What businesses need to know about Australia’s new $50 million data breach penalty reforms

data-quality data breach penalty

Source: Unsplash

Parliament has approved new legislation that exponentially increases company fines for privacy breaches from $2.2 million up to $50 million. But some lack of clarification raises concerns around SMEs and charities being hit as hard as large corporations.

The new legislation was passed earlier this week, with support from the Opposition. This follows the tabling of the changes as part of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 by a senate committee late last week.

This is what Australian businesses need to know.

Why have Australian data breach penalty laws been changed?

The Optus data breach initially kicked off the changes, titled Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.

The data of up to 9.8 million Australians were caught up in the breach.

Since then we have also seen breaches over at Vinomofo, as well as the enormous Medibank hack, which helped solidify the argument for the changes.

In the case of Medibank, personal information such as names, dates of birth, email addresses, phone numbers and medical history of 5.1 million customers were exposed. A further 4.6 million international and ahm customer data was also exposed.

The hackers have already begun releasing this information online after Medibank refused to pay their proposed ransom. The hackers have targeted some victims with medical history that includes sexually transmitted diseases and abortions.

The Legal and Constitutional Affairs Legislation Committee reviewed the bill and tabled its report on November 22. Parliament then approved these changes on November 28.

What are the new data breach penalty for businesses?

There are a few ways that businesses can be impacted by the changes. Previously, the maximum penalty is $2.2 million. For serious or repeated breaches, this will now be jacked up to one of the following:

  • $50 million;
  • Three times the value of any benefit obtained through the misuse of the information; or
  • 30% of the company’s adjusted turnover during the breach turnover period.

When do the privacy breach reforms come into effect?

We don’t have a hard date yet, but it will be soon.

According to the Attorney General’s Department, the “new powers will come into effect the day after it receives Royal Assent ahead of an overhaul of the Privacy Act following a comprehensive review by the Attorney-General’s Department which is now being finalised.”

Will any other changes be made to the bill?

Possibly.

When the bill was tabled there were some concerns from stakeholders around some definitions. The Senate committee only recommended that before passing the legislation there be further clarity around what would constitute a “serious interference” and “repeated interference” when it comes to user privacy. The term ‘benefit’ in relation to breaches has also been called into question.

These recommendations were rejected and the bill was passed. However, there have been promises to address these points in an ongoing review of the Privacy Act. This is supposed to be completed by the Attorney-General’s Department before the end of 2022.

Will small businesses get the same fines?

One of the other major concerns about the changes is the lack of a tiered system. Both Agriculture minister, Murray Watt and Greens Senator David Shoebridge, raised points about the need for this tiered system and more consideration for how complex privacy breaches can be.

As we mentioned above, there has been a commitment to look into this further before the end of the year. It’s also worth noting that fines are currently marked as being ‘up to’ $50 million. So its not guaranteed that will be the cost for every breach. Multiple factors are likely to contribute to fines, such as impact and if the business benefitted from the breach.

What can I do right now?

If you own a business that holds customer data and has concerns, we recommend looking at your data and cyber security hygiene and practices. If need be, hire a professional to do an audit of your cyber security processes in order to protect your customers and business.

COMMENTS