$50m penalties for AU privacy breaches on the cards

Published on the 27/10/2022 | Written by Heather Wright


As Medibank hack revelations worsen…

Australian companies – and foreign companies operating in Australia – could find themselves facing hefty fines of at least $50 million for failing to properly protect sensitive data under new legislation introduced to parliament this week.

Attorney General Mark Dreyfus introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 to parliament on Wednesday, after first announcing the plans over the weekend. The changes had been foreshadowed earlier in the month in the wake of the Optus breach.

The proposed amendments would increase maximum penalties that can be applied under the Privacy Act for serious or repeated privacy breaches from the current $2.2 million to the greater of $50 million, 30 percent of a company’s adjusted turnover in the relevant period or three times the value of any benefit obtained through the misuse of the information. 

“We need bigger penalties to incentivise better behaviour.”

The bill would also amend the Privacy Act’s extraterritorial provisions, meaning foreign companies operating in Australia would be subject to the Privacy Act even if they don’t collect or hold Australians’ information ‘directly from a source in Australia’.

“They must still meet the obligations under the Privacy Act so long as they carry on a business in Australia.”

Dreyfus says the Optus, Medibank and MyDeal cyberattacks have highlighted that data breaches have the potential to cause serious financial and emotional harm to Australians, something he says ‘is unacceptable’.

“Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset. The law must reflect this.”

In foreshadowing the changes, Dreyfus said the significant privacy breaches seen in recent weeks have shown that existing safeguards are ‘inadequate’.

“It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,” he says.

“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”

The proposed Privacy Legislation amendments will also provide the Australian information commissioner with greater powers to resolve privacy breaches, and strengthen the Notifiable Data Breaches scheme ‘to ensure the Australian information commissioner has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals’.

The information commissioner and the Australian Communications and Media Authority would also receive greater information sharing powers.

Australia has been rocked by several high-profile breaches in recent weeks.

While it’s the Optus breach, which exposed the data of almost 10 million Australians, that started the ball rolling for the changes, the Medibank breach announced on October 13 is now shaping up to be even worse, with the health insurer saying the hack has compromised the data of all of its 3.9 million customers. 

This Wednesday, Medibank – Australia’s largest health insurer – confirmed that the hacker has had access to all customers’ personal data and significant amounts of health claims data across its main Medibank brand, sub-brand ahm and international student customers.

All international students are required to purchase the overseas student health cover insurance to meet their visa conditions.

“We have evidence that the criminal has removed some of this data and it is now likely that the criminal has stolen further personal and health claims data. 

“As a result, we expect that the number of affected customers could grow substantially.”

All of Medibank and its subsidiary ahm’s 3.9 million existing customers, plus an unknown number of former customers, are now likely to be impacted.

The company has already flagged a AU$25-35 million hit to first-half earnings. Those costs don’t include further potential remediation or regulatory expenses.

The Federal Government, meanwhile, activated its Covid-era National Coordination Mechanism to bring together agencies across the Federal Government, states and territories to coordinate support to Medibank and affected Australians. 

The NCM brings together the relevant departments, agencies and stakeholders to share information and coordinate a response.

The hacks and planned legislation changes come as 60 percent of Australian organisations report plans to increase their cyber budget in 2023.

But the recent PwC Global Digital Trust Insights survey also found Australian organisations aren’t impressed by mandatory disclosures of cyber incidents, with 81 percent saying they felt the new requirements for disclosure of cyber incidents to investors or national cyber authorities discourage them from sharing information with law enforcement authorities. That’s compared to 64 percent globally.

Ninety percent of the Australian respondents said sharing information was a risk that could lead to a loss of competitive advantage. 

Despite the wariness, 89 percent of Australian respondents agreed mandatory disclosures of cyber incidents requiring comparable and consistent formats were necessary to gain stakeholder trust and confidence (versus 79 percent globally). In addition, organisations want the government to help set standards, with 90 percent of respondents stating they expected the government to develop cyber techniques for the private sector, based on the knowledge base built from mandatory disclosures of cyber incidents (75 percent globally).
