Commonwealth: Cyber Security Act 2024 (Cth)

Cyber Security Act 2024
No. 98, 2024

An Act relating to cyber security for Australians, and for other purposes

Contents

Part 1—Preliminary
  1  Short title
  2  Commencement
  3  Objects
  4  Simplified outline of this Act
  5  Extraterritoriality
  6  Act binds the Crown
  7  Concurrent operation of State and Territory laws
  8  Definitions
  9  Meaning of cyber security incident
  10 Meaning of permitted cyber security purpose
  11 Disclosure to State body
Part 2—Security standards for smart devices
  Division 1—Preliminary
    12 Simplified outline of this Part
    13 Application of this Part
  Division 2—Security standards for relevant connectable products
    14 Security standards for relevant connectable products
    15 Compliance with security standard for a relevant connectable product
    16 Obligation to provide and supply products with a statement of compliance with security standard
  Division 3—Enforcement
    17 Compliance notice
    18 Stop notice
    19 Recall notice
    20 Public notification of failure to comply with recall notice
  Division 4—Miscellaneous
    21 Revocation and variation of notices given under this Part
    22 Internal review of decision to give compliance, stop or recall notice
    23 Examination to assess compliance with security standard and statement of compliance
    24 Acquisition of property
Part 3—Ransomware reporting obligations
  Division 1—Preliminary
    25 Simplified outline of this Part
  Division 2—Reporting obligations
    26 Application of this Part
    27 Obligation to report following a ransomware payment
    28 Liability
  Division 3—Protection of information
    29 Ransomware payment reports may only be used or disclosed for permitted purposes
    30 Limitations on secondary use and disclosure of information in ransomware payment reports
    31 Legal professional privilege
    32 Admissibility of information in ransomware payment report against reporting business entity
Part 4—Coordination of significant cyber security incidents
  Division 1—Preliminary
    33 Simplified outline of this Part
    34 Meaning of significant cyber security incident
  Division 2—Voluntary information sharing with the National Cyber Security Coordinator
    35 Impacted entity may voluntarily provide information to National Cyber Security Coordinator in relation to a significant cyber security incident
    36 Voluntary provision of information in relation to other incidents or cyber security incidents
    37 Role of the National Cyber Security Coordinator
  Division 3—Protection of information
    38 Information provided in relation to a significant cyber security incident—use and disclosure by National Cyber Security Coordinator
    39 Information provided in relation to other incidents—use and disclosure by National Cyber Security Coordinator
    40 Limitations on secondary use and disclosure
    41 Legal professional privilege
    42 Admissibility of information voluntarily given by impacted entity
    43 National Cyber Security Coordinator not compellable as witness
  Division 4—Miscellaneous
    44 Interaction with other requirements to provide information in relation to a cyber security incident
Part 5—Cyber Incident Review Board
  Division 1—Preliminary
    45 Simplified outline of this Part
  Division 2—Reviews
    46 Board must cause reviews to be conducted
    47 Board may discontinue a review
    48 Chair may request information or documents
    49 Chair may require certain entities to produce documents
    50 Civil penalty—failing to comply with a notice to produce documents
    51 Draft review reports
    52 Final review reports
    53 Certain information must be redacted from final review reports
    54 Protected review reports
  Division 3—Protection of information relating to reviews
    55 Limitations on use and disclosure by the Board
    56 Limitations on secondary use and disclosure
    57 Legal professional privilege
    58 Admissibility of information given by an entity that has been requested or required by the Board
    59 Disclosure of draft review reports prohibited
  Division 4—Establishment, functions and powers of the Board
    60 Cyber Incident Review Board
    61 Constitution of the Board
    62 Functions of the Board
    63 Independence
  Division 5—Terms and conditions of appointment of the Chair and members of the Board
    64 Appointment of Chair
    65 Remuneration of the Chair
    66 Appointment of standing members of the Board
    67 Remuneration of standing members of the Board
    68 Acting Chair
    69 Terms and conditions etc. for standing members
  Division 6—Expert Panel, staff assisting and consultants
    70 Expert Panel
    71 Arrangements relating to staff of the Department
    72 Consultants
  Division 7—Other matters relating to the Board
    73 Board procedures
    74 Liability
    75 Certification of involvement in review
    76 Annual report
    77 Rules may prescribe reporting requirements etc.
Part 6—Regulatory powers
  Division 1—Preliminary
    78 Simplified outline of this Part
  Division 2—Civil penalty provisions, enforceable undertakings and injunctions
    79 Civil penalty provisions, enforceable undertakings and injunctions
  Division 3—Monitoring and investigation powers
    80 Monitoring powers
    81 Investigation powers
  Division 4—Infringement notices
    82 Infringement notices
  Division 5—Other matters
    83 Contravening a civil penalty provision
Part 7—Miscellaneous
  84 Simplified outline of this Part
  85 How this Act applies in relation to non‑legal persons
  86 Delegation by Secretary
  87 Rules
  88 Review of this Act

[Assented to 29 November 2024]

The Parliament of Australia enacts:

Part 1—Preliminary

1  Short title
  This Act is the Cyber Security Act 2024.

2  Commencement
  (1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

  Commencement information
  (Column 1: Provisions; Column 2: Commencement; Column 3: Date/Details)

    1. Part 1 and anything in this Act not elsewhere covered by this table
       Commencement: The day after this Act receives the Royal Assent.
       Date/Details: 30 November 2024

    2. Part 2
       Commencement: A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 12 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period.

    3. Part 3
       Commencement: A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 6 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period.

    4. Part 4
       Commencement: The day after this Act receives the Royal Assent.
       Date/Details: 30 November 2024

    5. Part 5
       Commencement: A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 6 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period.

    6. Parts 6 and 7
       Commencement: The day after this Act receives the Royal Assent.
       Date/Details: 30 November 2024

  Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

  (2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.
3  Objects
  The objects of this Act are to:
    (a) improve the cyber security of products that:
      (i) can connect directly or indirectly to the internet; and
      (ii) will be acquired in Australia;
    by requiring manufacturers and suppliers of those products to comply with security standards specified in the rules; and
    (b) encourage the provision of information relating to the provision of payments or benefits (called ransomware payments) to entities seeking to benefit from cyber security incidents by imposing reporting obligations on entities in relation to the payment of such payments or benefits; and
    (c) facilitate the whole of Government response to significant cyber security incidents by providing for the National Cyber Security Coordinator to lead across the whole of Government the coordination and triaging of action in response to significant cyber security incidents; and
    (d) prevent, improve the detection of, improve the response to and minimise the impact of cyber security incidents by establishing the Cyber Incident Review Board to:
      (i) cause reviews to be conducted in relation to certain cyber security incidents; and
      (ii) make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, incidents of a similar nature in the future; and
    (e) improve the response to and minimise the impact of cyber security incidents (including imminent incidents) through encouraging entities impacted, or probably impacted, by such cyber security incidents to provide information to the Australian Government about the incidents by ensuring that:
      (i) the information provided is only used and disclosed for limited purposes; and
      (ii) the information provided is not admissible in evidence in proceedings against the entities that provided the information; and
    (f) to facilitate the sharing of information about cyber security incidents with State and Territory Governments for limited purposes, with their consent that the information is only to be used and disclosed for limited purposes.

4  Simplified outline of this Act
  This Act provides for mandatory security standards for certain products that can directly or indirectly connect to the internet (called relevant connectable products).

  This Act also provides an obligation to report payments or benefits (called ransomware payments) provided to an entity that is seeking to benefit from a cyber security incident.

  Information may be voluntarily provided to the National Cyber Security Coordinator in relation to a significant cyber security incident. The National Cyber Security Coordinator's role is to lead across the whole of Government the coordination and triaging of action in response to a significant cyber security incident.

  The Cyber Incident Review Board is established by this Act. Its functions include causing reviews to be conducted in relation to certain cyber security incidents. A review will make recommendations to Government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, incidents of a similar nature in the future.

  Information provided by entities under provisions of this Act may only be used and disclosed for limited purposes. Certain information provided to the Australian Government under this Act is not admissible in evidence in proceedings against the entity that provided the information.

  A range of compliance and enforcement powers are provided for, including by applying the Regulatory Powers (Standard Provisions) Act 2014.

  This Act also deals with administrative matters such as delegations and the power to make rules.

5  Extraterritoriality
  This Act applies both within and outside Australia.
  Note: This Act extends to every external Territory.

6  Act binds the Crown
  (1) This Act binds the Crown in each of its capacities.
  (2) This Act does not make the Crown liable to be prosecuted for an offence.
  Note: The Crown (other than a Crown authority) is not liable to a pecuniary penalty for the breach of a civil penalty provision or to be given an infringement notice: see subsections 79(8) and 82(7).
  (3) The protection in subsection (2) does not apply to an authority of the Crown.

7  Concurrent operation of State and Territory laws
  This Act is not intended to exclude or limit the operation of a law of a State or Territory to the extent that that law is capable of operating concurrently with this Act.

8  Definitions
  In this Act:

  ASD means the Australian Signals Directorate.

  benefit includes any advantage and is not limited to property.

  business has the same meaning as in the Income Tax Assessment Act 1997.

  Chair means the Chair of the Cyber Incident Review Board.

  civil penalty provision has the same meaning as in the Regulatory Powers Act.

  Commonwealth body means:
    (a) a Minister of the Commonwealth; or
    (b) a Department of State of the Commonwealth; or
    (c) a body (whether incorporated or not) that:
      (i) is established, or continued in existence, for a public purpose by or under a law of the Commonwealth; and
      (ii) is not an authority of the Crown.

  Commonwealth enforcement body means:
    (a) the Australian Federal Police; or
    (b) the Australian Prudential Regulation Authority; or
    (c) the Australian Securities and Investments Commission; or
    (d) the Inspector of the National Anti‑Corruption Commission; or
    (e) the Office of the Director of Public Prosecutions; or
    (f) the National Anti‑Corruption Commissioner; or
    (g) Sport Integrity Australia; or
    (h) another Commonwealth body, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction for a criminal offence.

  Commonwealth officer has the same meaning as in Part 5.6 of the Criminal Code.

  computer has the same meaning as in the Security of Critical Infrastructure Act 2018.

  coronial inquiry means a coronial inquiry, coronial investigation or coronial inquest under a law of the Commonwealth, or of a State or Territory.

  critical infrastructure asset has the same meaning as in the Security of Critical Infrastructure Act 2018.

  Cyber Incident Review Board or Board means the Cyber Incident Review Board established by section 60.

  cyber security incident has the meaning given by section 9.

  designated Commonwealth body means:
    (a) a Department, or a body established by a law of the Commonwealth, specified in the rules; or
    (b) if no rules are made for the purposes of paragraph (a)—the Department and ASD.

  draft review report has the meaning given by subsection 51(1).

  entity means any of the following:
    (a) an individual;
    (b) a body corporate;
    (c) a partnership;
    (d) an unincorporated association that has a governing body;
    (e) a trust;
    (f) an entity that is a responsible entity for a critical infrastructure asset.

  Expert Panel means the Expert Panel established by the Board under section 70.

  final review report has the meaning given by subsection 52(1).

  intelligence agency means:
    (a) the agency known as the Australian Criminal Intelligence Commission established by the Australian Crime Commission Act 2002; or
    (b) the Australian Geospatial‑Intelligence Organisation; or
    (c) the Australian Secret Intelligence Service; or
    (d) the Australian Security Intelligence Organisation; or
    (e) ASD; or
    (f) the Defence Intelligence Organisation; or
    (g) the Office of National Intelligence.

  internet‑connectable product has the meaning given by subsection 13(4).

  manufacturer has the same meaning as in the Australian Consumer Law.

  National Cyber Security Coordinator means:
    (a) the officer of the Department known as the National Cyber Security Coordinator; and
    (b) the APS employees, and officers or employees of Commonwealth bodies, whose services are made available to the officer in connection with the performance of any of the officer's functions or the exercise of any of the officer's powers under this Act.

  network‑connectable product has the meaning given by subsection 13(5).

  permitted cyber security purpose for a cyber security incident has the meaning given by section 10.

  personal information has the same meaning as in the Privacy Act 1988.

  protected review report has the meaning given by subsection 54(1).

  ransomware payment has the meaning given by subsection 26(1).

  ransomware payment report means a report given by an entity under subsection 27(1).

  Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

  relevant connectable product has the meaning given by subsection 13(2).

  reporting business entity has the meaning given by subsection 26(2).

  responsible entity, for an asset, has the same meaning as in the Security of Critical Infrastructure Act 2018.

  Secretary means the Secretary of the Department.

  sensitive information has the same meaning as in the Privacy Act 1988.

  sensitive review information has the meaning given by subsection 53(2).

  significant cyber security incident has the meaning given by section 34.

  State body means:
    (a) a Minister of a State or Territory; or
    (b) a Department of State of a State or Territory or a Department of the Public Service of a State or Territory; or
    (c) a body (whether incorporated or not) that:
      (i) is established, or continued in existence, for a public purpose by or under a law of a State or Territory; and
      (ii) is not an authority of the Crown.

  supply has the same meaning as in the Australian Consumer Law and supplied and supplier have corresponding meanings.
9  Meaning of cyber security incident
  (1) A cyber security incident is one or more acts, events or circumstances:
    (a) of a kind covered by the meaning of cyber security incident in the Security of Critical Infrastructure Act 2018; or
    (b) involving unauthorised impairment of electronic communication to or from a computer, within the meaning of that phrase in that Act, but as if that phrase did not exclude the mere interception of any such communication.
  (2) However, an incident is only a cyber security incident for the purposes of this Act if:
    (a) the incident involves a critical infrastructure asset; or
    (b) the incident involves the activities of an entity that is a corporation to which paragraph 51(xx) of the Constitution applies; or
    (c) the incident is or was effected by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
    (d) the incident is impeding or impairing, or has impeded or impaired, the ability of a computer to connect to such a service; or
    (e) the incident has seriously prejudiced or is seriously prejudicing:
      (i) the social or economic stability of Australia or its people; or
      (ii) the defence of Australia; or
      (iii) national security.

10  Meaning of permitted cyber security purpose
  Each of the following is a permitted cyber security purpose for a cyber security incident:
    (a) the performance of the functions of a Commonwealth body (to the extent that it is not a Commonwealth enforcement body) relating to responding to, mitigating or resolving the cyber security incident;
    (b) the performance of the functions of a State body relating to responding to, mitigating or resolving the cyber security incident;
    (c) the performance of the functions of the National Cyber Security Coordinator under Part 4 relating to the cyber security incident;
    (d) informing and advising the Minister, and other Ministers of the Commonwealth, about the cyber security incident;
    (e) preventing or mitigating material risks that the cyber security incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice:
      (i) the social or economic stability of Australia or its people; or
      (ii) the defence of Australia; or
      (iii) national security;
    (f) preventing or mitigating material risks to a critical infrastructure asset;
    (g) the performance of the functions of an intelligence agency;
    (h) the performance of the functions of a Commonwealth enforcement body.
  Note 1: There are some limitations in relation to civil or regulatory functions against entities that have provided information in relation to the incident: see subsections 38(2) and 39(3).
  Note 2: Certain information must not be disclosed to a State body under Parts of this Act unless a Minister of the State or Territory has consented to those Parts applying to the State body: see section 11.
11  Disclosure to State body
  (1) Despite any other provision of this Act, information that may be disclosed to a State body under Part 3, 4 or 5 must not be disclosed to the State body under that Part unless:
    (a) a Minister of the State or Territory has informed the Minister administering this Act, in writing, that the State or Territory gives consent to the provisions of that Part applying to the State body; and
    (b) a Minister of the State or Territory has not informed the Minister administering this Act, in writing, that the State or Territory withdraws that consent.
  (2) For the purposes of paragraph (1)(a), a Minister of a State or Territory may give consent in relation to all State bodies, a class of State bodies, or particular State bodies, of that State or Territory.

Part 2—Security standards for smart devices

Division 1—Preliminary

12  Simplified outline of this Part
  The rules may provide mandatory security standards for products that can directly or indirectly connect to the internet (called relevant connectable products) that will be acquired in Australia in specified circumstances.

  If the rules provide a security standard for a product:
    (a) manufacturers must manufacture the product in compliance with the requirements of the security standard if they are aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances; and
    (b) those manufacturers must also comply with any other obligations relating to the product in the security standard (for example, obligations to publish information about the product); and
    (c) if the product does not comply it must not be supplied in Australia if the supplier is aware, or could reasonably be expected to be aware, that the products will be acquired in Australia in those specified circumstances; and
    (d) those suppliers must supply the product in Australia accompanied by a statement of compliance.

  A compliance notice, a stop notice and a recall notice may be given for non‑compliance with obligations in this Part. Internal review may be sought for a decision to issue a notice.

  An independent audit of a product may be undertaken to determine compliance with the requirements of a security standard or requirements for the statement of compliance. The Secretary may request the manufacturer or supplier to provide the product, the statement of compliance or both for the purposes of the audit.

13  Application of this Part
  (1) This Part applies to a relevant connectable product that is:
    (a) manufactured on or after the commencement of this Part; or
    (b) supplied (other than as second hand goods) on or after the commencement of this Part.
  (2) A relevant connectable product is a product that:
    (a) is an internet‑connectable product or a network‑connectable product; and
    (b) is not exempted under the rules.
  (3) For the purposes of paragraph (2)(b), the rules may specify that:
    (a) classes of products are exempted; or
    (b) particular products are exempted.
  (4) An internet‑connectable product is a product that is capable of connecting to the internet using a communication protocol that forms part of the internet protocol suite to send and receive data over the internet.
  (5) A network‑connectable product is a product that:
    (a) is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy; and
    (b) is not an internet‑connectable product; and
    (c) meets the condition in subsection (6) or (7).
  (6) A product meets the condition in this subsection if it is capable of connecting directly to an internet‑connectable product by means of a communication protocol that forms part of the internet protocol suite.
  (7) Subject to subsections (8) and (9), a product meets the condition in this subsection if:
    (a) it is capable of connecting directly to 2 or more products at the same time by means of a communication protocol that does not form part of the internet protocol suite; and
    (b) it is capable of connecting directly to an internet‑connectable product by means of such a communication protocol (whether or not at the same time as it connects to any other product).
  (8) A product consisting of a wire or cable that is used merely to connect the product to another product does not meet the condition in subsection (7).
  (9) If:
    (a) two or more products are designed to be used together for the purposes of facilitating the use of a computer (within the ordinary meaning of that expression); and
    (b) at least one of the products (the linking product) is capable of connecting directly to an internet‑connectable product (whether the computer or some other product) by means of a communication protocol that does not form part of the internet protocol suite; and
    (c) each of the products (the input products) that is not a linking product is capable of connecting directly to the linking product, or, if there is more than one linking product, to each linking product:
      (i) wirelessly; and
      (ii) by means of a communication protocol that does not form part of the internet protocol suite;
  each of the input products meets the condition in subsection (7).
  (10) For the purposes of subsections (4) to (9), a product is not prevented from being regarded as connecting directly to another product merely because the connection involves the use of a wire or cable.

Division 2—Security standards for relevant connectable products

14  Security standards for relevant connectable products
  (1) The rules may make provision for, or in relation to, security standards for specified classes of relevant connectable products that will be acquired in Australia in specified circumstances.
  (2) Without limiting subsection (1) a class of relevant connectable products specified for the purposes of that subsection may consist of a particular relevant connectable product or of all relevant connectable products.
  (3) Despite subsection 14(2) of the Legislation Act 2003, the rules may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in an instrument or other writing as in force or existing from time to time.

15  Compliance with security standard for a relevant connectable product
  Manufacturer must comply
  (1) An entity must manufacture a relevant connectable product in compliance with the requirements of the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances if:
    (a) the product is included in that class; and
    (b) the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.
  (2) The entity must comply with any other requirements of the security standard that apply to the manufacturer of a product included in that class.
  (3) An entity must not supply a product in Australia that was not manufactured in compliance with the requirements of the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances if:
    (a) the product is included in that class; and
    (b) the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.
  (4) The entity must comply with any other requirements of the security standard that apply to the supplier of a product included in that class.
  Exception
  (5) However, to the extent that a requirement in the security standard does not relate to any of the matters in subsection (6), an entity is not required to comply with subsections (1) to (4) if the entity is not:
    (a) an entity that is a corporation to which paragraph 51(xx) of the Constitution applies; or
    (b) an entity that is undertaking activities in the course of, or in relation to, trade or commerce with other countries, among the States, between Territories or between a Territory and a State.
  (6) The matters are the following:
    (a) the direct, or indirect, connection of the relevant connectable product to, a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, connection to the internet);
    (b) the direct, or indirect, use by the relevant connectable product of such a service (including, for example, use of the internet);
    (c) measures that would protect the relevant connectable product from an attack effected by means of such a service (including, for example, by means of the internet).

16  Obligation to provide and supply products with a statement of compliance with security standard
  Manufacturer must provide statement of compliance
  (1) An entity that manufactures a relevant connectable product must provide, for the supply of the product in Australia, a statement of compliance with the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances if:
    (a) the product is included in that class; and
    (b) the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.
  (2) The entity must retain a copy of the statement of compliance for the period specified in the rules for that class of statements.
  Supplier must supply the product with statement of compliance
  (3) An entity that supplies a relevant connectable product in Australia must supply the product with a statement of compliance with the security standard for a class of relevant connectable product that will be acquired in Australia in specified circumstances if:
    (a) the product is included in that class; and
    (b) the entity is aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.
  (4) The entity must retain a copy of the statement of compliance for the period specified in the rules for that class of statements.
  Requirements for statement of compliance
  (5) The statement of compliance with the security standard under subsection (1) or (2) must meet the requirements provided by the rules for that class of statements.
  Matters relating to the rule making powers
  (6) Without limiting subsection (2), (4) or (5) a class of statements may consist of a statement for a particular relevant connectable product or a particular security standard or all relevant connectable products or all security standards.

Division 3—Enforcement

17  Compliance notice
  (1) The Secretary may give an entity that must comply with an obligation under section 15 or 16 a compliance notice if the Secretary:
    (a) is reasonably satisfied that the entity is not complying with the obligation; or
    (b) is aware of information that suggests that the entity may not be complying with the obligation.
(2) The compliance notice must: (a) set out the name of the entity to which the notice is given; and (b) set out brief details of the non‑compliance or possible non‑compliance; and (c) specify action within the entity's control that the entity must take in order to address the non‑compliance or possible non‑compliance; and (d) specify a reasonable period within which the entity must take the specified action; and (e) if the Secretary considers it appropriate—specify a reasonable period within which the entity must provide the Secretary with evidence that the entity has taken the specified action; and (f) explain what may happen if the entity does not comply with the notice; and (g) explain how the entity may seek review of the decision to issue the notice; and (h) set out any other matters prescribed by the rules. (3) Before giving the notice to the entity, the Secretary must: (a) notify the entity that the Secretary intends to give the notice to the entity; and (b) give the entity a specified period (which must not be shorter than 10 days) to make representations about the giving of the notice. (4) Only one compliance notice may be given to an entity in relation to a particular instance of the entity's non‑compliance, or possible non‑compliance, with an obligation under section 15 or 16. 18 Stop notice (1) The Secretary may give an entity that must comply with an obligation under section 15 or 16 a stop notice if: (a) the entity has been given a compliance notice under section 17 in relation to the non‑compliance with the obligation; and (b) the Secretary is reasonably satisfied that: (i) the entity has not complied with the compliance notice; or (ii) actions taken by the entity to rectify non‑compliance with the obligation (whether in accordance with the compliance notice or otherwise) are inadequate to rectify the non‑compliance. 
(2) The stop notice must:
  (a) set out the name of the entity to which the notice is given; and
  (b) set out brief details of the non‑compliance; and
  (c) specify action within the entity's control that the entity must take, or refrain from taking, in order to address the non‑compliance; and
  (d) specify a reasonable period within which the entity must take the specified action or refrain from taking the specified action; and
  (e) if the Secretary considers it appropriate—specify a reasonable period within which the entity must provide the Secretary with evidence that the entity has taken the specified action or refrained from taking the specified action; and
  (f) explain what may happen if the entity does not comply with the notice; and
  (g) explain how the entity may seek review of the decision to issue the notice; and
  (h) set out any other matters prescribed by the rules.
(3) Before giving the notice to the entity, the Secretary must:
  (a) notify the entity that the Secretary intends to give the notice to the entity; and
  (b) give the entity a specified period (which must not be shorter than 10 days) to make representations about the giving of the notice.
(4) Only one stop notice may be given to an entity in relation to a particular instance of the entity's non‑compliance with an obligation under section 15 or 16.
19 Recall notice
(1) The Secretary may give an entity that must comply with an obligation under section 15 or 16 a recall notice if:
  (a) the entity has been given a stop notice under section 18 in relation to the non‑compliance with the obligation; and
  (b) the Secretary is reasonably satisfied that:
    (i) the entity has not complied with the stop notice; or
    (ii) actions taken by the entity to rectify the non‑compliance with the obligation (whether in accordance with the compliance notice or otherwise) are inadequate to rectify the non‑compliance.
(2) The recall notice must:
  (a) set out the name of the entity to which the notice is given; and
  (b) set out brief details of the non‑compliance; and
  (c) specify action that the entity must take to do any or all of the following:
    (i) ensure, to the extent within the entity's control, the product is not acquired in Australia;
    (ii) ensure, to the extent within the entity's control, that the product is not supplied to suppliers for supply in Australia;
    (iii) arrange for the return, within a specified reasonable period, of the product to the entity, or if the entity is not the manufacturer of the product, the manufacturer of the product; and
  (d) specify a reasonable period within which the entity must take the specified action; and
  (e) if the Secretary considers it appropriate—specify a reasonable period within which the entity must provide the Secretary with evidence that the entity has taken the specified action; and
  (f) explain what may happen if the entity does not comply with the notice; and
  (g) explain how the entity may seek review of the decision to issue the notice; and
  (h) set out any other matters prescribed by the rules.
(3) Before giving the notice to the entity, the Secretary must:
  (a) notify the entity that the Secretary intends to give the notice to the entity; and
  (b) give the entity a specified period (which must not be shorter than 10 days) to make representations about the giving of the notice.
(4) Only one recall notice may be given to an entity in relation to a particular instance of the entity's non‑compliance with an obligation under section 15 or 16.
20 Public notification of failure to comply with recall notice
If an entity fails to comply with a recall notice, the Minister may publish the following information on the Department's website, or in any other way the Minister considers appropriate:
  (a) the identity of the entity;
  (b) details of the product;
  (c) details of the non‑compliance;
  (d) risks posed by the product relating to the non‑compliance;
  (e) any other matters prescribed by the rules.
Division 4—Miscellaneous
21 Revocation and variation of notices given under this Part
Variation
(1) The Secretary may, by notice in writing given to an entity, vary a compliance notice, stop notice or recall notice given under this Part to the entity if the Secretary is reasonably satisfied that the variation is required:
  (a) in order to rectify an error, defect or ambiguity in the notice; or
  (b) to adequately rectify the non‑compliance, or possible non‑compliance, to which the notice relates.
(2) Before giving the notice to the entity under subsection (1), the Secretary must:
  (a) notify the entity that the Secretary intends to give the notice to the entity; and
  (b) give the entity a specified period (which must not be shorter than 10 days) to make representations about the giving of the notice.
(3) A varied compliance notice, stop notice or recall notice has the same effect as the original notice for the purposes of this Part.
Revocation
(4) The Secretary may, by notice in writing given to an entity, revoke a compliance notice, stop notice or recall notice given under this Part to the entity if the Secretary is no longer satisfied that the grounds for issuing the notice were met.
(5) If a compliance notice, stop notice or recall notice, relating to non‑compliance or possible non‑compliance by an entity with an obligation, is revoked under subsection (4), no further notices may be issued under this Part in relation to that non‑compliance.
22 Internal review of decision to give compliance, stop or recall notice
(1) An entity may apply, in writing, to the Secretary for review (an internal review) of a decision:
  (a) to give the entity a compliance notice under section 17; or
  (b) to give the entity a stop notice under section 18; or
  (c) to give the entity a recall notice under section 19; or
  (d) to vary, under section 21, a notice given to the entity.
(2) An application for an internal review must be made within 30 days after the day on which the notice was given to the entity.
(3) The decision‑maker for the internal review is:
  (a) the Secretary; or
  (b) if the Secretary made the decision personally—a person:
    (i) to whom the power to issue a notice of that kind has been delegated under section 86; and
    (ii) that was not involved in the making of the Secretary's decision.
(4) Within 30 days after the application is received, the decision‑maker must:
  (a) review the decision; and
  (b) affirm, vary or revoke the decision; and
  (c) if the decision is revoked—make such other decision (if any) that the decision‑maker thinks appropriate.
(5) The decision‑maker for the reviewable decision must, as soon as practicable after making a decision under subsection (4), give the applicant a written statement of the decision‑maker's reasons for the decision.
23 Examination to assess compliance with security standard and statement of compliance
(1) If an entity must comply with an obligation in section 15 or 16 in relation to a relevant connectable product, the Secretary may engage an appropriately qualified and experienced expert to carry out an independent examination of the product to determine either or both of the following:
  (a) whether the product complies with the security standard for the class of relevant connectable product;
  (b) whether the statement of compliance for the product complies with the requirements of section 16.
(2) The expert may examine the product, for example, by doing any of the following:
  (a) opening any package in which the product is contained;
  (b) operating the product;
  (c) testing or analysing the product, including through the use of electronic equipment;
  (d) if the product contains a record or document—reading the record or document either directly or with the use of an electronic device;
  (e) taking photographs or video recordings of the product.
Request for product and statement of compliance
(3) For the purposes of the examination, the Secretary may request, by notice in writing, the entity to provide the product, or the statement of compliance for the product, or both.
(4) The notice must:
  (a) specify the product; and
  (b) if the entity is not the manufacturer—specify the manufacturer of the product (if known); and
  (c) specify a reasonable period within which the entity must provide the notice; and
  (d) specify the period for which the product will be retained for testing; and
  (e) specify the requirements of the security standard that the product will be tested against; and
  (f) explain the kind of testing or analysis that will be done; and
  (g) explain what may happen if:
    (i) the entity does not comply with the notice; or
    (ii) the entity does not comply with its obligations in section 15 or 16 in relation to the product; and
  (h) set out any other matters prescribed by the rules.
Compensation
(5) An entity is entitled to be paid by the Commonwealth reasonable compensation for complying with a request under subsection (3).
24 Acquisition of property
This Part has no effect to the extent (if any) that its operation would result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) from a person otherwise than on just terms (within the meaning of that paragraph).
Part 3—Ransomware reporting obligations
Division 1—Preliminary
25 Simplified outline of this Part
This Part imposes reporting obligations on certain entities who are impacted by a cyber security incident, and who have provided or are aware that another entity has provided, a payment or benefit (called a ransomware payment) to an entity that is seeking to benefit from the impact or the cyber security incident.
Particular information must be included in a ransomware payment report, including information relating to the cyber security incident, the demand made by the extorting entity and the ransomware payment.
An entity may be liable to a civil penalty if the entity fails to make a ransomware payment report as required by this Part.
Division 2—Reporting obligations
26 Application of this Part
(1) This Part applies if:
  (a) an incident has occurred, is occurring or is imminent; and
  (b) the incident is a cyber security incident; and
  (c) the incident has had, is having, or could reasonably be expected to have, a direct or indirect impact on a reporting business entity; and
  (d) an entity (the extorting entity) makes a demand of the reporting business entity, or any other entity, in order to benefit from the incident or the impact on the reporting business entity; and
  (e) the reporting business entity provides, or is aware that another entity has provided on their behalf, a payment or benefit (a ransomware payment) to the extorting entity that is directly related to the demand.
(2) An entity is a reporting business entity if, at the time the ransomware payment is made:
  (a) the entity:
    (i) is carrying on a business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold for that year; and
    (ii) is not a Commonwealth body or a State body; and
    (iii) is not a responsible entity for a critical infrastructure asset; or
  (b) the entity is a responsible entity for a critical infrastructure asset to which Part 2B of the Security of Critical Infrastructure Act 2018 applies.
(3) For the purposes of subparagraph (2)(a)(i), the turnover threshold is:
  (a) if a business has been carried on for only part of the previous financial year—the amount worked out in the manner prescribed by the rules; or
  (b) in any other case—the amount prescribed by, or worked out in the manner prescribed by, the rules.
Presumption
(4) For the purposes of paragraph (1)(b), an incident (other than an incident covered by paragraph 9(2)(a) or (b)) is presumed to be a cyber security incident if:
  (a) the incident was probably effected, is probably being effected or could reasonably be expected to be effected, by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
  (b) the incident has probably impeded or impaired, or is probably impeding or impairing or could reasonably be expected to impede or impair, the ability of a computer to connect to such a service; or
  (c) the incident has probably seriously prejudiced, is probably seriously prejudicing, or could reasonably be expected to prejudice:
    (i) the social or economic stability of Australia or its people; or
    (ii) the defence of Australia; or
    (iii) national security.
Note: Paragraphs 9(2)(a) and (b) cover incidents involving critical infrastructure assets or the activities of corporations to which paragraph 51(xx) of the Constitution applies.
(5) However, subsection (4) does not make an entity liable to a civil penalty under this Part if the incident:
  (a) was not in fact effected by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
  (b) did not in fact impede or impair the ability of a computer to connect to such a service; or
  (c) did not in fact seriously prejudice:
    (i) the social or economic stability of Australia or its people; or
    (ii) the defence of Australia; or
    (iii) national security.
27 Obligation to report following a ransomware payment
(1) The reporting business entity must give the designated Commonwealth body a report (a ransomware payment report) that complies with the requirements of this section within 72 hours of making the ransomware payment or becoming aware that the ransomware payment has been made (whichever is applicable).
Note: For the definition of designated Commonwealth body: see section 8.
(2) The ransomware payment report must contain information relating to the following, in accordance with any requirements prescribed by the rules, that, at the time of making the report, the reporting business entity knows or is able, by reasonable search or enquiry, to find out:
  (a) if the reporting business entity made the payment—the reporting business entity's contact and business details;
  (b) if another entity made the payment—that entity's contact and business details;
  (c) the cyber security incident, including its impact on the reporting business entity;
  (d) the demand made by the extorting entity;
  (e) the ransomware payment;
  (f) communications with the extorting entity relating to the incident, the demand and the payment.
(3) The reporting business entity may include other information relating to the cyber security incident in the ransomware payment report.
(4) The ransomware payment report must be given:
  (a) in the form approved by the Secretary (if any); and
  (b) in the manner (if any) prescribed by the rules.
(5) An entity is liable to a civil penalty if the entity contravenes subsection (1).
Civil penalty: 60 penalty units.
(6) Subsection 93(2) of the Regulatory Powers Act does not apply in relation to a contravention of subsection (1) of this section.
28 Liability
(1) An entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with section 27.
(2) An officer, employee or agent of an entity is not liable to an action for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).
(3) An entity that wishes to rely on subsection (1) in relation to an action or other proceeding bears an evidential burden (within the meaning of the Regulatory Powers Act) in relation to that matter.
Division 3—Protection of information
29 Ransomware payment reports may only be used or disclosed for permitted purposes
Permitted use and disclosure
(1) A designated Commonwealth body may make a record of, use or disclose information provided in a ransomware payment report by a reporting business entity, but only for the purposes of one or more of the following:
  (a) assisting the reporting business entity, and other entities acting on behalf of the reporting business entity, to respond to, mitigate or resolve the cyber security incident;
  (b) performing functions or exercising powers under this Part or Part 6 as it applies to this Part;
  (c) proceedings under, or arising out of, section 137.1 or 137.2 of the Criminal Code (false and misleading information and documents) that relate to this Act;
  (d) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
  (e) the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;
  (f) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;
  (g) the performance of the functions of the National Cyber Security Coordinator under Part 4 relating to a cyber security incident;
  (h) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
  (i) the performance of the functions of an intelligence agency.
Note: Certain information must not be disclosed to a State body under Parts of this Act unless a Minister of the State or Territory has consented to those Parts applying to the State body: see section 11.
Restriction on use and disclosure for civil or regulatory action
(2) However, the designated Commonwealth body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the reporting business entity of a Commonwealth, State or Territory law other than:
  (a) a contravention by the reporting business entity of this Part; or
  (b) a contravention by the reporting business entity of a law that imposes a penalty or sanction for a criminal offence.
Note: See also section 32 in relation to admissibility of the information in proceedings against the reporting business entity.
Interaction with the Privacy Act 1988
(3) Subsection (1) does not authorise the designated Commonwealth body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(4) Subsection (1) does not prohibit the recording, use or disclosure of the following information:
  (a) information that has been provided to the designated Commonwealth body by, or on behalf of, the entity to the Commonwealth to comply with:
    (i) a requirement in Part 2B of the Security of Critical Infrastructure Act 2018; or
    (ii) a requirement under the Telecommunications Act 1997; or
    (iii) a requirement under a law prescribed by the rules;
  (b) information that has already been lawfully made available to the public.
30 Limitations on secondary use and disclosure of information in ransomware payment reports
(1) This section applies to information that:
  (a) has been provided in a ransomware payment report by a reporting business entity; and
  (b) has been obtained by another entity, Commonwealth body or State body under subsection 29(1) or this section; and
  (c) is held by the other entity, Commonwealth body or State body.
Note: This section does not apply to the information to the extent that it has been otherwise obtained by the other entity, Commonwealth body or State body.
Permitted use and disclosure
(2) The other entity, Commonwealth body or State body may make a record of, use or disclose the information but only for the purposes of one or more of the following:
  (a) assisting the reporting business entity, and other entities acting on behalf of the reporting business entity, to respond to, mitigate or resolve the cyber security incident;
  (b) performing functions or exercising powers under this Part or Part 6 as it applies to this Part;
  (c) proceedings under, or arising out of, section 137.1 or 137.2 of the Criminal Code (false and misleading information and documents) that relate to this Act;
  (d) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
  (e) the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;
  (f) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;
  (g) the performance of the functions of the National Cyber Security Coordinator under Part 4 relating to a cyber security incident;
  (h) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;
  (i) the performance of the functions of an intelligence agency.
Restriction on use and disclosure for civil or regulatory action
(3) However, the other entity, Commonwealth body or State body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention, by the reporting business entity, of a Commonwealth, State or Territory law other than:
  (a) a contravention by the reporting business entity of this Part; or
  (b) a contravention by the reporting business entity of a law that imposes a penalty or sanction for a criminal offence.
Interaction with the Privacy Act 1988
(4) Subsection (2) does not authorise the other entity, Commonwealth body or State body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(5) Subsection (2) does not prohibit:
  (a) recording, use or disclosure of information referred to in subsection 29(4); or
  (b) if the other entity is an individual—recording, use or disclosure of personal information about the individual; or
  (c) recording, use or disclosure of the reporting business entity's own information, with the consent of the reporting business entity, by another entity, a Commonwealth body or a State body; or
  (d) recording, use or disclosure of information for the purposes of carrying out a State's constitutional functions, powers or duties.
Civil penalty for contravention of this section
(6) An entity is liable to a civil penalty if:
  (a) the entity contravenes subsection (2); and
  (b) the entity is not a Commonwealth officer; and
  (c) any of the following applies:
    (i) the information is sensitive information about an individual and the individual has not consented to the record, use or disclosure of the information;
    (ii) the information is confidential or commercially sensitive;
    (iii) the record, use or disclosure of the information would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.
Note 1: See the Criminal Code for offences for Commonwealth officers.
Note 2: This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.
Civil penalty: 60 penalty units.
31 Legal professional privilege
(1) The fact that a reporting business entity provided information in a ransomware payment report does not otherwise affect a claim of legal professional privilege that anyone may make in relation to that information in any proceedings:
  (a) under any Commonwealth, State or Territory law (including the common law); or
  (b) before a tribunal of the Commonwealth, a State or a Territory.
(2) Despite subsection (1), this section does not apply to the following:
  (a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
  (b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(3) This section does not limit or affect any right, privilege or immunity that the reporting business entity has, apart from this section, as a defendant in any proceedings.
32 Admissibility of information in ransomware payment report against reporting business entity
(1) This section applies to information that:
  (a) has been provided in a ransomware payment report by a reporting business entity; and
  (b) has been obtained by a Commonwealth body or State body under section 27, subsection 29(1) or section 30; and
  (c) is held by the Commonwealth body or State body.
Note: This section does not apply to information held by the Commonwealth body or State body to the extent that it has been otherwise obtained.
(2) That information is not admissible in evidence against the reporting business entity in any of the following proceedings:
  (a) criminal proceedings for an offence against a Commonwealth, State or Territory law, other than:
    (i) proceedings for an offence against section 137.1 or 137.2 of the Criminal Code (which deal with false or misleading information or documents) that relates to this Act; or
    (ii) proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;
  (b) civil proceedings for a contravention of a civil penalty provision of a Commonwealth, State or Territory law, other than a civil penalty provision of this Part;
  (c) proceedings for a breach of any other Commonwealth, State or Territory law (including the common law);
  (d) proceedings before a tribunal of the Commonwealth, a State or a Territory.
(3) However, this section does not apply to the following:
  (a) the proceedings of a coronial inquiry or a Royal Commission in Australia;
  (b) proceedings in a federal court exercising original jurisdiction in which a writ of mandamus or prohibition or an injunction is sought against an officer or officers of the Commonwealth.
Note: For federal court, see section 2B of the Acts Interpretation Act 1901.
(4) This section does not limit or affect any right, privilege or immunity that the reporting business entity has, apart from this section, as a defendant in any proceedings.
Part 4—Coordination of significant cyber security incidents
Division 1—Preliminary
33 Simplified outline of this Part
Information may be voluntarily provided to the National Cyber Security Coordinator in relation to significant cyber security incidents.
The National Cyber Security Coordinator's role is to lead across the whole of Government the coordination and triaging of action in response to a significant cyber security incident.
Information voluntarily provided under this Part may only be recorded, used and disclosed for limited purposes.
34 Meaning of significant cyber security incident
A cyber security incident is a significant cyber security incident if:
  (a) there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or could reasonably be expected to prejudice:
    (i) the social or economic stability of Australia or its people; or
    (ii) the defence of Australia; or
    (iii) national security; or
  (b) the incident is, or could reasonably be expected to be, of serious concern to the Australian people.
Division 2—Voluntary information sharing with the National Cyber Security Coordinator
35 Impacted entity may voluntarily provide information to National Cyber Security Coordinator in relation to a significant cyber security incident
(1) This section applies if:
  (a) an incident has occurred, is occurring or is imminent; and
  (b) the incident is a cyber security incident; and
  (c) the incident has had, is having, or could reasonably be expected to have, a direct or indirect impact on an entity (the impacted entity); and
  (d) the impacted entity is:
    (i) carrying on a business in Australia; or
    (ii) a responsible entity for a critical infrastructure asset to which the Security of Critical Infrastructure Act 2018 applies.
(2) The impacted entity, or another entity acting on behalf of the impacted entity, may provide information about the incident to the National Cyber Security Coordinator if:
  (a) the incident is a significant cyber security incident; or
  (b) the incident could reasonably be expected to be a significant cyber security incident.
Note 1: For information provided in relation to other kinds of cyber security incidents: see sections 36 and 39.
Note 2: This subsection constitutes an authorisation for the National Cyber Security Coordinator to collect the information (including sensitive information) for the purposes of the Privacy Act 1988.
(3) Information about the incident may be provided under subsection (2):
  (a) at any time during the response to the incident; and
  (b) on the impacted entity's own initiative or in response to a request by the National Cyber Security Coordinator.
Note: There is no obligation on the impacted entity to provide information in response to a request.
Presumption
(4) For the purposes of paragraph (1)(b), an incident (other than an incident covered by paragraph 9(2)(a) or (b)) is presumed to be a cyber security incident if:
  (a) the incident was probably effected, is probably being effected or could reasonably be expected to be effected, by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
  (b) the incident has probably impeded or impaired, or is probably impeding or impairing or could reasonably be expected to impede or impair, the ability of a computer to connect to such a service; or
  (c) the incident has probably seriously prejudiced, is probably seriously prejudicing, or could reasonably be expected to prejudice:
    (i) the social or economic stability of Australia or its people; or
    (ii) the defence of Australia; or
    (iii) national security.
Note: Paragraphs 9(2)(a) and (b) cover incidents involving critical infrastructure assets or the activities of corporations to which paragraph 51(xx) of the Constitution applies.
(5) However, subsection (4) does not make an entity liable to a civil penalty under this Part if the incident:
  (a) was not in fact effected by means of a telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution (including, for example, by means of the internet); or
  (b) did not in fact impede or impair the ability of a computer to connect to such a service; or
  (c) did not in fact seriously prejudice:
    (i) the social or economic stability of Australia or its people; or
    (ii) the defence of Australia; or
    (iii) national security.
36 Voluntary provision of information in relation to other incidents or cyber security incidents
(1) This section applies if:
  (a) an incident has occurred, is occurring or is imminent; and
  (b)