Australia cyberattacks: increased penalties for data breaches

By Sam McKeith

(Reuters) – Australia will introduce laws to parliament to increase penalties for companies subject to major data breaches, Attorney-General Mark Dreyfus said, after high-profile cyberattacks hit millions of Australians in recent weeks.

Australia’s telco, financial and government sectors have been on high alert since Singtel-owned Optus, the country’s second-largest telco, disclosed on Sept. 22 a hack that saw the theft of personal data from up to 10 million accounts.

That attack was followed this month by a data breach at health insurer Medibank Private, which covers one-sixth of Australians, resulting in personal information of 100 customers being stolen, including medical diagnoses and procedures, as part of a theft of 200 gigabytes of data.

Dreyfus, in an official statement issued on Saturday, said the government would next week move to “significantly increase penalties for repeated or serious privacy breaches” with amendments to privacy laws.

Personal Data Breach

The proposed changes would lift maximum penalties for serious or repeated privacy breaches from the current A$2.22 million ($1.4 million) to the greater of A$50 million, three times the value of the benefit obtained through the misuse of information, or 30% of turnover in the relevant period, he said.

When Australians were asked to hand over personal data to companies, they had a right to expect it would be protected, the attorney-general said.

“Significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,” Dreyfus said.

“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”

The announcement comes after the government earlier this month revealed plans to overhaul consumer privacy rules that would help facilitate targeted data sharing between telecommunication firms and banks following the breach at Optus.

In the wake of Optus attack, two Australian regulators opened investigations into the company, which has come under heavy fire for not preventing the hack, one of the biggest on record in Australia cyberattacks.