Is the Early Childhood Education and Care Sector Ready For New Cybersecurity Legislation?

FDC-Friendly

Contributed Content

Jan 15, 2025

Save

The early childhood education and care (ECEC) sector continues to grapple with significant and rising cyber risks, with the education and training sector ranking fourth among the top 10 reporting sectors for cyber security incidents in the 2023-2024 Australian Signals Directorate (ASD) Annual Cyber Threat Report and the high-profile attack on Guardian Childcare in May last year.

With this in mind the Australian Government’s spotlight on cyber security is a welcome one. With it comes changes to legislation, the biggest being that most businesses, including early learning centres, will be required to report ransomware payments within 72 hours.

Any business which falls victim to an attack will need to provide information to the ASD (or provide it to the National Cyber Security Coordinator under a parallel voluntary scheme), which aggregates and analyses the information to produce a national cyber threat picture.

However, it’s important to remember that this notification is not the end of your legal obligations. Your duty to act in the best interests of your organisation means you should consider whether paying a ransom (and obtaining an initial release from the incident) will genuinely prevent the hackers from misusing the obtained information, particularly the private information of children and their families.

You also need to assess whether such payment may make the learning centre a target for future attacks. Depending on the circumstances, a ransom payment may put the organisation at risk of being penalised under counter-terrorism and anti-money laundering laws.

What the Cyber Security Act changes

The following initiatives are expected to have the most immediate impact on ECEC centres and are likely to take effect from mid-2025.

Mandatory 72-hour reporting obligation for ransom payments

Organisations, including large ECEC centres, must report any payments made in response to a cyber ransom event to the ASD within 72 hours.

This measure recognises that there will be circumstances where making a payment could be justified and seeks to preserve the legal rights of the disclosing entity, for instance, by excluding waiver of privilege. While the government has not pursued a complete ban on payments, they strongly advise against payments, to make Australia a less attractive target for ransomware attacks.

Regulated use of information submitted to National Cyber Security Coordinator

There will be rules in place to govern how organisations use information submitted to the National Cyber Security Coordinator to ensure such information is used appropriately. However, this does not extend to the full ‘safe harbour’, a legal provision that affords protection from prosecution to individuals or organisations from liability or penalties, despite it being called for, in many submissions made during the government’s consultation process.

Instead of granting an organisation total immunity for the information it provides to the authorities after a cyber incident, the proposed rules will reassure them that the information can only be used and shared for prescribed purposes, such as assisting with incident response.

Similar restrictions will apply to the ASD when it receives such information, under the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024.

New Cyber Incident Review Board

A new Cyber Incident Review Board will be established to review how cyber incidents are dealt with, including by compelling entities to produce information. Its role will be to review and assess major cyber incidents that impact Australia’s defence or cause serious public concern.

The Board will have the authority to request information from affected entities, allowing it to examine how incidents were handled and provide findings that help prevent future occurrences.

While the Board may share its findings with government and industry, any public reporting will not assign fault or prejudice legal rights. Through these reviews, the Board aims to improve understanding and prevent similar incidents in the future.How ECEC centres can prepare

These new cyber security laws introduce new requirements for ECEC centres. Approved providers will need to review and strengthen their cyber security measures to ensure they meet these requirements, such as the new 72-hour deadline for reporting ransomware payments to the ASD.

This may involve assessing internal security measures, reviewing incident response plans, and preparing for increased regulatory requirements. By staying informed of these changes, services can better position their organisation to comply with the legislation and manage potential cyber threats.Dan Pearce is a General Counsel at national law firm Holding Redlich, experienced in advising organisations on the regulation over the use of data and personal information in Australia, responding to data breaches, and managing regulatory notifications.

Don’t miss a thing

NSW Early Learning Commission conducts 220 unannounced visits

More than 100 regulatory officers conducted unannounced inspections at over 220 early learning services in a single-day compliance operation, as the NSW Early Learning Commission intensifies oversight across the sector.

Failing the Most Vulnerable: Two WA Childcare Providers Penalised Over Supervision Breaches

In February the Western Australian State Administrative Tribunal handled two separate disciplinary proceedings brought by the CEO of the Department of Communities against out-of-school-hours care (OSHC) providers. Both cases highlight critical failures in active supervision, particularly concerning highly vulnerable children diagnosed with autism who managed to wander away from their respective services unnoticed.

What Can Australia Learn from Ontario’s Child Care Ratios?

As workforce pressures continue to shape early childhood education and care (ECEC) policy discussions in Australia, international comparisons provide useful perspectives. Canada’s approach, particularly in Ontario, offers a case study in how educator-to-child ratios, maximum group sizes and qualification requirements can be legislated as an integrated framework.

National Early Childhood Worker Register: commencing 27 February 2026

The introduction of the National Early Childhood Worker Register from the 27 February, has signalled a significant shift in workforce oversight across early childhood education and care (ECEC).

Regulation 168: do you understand your leadership responsibilities

Regulation 168 of the Education and Care Services National Regulations is not a policy checklist. For approved providers and nominated supervisors, it is a test of governance capability, risk oversight and leadership influence. The critical question is not whether policies exist, it is whether leadership understands how to review, embed and monitor them effectively.

NSW Early Learning Commission conducts 220 unannounced visits

Failing the Most Vulnerable: Two WA Childcare Providers Penalised Over Supervision Breaches

What Can Australia Learn from Ontario’s Child Care Ratios?

National Early Childhood Worker Register: commencing 27 February 2026

The introduction of the National Early Childhood Worker Register from the 27 February, has signalled a significant shift in workforce oversight across early childhood education and care (ECEC).