Digital Governance, Cyber and Privacy | Quarterly Roundup | August 2025
By Katherine Jones, Morgan Lane, Lana Remedi, Amelia Sakaris and Jessica Yazbek
In this edition, you will find our regular roundup of recent digital governance news* and developments in Australia and across the globe.
Welcome to the twelfth edition of our quarterly Digital Governance, Cyber and Privacy newsletter.
This quarter’s developments reflect the continued evolution of regulatory expectations and legal responses to cyber risk, AI use, and data governance.
ASIC has commenced its third cybersecurity prosecution, reinforcing its focus on licensee obligations. Courts and regulators are also responding to the growing use of AI in legal practice, with new judgments and practice notes addressing its risks and limitations.
Globally, enforcement activity remains high. Authorities have issued significant penalties for data protection failures, proposed new restrictions on ransomware payments, and taken action against insider threats and cross-border data transfers. These developments highlight the increasing scrutiny on how organisations manage digital risk and regulatory compliance.
Here is your roundup of relevant news from around the world:
Australia
ASIC launches third cyber security prosecution
In proceedings filed in the NSW Supreme Court, ASIC alleges that Fortnum Private Wealth Limited did not meet its obligations as an AFSL holder because it failed to have adequate policies, frameworks, systems, and controls in place to deal with cybersecurity risks, thus exposing the company, its authorised representatives, and clients to an unacceptable level of risk of a cyber-attack or cybersecurity incident.
In detail, the originating process sets out that ASIC alleges Fortnum contravened ss 912A(1)(a) and 912A(5A) of the Corporations Act by:
- not doing all things necessary to ensure that the financial services covered by its AFSL were provided efficiently, honestly, and fairly, through its failure to:
  - implement any adequate cybersecurity policy to manage and mitigate cybersecurity risks for itself and its authorised representatives (ARs);
  - provide any adequate education or training to its ARs on cybersecurity; and
  - implement any, or any adequate, processes, systems, or frameworks for the oversight and monitoring of its ARs in terms of cybersecurity risk and cyber resilience;
- failing to have available adequate resources (specifically human resources) to provide the financial services covered by the Licence and to carry out supervisory arrangements;
- failing to ensure that its ARs were adequately trained and competent to provide the financial services covered by the Licence; and
- failing to have adequate risk management systems in place.
Critical Infrastructure Risk Management Program (CIRMP) Annual Report due by 28 September 2025
Responsible entities under the Security of Critical Infrastructure Act 2018 (SOCI Act) have 90 days following the end of the financial year (1 July 2025 - 28 September 2025) to submit their annual report.
Responsible entities can submit the report using the Responsible Entity Risk Management Program - Annual Report webform. The webform records information directly into the Critical Infrastructure Security Centre (CISC) system.
In April 2025, CISC updated the CIRMP Annual Report by including new questions, revising existing questions for clarity, and adding further questions to help industry assess its maturity against the legislated cyber and information security hazard frameworks and non-cyber frameworks. CISC states that there will be no further changes for the 2024-25 reporting cycle.
AI hallucinations judgments
Two decisions in Australia have highlighted the growing problem with the use of AI for preparing legal documents: Wamba Wemba Native Title Claim Group v State of Victoria [2025] FCA 731 and Ivins v KMA Consulting Engineers Pty Ltd & Ors [2025] QIRC 141.
In the Wamba Wemba case, a junior solicitor used Google Scholar to produce a list of search results that was then directly transposed into a court document as a footnote, believing it to be the correct citation. When concerns were raised and the junior solicitor could not replicate the results, questions emerged about hallucinations or fabrications. The Federal Court ruled that the applicant's law firm must personally pay the respondents’ costs, on an indemnity basis, due to the firm’s use of AI in preparing two court documents. The court found this caused cost, inconvenience, and delay, and compromised the administration of justice.
However, due to the solicitor’s inexperience, remote working conditions, lack of access to documents, and the firm’s prompt response to the issue, the Federal Court did not consider it appropriate to refer the conduct to the Victorian Legal Services Board.
In Ivins v KMA, the self-represented complainant relied on AI to assist in preparing submissions. The Queensland Industrial Relations Commission took the same view as in Goodchild v State of Queensland (Queensland Health) [2025] QIRC 046, giving no weight to the authorities cited.
NSW Supreme Court Practice Note on Gen-AI
On 3 February 2025, the NSW judiciary introduced Supreme Court Practice Note SC Gen 23, covering generative AI, which applies to all proceedings in the NSW Supreme Court. The practice note warns practitioners of the limits, risks and shortcomings of any particular generative AI program they use.
These may include:
- the scope for “hallucinations”;
- the quality and reach of underlying datasets;
- the potential for biased or inaccurate output;
- a lack of adequate safeguards to preserve confidentiality, privacy and privilege; and
- the possibility that data in the dataset may have been sourced in breach of copyright.
The practice note sets out general prohibitions as well as specific prohibitions and limitations (including when AI may be used in preparing an expert report or submissions).
Bunnings boss wants new laws to allow facial recognition in stores
Bunnings managing director Michael Schneider has called for privacy laws to be changed to allow the use of facial recognition in stores to reduce shoplifting and protect staff.
Australian Information Commissioner takes civil penalty action against Optus
The Australian Information Commissioner (AIC) has filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus), following an investigation in relation to the data breach made public by Optus on 22 September 2022.
Prosecuting Cyber Crimes
CDPP secured 32 convictions for cyber offences in the last six years
More than 50 people have been prosecuted for cybercrimes in Australia during the last six years. The figures come amid a parliamentary committee inquiry into the capability of law enforcement to respond to cybercrime.
Four arrested in connection with M&S and Co-op cyber attacks
Four people in the UK have been arrested by police investigating the cyber-attacks that have caused havoc at M&S and the Co-op. The National Crime Agency (NCA), responsible for protecting the public from serious and organised crime, apprehended the four on suspicion of offences under the Computer Misuse Act, blackmail, money laundering, and participating in the activities of an organised crime group.
US probes whether negotiator took slice of hacker payments
A former employee of DigitalMint, a company that negotiates with hackers and facilitates cryptocurrency payments during ransomware attacks, is being investigated by law enforcement officials.
DigitalMint President Marc Jason Grens has informed organisations that the US Justice Department is examining allegations that the then-employee struck deals with hackers to receive illicit payments from their extortion scheme.
Mr Grens has explained that the former employee’s actions do not represent those of the company and clarified that the company is not under scrutiny in this investigation.
105 Indians among over 3,000 arrested in Cambodia in cyber scam crackdown
Cambodian police conducted raids over 15 days across 138 locations in the country as part of a nationwide campaign against digital scams. Authorities have arrested more than 3,000 people linked to online fraud.
During the raids, Cambodian authorities recovered computers, laptops, mobile phones, firearms, ammunition, and drug processing equipment. The Indian government is coordinating with Cambodian authorities to arrange the deportation of the 105 Indian nationals who were arrested.
Global Developments
UK to ban public sector paying ransoms
The UK plans to ban public sector bodies and operators of critical national infrastructure, including the state-run health service, local councils and schools, from paying ransom demands to cyber criminals.
The decision comes in response to numerous high-profile ransomware attacks, such as the “WannaCry” attack on the National Health Service in 2017, and a recent attack on the British Library.
The government aims to disrupt cybercriminal business models and protect essential services. The proposed measures include a ransomware payment prevention regime and mandatory reporting to equip law enforcement with essential intelligence.
UK NCSC issues report on the impact of AI on cyber threats
A report from the UK National Cyber Security Centre (NCSC) assesses the most significant impacts of AI developments on the cyber threat between now and 2027.
The report predicts that AI will continue to make elements of cyber intrusion operations more effective and efficient, leading to an increase in the frequency and intensity of cyber threats. UK NCSC anticipates that by 2027, skilled cyber actors are highly likely to be using AI-enabled automation to aid evasion and scalability. The proliferation of AI-enabled cyber tools is also expected to increase access to intrusion capabilities.
The NCSC warns that insufficient cyber security will increase the opportunity for capable state-linked actors and cyber criminals to misuse AI systems in furtherance of the cyber threat, and that keeping pace with frontier AI cyber developments will be critical to cyber resilience for the decade to come.
Growing risk of the insider threat - North Korean remote tech workers
The US Justice Department has cracked down on an alleged North Korean scheme to use remote tech workers to fund its weapons programs. The scheme saw North Korean tech workers allegedly use stolen and fake identities to gain remote work at more than 100 US companies. In one case, the workers stole more than $1 million in virtual currency from a Georgia-based company.
Judgments on training AI
A line of copyright disputes, culminating in two decisions handed down at the end of June 2025, is laying down the framework for whether Large Language Model (LLM) training constitutes fair use. See Thomson Reuters v. ROSS Intelligence, 765 F. Supp. 3d 382 (D. Del. 2025), and the recent decisions in Bartz v. Anthropic PBC, No. 24-cv-05417 (handed down on 23 June), and Kadrey v. Meta Platforms, Inc., No. 23-cv-03417 (handed down on 25 June).
China's new digital ID - Big Brother gets new powers in China with digital ID system
China is introducing a government-run digital ID system to further centralise its control over the internet, enabling closer censorship and surveillance of its 1 billion internet users.
The policy is justified on data privacy grounds, aiming to protect individuals’ sensitive information from social media companies, data leaks, and fraudsters.
However, critics argue that the system will lead to the centralisation of data in the hands of the Chinese government, making it easier to enforce “digital exile” and potentially paving the way for more personalised censorship.
There are also concerns about the risk of data breaches or hacks if China does not invest enough resources in protecting the personal data collected for the system.
Regulatory Fines
UK watchdog fines 23andMe for 'profoundly damaging' data breach
DNA testing firm 23andMe was fined £2.31 million by the UK Information Commissioner's Office (ICO) for a data breach in 2023 that affected thousands of people. The breach exposed sensitive personal information, including family histories and health conditions. No DNA records were stolen.
The company, now in bankruptcy, failed to implement adequate security measures, such as multi-factor authentication and secure password requirements. The ICO emphasised the need for firms handling genetic data to have additional security measures in place.
Italy issues first GDPR fine for remote worker privacy breach
The fine of €50,000 was imposed for unlawfully retaining employee emails for periods in excess of the legal limits.
Ireland fined TikTok €530m for sending EU data to China
The Irish Data Protection Commission (DPC) found that TikTok infringed the EU’s GDPR data protection law over transfers of European user data to China. The regulator ordered TikTok to bring its data processing into compliance within six months and said it would suspend TikTok’s transfers to China if it does not do so in time. Western policymakers and regulators are concerned that TikTok’s transfers of user data could allow Beijing to access the data and spy on users of the app.
*Note: for some publications, you may require a current subscription to read the full article.