2025 regulatory enforcement trends and what they mean for the year ahead

Cyber, data and privacy

What have been the key regulatory and enforcement developments in Australia in 2025?

Enforcement action: cybersecurity and data breaches

  • ASIC commenced two cybersecurity enforcement actions in 2025 against FIIG Securities[1] and Fortnum Private Wealth,[2] following cyberattacks on these organisations. ASIC finalised its enforcement action against FIIG Securities in February 2026, with the Federal Court granting consent orders reflecting FIIG's admissions and imposing civil penalties ($2.5 million) for cyber security failures that breached its general financial services licence obligations. These actions reflect ASIC's emphasis on cybersecurity as a core component of financial services licensee obligations under section 912A of the Corporations Act. The FIIG action focused on deficiencies in technical cybersecurity measures and risk management systems, while the Fortnum action concentrates on inadequate policies, ineffective frameworks, weak internal controls and failure to provide adequate cybersecurity training.
  • ASIC has not yet publicly announced any formal case against individual directors, despite stating that it was actively pursuing this in September 2024.
  • APRA took robust steps following credential stuffing attacks on the superannuation industry to clarify its concerns regarding registrable superannuation entity (RSE) licensees' information security controls, and to outline minimum expectations regarding authentication/multi-factor authentication controls for high-risk activities. It issued formal letters to super fund boards reminding them of CPS 234 obligations, mandated self-assessment audits, and hosted a Superannuation Industry Roundtable focused on cyber resilience and uplift.
  • The Federal Court approved Australian Clinical Lab's settlement with the Office of the Australian Information Commissioner (the OAIC) to pay $5.8 million for failing to take reasonable steps to protect personal information and assess a suspected eligible data breach[3]—the first civil penalty under the Privacy Act 1988 (Cth).[4] The decision emphasises baseline cyber risk management expectations, and the importance of cyber risk diligence and transition planning in an acquisition context.
  • A June 2027 hearing date has been set for the first stage of the Optus class action arising from its 2022 data breach. The trial will be heard jointly with the OAIC and ACMA civil penalty proceedings. The representative class action and OAIC proceedings against Medibank[5] continue, while the OAIC's investigations into Latitude[6] and HWL Ebsworth Lawyers[7] remain ongoing.
  • In a determination against online wine seller Vinomofo,[8] the OAIC provided further guidance on Australian Privacy Principle (APP) 11.1 requirements, with a particular focus on cloud and data migration projects.

Facial recognition technology

  • The OAIC found Kmart breached privacy by collecting personal and sensitive information through a facial recognition technology (FRT) system designed to tackle refund fraud[9]—the second major ruling on the use of FRT in retail stores following the Bunnings determination in October 2024. Both of these decisions have been appealed. Bunnings' appeal, which was handed down in February 2026,[10] was largely successful. While the Administrative Review Tribunal upheld part of the OAIC's decision, finding that Bunnings failed to provide notice to customers and should have conducted a privacy assessment before implementing the facial recognition technology, it found that Bunnings was entitled to rely on exemptions to the requirement to obtain consent, for the limited purpose of combatting retail crime, and protecting its staff and customers from violence, abuse and intimidation within its stores.

Record retention and destruction

  • APRA took steps to investigate vulnerabilities with data retention and destruction practices of RSE licence holders, after observing systemic issues in relation to licensees' failure to destroy tax file number records as soon as reasonably practicable. In a formal letter to all RSE licensees, it noted these practices typically indicated broader data retention and destruction deficiencies; and that, in turn, retaining sensitive member information for significant periods of time heightens the consequence and impact of potential information security incidents. APRA requested that licensees review relevant practices for compliance and determine if a significant breach notification was required to be submitted to the regulator.
  • Similarly, the OAIC highlighted excessive collection and retention of personal information as an area of key regulatory focus for 2025–26.[11]

Consumer Data Right

  • The OAIC issued its first Consumer Data Right (CDR) determination against Regional Australia Bank for breaches of Privacy Safeguards 1 and 11 relating to commingling of CDR data.[12] The determination clarified that data holders remain liable for third-party service provider failings.
  • National Australia Bank and Commonwealth Bank of Australia each paid penalties ($751,200 and $792,000 respectively) to the ACCC for alleged breaches of the CDR Rules.

Law reform

The following legislative reforms commenced in 2025:

| Law reform | Commencement date |
|---|---|
| Mandatory ransomware payment reporting rules[13] | 30 May 2025 |
| Statutory tort for serious invasions of privacy[14] | 10 June 2025 |
| Prudential Standard CPS 230 (Operational Risk Management) | 1 July 2025 |
| Mandatory cyber security standards for internet-connectable (IoT/smart) devices sold in Australia[15] | 29 November 2025 |

What are the likely regulatory and enforcement developments in Australia in 2026?

Cyber and data breaches

We expect regulators will continue to focus on cyber risk and its associated impacts, including operational resilience, with the OAIC, ASIC and APRA targeting enforcement to drive industry standards.

Following cybersecurity incidents in 2025, APRA will continue to focus on closing sector-wide deficiencies related to cybersecurity resilience, including timely reporting, adequate investment in technology, minimising risk in legacy systems, and concentration risk management.[16]

Boards will need to continue to focus on secure-by-design and secure-by-default technology, and prioritise defence of their organisations' critical assets.[17]

Privacy

From December 2026, organisations will have additional transparency obligations in relation to automated decision making under amendments to the Privacy Act 1988 (Cth). APPs 1.7 to 1.9 will mandate disclosure of the use of automated decision making within privacy policies where it is used to make decisions that could 'reasonably be expected to significantly affect the rights or interests of an individual'.

The Government has committed to registering by 10 December 2026 a final Children's Online Privacy Code,[18] which is aimed at enhancing privacy principles implemented by services likely to be accessed by children—its timing and scope remain uncertain. Two rounds of public and industry consultations were completed in 2025; the OAIC has indicated that, in early 2026, a third consultation phase will begin, where the public and industry will be given an opportunity to provide feedback on the draft Code.

Security of critical infrastructure

In accordance with the requirements of the Security of Critical Infrastructure Act 2018 (Cth), an independent review into the Act has commenced, to assess whether it is operating as intended. Dr Jill Slay AM has been appointed as the independent reviewer.

The Department of Home Affairs released a consultation paper on proposed amendments to the Critical Infrastructure Risk Management Program Rules, with consultation closing 13 February 2026.

Record retention

We expect OAIC's and APRA's heightened scrutiny on data retention practices will continue, with enforcement action possible in circumstances where entities have engaged in excessive data collection and retention practices (or, conversely, failed to comply with legal destruction requirements).

Who are the key regulators in relation to this area?

The OAIC, APRA, ASIC, the Critical Infrastructure Security Centre and the ACCC.

Key government agencies include the Australian Cyber Security Centre, the Australian Signals Directorate (ASD), the Department of Home Affairs, the National Cyber Security Committee, and the National Office of Cyber Security.

What are the key sectors of focus?

All sectors.

Footnotes

  1. ASIC v FIIG Securities Limited. For more, see ASIC commences proceedings against FIIG for alleged cybersecurity failures.

  2. ASIC v Fortnum Private Wealth Limited. For more, see Cyber enforcement in the spotlight again as ASIC pursues Fortnum Private Wealth.

  3. For more, see One cyber incident, many breaches: first civil penalty under the Privacy Act.

  4. The case against ACL arose before the November 2022 amendments to the Privacy Act that increased the maximum penalty from $2.2 million to a 'greater of' formula with at least $50 million as a baseline. In this case, the theoretical maximum penalty was (as outlined by Justice Halley) $495,060,000,000. It would have been over $11 trillion under the current penalty regime.

  5. Australian Information Commissioner v Medibank Private Limited

  6. See OAIC Statement on Latitude Financial data breach and Joint Australia–New Zealand investigation into Latitude group | OAIC.

  7. See OAIC opens investigation into HWL Ebsworth over data breach | OAIC.

  8. Commissioner Initiated Investigation into Vinomofo Pty Ltd (Privacy) [2025] AICmr 175 (17 October 2025).

  9. Commissioner Initiated Investigation into Kmart Australia Limited (Privacy) [2025] AICmr 155 (26 August 2025).

  10. Bunnings Group Limited and Privacy Commissioner (Guidance and Appeals Panel) [2026] ARTA 130.

  11. OAIC regulatory priorities | OAIC

  12. Commissioner Initiated Investigation into Regional Australia Bank Limited (Privacy) [2025] AICmr 89 (14 May 2025).

  13. The mandatory ransomware reporting obligations under the Cyber Security Act 2024 (Cth).

  14. The statutory tort for serious invasions of privacy formed part of the Australian Government's first tranche of substantial privacy reforms in 2024. Many experts believe this tort may be leveraged to initiate class action claims for privacy and cyber incidents.

  15. The framework for the mandatory cyber security standards for IoT / smart devices sold in Australia is established under Part 2 of the Cyber Security Act.

  16. APRA Member Suzanne Smith - Speech to Financial Services and ASX Sector Assurance Forum 2025 | APRA

  17. See ASD and AICD's joint Cyber security priorities for boards of directors 2025-26.

  18. For more, see our Insight Children’s privacy: what’s next for the upcoming OAIC code?.