The past few years have fundamentally changed how Australian organisations approach data privacy and cybersecurity. High-profile data breaches at Qantas, Optus, Medibank, and Australian Clinical Labs have made headlines, sparked regulatory action, and exposed businesses to unprecedented legal and reputational risks. These aren’t isolated incidents: the Australian Signals Directorate has documented a significant surge in cyberattacks across the country. It responded to more than 1200 cybersecurity incidents during 2024/2025, an 11% increase. And this is happening against a backdrop of organisations simultaneously navigating sweeping legislative reforms that reshaped the compliance landscape.
For in-house counsel and legal professionals, the challenge is clear: privacy and cybersecurity risks are escalating, regulatory expectations are heightened, and the legal framework has become increasingly complex. The question isn’t whether your organisation will face these challenges, but whether you’ll be prepared when they strike.
Why Privacy and Cybersecurity Demand Your Attention Now
The regulatory environment has shifted dramatically. As Rebecca Brown, Senior Lawyer Writer, Data Privacy and Cybersecurity, for Practical Law Australia, explains: “We’ve seen a significant shift in the regulatory posture of the Privacy Commissioner to a more proactive, enforcement-focused approach.” This isn’t just rhetoric: Australian Clinical Labs faced the first-ever civil penalty order under the Privacy Act, signalling a new era of enforcement.
The legislative changes have been equally transformative. Late 2024 saw significant reforms to the Privacy Act 1988 (Cth), amendments to the Security of Critical Infrastructure Act 2018 (Cth), and the introduction of the groundbreaking Cyber Security Act 2024 (Cth). These reforms have created new areas of legal risk that many organisations are still coming to terms with.
Perhaps most significantly, individuals now have a direct path to sue over privacy breaches through the new statutory tort for serious invasions of privacy. “Prior to the introduction of that statutory framework, individuals did not have a direct pathway to the courts under the Privacy Act or common law to sue for privacy breaches,” Louise Sinclair, Senior Lawyer Writer, Data Privacy and Cybersecurity, notes. The tort commenced in June 2025, and Australia has already seen its first judicial decision, with more cases before the courts.
For organisations across sectors, the message is clear: demonstrable governance and compliance are critical.
A Comprehensive Solution for Complex Challenges
In response to what customers have been requesting, Practical Law has developed an extensive suite of new privacy and cybersecurity resources, complementing the large swath of existing resources already available. These practical tools are specifically designed to help legal professionals manage escalating privacy and cybersecurity risks while ensuring compliance with Australia’s complex regulatory framework.

Cybersecurity Resources: From Ransomware to Smart Devices
The new cybersecurity content addresses both general risk management and high-interest specific scenarios. Organisations grappling with cybersecurity in the context of AI deployment, due diligence for asset purchases, or outsourcing to cloud providers will find dedicated guidance tailored to these challenges.
The Cyber Security Act 2024 introduced two particularly significant obligations. First, organisations must now report ransomware payments to the government, a mandatory requirement that represents a major shift in Australia’s approach to cybercrime. Second, new security standards for smart devices have brought regulation to what was previously an unregulated area, establishing minimum safety and security standards.
For organisations in critical infrastructure sectors, a comprehensive new toolkit breaks down the entire SOCI framework, including each of the positive security obligations. As Sinclair describes it: “It’s a complicated compliance framework, and this new toolkit is designed to make it easy for people to work out what they need to do and when.”
Given the rising tide of cybercrime, the new Practice note on Cyber Insurance and Checklist for Obtaining Cyber Insurance will be particularly valuable. These resources provide insights into the Australian cyber insurance market, available products, and practical tips for negotiating coverage – essential tools as organisations seek to transfer some of their cyber risk.
Privacy Resources: Individual Rights to Data Breach Litigation
The privacy resources address the full spectrum of compliance challenges facing modern organisations. A new Practice note on Data Ethics and AI Governance considers recent government guidance on AI adoption, and provides an overview of the key ethical considerations when developing a risk management framework for the use of data in AI.
Individual rights under the Privacy Act, including access requests, correction requests, and opting out of direct marketing, are among the most complained-about issues to the privacy regulator. The new Practice note on individual rights sets out the scope of these rights and provides key practical steps for businesses, particularly customer-facing organisations dealing with high volumes of requests.
For organisations involved in major commercial transactions, a suite of new standard documents and clauses focuses on privacy compliance during mergers and acquisitions and asset purchases. These ready-to-use templates are designed to fast-track contract drafting while managing privacy compliance risks.
Data breach litigation has become a reality in Australia, with class actions and privacy representative complaints now part of the legal landscape. The new Practice note on Key Issues in Data Breach Litigation provides an overview of the current state of play, emerging trends, and strategic considerations for navigating the realities of this evolving area.
The resources also extend to state-level obligations, with new Practice Notes on NSW and Victorian privacy laws, as well as guidance on navigating mandatory data breach schemes in New South Wales, Queensland, and Western Australia. These resources are not only relevant for state government agencies, but also for private sector organisations contracting with state governments.
Why Practical Law’s Approach Stands Apart
What distinguishes these resources is their practical, user-focused design. The content has been developed by experts with deep regulatory and in-house experience. Rebecca previously served as Director of Privacy Law Reform at the Office of the Australian Information Commissioner, where she provided expert advice to the government throughout the Privacy Act review, contributing to significant legislative reform. Her insider perspective ensures the guidance reflects real-world compliance challenges and regulatory expectations.
Louise’s legal career has spanned both in-house and private practice, with a large amount of time spent with the NSW government as a Principal Lawyer advising on privacy and regulatory compliance. Louise is a subject matter expert on privacy and data protection laws and is a current member of the NSW Law Society’s Privacy and Data Law Committee.
These new resources are structured to make complex frameworks accessible. Where Practical Law previously had one lengthy Practice Note on the Security of Critical Infrastructure regime, there are now seven specialised resources – including an overview note, a comprehensive suite of practice notes on each of the positive security obligations under the SOCI regime, and a detailed checklist on civil penalties and infringement notices.
As boards demand demonstrable governance, penalties escalate, and new areas of legal risk emerge, these resources provide a clear roadmap. They’re designed to help organisations from board level down achieve and demonstrate compliance with the complex layers of cybersecurity laws now in force in Australia – and to manage the inevitable challenges, risks, and costs associated with data breaches.
In an environment where cyber attacks are increasingly driven by AI and regulatory scrutiny continues to intensify, having expert guidance at your fingertips isn’t just helpful, it’s essential to your organisation’s risk management armoury.