22 April 2025
Australia Tightens Privacy Laws Amid Surge in Data Breaches

In the first half of 2024, Australia recorded 527 notifiable data breaches, a 9% increase on the previous six months and the highest half-yearly count since the second half of 2020. Alarmingly, 67% of these were attributed to malicious or criminal attacks rather than human error or system faults, according to the Office of the Australian Information Commissioner (OAIC).

In response, the government introduced the Privacy and Other Legislation Amendment Bill 2024, the first tranche of reforms to the Privacy Act 1988. It passed Parliament in November 2024 and received Royal Assent on 10 December 2024, so its measures are now law.

Compliance is no longer a tick-box exercise. It's a legal obligation, a risk management strategy, and a core part of customer trust.

Key Updates CISOs Should Know

1. Expanded OAIC Enforcement Powers

The Office of the Australian Information Commissioner (OAIC) has been granted enhanced investigative and enforcement powers under the Regulatory Powers (Standard Provisions) Act 2014. This aligns the OAIC's capabilities with other domestic regulators, allowing for more effective compliance monitoring and breach investigations. Source: OAIC - Inquiry into the Privacy and other Legislation Amendment Bill 2024 Provisions

2. Children’s Online Privacy Code

The Bill mandates the development of a Children’s Online Privacy Code, focusing on strengthening privacy protections for children online. The OAIC is tasked with creating this code through research and consultations, aiming to ensure that children's personal information is handled with heightened care. Source: OAIC - Better Privacy Protections for Children are Coming

3. Criminalization of Doxxing

The legislation introduces criminal offences for doxxing. Offenders may face up to six years in prison, or seven years if the act is motivated by discriminatory beliefs such as race or religion. Source: The Guardian - Australia New Doxing Laws Government

4. Statutory Tort for Serious Invasions of Privacy

A new statutory tort allows individuals to sue for serious invasions of privacy. This provides a legal avenue for individuals to seek redress when their privacy is intentionally or recklessly violated, such as through unauthorized surveillance or misuse of personal information. Source: Quaylaw - Privacy Reforms Privacy and other Legislation Amendment Bill 2024

Note that the small business exemption (annual turnover under AUD 3 million) has not been removed by this tranche, but it has never applied to health service providers, businesses that trade in personal information (such as data brokers), or Commonwealth contracted service providers: those organisations are covered by the Privacy Act regardless of turnover. Separately, the statutory tort and the doxxing offences apply to any person or organisation, not only to entities regulated by the Act, so even a small business outside the Act's scope can face legal and financial liability.

What This Means for Businesses

The Privacy and Other Legislation Amendment Bill 2024 raises the bar for how organisations must handle personal information. Whether you're a large enterprise or an SME, you’ll need to:

  • Establish clear internal policies governing the collection, storage, access, and disposal of personal data.
  • Provide regular staff training on privacy obligations, phishing awareness, secure data handling, and breach response.
  • Implement technical safeguards such as encryption for data at rest and in transit, MFA for access to sensitive systems, timely and secure deletion of data that is no longer needed, and access controls aligned with the principle of least privilege.
  • Develop a formal data breach response plan, including incident detection and containment procedures, roles and responsibilities during an incident, and notification templates and timelines.
  • Mandatory reporting: under the Notifiable Data Breaches scheme you must notify both the OAIC and affected individuals of an eligible data breach as soon as practicable after becoming aware of it, and a suspected breach must be assessed within 30 days. The Privacy Act sets no fixed 72-hour notification window; that figure comes from other regimes such as the GDPR, so do not plan around it.

Bottom line: treat privacy compliance as a standing legal obligation and a risk management discipline, because it is now also a condition of customer trust.

Cyber Node helps SMBs navigate this shift. From privacy readiness to penetration testing, our expert team ensures your defences align with the latest requirements.

🔗 Book a consult at cybernode.au or email sales@cybernode.au.

Categories
  • Cyber Security
  • Risk Management
  • Data Security
  • Data Protection