Australia will introduce laws to parliament to increase penalties for companies subject to major data breaches, Attorney-General Mark Dreyfus said, after high-profile cyberattacks hit millions of Australians in recent weeks.
Australia’s telco, financial and government sectors have been on high alert since Singtel-owned Optus, the country’s second-largest telco, disclosed on September 22 a hack that saw the theft of personal data from up to 10 million accounts.
That attack was followed this month by a data breach at health insurer Medibank Private, which covers one-sixth of Australians, resulting in personal information of 100 customers being stolen, including medical diagnoses and procedures, as part of a theft of 200 gigabytes of data.
Dreyfus, in an official statement issued on Saturday, said the government would next week move to “significantly increase penalties for repeated or serious privacy breaches” with amendments to privacy laws.
Privacy breaches
The proposed changes would lift maximum penalties for serious or repeated privacy breaches from the current A$2.22 million ($1.4 million) to the greater of A$50 million, three times the value of the benefit obtained through the misuse of information, or 30% of turnover in the relevant period, he said.
When Australians were asked to hand over personal data to companies, they had a right to expect it would be protected, the attorney-general said.
“Significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,” Dreyfus said.
“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”
