Australia proposes harsher penalties for data breaches in wake of high-profile incidents
The Australian Government is proposing laws to increase penalties for serious data breaches, which could see companies that fail to protect customer data hit with fines of $50 million or more.
In the wake of breach disclosures from Optus and Medibank, Attorney-General Mark Dreyfus announced a new bill that was introduced to parliament at the end of October. The bill passed the lower house in early November and now proceeds to the Senate. A Senate inquiry is expected to report on November 22.
The Privacy Legislation Amendment will increase maximum penalties that can be applied under the Privacy Act for serious or repeated privacy breaches.
The Attorney-General’s statement noted the maximum penalty would rise from the current $2.22 million to whichever is the greater of: $50 million; three times the value of any benefit obtained through the misuse of information; or 30% of a company’s adjusted turnover in the relevant period.
In September, telecommunications giant Optus revealed it had been the victim of a cyberattack. It is understood that 9.8 million customer records were exposed. Just weeks later, insurance provider Medibank revealed a breach that may have affected up to four million customers.
In his statement, Mr Dreyfus said Australians had the right to expect their personal data to be protected.
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,” he said.
“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”
The announcement went on to state that the proposed law would provide the Australian Information Commissioner with greater powers to understand the extent of, and resolve, privacy breaches.
Cybersecurity Expert Reacts
McGrathNicol partner Jamie Norton, who has held security leadership roles in organisations including the Australian Taxation Office, NEC Australia, and the World Health Organisation, says putting pressure on companies to invest more in resilience makes sense.
“There are unfortunately still many organisations of all sizes in Australia that are not effectively managing cyber security resilience, from the perspective of adequate investment, resourcing or appropriate focus on security governance from the executive,” he says.
“It is particularly concerning where consumer data is collected and stored, often in excess of what is absolutely necessary, and poorly secured – often with devastating consequences.
“The proposed changes to the Privacy Act will greatly increase the table stakes and the increased financial risk imposed should drive better organisational behaviours. This will shine a light on employing better practices for effectively managing personal data (PII), such as not collecting or storing unnecessary data, using strong encryption, and having greater control over who and how someone has access to PII. This will also no doubt drive stronger corporate accountability and cyber literacy at more senior levels, both of which are positive outcomes.”
Norton is nonetheless concerned about how blame is laid, given that organisations can still fall victim to breaches even when reasonable security practices are maintained.
“Not all breaches are due to manifestly poor cyber hygiene. We run the risk of scapegoating organisations who are trying to do the right thing and potentially layering significant fines on top of already significant investment in cyber security,” he says.
“Smaller organisations such as SMBs and start-ups will also face disproportionate penalties that would likely force them out of business.
“I’d like to see increased penalties apply for organisations that maintain insufficient or ineffective security practices, those without appropriate oversight and accountability, and those that put our personal data at risk. We saw this recently with the ASIC case against RI Advice, where they were fined for ‘failing to have adequate risk management systems to manage its cybersecurity risks’.”