Australia was the first country to extend mandatory reporting of ransomware payments beyond critical infrastructure entities[i]. From 30 May 2025, all businesses that have an annual turnover of $3 million in a financial year must report a ransomware or cyber extortion payment within 72 hours of making the payment or having a payment made on their behalf. This reporting requirement is in addition to the existing reporting obligations under the Notifiable Data Breach (NDB) scheme. The NDB scheme requires mandatory notification by organisations[ii] of a privacy data breach that is likely to result in “serious harm” to the individual whose personal information held by that organisation has been the subject of an unauthorised access, disclosure or loss.[iii]
With the significant increase in ransomware and cyber extortion incidents impacting the Australian economy, mandatory reporting was required to enable Government and industry to develop effective responses to cyber security incidents, and defences against these criminal attacks and extortions. The existing voluntary scheme for reporting ransomware payments was not working, with only about 20 percent of victims reporting an incident. This meant that Government did not have up-to-date data and intelligence to respond to incidents and support impacted industry[iv].
Mandatory reporting will assist Government with intelligence gathering and enhance resilience and defences. It will also enable Government to provide support and advice to industry on how to better protect their systems and networks.
Combined with compliance with the mandatory reporting obligations under the Privacy Act’s NDB scheme, industry and Government agencies (including the Federal Police and the Australian Cyber Security Centre) are increasingly working together to respond to these destructive crimes.
The Qantas Incident – an Example
An example of Government/industry co-operation is the recent cybersecurity incident resulting from a cyberattack on one of Qantas’ third-party call centres, which impacted the data of 5.7 million Qantas customers. Qantas reported the data breach to the Office of the Australian Information Commissioner in compliance with its obligations under the Notifiable Data Breach Scheme. Due to the criminal nature of the attack, Qantas has also been working with Government agencies – the National Cyber Security Coordinator and the Australian Cyber Security Centre. The incident was also reported to the Federal Police.
A significant increase in cybersecurity and ransomware incidents
The privacy breach reporting obligations under the Notifiable Data Breach scheme (NDB scheme), introduced by the Privacy Act 1988 (Cth) (Privacy Act), have been in operation since February 2018.
The NDB scheme requires mandatory notification by organisations[v] of a privacy data breach that is likely to result in “serious harm” to the individual whose personal information held by that organisation has been the subject of an unauthorised access, disclosure or loss.[vi]
The Office of the Australian Information Commissioner (OAIC), the regulator responsible for compliance with the NDB scheme, recently published its half-yearly Report for the period from July to December 2024.[vii] The OAIC Report reveals a notable increase in the number of reported breaches resulting from cybersecurity and ransomware incidents, with health service providers (121 notifications) and the Australian Government (100 notifications) being the top two sectors to notify data breaches during this reporting period.
The OAIC reports that in the period July to December 2024, 595 notifications of data breaches were received by the OAIC under the NDB scheme. The leading source of all data breach notifications during this period was malicious or criminal attacks, accounting for 69% (or 404) of the total notifications for this reporting period. This is a 17% increase on the last 6-month reporting period, with 247 (or 61%) of these notifications resulting from cyber security incidents – 46 more than for the last reporting period. Of these 247 cyber security incident notifications, 60 involved ransomware – a significant increase from the 49 reported during the last 6-month reporting period.
However, the NDB scheme does not require reporting of ransomware payments. This ‘gap’ has been addressed by the Australian Government’s recent introduction of mandatory ransomware and cyber extortion payment reporting requirements in the Cyber Security Act 2024 (Cth).
The new mandatory ransomware and cyber extortion payment reporting regime
The Government’s new mandatory ransomware and cyber extortion payment reporting regime set out in Part 3 of the Cyber Security Act 2024 (‘Mandatory Reporting Regime’) commenced on 30 May 2025.
The mandatory reporting obligation only applies to an entity if the following three (3) criteria are met:
- the entity is a reporting business entity[viii] as defined under section 26(2) of the Cyber Security Act 2024 (Cth) – i.e. an entity that is carrying on a business in Australia and has an annual turnover of $3 million in a financial year, or is the responsible entity for a critical infrastructure asset as defined under Part 2B of the Security of Critical Infrastructure Act 2018 (Cth);
- the reporting business entity is impacted, directly or indirectly, by a cyber security incident;
- the reporting business entity provides a ransomware payment to an extorting entity, in response to a demand that is seeking to gain from the impact of the cyber security incident.[ix]
Under section 27 of the Cyber Security Act 2024 (Cth), a reporting business entity must make a report to the Government if it has made, or is aware that another entity has made on its behalf, a ransomware or cyber extortion payment. The report must be made within 72 hours of making the payment, using the form provided by the Australian Signals Directorate (ASD)[x].
However, there is NO obligation to report where the reporting business entity has elected NOT to make any payment in response to the ransomware or cyber extortion payment demand.[xi]
The Mandatory Reporting Regime is being implemented in 2 phases:
- Phase 1, from 30 May 2025 to 31 December 2025 – an Education First Approach – which will be used to socialise the reporting form with regulated entities, manage any challenges and identify key compliance barriers. Regulatory and enforcement action taken by the Department of Home Affairs during this first phase would aim to pursue ‘only cases of egregious non-compliance against businesses that report on incidents’[xii]; and
- Phase 2, from 1 January 2026 – a Compliance and Enforcement Approach – during which the Department would pursue a more active regulatory focus.
Mandatory reporting will benefit business and Australia’s economy and build resilience against these types of attacks, which have the potential to bring Australia’s whole economy to a standstill.
Businesses cannot afford to be complacent about Privacy
Privacy compliance should be a priority for all organisations and businesses that collect or hold Australians’ personal information. Data and other privacy breaches can have a significant impact on businesses and result in:
- Business disruption
- Significant costs in responding to a data breach
- Reputational damage
- Loss of valuable intellectual property/confidential information
- Loss of business and revenue
- Reduction in capital/share value of the business
- Substantial costs in regaining consumer confidence that the organisation can be trusted with personal information/data
- Regulatory fines and penalties
- Compensation claims by individuals/class actions.
In December 2022 the penalties for repeated or serious privacy breaches increased from AU$2.22 million to the greater of AU$50 million, or three (3) times the value of any benefit obtained through the misuse of information, or 30 percent of a company’s adjusted turnover in the relevant period.
The Australian Information Commissioner’s enforcement powers have also recently been changed and enhanced through changes to the Privacy Act 1988 (Cth) made by the Privacy and Other Legislation Amendment Act 2024 (Cth), which commenced on 10 December 2024 and introduced a statutory tort to provide redress (including civil penalties) for serious invasions of privacy[xiii].
Civil penalties under the Cyber Security Act 2024 (Cth) may also be incurred by a reporting business entity which fails to comply with the new mandatory ransomware reporting requirements.
AIC commences civil penalty action against Optus
On 8 August 2025, the Australian Information Commissioner (AIC) filed civil penalty proceedings in the Federal Court of Australia against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus) in relation to a cyberattack which accessed the personal information of approximately 9.5 million current and former Australian Optus customers, and which Optus made public on 22 September 2022. The AIC is alleging that “Optus did not take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the personal information it held, and the risk of harm for an individual in the case of a breach”[xiv]. The AIC is alleging one contravention for each of the 9.5 million individuals allegedly impacted by the privacy breach. As the alleged contraventions occurred from 17 October 2019 to 20 September 2022 – prior to the increase in penalties which occurred in December 2022 – in this case the Federal Court can impose a civil penalty of up to $2.22 million for each contravention[xv].
Privacy Risk Management – Some Strategies to Consider
The privacy, data protection and cybersecurity laws are complex, as are the reporting obligations.
People are the most important part of the process and solution, followed by technology. Safeguards against unauthorised use, disclosure, theft, cyber-attacks, industrial espionage and sabotage of IT systems have to be agile and kept up to date to deal with the evolving and increasing sophistication of cyber-attacks and cyber incidents. There are also additional risks to be considered where an organisation outsources the handling of personal information to service providers and contractors.
There is no single solution for data protection and compliance with privacy and data protection laws. Organisations must be pro-active and agile in their approach, keeping pace with changes in technology and the law. This includes recognising when the expertise required in this area is not available in-house, and seeking external expert advice and assistance, particularly in the areas of:
- Development and implementation of cybersecurity and ransomware incident response plans including testing of these in a simulated environment.
- Data retention laws and the development and implementation of data retention policies for the destruction of data that is no longer required to be kept by the organisation.
- Reviews and assessments of an organisation’s processes, systems, policies and other documents for privacy, data protection and regulatory compliance, systems security, technological data flows and storage, and associated risks.
- Training and education of management and employees on privacy and data protection compliance requirements including risk mitigation.
- Mandatory reporting of privacy breaches and other cybersecurity incidents to all relevant regulators and affected individuals.
- Review of insurance policies to ensure the business has adequate cover for liabilities and claims arising from privacy breaches and cybersecurity incidents.
Disclaimer: This legal update is not intended to be a substitute for obtaining legal advice.
© Stephens Lawyers & Consultants. 9 September 2025; Co-Authored by Katarina Klaric, Principal and Rochina Iannella, Consultant, Stephens Lawyers & Consultants.
For further information contact:
Katarina Klaric
Principal
Stephens Lawyers & Consultants
Melbourne Head Office
Level 40, 140 William Street, Melbourne VIC 3000
Phone: (03) 8636 9100
Sydney Office
Level 29, Chifley Tower, 2 Chifley Square, Sydney, N.S.W. 2000
Phone: (02) 9238 8028
Email: [email protected]
Website: www.stephens.com.au
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
[i] Cyber Security Act 2024, Part 3.
[ii] Under the scheme, any organisation or government agency covered by the Privacy Act 1988 (Cth) that experiences an eligible data breach must notify affected individuals and the OAIC.
[iii] Privacy Act 1988 (Cth) s 26WE(2).
[iv] Explanatory Memorandum, House of Representatives, Cyber Security Bill 2024.
[v] Under the scheme, any organisation or government agency covered by the Privacy Act 1988 (Cth) that experiences an eligible data breach must notify affected individuals and the OAIC.
[vi] Privacy Act 1988 (Cth) s 26WE(2).
[vii] Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July to December 2024, 13 May 2025.
[viii] As defined under section 26(2) of the Cyber Security Act 2024 (Cth).
[ix] Department of Home Affairs, “Frequently Asked Questions – Mandatory ransomware and cyber extortion payment reporting is active from 30 May 2025”, https://www.homeaffairs.gov.au/cyber-security-subsite/Pages/cyber-security-act.aspx
[x] Australian Signals Directorate, Australian Cyber Security Centre, ‘Ransomware payment and cyber extortion payment reporting’, https://www.cyber.gov.au/report-and-recover/report/ransomware-payment-and-cyber-extortion-payment-reporting
[xi] Department of Home Affairs, “Fact Sheet – Mandatory ransomware and cyber extortion payment reporting is active from 30 May 2025”, https://www.homeaffairs.gov.au/cyber-security-subsite/Pages/cyber-security-act.aspx
[xii] Ibid.
[xiii] OAIC, ‘Privacy Regulatory Action Policy’, 23 June 2025.
[xiv] OAIC, “Australian Information Commissioner takes civil penalty action against Optus”, 8 August 2025.
[xv] Ibid.