Australia flags increased penalties for data breaches following major cyberattacks

The changes would lift maximum penalties by three times the value of benefit obtained through misuse of information


REUTERS October 23, 2022
Adam Mudd was 16 when he created the Titanium Stresser program. PHOTO: AFP

Australia will introduce laws to parliament to increase penalties for companies subject to major data breaches, Attorney-General Mark Dreyfus said, after high-profile cyberattacks hit millions of Australians in recent weeks.

Australia's telco, financial and government sectors have been on high alert since Singtel-owned Optus, the country's second-largest telco, disclosed on Sept. 22 a hack that saw the theft of personal data from up to 10 million accounts.

That attack was followed this month by a data breach at health insurer Medibank Private, which covers one-sixth of Australians, resulting in personal information of 100 customers being stolen, including medical diagnoses and procedures, as part of a theft of 200 gigabytes of data.

Dreyfus, in an official statement issued on Saturday, said the government would next week move to "significantly increase penalties for repeated or serious privacy breaches" with amendments to privacy laws.

The proposed changes would lift maximum penalties for serious or repeated privacy breaches from the current A$2.22 million ($1.4 million) to the greater of A$50 million, three times the value of the benefit obtained through the misuse of information, or 30% of turnover in the relevant period, he said.

When Australians were asked to hand over personal data to companies, they had a right to expect it would be protected, the attorney-general said.

"Significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business," Dreyfus said.

"We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour."

The announcement comes after the government earlier this month revealed plans to overhaul consumer privacy rules that would help facilitate targeted data sharing between telecommunication firms and banks following the breach at Optus.

In the wake of Optus attack, two Australian regulators opened investigations into the company, which has come under heavy fire for not preventing the hack, one of the biggest on record in Australia.

COMMENTS

Replying to X

Comments are moderated and generally will be posted if they are on-topic and not abusive.

For more information, please see our Comments FAQ