Australia wants organisations to dig deeper for serious or repeated data privacy breaches, forking out maximum fines of up to AU$50 million ($31.57 million). The move to increase penalties for violations comes amidst a spate of cybersecurity incidents that compromised customer data, with the latest involving insurance group Medibank.
Attorney-General Mark Dreyfus unveiled plans to introduce legislation in parliament this week would push financial punishment for privacy violators up from the current AU$2.22 million ($1.4 million).
The new rules will be outlined in Australia’s Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which can be applied under the Privacy Act 1988 for “serious or repeated” privacy breaches.
Following the update, companies found to have committed the breaches will be fined AU$50 million, or three times the value of any benefit it obtained through the misuse of information, or 30% of the company’s adjusted turnover in the relevant period, whichever is greater.
The Bill also will afford the Australian Information Commissioner “greater power” to resolve privacy breaches as well as strengthen the Notifiable Data Breaches scheme, which will provide the Commissioner with full knowledge of information that compromised in a breach so it can assess the risks of harm to affected individuals. In addition, the Commissioner as and Australian Communications and Media Authority will be better empowered to share information in the event of a data breach.
Dreyfus said: “When Australians are asked to hand over their personal data they have a right to expect it will be protected. Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.
“We need better laws to regulate how companies manage the huge amount of data they collect and bigger penalties to incentivise better behaviour,” he said.
Australian policy makers earlier had pushed for more severe fines to be meted out following a major breach involving local telco Optus, which compromised the data of 9.8 million customers including email addresses, phone numbers, and other personal identification information.
Medibank breach compromises health records
In another breach that followed Optus’, Medibank on October 13 revealed it detected “unusual activity” on its network that was later found to have compromised the personal data of customers under its subsidiary, ahm, as well as international student customers.
In a statement yesterday, it had received files from the alleged hacker that contained 1,100 ahm policy records comprising personal and health claims data, and some Medibank and further ahm and international student customer information.
One of Australia’s largest health insurance companies, Medibank last week said the hacker claimed to have stolen 200GB worth of data that included customer names, addresses, dates of birth, and policy numbers. Compromised data concerning customer claims included the location at which the customer received medical services and codes related to their diagnosis and procedures.
The hacker also said it had data related to credit card security, though, Medibank said it had yet to verify this.
“Given the complexity of what we have received, it is too soon to determine the full extent of the customer data that has been stolen,” it said. “We will continue to analyse what we have received to understand the total number of customers impacted and, specifically, which information has been stolen.”
The insurance company added that the breach currently was under criminal investigation by the Australian Federal Police. It also was working with cybersecurity vendors, the Australian Cyber Security Centre, and other relevant government agencies, it said.
Medibank said: “As we continue to investigate the scale of this cybercrime, we expect the number of affected customers to grow as this unfolds.”