Companies face hundred million dollar fines for privacy breaches

Australia’s biggest companies could be slapped with fines worth hundreds of millions of dollars for Optus and Medibank-style privacy breaches under a massive increase in penalties to be introduced by the Albanese government.

The maximum penalty for serious or repeated breaches of the Privacy Act will jump from the current $2.2 million to $50 million under legislation to be rushed forward into parliament next week.

The Medibank hack may be even more severe than the Optus breach. Credit: Getty Images / Louise Kennerley

The rules are designed to combat the recent spate of cybersecurity breaches that has exposed Australians’ identity information along with highly personal medical records, potentially including treatments for sexually transmitted diseases, substance addiction and mental health conditions.

Penalties could be even higher than $50 million, based on company turnover and the estimated value of the stolen data. The government decided to fast-track the changes after recent breaches saw Australians’ sensitive personal data stolen and put up for ransom on the internet.

Australia has suffered six major cybersecurity breaches in five weeks, affecting more than 14 million customer records.

“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate,” Attorney-General Mark Dreyfus said.

Attorney-General Mark Dreyfus said increased penalties were necessary to encourage companies to take cybersecurity seriously. Credit: Alex Ellinghausen

“It’s not enough for a penalty for a major data breach to be seen as the cost of doing business. We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”

The changes bring Australia closer to the tough penalty regime used in Europe, where companies can be punished for major privacy breaches with fines up to $30 million or four per cent of global turnover from the previous year depending on which is higher.

On Friday, the government gave formal notice it was investigating which Medibank customers have had their Medicare card information exposed in the hack that has put up to 1 million people’s personal information at risk. To date, the hack appears to have affected systems for Medibank’s cheaper ahm brand and its international student division.

Major privacy breaches will be punished with whichever is highest of three amounts: a fine of up to $50 million, three times the value of the benefit obtained through the misuse of information, or 30 per cent of a company’s Australian turnover in the relevant period.

A government spokesman said the fines could reach into hundreds of millions of dollars for large companies. The rules will not apply retrospectively and investigations into the Optus and Medibank breaches are ongoing, though Home Affairs Minister Clare O'Neil has branded the telecommunications company breach "quite basic" in a description the company disputed.

The government will also beef up the Australian Information Commissioner with more powers to resolve privacy breaches and equip the Australian Communications and Media Authority with greater information sharing powers.

More changes are likely when the Attorney-General’s Department completes a review of the Privacy Act, due by the end of the year.

“I look forward to support from across the Parliament for this bill, which is an essential part of the Government’s agenda to ensure Australia’s privacy framework is able to respond to new challenges in the digital era,” Dreyfus said.

Medibank chief executive David Koczkar apologised to customers on Friday while declining to comment on whether the company had been in contact with the hackers or if it would ever pay a ransom to protect customer data.

“I feel devastated, I feel disappointed,” Koczkar said.

“I feel for all our customers. I feel particularly for the 100 customers… whose details we know have been compromised and I feel for all our customers who will feel anxious, concerned and let down. And for that I feel extremely sorry.”

The Coalition has criticised the government’s response to the Medibank hack as slow and unconvincing. “It took a week for the Government to come out on this issue,” Deputy Opposition Leader Sussan Ley said on Friday, adding that the government had frozen cybersecurity grants that would have helped companies defend their data.

On Friday Cybersecurity Minister Clare O’Neil said recent breaches showed Australia was “behind the eight-ball” when it comes to protecting customer data.

“We’ve got to muscle up here and understand that this is our future and our job is to make sure that the country is better prepared when things like this happen,” she said.

“For people who’ve got sexually transmitted diseases, drug addiction, mental health issues, these are things we’re entitled to keep private. And that’s why I find these incidents so very concerning.”
