
The Compliance Timebomb: Why 'It Works' isn't a Legal Defence

Marcus Thorne, CSO

Digital Sanctum Leadership

In the wake of the Optus and Medibank data breaches, the Australian regulatory landscape has shifted tectonically. Cybersecurity is no longer an "IT Problem"; it is a "Director Problem."

Many Victorian business owners operate under the assumption: "My systems are working, so I am safe."

This is a dangerous fallacy. In the eyes of the OAIC (Office of the Australian Information Commissioner), "It Works" is not a legal defence. The standard is "Reasonable Steps."

If you suffer a breach and cannot prove you took Reasonable Steps to secure client PII (Personally Identifiable Information), you face massive fines and reputational ruin.

The Privacy Act 1988 (and 2024 Reforms)

Under the updated Privacy Act, the penalties for serious or repeated privacy interferences have increased to the greater of:

  • $50 million.
  • Three times the value of the benefit obtained from the misuse of information.
  • 30% of the company's adjusted turnover during the breach period.

For an SME, this is an extinction event.

What Constitutes "Reasonable Steps"?

It is no longer enough to have "Antivirus." The OAIC expects a layered defence strategy fitting the Sovereign Infrastructure model we advocate.

1. Patch Management

If you are hacked via a vulnerability that was patched by Microsoft six months ago, but you failed to apply the update, you have been negligent. This is why we enforce automated, forced patching on all endpoints.

2. The Essential Eight

The Australian Cyber Security Centre (ACSC) publishes the Essential Eight maturity model. While not yet mandatory for all private sector firms, it is the benchmark courts will use to determine negligence.

  • Do you restrict admin privileges?
  • Do you configure Microsoft Office macro settings securely?
  • Do you enforce MFA?

3. Data Sovereignty

Do you know where your data lives? If you use a cheap backup plugin that stores data on a server in a non-compliant jurisdiction, you are violating the Act.

Conclusion

Ignorance is not a shield. As a Director, you must treat Cyber Risk with the same gravity as Financial Risk or OHS Risk.

You need an audit trail. You need to be able to show a regulator: "Here is our patching log. Here is our MFA enforcement policy. Here is our offsite backup verification."

If you cannot produce those documents today, you are sitting on a timebomb.

Limit your liability.

Are you compliant with the Privacy Act? Request a Security Audit to identify your exposure.
