Digital Governance, Cyber and Privacy Quarterly Roundup - December 2024
By Katherine Jones, Morgan Lane, Lana Remedi and Jessica Yazbek
Welcome to the 11th edition of our quarterly Digital Governance, Cyber and Privacy newsletter.
As the year draws to a close, our final quarterly roundup covers a flurry of substantial developments.
We now have the Cyber Security Act 2024, which will make reporting of ransoms mandatory for some businesses and set security standards for manufacturers and suppliers of internet-enabled goods.
The ASD report for 2023/24 highlights the increasing complexity and challenges in Australia's cyber threat landscape, driven by geopolitical tensions, state-sponsored cyber operations, and evolving cybercrime tactics. Phishing represented 55% ($33 million) of all losses to Australians, with low-level (unsuccessful) malicious attacks increasing by 10%. Significantly, cyber security incidents were the cause of 69% of large-scale data breaches.
The tortious right to privacy has made strides in the past two months. As discussed in our September article on the Privacy and Other Legislation Amendment Bill 2024 (the Bill), it is proposed that there be a new statutory tort to address serious invasions of privacy. Whilst the new tort has not yet been enacted, we have had our first decision in the matter of Waller v Barrett [2024] VCC 962, which found there was a right to privacy and that it was breached. This decision, being in the County Court of Victoria, is of interest as it is not a superior court decision and is one made prior to the legislative changes; however, it is likely to be indicative of jurisprudence to come.
In Re Blockchain Tech Pty Ltd [2024] VSC 690, the Court considered whether Bitcoin which had been transferred on bailment had been properly accounted for. The Court stepped through the criteria to establish property under common law and held that blockchain is property, bringing Australia in line with the UK, Hong Kong and Singapore.
On 25 November 2024, the Australian Institute of Company Directors released updates to their 2022 Cyber Security Governance Principles. The principles were initially published after the Optus and Medibank incidents; the public is now more aware of incidents and has higher expectations of businesses. Three key areas have been updated. The first is a focus on the digital supply chain and an awareness of how interconnected businesses are (à la CrowdStrike). The second is robust data governance and an appreciation of why data is collected, where it is stored and who has access to it. The third is a refined guide on preparing for a cyber incident, the response and the recovery.
From 1 December 2024, state and territory government services will be able to join the Australian Government Digital ID system, which will be rolled out to the private sector at the end of 2026. It is hoped that, with the Digital ID, fewer organisations will need to keep personal information, or will keep less personal information, about individuals, reducing the impact of data breaches.
Other news
EU's Digital Operational Resilience Act (DORA)
Financial service firms and information and communication technology service providers (ICTs) have until January 2025 to become compliant with DORA. For those caught by the legislation, DORA imposes wide-ranging obligations split into pillars, which include creating an ICT risk management framework, harmonising the classification of incidents and their reporting, setting EU-wide standards for digital operations, harmonising minimum contractual elements for relationships with ICT third parties and creating a direct oversight framework.
EU's NIS2 takes effect
Effective from 18 October 2024, the directive seeks to increase the resilience of network and information systems in the EU and replaces directive 2016/1148.
UK Cyber Security and Resilience Bill
First mentioned in the King's July Speech, the bill has yet to make its debut but will, according to the UK Department of Science, Innovation and Technology, be introduced to Parliament in 2025.
UK Data (Use and Access) Bill
Introduced to Parliament on 23 October 2024, the tabled legislation is set to replace the Data Protection and Digital Information Bill.
Google Cybersecurity Forecast 2025
Google has released its forecast of the trends expected next year, which include adversarial AI, geopolitical risks, evolving ransomware tactics, risks within the cloud and Web3 environments and the rise of 'infostealer' malware.
US Supreme Court declines to hear appeal over Bitcoin ownership
Seized back in 2021 by the Department of Justice, over 50,000 Bitcoins from the Silk Road Dark Web fraud will now be available to the US government following the US Supreme Court declining to hear a final appeal over the ownership of the Bitcoin. The Bitcoin is valued at US$4.4 billion.
Hong Kong has circulated its Protection of Critical Infrastructure (Computer Systems) Bill
In July 2024, the Hong Kong Legislative Council called for consultation on its first specific cybersecurity legislation for the protection of critical infrastructure. Similar to other countries, including the USA and Australia, the proposed legislation defines 8 sectors that would be caught by the legislation.
Canada's proposed Critical Infrastructure legislation progresses
In October 2024, Canada's amendments to the Telecommunications Act had their second reading in the Senate (following three readings in the House of Commons). The proposed legislation has now been referred to a committee. The proposed legislation seeks to introduce the Critical Cyber Systems Protection Act for Canada's critical infrastructure along with broader amendments to bolster security across financial, telecommunication, energy and transportation sectors.
Canada identifies the People's Republic of China as its biggest threat
Canada's National Cyber Threat Assessment 2025/2026 has identified that the People's Republic of China, with its global cyber surveillance, espionage and attack capabilities, presents the most sophisticated and active cyber threat to Canada.