Sponsored content
High-profile data breaches, sweeping legislative reforms, escalating regulatory enforcement. For Australian lawyers, privacy and cybersecurity have transformed from niche specialisations into essential practice capabilities – and clients need sophisticated guidance now.
The Australian Signals Directorate responded to more than 1,200 cybersecurity incidents during 2024/2025, an 11 per cent increase from the previous year. High-profile breaches at Qantas, Optus, Medibank, and Australian Clinical Labs have exposed organisations to unprecedented legal and reputational risks. For legal professionals across Australia, whether you’re advising corporate clients, government agencies, or private sector organisations, privacy and cybersecurity questions are no longer occasional matters – they’re daily realities.
“We’ve seen a significant shift in the regulatory posture of the Privacy Commissioner to a more proactive, enforcement-focused approach,” explains Rebecca Brown, Senior Lawyer Writer, Data Privacy and Cybersecurity, for Practical Law Australia. Australian Clinical Labs faced the first-ever civil penalty order under the Privacy Act, signalling a new era of enforcement.
The shift is fundamental. Late 2024 saw significant reforms to the Privacy Act 1988 (Cth), amendments to the Security of Critical Infrastructure Act 2018 (Cth), and the introduction of the Cyber Security Act 2024 (Cth). For lawyers advising clients across sectors, these changes have created new areas of legal risk that many organisations are still coming to terms with.
Meet the experts behind the content
At the heart of Practical Law Australia’s privacy and cybersecurity content is a dedicated team of lawyer-writers who bring decades of regulatory and in-house experience.
Rebecca Brown previously served as Director of Privacy Law Reform at the Office of the Australian Information Commissioner, where she provided expert advice to the government throughout the Privacy Act review, contributing to significant legislative reform. Her insider perspective ensures the guidance reflects real-world compliance challenges and regulatory expectations.
Louise Sinclair’s legal career has spanned both in-house and private practice, with a large amount of that time spent at the NSW Government as a Principal Lawyer advising on privacy and regulatory compliance. She’s a subject matter expert on privacy and data protection laws and a current member of the NSW Law Society’s Privacy and Data Law Committee.
Together, they’ve developed an extensive suite of new privacy and cybersecurity resources designed to help Australian lawyers manage escalating risks while ensuring compliance with Australia’s increasingly complex regulatory framework.
The challenges reshaping privacy practice
The statutory tort: a new litigation landscape
Perhaps most significantly, individuals now have a direct path to sue over privacy breaches through the new statutory tort for serious invasions of privacy. “Prior to the introduction of that statutory framework, individuals did not have a direct pathway to the courts under the Privacy Act or common law to sue for privacy breaches,” Sinclair notes.
The tort commenced in June 2025, and Australia has already seen its first judicial decision, with more cases before the courts. Data breach litigation has become a reality, with class actions and privacy representative complaints now part of the legal landscape. For lawyers, the message is clear: demonstrable governance and compliance are critical.
Mandatory ransomware reporting and smart device regulation
The Cyber Security Act 2024 introduced two particularly significant obligations that lawyers need to understand. First, organisations must now report ransomware payments to the government – a mandatory requirement that represents a major shift in Australia’s approach to cybercrime. Second, new security standards for smart devices have brought regulation to what was previously an unregulated area, establishing minimum safety and security standards.
These changes require lawyers to bridge traditional privacy law with modern cybersecurity challenges. When clients face ransomware attacks or implement smart device networks, legal professionals need sophisticated strategies that combine regulatory compliance with practical risk management.
Comprehensive resources for complex challenges
Cybersecurity guidance from infrastructure to insurance
For organisations in critical infrastructure sectors, a comprehensive new toolkit breaks down the entire SOCI framework, including each of the positive security obligations. “It’s a complicated compliance framework, and this new toolkit is designed to make it easy for people to work out what they need to do and when,” Sinclair explains.
The new cybersecurity content addresses both general risk management and specific scenarios – from AI deployment to due diligence for asset purchases to outsourcing to cloud providers. Given the rising tide of cybercrime, the new Practice Note on Cyber Insurance and Checklist for Obtaining Cyber Insurance will be particularly valuable, providing insights into the Australian cyber insurance market and practical tips for negotiating coverage.
Privacy resources from individual rights to commercial transactions
Individual rights under the Privacy Act – including access requests, correction requests, and opting out of direct marketing – are among the most complained-about issues to the privacy regulator. The new Practice Note on individual rights sets out the scope of these rights and provides key practical steps for businesses, particularly customer-facing organisations dealing with high volumes of requests.
A new Practice Note on Data Ethics and AI Governance considers recent government guidance on AI adoption and provides an overview of key ethical considerations when developing a risk management framework for data use in AI.
For lawyers working on major commercial transactions, a suite of new standard documents and clauses focuses on privacy compliance during mergers and acquisitions and asset purchases. These ready-to-use templates are designed to fast-track contract drafting while managing privacy compliance risks.
The new Practice Note on Key Issues in Data Breach Litigation provides an overview of the current state of play, emerging trends, and strategic considerations for navigating this evolving area.
State-level guidance
The resources extend to state-level obligations, with new Practice Notes on NSW and Victorian privacy laws, as well as guidance on navigating mandatory data breach schemes in New South Wales, Queensland, and Western Australia. These resources are relevant not only for state government agencies but also for private sector organisations contracting with state governments.
Built for how you actually work
What distinguishes these resources is their practical, user-focused design. Where Practical Law previously had one lengthy Practice Note on the Security of Critical Infrastructure regime, there are now seven specialised resources – including an overview note, practice notes on each of the positive security obligations under the SOCI regime, and a detailed checklist on civil penalties and infringement notices.
The content is structured to make complex frameworks accessible. You can quickly find exactly what you need for your specific situation, rather than having to read through pages of general information. Resources are updated within 48 hours of legislative or regulatory changes, ensuring you can rely on the accuracy and currency of the guidance when advising clients.
Your competitive advantage
As boards demand demonstrable governance, penalties escalate, and new areas of legal risk emerge, these resources provide a clear roadmap to achieve and demonstrate compliance with the complex layers of cybersecurity laws now in force in Australia.
In an environment where cyber attacks are increasingly sophisticated and regulatory scrutiny continues to intensify, having expert guidance at your fingertips isn’t just helpful – it’s essential to your organisation’s risk management capability.
Make our expertise your unfair advantage.
Explore how Practical Law can change the way you get privacy and cybersecurity work done.

