
Is the Early Childhood Education and Care Sector Ready For New Cybersecurity Legislation?

by Holding Redlich General Counsel Dan Pearce

January 15, 2025

The early childhood education and care (ECEC) sector continues to grapple with significant and rising cyber risks: the education and training sector ranked fourth among the top 10 reporting sectors for cyber security incidents in the 2023-2024 Australian Signals Directorate (ASD) Annual Cyber Threat Report, and the sector itself saw the high-profile attack on Guardian Childcare in May last year.

With this in mind, the Australian Government's spotlight on cyber security is a welcome one. With it come changes to legislation, the biggest being that businesses above an annual turnover threshold, including larger early learning centres, will be required to report ransomware payments within 72 hours.

A business that makes a ransomware payment will need to report it to the ASD; information about the incident more broadly can be provided to the National Cyber Security Coordinator under a parallel voluntary scheme. The ASD aggregates and analyses what it receives to produce a national cyber threat picture.

However, it's important to remember that this notification is not the end of your legal obligations. Your duty to act in the best interests of your organisation means you should consider whether paying a ransom (and whatever immediate relief that buys) will genuinely prevent the attackers from misusing the information they obtained, particularly the private information of children and their families. A payment buys a promise, not a guarantee: there is no way to verify that stolen data has actually been deleted.

You also need to assess whether a payment may make the learning centre a target for future attacks. Depending on the circumstances, a ransom payment may also expose the organisation to penalties under sanctions, counter-terrorism and anti-money laundering laws.

What the Cyber Security Act changes

 

The following initiatives are expected to have the most immediate impact on ECEC centres and are likely to take effect from mid-2025.

 

  • Mandatory 72-hour reporting obligation for ransom payments

 

Organisations above an annual turnover threshold set by the rules, including large ECEC centres, must report any payment made in response to a cyber ransom demand to the ASD within 72 hours of making the payment (or of becoming aware that a payment has been made on their behalf).

This measure recognises that there will be circumstances in which making a payment could be justified, and it seeks to preserve the legal rights of the disclosing entity, for instance by providing that reporting does not waive legal professional privilege. While the government has not pursued a complete ban on payments, it strongly advises against paying, to make Australia a less attractive target for ransomware attacks.

  • Regulated use of information submitted to National Cyber Security Coordinator

 

Rules will govern how information submitted to the National Cyber Security Coordinator may be used, to ensure it is used appropriately. This does not extend to a full 'safe harbour' (a legal provision that protects individuals or organisations from prosecution, liability or penalties), despite many submissions during the government's consultation process calling for one.

Instead of granting an organisation total immunity for the information it provides to the authorities after a cyber incident, the rules will give it an assurance that the information can only be used and shared for prescribed purposes, such as assisting with incident response. This limited-use protection also does not replace other notification duties: a notifiable data breach report to the Office of the Australian Information Commissioner under the Privacy Act may still be required where children's or families' personal information is compromised.

Similar restrictions will apply to information the ASD receives, under the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024.

  • New Cyber Incident Review Board

 

A new Cyber Incident Review Board will be established to review how major cyber incidents are handled, with the power to compel affected entities to produce information. Its remit is incidents that affect Australia's defence or cause serious public concern. Reviews will examine how an incident was handled and produce findings aimed at preventing similar incidents in the future.

The Board may share its findings with government and industry, but its public reports will be no-fault: they will not assign blame or prejudice an entity's legal rights.


How ECEC centres can prepare

 

These new laws introduce new requirements for ECEC centres. Approved providers will need to review and strengthen their cyber security measures to ensure they meet these requirements, such as the new 72-hour deadline for reporting ransomware payments to the ASD.

This may involve assessing internal security controls, reviewing incident response plans, and preparing for increased regulatory requirements. In practice, the incident response plan should record in advance who can authorise a ransom payment, who is responsible for lodging the report and within what timeframe, and who will handle any parallel privacy notifications, so that the 72-hour window is not spent working out who decides. By staying informed of these changes, services can better position themselves to comply with the legislation and manage potential cyber threats.



Dan Pearce is General Counsel at national law firm Holding Redlich, experienced in advising organisations on the regulation of the use of data and personal information in Australia, responding to data breaches, and managing regulatory notifications.
