Under Australia's Privacy Act, applicable businesses that hold personal information are legally required to report actual or suspected breaches of data security to the regulator, the Office of the Australian Information Commissioner (OAIC) and to affected individuals whose data is compromised. This Privacy Act requirement has been in place since early 2018.

Who must comply with the Privacy Act?

The Privacy Act applies to businesses that meet any of the following criteria:

  • Has an annual turnover of $3 million or more,
  • Operates as a private health service provider,
  • Acts as a credit reporting body or a credit provider, or
  • Trades in personal information or handles tax file numbers (TFNs).

Expanded cyber breach obligations — understand the requirements businesses need to comply with

Since May 2025, regulatory obligations have expanded to include ransomware payments, which must be reported to the Australian Signals Directorate (ASD) within 72 hours by businesses that have revenue over $3 million or that are required to comply with the Security of Critical Infrastructure Act 2018 (SOCI) [1].

SOCI applies to entities that own or operate critical infrastructure assets in sectors such as energy, water and telecommunications. Those entities are required to meet obligations such as registering their assets, implementing a risk management program and reporting cyber incidents.

What is the scope of ransomware notifications?

  • Businesses must disclose the use of any third-party ransom negotiator, the value of the demand and any communications with the criminals.
  • Non-compliance may result in a civil penalty of up to $19,800, increased regulatory scrutiny and reputational harm.
  • This applies to payments made in response to all cybersecurity incidents that directly or indirectly impact the business.

Added liability for privacy breaches

The Statutory Tort of Privacy was introduced in June 2025, allowing individuals to sue businesses for serious privacy breaches caused by deliberate or reckless actions. The key implications for businesses:

  • Legal actions: Imposed remedial actions may include compensatory damages (including for emotional harm), injunctions, apologies and data destruction.
  • Insurance coverage: Cyber insurance policies may provide some protection under third-party liability, but coverage for emotional distress varies according to the insurer.

Heightened cybersecurity requirements for financial services

Australian financial services licence holders have come under scrutiny over inadequate cyber security and CPS 230 obligations [2], with the Australian Securities & Investments Commission (ASIC) pursuing enforcement action for inadequate cyber protections.

Key obligations include identifying and managing operational risks, maintaining critical operations through disruptions and enhancing oversight of service providers.

Cyber breach actions against Australian business: Real life examples

  1. In the first civil penalty issued under the Privacy Act for poor breach notification procedures, Australian Clinical Labs (formerly Medlab Pathology) was ordered to pay a $5.8 million civil (non-criminal) penalty for inadequately reporting its data breach to the OAIC.
  2. ASIC's action against FIIG Securities seeking civil penalties and compliance orders as a result of systemic failures underscores that cybersecurity compliance is now a legal obligation.
  3. Fortnum Private Wealth was found to have failures in its policies, frameworks and systems, and ASIC is seeking penalties against Fortnum for exposing the company, its representatives and its clients to unacceptable cyber risk due to a lack of operational resilience. Businesses holding an Australian Financial Services Licence (AFSL) must be capable of managing service disruption risks.
  4. Optus: The OAIC commenced proceedings against Optus for the data breach affecting 9.5 million customers and is alleging each customer represents a separate contravention of the Act, representing a potential maximum penalty of $21 trillion.

Why businesses must continuously strengthen cyber security

Ongoing regulatory changes highlight the need for businesses to implement operational changes that support cyber breach/ransomware detection and effective response and enable compliance with local and international data protection laws and mandatory obligations and reporting.

Larger organisations must be especially cautious, as their size attracts greater scrutiny from auditors and regulatory bodies, and penalties are also higher. Government mandates impose stricter regulations on larger entities to ensure critical infrastructure and services remain risk free.

As cyber attacks become more sophisticated, it's critical for businesses to adopt strategic cybersecurity measures, invest in advanced cybersecurity tools and develop robust incident response plans to build resilience against threats.

Exploring cyber insurance options can provide a crucial safety net, providing resources to help detect, manage and mitigate a cyber incident efficiently.

How Gallagher can help your business stay protected

Gallagher's cyber practice team helps businesses adapt to evolving regulations and their implications for business management, including the liability of directors and officers. Our services include threat response and remediation, reputation management and regulatory action handling.

Our specialists continually manage evolving cyber risks, including strategic negotiation with threat actors making cyber ransom demands. Alongside our cyber risk management services, we offer robust and comprehensive cyber insurance policies that cover data breaches, business interruptions, legal expenses and more, all in one place.



Sources

[1] Security of Critical Infrastructure Act 2018 (SOCI), Critical Infrastructure Security Centre, Australian Department of Internal Affairs, accessed 9 January 2026.

[2] CPS 230 Operational Risk Management, APRA Prudential Handbook, 1 July 2025.


Disclaimer

Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only, and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services are provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services Licence (AFSL) No. 238312.