to a significant cyber security incident.
Information voluntarily provided under this Part may only be recorded, used and disclosed for limited purposes.
34 Meaning of significant cyber security incident
A cyber security incident is a significant cyber security incident if:
  (a) there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice:
    (i) the social or economic stability of Australia or its people; or
    (ii) the defence of Australia; or
    (iii) national security; or
  (b) the incident is, or could reasonably be expected to be, of serious concern to the Australian people.
Division 2--Voluntary information sharing with the National Cyber Security Coordinator
35 Impacted entity may voluntarily provide information to National Cyber Security Coordinator in relation to a significant cyber security incident
(1) This section applies if:
  (a) an incident has occurred, is occurring or is imminent; and
  (b) the incident is a cyber security incident; and
  (c) the incident has had, is having, or could reasonably be expected to have, a direct or indirect impact on an entity (the impacted entity); and
  (d) the impacted entity is:
    (i) carrying on a business in Australia; or
    (ii) a responsible entity for a critical infrastructure asset to which the Security of Critical Infrastructure Act 2018 applies.
(2) The impacted entity, or another entity acting on behalf of the impacted entity, may provide information about the incident to the National Cyber Security Coordinator if:
  (a) the incident is a significant cyber security incident; or
  (b) the incident could reasonably be expected to be a significant cyber security incident.
Note 1: For information provided in relation to other kinds of cyber security incidents: see sections 36 and 39.
Note 2: This subsection constitutes an authorisation for the National Cyber Security Coordinator to collect the information (including sensitive information) for the purposes of the Privacy Act 1988.
(3) Information about the incident may be provided under subsection (2):
  (a) at any time during the response to the incident; and
  (b) on the impacted entity's own initiative or in response to a request by the National Cyber Security Coordinator.
Note: There is no obligation on the impacted entity to provide information in response to a request.
Presumption
(4) For the purposes of paragraph (1)(b), an incident (other than an incident covered by paragraph 9(2)(a) or (b)) is presumed to be a cyber security incident if:
  (a) the incident was probably effected, is probably being effected or could reasonably be expected to be effected, by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
  (b) the incident has probably impeded or impaired, or is probably impeding or impairing or could reasonably be expected to impede or impair, the ability of a computer to connect to such a service; or
  (c) the incident has probably seriously prejudiced, is probably seriously prejudicing, or could reasonably be expected to prejudice:
    (i) the social or economic stability of Australia or its people; or
    (ii) the defence of Australia; or
    (iii) national security.
Note: Paragraphs 9(2)(a) and (b) cover incidents involving critical infrastructure assets or the activities of corporations to which paragraph 51(xx) of the Constitution applies.
25
(5) However, subsection (4) does not make an entity liable to a civil
26
penalty under this Part if the incident:
27
(a) was not in fact effected by means of a telegraphic, telephonic
28
or other like service within the meaning of paragraph 51(v)
29
of the Constitution (including, for example, by means of the
30
internet); or
31
(b) did not in fact impede or impair the ability of a computer to
32
connect to such a service; or
33
(c) did not in fact seriously prejudice:
34
(i) the social or economic stability of Australia or its
35
people; or
36
    (ii) the defence of Australia; or
    (iii) national security.
36 Voluntary provision of information in relation to other incidents or cyber security incidents
(1) This section applies if:
  (a) an incident has occurred, is occurring or is imminent; and
  (b) an entity (the impacted entity) provides information to the National Cyber Security Coordinator in relation to the incident; and
  (c) it is unclear at the time the information is provided whether the incident is a cyber security incident or a significant cyber security incident.
(2) The National Cyber Security Coordinator may collect and use the information for the purposes of determining whether the incident is a cyber security incident or a significant cyber security incident.
Note: This subsection constitutes an authorisation for the National Cyber Security Coordinator to collect the information (including sensitive information) for the purposes of the Privacy Act 1988.
37 Role of the National Cyber Security Coordinator
The role of the National Cyber Security Coordinator includes, but is not limited to, the following:
  (a) to lead across the whole of Government the coordination and triaging of action in response to a significant cyber security incident;
  (b) to inform and advise the Minister and the whole of Government in relation to the whole of Government response to a significant cyber security incident.
Division 3--Protection of information
38 Information provided in relation to a significant cyber security incident--use and disclosure by National Cyber Security Coordinator
Permitted use and disclosure
(1) The National Cyber Security Coordinator may make a record of, use or disclose information provided under subsection 35(2) by, or on behalf of, an entity (the impacted entity) in relation to a cyber security incident but only for the purposes of one or more of the following:
  (a) assisting the impacted entity, and other entities acting on behalf of the impacted entity, to respond to, mitigate or resolve the cyber security incident;
  (b) a permitted cyber security purpose for a cyber security incident.
Note 1: For permitted cyber security purpose for a cyber security incident: see section 10. This includes the functions of the National Cyber Security Coordinator under this Part.
Note 2: Certain information must not be disclosed to a State body under Parts of this Act unless a Minister of the State or Territory has consented to those Parts applying to the State body: see section 11.
Restriction on use and disclosure for civil or regulatory action
(2) However, the National Cyber Security Coordinator must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the impacted entity of a Commonwealth, State or Territory law other than:
  (a) a contravention by the impacted entity of this Part; or
  (b) a contravention by the impacted entity of a law that imposes a penalty or sanction for a criminal offence.
Note: See also section 42 in relation to admissibility of the information in proceedings against the impacted entity.
Interaction with the Privacy Act 1988
(3) Subsection (1) does not authorise the National Cyber Security Coordinator to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(4) Subsection (1) does not prohibit the recording, use or disclosure of the following information:
  (a) information that has been provided by, or on behalf of, the impacted entity to the Commonwealth about the cyber security incident to comply with:
    (i) a requirement in Part 3 of this Act; or
    (ii) a requirement in Part 2B of the Security of Critical Infrastructure Act 2018; or
    (iii) a requirement under the Telecommunications Act 1997; or
    (iv) a requirement under a law prescribed by the rules;
  (b) information that has been provided voluntarily to the National Cyber Security Coordinator by, or on behalf of, the impacted entity, other than under this Part;
  (c) information that has already been lawfully made available to the public.
39 Information provided in relation to other incidents--use and disclosure by National Cyber Security Coordinator
(1) This section applies if:
  (a) an incident has occurred, is occurring or is imminent; and
  (b) an entity (the impacted entity) provides information to the National Cyber Security Coordinator in relation to the incident; and
  (c) the incident either:
    (i) is not a cyber security incident; or
    (ii) is a cyber security incident but is not a significant cyber security incident.
Permitted use and disclosure
(2) The National Cyber Security Coordinator may make a record of, use or disclose the information provided by the impacted entity but only for the purposes of one or more of the following:
  (a) directing the impacted entity to other services that may assist the entity to respond to, mitigate, or resolve the incident;
  (b) if the incident is a cyber security incident--coordinating the whole of Government response to the cyber security incident where the National Cyber Security Coordinator considers such a response is necessary;
  (c) if the incident is a cyber security incident--informing and advising the Minister, and other Ministers of the Commonwealth, about the cyber security incident.
Restriction on use and disclosure for civil or regulatory action
(3) However, the National Cyber Security Coordinator must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the impacted entity of a Commonwealth, State or Territory law other than:
  (a) a contravention by the impacted entity of this Part; or
  (b) a contravention by the impacted entity of a law that imposes a penalty or sanction for a criminal offence.
Note: See also section 42 in relation to admissibility of the information in proceedings against the impacted entity.
Interaction with the Privacy Act 1988
(4) Subsection (2) does not authorise the National Cyber Security Coordinator to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(5) Subsection (2) does not prohibit the recording, use or disclosure of the following information:
  (a) information that has been provided by, or on behalf of, the impacted entity to the Commonwealth about the cyber security incident to comply with:
    (i) a requirement in Part 3 of this Act; or
    (ii) a requirement in Part 2B of the Security of Critical Infrastructure Act 2018; or
    (iii) a requirement under the Telecommunications Act 1997; or
    (iv) a requirement under a law prescribed by the rules;
  (b) information that has been provided voluntarily to the National Cyber Security Coordinator by, or on behalf of, the impacted entity, other than under this Part;
  (c) information that has already been lawfully made available to the public.
40 Limitations on secondary use and disclosure
(1) This section applies to information that:
  (a) has been provided by, or on behalf of, an entity (the impacted entity) under subsection 35(2) or as referred to in subsection 39(1); and
  (b) has been obtained by another entity, a Commonwealth body (other than ASD) or a State body under subsection 38(1) or 39(2) or this section; and
  (c) is held by the other entity, Commonwealth body or State body.
Note 1: This section does not apply to the information to the extent that it has been otherwise obtained by the other entity, Commonwealth body or State body.
Note 2: For ASD, see Division 1A of Part 6 of the Intelligence Services Act 2001.
Permitted use and disclosure
(2) The other entity, Commonwealth body or State body may make a record of, use or disclose the information but only for the purposes of one or more of the following:
  (a) assisting the impacted entity, and other entities acting on behalf of the impacted entity, to respond to, mitigate or resolve the cyber security incident;
  (b) a permitted cyber security purpose for a cyber security incident.
Note: For permitted cyber security purpose for a cyber security incident: see section 10.
Restriction on use and disclosure for civil or regulatory action
(3) However, the other entity, Commonwealth body or State body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the impacted entity of a Commonwealth, State or Territory law other than:
  (a) a contravention by the impacted entity of this Part; or
  (b) a contravention by the impacted entity of a law that imposes a penalty or sanction for a criminal offence.
Interaction with the Privacy Act 1988
(4) Subsection (2) does not authorise the other entity, Commonwealth body or State body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(5) Subsection (2) does not prohibit:
  (a) recording, use or disclosure of information referred to in subsection 38(4) or 39(5); or
  (b) if the other entity is an individual--recording, use or disclosure of personal information about the individual; or
  (c) recording, use or disclosure of the impacted entity's own information, with the consent of the impacted entity, by another entity, a Commonwealth body or a State body; or
  (d) recording, use or disclosure for the purposes of carrying out a State's constitutional functions, powers or duties.
Civil penalty for contravention of this section
(6) An entity is liable to a civil penalty if:
  (a) the entity contravenes subsection (2); and
  (b) the entity is not a Commonwealth officer; and
  (c) any of the following applies:
    (i) the information is sensitive information about an individual and the individual has not consented to the record, use or disclosure of the information;
    (ii) the information is confidential or commercially sensitive;
    (iii) the record, use or disclosure of the information would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.
Note 1: See the Criminal Code for offences for Commonwealth officers.
Note 2: This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.
Civil penalty: 60 penalty units.
41 Legal professional privilege
(1) The fact that an entity provided information to the National Cyber Security Coordinator under subsection 35(2), or as referred to in subsection 39(1), does not otherwise affect a claim of legal professional privilege that anyone may make in relation to that information in any proceedings:
  (a) under any Commonwealth, State or Territory law (including the common law); or
  (b) before a tribunal of the Commonwealth, a State or a Territory.
(2) Despite subsection (1), this section does not apply to the following:
  (a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
  (b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(3) This section does not limit or affect any right, privilege or immunity that the entity has, apart from this section, as a defendant in any proceedings.
42 Admissibility of information voluntarily given by impacted entity
(1) This section applies to information that:
  (a) has been provided by, or on behalf of, an entity (the impacted entity) under subsection 35(2) or as referred to in subsection 39(1); and
  (b) has been obtained by a Commonwealth body or State body under subsection 35(2), 38(1), 39(1), 39(2) or 40(2); and
  (c) is held by the Commonwealth body or State body.
Note: This section does not apply to information held by the Commonwealth body or State body to the extent that it has been otherwise obtained.
(2) That information is not admissible in evidence against the impacted entity in any of the following proceedings:
  (a) criminal proceedings for an offence against a Commonwealth, State or Territory law, other than:
    (i) proceedings for an offence against section 137.1 or 137.2 of the Criminal Code (which deal with false or misleading information or documents) that relates to this Act; or
    (ii) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
  (b) civil proceedings for a contravention of a civil penalty provision of a Commonwealth, State or Territory law, other than a civil penalty provision of this Part;
  (c) proceedings for a breach of any other Commonwealth, State or Territory law (including the common law);
  (d) proceedings before a tribunal of the Commonwealth, a State or a Territory.
(3) However, this section does not apply to the following:
  (a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
  (b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(4) This section does not limit or affect any right, privilege or immunity that the entity has, apart from this section, as a defendant in any proceedings.
43 National Cyber Security Coordinator not compellable as witness
(1) The Secretary may issue a certificate stating that:
  (a) a specified person is, or has been:
    (i) a person referred to in paragraph (a) of the definition of National Cyber Security Coordinator in section 8; or
    (ii) a person referred to in paragraph (b) of the definition of National Cyber Security Coordinator in section 8; and
  (b) the specified person is involved, or has been involved, in a specified matter in which the National Cyber Security Coordinator is performing or has performed functions or is exercising or has exercised powers under this Part.
(2) If, under subsection (1), the Secretary issues a certificate in relation to a person and a specified matter, the person:
  (a) is not obliged to comply with a subpoena or similar direction of a federal court or a court of a State or Territory to attend and answer questions relating to the matter; and
  (b) is not compellable to give an expert opinion in any civil or criminal proceedings in a federal court or a court of a State or Territory in relation to the matter;
but only to the extent that the matter relates to information that has been provided by, or on behalf of, an entity under subsection 35(2) or as referred to in subsection 39(1).
(3) This section does not apply to a coronial inquiry.
Division 4--Miscellaneous
44 Interaction with other requirements to provide information in relation to a cyber security incident
Information provided by an entity under this Part does not affect any other requirement of the entity to provide that information under this Act or another law of the Commonwealth.
Note: For example, the entity may also be required to provide some or all of the information under Part 3 of this Act, Part 2B of the Security of Critical Infrastructure Act 2018 or under the Telecommunications Act 1997.
Part 5--Cyber Incident Review Board
Division 1--Preliminary
45 Simplified outline of this Part
The Cyber Incident Review Board is established by this Part.
The Board must cause reviews to be conducted in relation to certain cyber security incidents. The purpose of a review is to make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, cyber security incidents of a similar nature in the future.
A review panel will be established for each review in accordance with the terms of reference for the review.
The Board consists of the Chair and up to 6 other standing members. The standing members are appointed by the Minister.
The Board may establish an Expert Panel. One or more members of the Expert Panel may be appointed to assist in relation to a review conducted under this Part.
This Part also deals with the appointment of the Chair, standing members and Expert Panel members, and the procedures of the Board.
Division 2--Reviews
46 Board must cause reviews to be conducted
(1) The Cyber Incident Review Board may cause a review to be conducted under this section in relation to a cyber security incident, or a series of related cyber security incidents, on written referral by:
  (a) the Minister; or
  (b) the National Cyber Security Coordinator; or
  (c) an entity impacted by the incident or an incident in the series of incidents; or
  (d) a member of the Board.
Note: Each review is conducted by a particular review panel established for that review in accordance with the terms of reference for the review.
(2) A review may only be conducted under this section:
  (a) if the Board is satisfied that the incident or series of incidents meets the criteria mentioned in subsection (3); and
  (b) after the incident or series of incidents, and the immediate response, has ended; and
  (c) if the Minister has approved the terms of reference for the review.
(3) For the purposes of paragraph (2)(a), the criteria are:
  (a) the incident or series of incidents have seriously prejudiced, or could reasonably be expected to seriously prejudice:
    (i) the social or economic stability of Australia or its people; or
    (ii) the defence of Australia; or
    (iii) national security; or
  (b) the incident or series of incidents involved novel or complex methods or technologies, an understanding of which will significantly improve Australia's preparedness, resilience, or response to cyber security incidents of a similar nature; or
  (c) the incident or series of incidents are, or could reasonably be expected to be, of serious concern to the Australian people.
(4) Each review is to be conducted by a review panel that consists of:
(a) the Chair; and
(b) the standing members of the Board that are specified in the terms of reference for the review; and
(c) the members of the Expert Panel appointed to assist in the review under section 70.
The terms of reference for the review must specify one or more standing members for the review.
(5) The rules may make provision for or in relation to reviews under this Part, including for or in relation to the following:
(a) dealing with written referrals made to the Board;
(b) prioritisation of referrals for review and reviews conducted;
(c) terms of reference for reviews, including their variation;
(d) notification of reviews;
(e) the timing of when reviews may be conducted;
(f) when reviews may be discontinued;
(g) how information or submissions may be provided for reviews.
47 Board may discontinue a review
(1) The Board may discontinue a review at any time.
(2) The Board must, within 28 days of discontinuing a review, publish in any way the Board considers appropriate notice of the review being discontinued.
48 Chair may request information or documents
If the Board reasonably believes that:
(a) an entity; or
(b) a Commonwealth body or a State body; or
(c) an officer or employee of a Commonwealth body or a State body;
has information or documents relevant to a review being conducted under section 46 by a review panel, the Chair may request, by notice in writing, the entity, body, officer or employee to give the Board such information or documents as are specified in the request.
Note 1: There is no requirement to comply with the request.
Note 2: The Chair may require certain entities to give documents under section 49.
49 Chair may require certain entities to produce documents
(1) This section applies if:
(a) the Board reasonably believes that an entity involved in a cyber security incident that relates to a review being conducted under section 46 by a review panel has a document that is relevant to the review; and
(b) the Chair of the Board has requested that the entity provide the document under section 48; and
(c) the entity is not:
(i) a Commonwealth body or a State body; or
(ii) an officer or employee of a Commonwealth body or a State body.
(2) The Chair of the Board may, by notice in writing given to the entity, require the entity to:
(a) produce any such documents; or
(b) make copies of any such documents and to produce those copies;
to the Board within the period (which must not be less than 14 days), and in the manner, specified in the notice.
(3) The notice must set out the effect of the following provisions:
(a) section 50;
(b) Part 6 of this Act (Regulatory powers);
(c) sections 137.1 and 137.2 of the Criminal Code (false or misleading information or documents).
Compensation
(4) An entity is entitled to be paid by the Commonwealth reasonable compensation for complying with a requirement covered by paragraph (2)(b).
50 Civil penalty--failing to comply with a notice to produce documents
(1) An entity is liable to a civil penalty if:
(a) the entity is given a notice under subsection 49(2); and
(b) the entity fails to comply with the notice.
Civil penalty: 60 penalty units.
(2) Subsection (1) does not apply in relation to the production of a document or a copy of a document if the production would, or could reasonably be expected to, prejudice one or more of the following:
(a) the security, defence or international relations of the Commonwealth;
(b) the capabilities of an intelligence agency;
(c) the prevention, detection or investigation of, or the conduct of proceedings relating to, an offence or a contravention of a civil penalty provision;
(d) the administration of justice.
(3) Subsection 93(2) of the Regulatory Powers Act does not apply in relation to a contravention of subsection (1) of this section.
(4) Despite section 96 of the Regulatory Powers Act, in proceedings for a civil penalty order against an entity for a contravention of subsection (1), the entity does not bear an evidential burden in relation to the matters in subsection (2).
Note: This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.
51 Draft review reports
(1) The Board must prepare a draft report (a draft review report) on a review being conducted under section 46 by a review panel.
(2) The draft review report must set out:
(a) the preliminary findings of the review; and
(b) a summary of the information and material on which those preliminary findings are based; and
(c) any recommendations the Board proposes to make; and
(d) if the Board proposes to make recommendations--the reasons for those proposed recommendations; and
(e) if the terms of reference for the review require particular information to be included in the draft review report--that information; and
(f) information (if any) that is prescribed by the rules; and
(g) such other information that the Board thinks fit to include in the draft review report.
(3) The Board must give the draft review report to the Minister.
(4) The Board may give the draft review report, or an extract of the draft review report, to any other Commonwealth body or a State body or entity:
(a) if the Board considers it appropriate to give the body or entity an opportunity to make submissions on the draft review report or the extract; or
(b) for the purposes of determining whether information proposed to be included in the final review report is sensitive review information.
Note 1: The disclosure of sensitive review information may be prohibited under another Act (for example, the Privacy Act 1988). This section does not authorise disclosure if prohibited under that Act: see subsection (7) of this section.
Note 2: Sensitive review information must be redacted from a final review report that is to be published by the Board: see section 53.
(5) If the Board gives a draft review report to the Minister under subsection (3), or a Commonwealth body, State body or entity under subsection (4), the Board must specify a reasonable period within which submissions may be made to the Board on the draft review report.
(6) Submissions must be given in the manner and form (if any) prescribed by the rules.
(7) However, this section does not authorise the Board to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988 or any other Act.
52 Final review reports
(1) After a review is completed under section 46 by the review panel, the Board must prepare a report (a final review report) on the review.
Note 1: The Board must redact sensitive review information from a final review report: see section 53.
Note 2: If information is redacted from a final review report, the Board must also prepare a protected review report: see section 54.
(2) In preparing the final review report, the Board must consider any submissions received under section 51 in relation to the draft review report.
(3) Subject to section 53, the final review report must set out:
(a) the findings of the review; and
(b) a summary of the information and material on which those findings are based; and
(c) any recommendations made by the Board; and
(d) if recommendations are made--the reasons for those recommendations; and
(e) if the terms of reference for the review require particular information to be included in the review report--that information; and
(f) information (if any) that is prescribed by the rules; and
(g) such other information that the Board thinks fit to include in the report.
(4) The Board must not in the final review report:
(a) apportion blame in relation to a cyber security incident that was the subject of the review; or
(b) provide the means to determine the liability of any entity in relation to such a cyber security incident; or
(c) identify an individual (unless the individual has consented); or
(d) allow any adverse inference to be drawn from the fact that an entity is the subject of the review.
However, even though blame or liability may be inferred, or an adverse inference may be made, by a person other than the Board, this does not prevent the Board from including information in the final review report.
(5) This section does not otherwise limit what may be included in the final review report.
(6) The Board must publish the final review report (excluding any information required to be redacted under section 53). The report may be published in any way the Board considers appropriate.
53 Certain information must be redacted from final review reports
(1) Information must be redacted from a final review report if the Chair is satisfied that the information is sensitive review information.
Note: If information is redacted from a final review report, the Board must prepare a protected review report that includes the information, see section 54.
(2) Sensitive review information is information the disclosure of which:
(a) could prejudice the security, defence or international relations of Australia; or
(b) would prejudice relations between the Commonwealth government and the government of a State or Territory; or
(c) could reveal, or enable a person to ascertain, the existence or identity of a confidential source of information in relation to the enforcement of the criminal law; or
(d) could endanger a person's life or physical safety; or
(e) would prejudice the fair trial of any person or the impartial adjudication of a matter; or
(f) would involve disclosing information whose disclosure is prohibited or restricted by or under this Act, another Act or an instrument made under an Act; or
(g) would involve unreasonably disclosing information that is confidential or commercially sensitive; or
(h) would involve the disclosure of personal information about an individual without their consent.
54 Protected review reports
(1) If information must be redacted from a final review report under section 53, the Board must prepare another report (a protected review report) that includes:
(a) the redacted information; and
(b) the reasons for redacting the information from the final review report.
(2) If a protected review report is prepared under this section, the Board must give the Minister, and the Prime Minister, a copy of:
(a) the final review report prepared under section 52; and
(b) a copy of the protected review report.
(3) The Minister may give a copy of the protected review report, or an extract of the protected review report, to any other Commonwealth body, a State body or an entity but only for the purposes of one or more of the following:
(a) the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;
(b) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;
(c) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
(d) the performance of the functions of an intelligence agency.
Division 3--Protection of information relating to reviews
55 Limitations on use and disclosure by the Board
Permitted use and disclosure
(1) The Board may make a record of, use or disclose information provided by an entity, Commonwealth body or State body under section 48, 49 or 51 but only:
(a) for the purposes of one or more of the following:
(i) performing functions or exercising powers under this Part or Part 6 as it applies to this Part;
(ii) proceedings under, or arising out of, section 137.1 or 137.2 of the Criminal Code (false and misleading information and documents) that relate to this Act;
(iii) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
(iv) the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;
(v) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;
(vi) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
(vii) the performance of the functions of an intelligence agency; or
(b) as otherwise authorised by a provision of this Part.
Note: Certain information must not be disclosed to a State body under Parts of this Act unless a Minister of the State or Territory has consented to those Parts applying to the State body: see section 11.
Restriction on use and disclosure for civil or regulatory action
(2) However, the Board must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the entity or body of a Commonwealth, State or Territory law other than:
(a) a contravention by the entity or body of this Part; or
(b) a contravention by the entity or body of a law that imposes a penalty or sanction for a criminal offence.
Note: See also section 58 in relation to admissibility of the information in proceedings.
Interaction with the Privacy Act 1988
(3) Subsection (1) does not authorise the Board to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(4) Subsection (1) does not prohibit the recording, use or disclosure of information that has already been lawfully made available to the public.
56 Limitations on secondary use and disclosure
(1) This section applies to information that:
(a) has been provided to the Board under section 48, 49 or 51; and
(b) has been obtained under section 54 or 55, or this section, by an entity, a Commonwealth body or a State body; and
(c) is held by the entity, Commonwealth body or State body.
Note: This section does not apply to the information to the extent that it has been otherwise obtained by the entity, Commonwealth body or State body.
Permitted use and disclosure
(2) The entity, Commonwealth body or State body may make a record of, use or disclose the information but only:
(a) for the purposes of one or more of the following:
(i) performing functions or exercising powers, or assisting in the performance of functions or the exercise of powers, under this Part or Part 6 as it applies to this Part;
(ii) proceedings under, or arising out of, section 137.1 or 137.2 of the Criminal Code (false and misleading information and documents) that relate to this Act;
(iii) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
(iv) the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;
(v) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;
(vi) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
(vii) the performance of the functions of an intelligence agency; or
(b) as otherwise authorised by a provision of this Part.
Restriction on use and disclosure for civil or regulatory action
(3) However, the entity, Commonwealth body or State body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention, by the entity or body that originally provided the information under section 48, 49 or 51, of a Commonwealth, State or Territory law other than:
(a) a contravention by the entity or body of this Part; or
(b) a contravention by the entity or body of a law that imposes a penalty or sanction for a criminal offence.
Note: See also section 58 in relation to admissibility of the information in proceedings.
Interaction with the Privacy Act 1988
(4) Subsection (2) does not authorise the entity, Commonwealth body or State body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(5) Subsection (2) does not prohibit:
(a) recording, use or disclosure of information that has already been lawfully made available to the public (for example, in the publication of the final review report); or
(b) if the entity is an individual--recording, use or disclosure of personal information about the individual; or
(c) if the entity or body is the entity or body that originally provided the information under section 48, 49 or 51--the entity's or body's own information; or
(d) recording, use or disclosure of that entity's or body's own information, with the consent of that entity or body, by another entity, a Commonwealth body or a State body; or
(e) recording, use or disclosure of information for the purposes of carrying out a State's constitutional functions, powers or duties.
Civil penalty for contravention of this section
(6) An entity is liable to a civil penalty if:
(a) the entity contravenes subsection (2); and
(b) the entity is not a Commonwealth officer; and
(c) any of the following applies:
(i) the information is sensitive information about an individual and the individual has not consented to the record, use or disclosure of the information;
(ii) the information is confidential or commercially sensitive;
(iii) the record, use or disclosure of the information would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.
Note 1: See the Criminal Code for offences for Commonwealth officers.
Note 2: This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.
Civil penalty: 60 penalty units.
57 Legal professional privilege
(1) The fact that an entity provided information to the Board under section 48, 49 or 51 does not otherwise affect a claim of legal professional privilege that anyone may make in relation to that information in any proceedings:
(a) under any Commonwealth, State or Territory law (including the common law); or
(b) before a tribunal of the Commonwealth, a State or a Territory.
(2) Despite subsection (1), this section does not apply to the following:
(a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
(b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(3) This section does not limit or affect any right, privilege or immunity that the entity has, apart from this section, as a defendant in any proceedings.
58 Admissibility of information given by an entity that has been requested or required by the Board
(1) This section applies to information that:
(a) has been provided by an entity to the Board under section 48, 49 or 51; and
(b) has been obtained under section 48, 49, 51, 54, 55 or 56 by a Commonwealth body or a State body; and
(c) is held by the Commonwealth body or State body.
Note: This section does not apply to information held by the Commonwealth body or State body to the extent that it has been otherwise obtained.
(2) The information is not admissible in evidence against the entity in any of the following proceedings:
(a) criminal proceedings for an offence under a Commonwealth law, other than:
(i) proceedings for an offence against section 137.1 or 137.2 of the Criminal Code (which deal with false or misleading information or documents) that relates to this Act; or
(ii) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
(b) civil proceedings for a contravention of a civil penalty provision of a Commonwealth law, other than a civil penalty provision of this Part;
(c) proceedings for a breach of any other Commonwealth, State or Territory law (including the common law);
(d) proceedings before a tribunal of the Commonwealth, a State or a Territory.
(4) This section does not apply to the following:
(a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
(b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(5) This section does not limit or affect any right, privilege or immunity that the entity has, apart from this section, as a defendant in any proceedings.
59 Disclosure of draft review reports prohibited
(1) An entity is liable to a civil penalty if:
(a) the entity receives a draft review report under section 51; and
(b) the entity makes a record of, discloses or otherwise uses any information in the draft review report.
Civil penalty: 60 penalty units.
(2) Subsection (1) does not apply if the making of the record, disclosure or use is:
(a) for the purpose of preparing a submission to the Board in accordance with section 51; or
(b) if the entity is the entity that originally provided the information under section 48 or 49--of the entity's own information; or
(c) with the consent of the Chair of the Board; or
(d) after the information has already been lawfully made available to the public (for example, in the publication of the final review report);
(e) for the purposes of carrying out a State's constitutional functions, powers or duties.
(3) Despite section 96 of the Regulatory Powers Act, in proceedings for a civil penalty order against an entity for a contravention of subsection (1), the entity does not bear an evidential burden in relation to the matters in subsection (2).
Note: This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.
Division 4--Establishment, functions and powers of the Board
60 Cyber Incident Review Board
(1) The Cyber Incident Review Board is established by this section.
(2) For the purposes of paragraph (a) of the definition of Department of State in section 8 of the Public Governance, Performance and Accountability Act 2013, the Cyber Incident Review Board is prescribed in relation to the Department.
Note: Subject to subsection (2), this means that the chair and members of the Board are officials of the Department for the purposes of the Public Governance, Performance and Accountability Act 2013.
61 Constitution of the Board
The Board consists of the following members:
(a) a Chair;
(b) at least 2, and not more than 6, other standing members.
62 Functions of the Board
(1) The functions of the Board are:
(a) to cause reviews to be conducted by review panels in relation to cyber security incidents, or series of related cyber security incidents, to:
(i) identify factors that contributed to the incident or series of incidents; and
(ii) make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, incidents of a similar nature in the future; and
(iii) report publicly on the review; and
(b) any other functions conferred on the Board by this Act or the rules.
Note: See section 46 in relation to the circumstances in which a cyber security incident may be reviewed.
2
(2) It is not a function of the Board to:
3
(a) apportion blame in relation to a cyber security incident; or
4
(b) provide the means to determine the liability of any entity in
5
relation to a cyber security incident; or
6
(c) allow any adverse inference to be drawn from the fact that an
7
entity is the subject of a review.
8
However, even though blame or liability may be inferred, or an
9
adverse inference may be made, by a person other than the Board,
10
this does not prevent the Board from carrying out its functions.
11
(3) The Board has power to do all things necessary or convenient to be
12
done for or in connection with the performance of the Board's
13
functions.
14
(4) The Board must not perform a function or exercise a power under
15
this Part at a particular time if the performance of the function or
16
the exercise of the power at that time would prejudice the
17
investigation of, or the conduct of proceedings relating to, an
18
offence or a contravention of a civil penalty provision under a law
19
of the Commonwealth or of a State or Territory.
20
(5) The rules may prescribe the circumstances in which cyber security
21
incidents are a series of related incidents for the purposes of this
22
section.
23
Note:
For example, the rules may prescribe that cyber security incidents are
24
a series of related incidents if the incidents involve a common type of
25
impacted system or a common attack method.
26
63 Independence
27
Subject to this Act and to other laws of the Commonwealth, the
28
Cyber Incident Review Board:
29
(a) has complete discretion in the performance of the Board's
30
functions and the exercise of the Board's powers; and
31
(b) is not subject to direction by any person in relation to the
32
performance or exercise of those functions or powers.
33
Cyber Incident Review Board
Part 5
Establishment, functions and powers of the Board
Division 4
Section 63
No. , 2024
Cyber Security Bill 2024
71
Note:
The Minister must approve the terms of reference for a review to be
1
undertaken by the Board: see subsection 46(2).
2
Division 5--Terms and conditions of appointment of the Chair and members of the Board
64 Appointment of Chair
(1) The Chair of the Board is to be appointed by the Minister by written instrument.
Note: The Chair may be reappointed: see section 33AA of the Acts Interpretation Act 1901.
(2) The Chair may be appointed on a full-time or part-time basis.
(3) The Chair holds office for the period specified in the instrument of appointment. The period must not exceed 4 years.
(4) The rules may make provision for or in relation to the appointment of the Chair, including in relation to eligibility for appointment.
65 Remuneration of the Chair
(1) The Chair of the Board is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, the Chair is to be paid the remuneration that is prescribed by the rules.
(2) The Chair is to be paid the allowances that are prescribed by the rules.
(3) This section has effect subject to the Remuneration Tribunal Act 1973.
66 Appointment of standing members of the Board
(1) A standing member of the Board is to be appointed by the Minister by written instrument.
Note: A member may be reappointed: see section 33AA of the Acts Interpretation Act 1901.
(2) A standing member of the Board may be appointed on a full-time or part-time basis.
(3) A standing member of the Board holds office for the period specified in the instrument of appointment. The period must not exceed 4 years.
(4) The rules may make provision for or in relation to the appointment of standing members of the Board, including in relation to eligibility for appointment.
67 Remuneration of standing members of the Board
(1) A standing member of the Board is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, a standing member of the Board is to be paid the remuneration that is prescribed by the rules.
(2) A standing member of the Board is to be paid the allowances that are prescribed by the rules.
(3) This section has effect subject to the Remuneration Tribunal Act 1973.
68 Acting Chair
The Minister may, by written instrument, appoint a standing member of the Board to act as the Chair:
(a) during a vacancy in the office of Chair (whether or not an appointment has previously been made to the office); or
(b) during any period, or during all periods, when the Chair:
(i) is absent from duty or from Australia; or
(ii) is, for any reason, unable to perform the duties of the office.
Note: For rules that apply to acting appointments, see section 33A of the Acts Interpretation Act 1901.
69 Terms and conditions etc. for standing members

(1) The rules may make provision for or in relation to the Board, including for or in relation to the following:
  (a) membership of the Board (subject to section 61);
  (b) terms of appointment of the Chair and standing members;
  (c) acting appointments;
  (d) resignation of the Chair and standing members;
  (e) disclosure of interests by the Chair and standing members;
  (f) termination of appointment of the Chair and standing members;
  (g) leave of absence of the Chair and standing members.

(2) The Chair and a standing member of the Board holds office on the terms and conditions (if any) that are determined by the Minister in relation to matters not covered by this Act or the rules.
Division 6--Expert Panel, staff assisting and consultants

70 Expert Panel

(1) The Board may, in writing, establish an Expert Panel.

(2) The Expert Panel consists of such members as the Board from time to time appoints by written instrument.

Note: A member of the Expert Panel may be reappointed: see section 33AA of the Acts Interpretation Act 1901.

(3) One or more members of the Expert Panel are to be appointed by the Board, in writing and in accordance with the terms of reference for a review under section 46, to the review panel for the review to assist in the review.

(4) The office of member of the Expert Panel, and the office of member of the Expert Panel assisting in relation to a review, are not public offices within the meaning of the Remuneration Tribunal Act 1973.

(5) The rules may make provision for or in relation to the Expert Panel, including for or in relation to the following:
  (a) membership of the Expert Panel;
  (b) appointment of members to the Expert Panel;
  (c) appointments of its members to a review panel for a review;
  (d) terms of appointment of members;
  (e) remuneration of members;
  (f) resignation of members;
  (g) disclosure of interests by members;
  (h) termination of appointment of members;
  (i) leave of absence of members.

71 Arrangements relating to staff of the Department

(1) The staff assisting the Cyber Incident Review Board are to be APS employees, or officers or employees of a Commonwealth body, whose services are made available to the Board in connection with the performance of any of the Board's functions or the exercise of any of the Board's powers.

(2) When performing services for the Board, the staff are subject to the directions of the Board.

72 Consultants

The Secretary of the Department may, on behalf of the Commonwealth, engage consultants to assist in the performance of any of the Cyber Incident Review Board's functions or the exercise of any of the Board's powers.
Division 7--Other matters relating to the Board

73 Board procedures

(1) Subject to this Act and the rules, the Board may:
  (a) operate in the way it determines; and
  (b) regulate proceedings at its meetings as it considers appropriate.

(2) The rules may make provision for or in relation to the operation and procedures of the Board.

74 Liability

Responding to notices to produce

(1) An entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with section 49 (Chair may obtain documents from certain entities).

(2) An officer, employee or agent of an entity is not liable to an action for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).

The Board etc.

(3) A person who is or has been:
  (a) the Chair; or
  (b) a standing member of the Board; or
  (c) a member of the Expert Panel; or
  (d) a member of the staff assisting the Board (as mentioned in section 71); or
  (e) a consultant assisting the Board (as mentioned in section 72); or
  (f) a witness appearing in a review;
is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in the performance or purported performance of a function or duty conferred by this Part, or the exercise or purported exercise of a power conferred by this Part.
Evidential burden

(4) An entity or person who wishes to rely on subsection (1), (2) or (3) in relation to an action or other proceeding bears an evidential burden (within the meaning of the Regulatory Powers Act) in relation to that matter.

75 Certification of involvement in review

(1) The Chair may issue a certificate stating that a specified person who is, or has been:
  (a) a standing member of the Board; or
  (b) a member of the Expert Panel; or
  (c) a member of the staff assisting the Board (as mentioned in section 71); or
  (d) a consultant assisting the Board (as mentioned in section 72); or
  (e) a witness appearing in a review;
is involved, or has been involved, in a review under this Part into a specified matter.

(2) The Secretary may issue a certificate stating that a specified person who is, or has been, the Chair is involved, or has been involved, in a review under this Part into a specified matter.

(3) If, under subsection (1) or (2), a certificate is issued in relation to a person and a specified matter, the person:
  (a) is not obliged to comply with a subpoena or similar direction of a federal court or a court of a State or Territory to attend and answer questions relating to the matter; and
  (b) is not compellable to give an expert opinion in any civil or criminal proceedings in a federal court or a court of a State or Territory in relation to the matter.
(4) This section does not apply to a coronial inquiry.

76 Annual report

The annual report prepared by the Secretary and given to the Minister under section 46 of the Public Governance, Performance and Accountability Act 2013 for a reporting period must also include the following:
  (a) the number of each of the following during the period:
    (i) reviews commenced;
    (ii) reviews completed;
    (iii) reviews discontinued;
  (b) a brief description of each of those reviews;
  (c) the status of any reviews not yet completed at the end of the period;
  (d) the reasons for discontinuing any reviews during the period;
  (e) the number of times the Minister refused to approve the terms of reference for a review during the period;
  (f) the number of members of the Expert Panel during the period;
  (g) the number of Expert Panel members appointed to a review panel during the period;
  (h) the number of times appointment of a member of the Board was terminated during the period.

77 Rules may prescribe reporting requirements etc.

The rules may prescribe requirements with which the Board must comply relating to:
  (a) the communication of information to the public; and
  (b) reporting to the Minister;
about the work of the Board.
Part 6--Regulatory powers

Division 1--Preliminary

78 Simplified outline of this Part

Each civil penalty provision of this Act, and of Division 1A of Part 6 of the Intelligence Services Act 2001, is subject to:
  (a) monitoring under Part 2 of the Regulatory Powers Act; and
  (b) investigation under Part 3 of the Regulatory Powers Act.

Sections 15 and 16 of this Act (regarding security standards) are also subject to monitoring under Part 2 of the Regulatory Powers Act.

Civil penalty orders may be sought under Part 4 of the Regulatory Powers Act from a relevant court in relation to contraventions of such civil penalty provisions.

Infringement notices may be given under Part 5 of the Regulatory Powers Act for alleged contraventions of such civil penalty provisions.

Undertakings to comply with such civil penalty provisions, and sections 15 and 16 (regarding security standards), may be accepted and enforced under Part 6 of the Regulatory Powers Act.

Injunctions under Part 7 of the Regulatory Powers Act may be used to restrain a person from contravening, or to compel compliance with, such civil penalty provisions.
Division 2--Civil penalty provisions, enforceable undertakings and injunctions

79 Civil penalty provisions, enforceable undertakings and injunctions

Enforceable provisions

(1) Each civil penalty provision of this Act, and each civil penalty provision of Division 1A of Part 6 of the Intelligence Services Act 2001, is enforceable:
  (a) under Part 4 of the Regulatory Powers Act (civil penalty provisions); and
  (b) Part 7 (injunctions) of the Regulatory Powers Act.

Note 1: Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.

Note 2: Part 7 of that Act creates a framework for using injunctions to enforce provisions.

(2) The following provisions are enforceable under Part 6 (enforceable undertakings) of the Regulatory Powers Act:
  (a) each civil penalty provision of this Act, and each civil penalty provision of Division 1A of Part 6 of the Intelligence Services Act 2001;
  (b) sections 15 and 16 of this Act.

Note: Part 6 of the Regulatory Powers Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions.

Authorised applicant

(3) For the purposes of Parts 4 and 7 of the Regulatory Powers Act, each of the following persons is an authorised applicant in relation to the civil penalty provisions mentioned in subsection (1):
  (a) the Secretary;
  (b) a person who is appointed under subsection (4).
(4) For the purposes of paragraph (3)(b), the Secretary may, by writing, appoint a person who:
  (a) is the chief executive officer (however described) of a designated Commonwealth body; or
  (b) is an SES employee, or an acting SES employee, in:
    (i) the Department; or
    (ii) a designated Commonwealth body; or
  (c) holds, or is acting in, a position in a designated Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee;
to be an authorised applicant for the purposes of Part 4 of the Regulatory Powers Act.

Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.

Authorised person

(5) For the purposes of Part 6 of the Regulatory Powers Act, as that Part applies in relation to a provision mentioned in subsection (2), each of the following persons is an authorised person:
  (a) the Secretary;
  (b) a person who is appointed under subsection (6).

(6) For the purposes of paragraph (5)(b), the Secretary may, by writing, appoint a person who is an SES employee, or an acting SES employee in:
  (a) the Department; or
  (b) a designated Commonwealth body.

Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.

Relevant court

(7) For the purposes of Parts 4, 6 and 7 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions mentioned in subsections (1) and (2):
  (a) the Federal Court of Australia;
  (b) the Federal Circuit and Family Court of Australia (Division 2);
  (c) a court of a State or Territory that has jurisdiction in relation to the matter.

Liability of Crown

(8) Part 4 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions mentioned in subsection (1), does not make the Crown liable to a pecuniary penalty.

(9) The protection in subsection (8) does not apply to an authority of the Crown.
Division 3--Monitoring and investigation powers

80 Monitoring powers

Provisions subject to monitoring

(1) The following provisions are subject to monitoring under Part 2 of the Regulatory Powers Act:
  (a) each civil penalty provision of this Act;
  (b) each civil penalty provision of Division 1A of Part 6 of the Intelligence Services Act 2001;
  (c) sections 15 and 16 of this Act.

Note: Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the provisions have been complied with. It includes powers of entry and inspection.

Information subject to monitoring

(2) Information given in compliance or purported compliance with a provision mentioned in subsection (1) is subject to monitoring under Part 2 of the Regulatory Powers Act.

Note: Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the information is correct. It includes powers of entry and inspection.

Authorised applicant

(3) For the purposes of Part 2 of the Regulatory Powers Act, a person who is appointed under subsection (4) is an authorised applicant in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).

(4) The Secretary may, by writing, appoint a person who:
  (a) is an SES employee, or an acting SES employee, in:
    (i) the Department; or
    (ii) a designated Commonwealth body; or
  (b) holds, or is acting in, a position in a designated Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee;
to be an authorised applicant in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).

Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.

Authorised person

(5) For the purposes of Part 2 of the Regulatory Powers Act, a person who is appointed under subsection (6) is an authorised person in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).

(6) The Secretary may, by writing, appoint a person who is:
  (a) an APS employee in:
    (i) the Department; or
    (ii) a designated Commonwealth body; or
  (b) an officer or employee of a designated Commonwealth body;
to be an authorised person in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).

Issuing officer

(7) For the purposes of Part 2 of the Regulatory Powers Act, a magistrate is an issuing officer in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).

Relevant chief executive

(8) For the purposes of Part 2 of the Regulatory Powers Act, the Secretary is the relevant chief executive in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
Relevant court

(9) For the purposes of Part 2 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2):
  (a) the Federal Court of Australia;
  (b) the Federal Circuit and Family Court of Australia (Division 2);
  (c) a court of a State or Territory that has jurisdiction in relation to matters arising under this Act.

Premises

(10) An authorised person must not enter premises under Part 2 of the Regulatory Powers Act, as it applies in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2), if the premises are used solely or primarily as a residence.

81 Investigation powers

Provisions subject to investigation

(1) Each civil penalty provision of this Act, and each civil penalty provision of Division 1A of Part 6 of the Intelligence Services Act 2001, is subject to investigation under Part 3 of the Regulatory Powers Act.

Authorised applicant

(2) For the purposes of Part 3 of the Regulatory Powers Act, a person who is appointed under subsection (3) is an authorised applicant in relation to evidential material that relates to a provision mentioned in subsection (1).

(3) The Secretary may, by writing, appoint a person who:
  (a) is an SES employee, or an acting SES employee, in:
    (i) the Department; or
    (ii) a designated Commonwealth body; or
  (b) holds, or is acting in, a position in a designated Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee;
to be an authorised applicant in relation to evidential material that relates to a provision mentioned in subsection (1).

Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.

Authorised person

(4) For the purposes of Part 3 of the Regulatory Powers Act, a person who is appointed under subsection (5) is an authorised person in relation to evidential material that relates to a provision mentioned in subsection (1).

(5) The Secretary may, by writing, appoint a person who is:
  (a) an APS employee in:
    (i) the Department; or
    (ii) a designated Commonwealth body; or
  (b) an officer or employee of a designated Commonwealth body;
to be an authorised person in relation to evidential material that relates to a provision mentioned in subsection (1).

Issuing officer

(6) For the purposes of Part 3 of the Regulatory Powers Act, a magistrate is an issuing officer in relation to evidential material that relates to a provision mentioned in subsection (1).

Relevant chief executive

(7) For the purposes of Part 3 of the Regulatory Powers Act, the Secretary is the relevant chief executive in relation to evidential material that relates to a provision mentioned in subsection (1).

Relevant court

(8) For the purposes of Part 3 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to evidential material that relates to a provision mentioned in subsection (1):
  (a) the Federal Court of Australia;
  (b) the Federal Circuit and Family Court of Australia (Division 2);
  (c) a court of a State or Territory that has jurisdiction in relation to matters arising under this Act.
Division 4--Infringement notices

82 Infringement notices

Provisions subject to an infringement notice

(1) A civil penalty provision of this Act or of Division 1A of Part 6 of the Intelligence Services Act 2001 is subject to an infringement notice under Part 5 of the Regulatory Powers Act.

Note: Part 5 of the Regulatory Powers Act creates a framework for using infringement notices in relation to provisions.

Infringement officer

(2) For the purposes of Part 5 of the Regulatory Powers Act, a person authorised under subsection (3) is an infringement officer in relation to the civil penalty provisions mentioned in subsection (1).

(3) The Secretary may, by writing, authorise a person who:
  (a) is an SES employee, or an acting SES employee, in:
    (i) the Department; or
    (ii) a designated Commonwealth body; or
  (b) holds, or is acting in, a position in a designated Commonwealth body that is equivalent to, or higher than, a position occupied by an SES employee;
to be an infringement officer in relation to the civil penalty provisions mentioned in subsection (1).

Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.

Relevant chief executive

(4) For the purposes of Part 5 of the Regulatory Powers Act, the Secretary is the relevant chief executive in relation to the civil penalty provisions mentioned in subsection (1).

(5) The relevant chief executive may, in writing, delegate any or all of the relevant chief executive's powers and functions under Part 5 of the Regulatory Powers Act to a person who is an SES employee or an acting SES employee in:
  (a) the Department; or
  (b) a designated Commonwealth body.

Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.

(6) A person exercising powers or performing functions under a delegation under subsection (5) must comply with any directions of the relevant chief executive.

Liability of Crown

(7) Part 5 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions mentioned in subsection (1), does not make the Crown liable to be given an infringement notice.

(8) The protection in subsection (7) does not apply to an authority of the Crown.
Division 5--Other matters

83 Contravening a civil penalty provision

(1) This section applies if a provision of this Act provides that an entity contravening another provision of this Act (the conduct provision) is liable to a civil penalty.

(2) For the purposes of this Act, and the Regulatory Powers Act to the extent that it relates to this Act, a reference to a contravention of a civil penalty provision includes a reference to a contravention of the conduct provision.
Part 7--Miscellaneous

84 Simplified outline of this Part

This Part deals with miscellaneous matters, such as delegations and rules.

85 How this Act applies in relation to non-legal persons

How permissions and rights are conferred and exercised

(1) If this Act purports to confer a permission or right on an entity that is not a legal person, the permission or right:
  (a) is conferred on each person who is an accountable person for the entity at the time the permission or right may be exercised; and
  (b) may be exercised by:
    (i) any person who is an accountable person for the entity at the time the permission or right may be exercised; or
    (ii) any person who is authorised by a person referred to in subparagraph (i) to exercise the permission or right.

How obligations and duties are imposed and discharged

(2) If this Act purports to impose an obligation or duty on an entity that is not a legal person, the obligation or duty:
  (a) is imposed on each person who is an accountable person for the entity at the time the obligation or duty arises or is in operation; and
  (b) may be discharged by:
    (i) any person who is an accountable person for the entity at the time the obligation or duty arises or is in operation; or
    (ii) any person who is authorised by a person referred to in subparagraph (i) to discharge the obligation or duty.
How non-legal persons contravene this Act

(3) A provision of this Act (including a civil penalty provision) that is purportedly contravened by an entity that is not a legal person is instead contravened by each accountable person for the entity who:
  (a) did the relevant act or made the relevant omission; or
  (b) aided, abetted, counselled or procured the relevant act or omission; or
  (c) was in any way knowingly concerned in, or party to, the relevant act or omission.

Meaning of accountable person

(4) For the purposes of this section, a person is an accountable person for an entity at a particular time if:
  (a) in the case of a partnership in which one or more of the partners is an individual--the individual is a partner in the partnership at that time; or
  (b) in the case of a partnership in which one or more of the partners is a body corporate--the person is a director of the body corporate at that time; or
  (c) in the case of a trust in which the trustee, or one or more of the trustees, is an individual--the individual is a trustee of the trust at that time; or
  (d) in the case of a trust in which the trustee, or one or more of the trustees, is a body corporate--the person is a director of the body corporate at that time; or
  (e) in the case of an unincorporated association--the person is a member of the governing body of the unincorporated association at that time.

86 Delegation by Secretary

(1) The Secretary may, in writing, delegate all or any of the Secretary's functions or powers under section 17, 18, 19, 21 or 23 to an SES employee, or acting SES employee, in the Department.

Note 1: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.

Note 2: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.

(2) In performing a delegated function or exercising a delegated power, the delegate must comply with any written directions of the Secretary.

87 Rules

(1) The Minister may, by legislative instrument, make rules prescribing matters:
  (a) required or permitted by this Act to be prescribed by the rules; or
  (b) necessary or convenient to be prescribed for carrying out or giving effect to this Act.

(2) To avoid doubt, the rules may not do the following:
  (a) create an offence or civil penalty;
  (b) provide powers of:
    (i) arrest or detention; or
    (ii) entry, search or seizure;
  (c) impose a tax;
  (d) set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Act;
  (e) directly amend the text of this Act.

(3) Before making or amending the rules, the Minister must:
  (a) cause to be published on the Department's website a notice:
    (i) setting out the draft rules or amendments; and
    (ii) inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice; and
  (b) consider any submissions received within the period mentioned in subparagraph (a)(ii).

(4) The period specified in the notice must not be shorter than 28 days.
88 Review of this Act

The Parliamentary Joint Committee on Intelligence and Security may:
  (a) review the operation, effectiveness and implications of this Act; and
  (b) report the Committee's comments and recommendations to each House of the Parliament;
so long as the Committee begins the review as soon as practicable after 1 December 2027.

(116/24)