The Commonwealth Government to increase fines for serious data breaches to either 30% of turnover or $50 million, whichever is the larger
October 22, 2022
The Attorney General has announced proposed amendments to the Privacy Act to increase the potential size of the penalty for serious or repeated privacy breaches. It will be increased to the greater of:
- $50 million;
- 3 times the value of the benefit obtained through the misuse of the data; or
- 30% of the company’s adjusted turnover in the relevant period.
The statement provides:
The reports do not say what the penalty will be for Government agencies in the event of a serious data breach. Clearly the turnover calculation will not apply to them.
Currently, penalties for serious and repeated interferences with privacy are found in section 13G of the Privacy Act 1988. It provides:
An entity contravenes this subsection if:
(a) the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or
(b) the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.
Civil penalty: 2,000 penalty units.
Under the Privacy Act the Commissioner must commence civil penalty proceedings in the Federal Court to seek penalties under section 13G. The process differs from the Monetary Penalty issued by the UK Information Office. It is much quicker in the United Kingdom.
The balance of the proposals, giving the Information Commissioner greater powers to resolve privacy breaches and strengthening the data breach notification scheme, is quite vague at the moment. All shall be revealed when the Bill is presented to Parliament.
This is a welcome but incomplete reform. It does not give individuals a right to commence action against those who breach their data. To be fair, the Government has acknowledged that further reform is required.
There is no guarantee that the Information Commissioner will be more assertive than has been the case to date. Greater powers and more penalties granted to a tentative and timid regulator will not make much difference.
The Government’s announcement has received wide coverage, with the ABC’s “Optus and Medibank hacks prompt government to increase fines for massive data breaches to a minimum of $50 million”, the Guardian’s “Australian companies to face fines of $50m for data breaches”, the Australian Financial Review’s “Bigger fines for data breaches on the way for businesses”, the Australian’s “Government beefing-up penalties for firms failing to protect customers from hackers” and AAP’s “Tough fines for serious data breaches”. And there are others.
The ABC article has a neat summation of the proposal, providing:
The financial penalty imposed on companies that suffer serious or repeated privacy breaches will be increased to at least $50 million.
The current penalty is $2.2 million and the federal government believes that is insufficient given massive cyber-attacks on Optus and Medibank Private in recent weeks.
Attorney-General Mark Dreyfus will fast-track amendments to the Privacy Act when federal parliament returns next week.
“When Australians are asked to hand over their personal data they have a right to expect it will be protected,” Mr Dreyfus said.
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate.
“It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”
The proposed legislation would see the fine for “serious or repeated privacy breaches” increased to either $50 million, three times the value of the benefit obtained through misuse of data, or 30 per cent of a company’s adjusted turnover in the relevant period.
The fine would be whichever value is the highest.
Opposition wants jail terms for cyber extortion
The federal opposition has already called for tougher penalties in response to major cyber incidents.
Last month, shadow home affairs minister Karen Andrews also proposed new offences for cyber extortion that would carry a maximum 10 years imprisonment.
Earlier this week, Medibank admitted the personal data of some of its customers – including names, addresses, Medicare numbers and phone numbers – had been stolen in a cyber-attack.
Data related to health conditions and where people had received medical treatment was also compromised, with a criminal demanding ransom.
The matter has been referred to the Australian Federal Police and Medibank is working with the Australian Cyber Security Centre and Australian Signals Directorate.
It follows the breach on telco Optus, where hackers claimed to have accessed the data of 9.8 million current and former customers, including their passports, drivers’ licences and Medicare card details.
These hacks leave their customers vulnerable to identity theft, which can also lead to financial crime.
On Friday, the Australian Tax Office revealed it gets three million attempted hacks on its system every month.
The Australian’s article provides:
Companies could be fined hundreds of millions of dollars under new laws beefing-up penalties for organisations that fail to protect customers’ personal information from hackers.
Following significant data breaches at Medibank and Optus, Attorney-General Mark Dreyfus said Labor would introduce legislation to increase the maximum fine for serious breaches from $2.2m to at least $50m.
Companies could also be fined three times the value of “any benefit obtained” through the misuse of information, or 30 per cent of their adjusted turnover over the period the breach was conducted.
“When Australians are asked to hand over their personal data they have a right to expect it will be protected,” Mr Dreyfus said.
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”
Mr Dreyfus said Australia needed “better laws” to regulate how companies managed the data they collected, and bigger penalties to incentivise better behaviour.
The Privacy Legislation Amendment Bill will also provide the Australian Information Commissioner with greater powers to resolve privacy breaches.
The Notifiable Data Breaches Scheme – which requires organisations to notify anyone likely to be at risk of serious harm by a data breach – will also be strengthened.
The government this week said Australia was significantly lagging the rest of the world in its privacy laws. “We need to do better as a country,” Home Affairs Minister Clare O’Neil said. “We’re in the order of five years behind where we need to be on our cyber laws and our policies and our approaches.”
It is not illegal for companies to pay a ransom to retrieve stolen data. The bill canvassed by Mr Dreyfus will not change that.
Medibank this week became the second major company in less than a month to be hacked and confirm customers’ personal information had been breached.
The hackers have shared the details of 100 customers, but claim they have 200GB of data. Medibank confirmed this would include intimate medical details and locations of where care was provided.
A review of the Privacy Act, initiated by the previous government, is expected to recommend further reforms and will be completed by the end of the year.
Australian Chamber of Commerce and Industry chief executive Andrew McKellar said small businesses in particular were struggling to cope with the increased risk and associated costs of cyber attacks.
“The rise in the number and severity of cyber attacks has significantly impacted insurance premiums,” he said. “This is increasingly putting cyber-attack coverage out of reach for small businesses in particular.
“With more and more main street businesses generating income from online sales, small businesses are having to play catch-up and are often lacking the digital expertise to protect themselves.”
He urged Labor to match the increased penalties with cash incentives for businesses to invest in cyber security.
“It’s critical that government continues to incentivise cyber-security protections,” he said.
“With ongoing supply-side constraints and high input costs, small business margins are being squeezed. While cyber security should remain front of mind, this is often the last thing small business owners are worrying about.”