Australia increases penalties for data breaches after Optus, Medibank hacks

  • Following a series of cyberattacks involving Optus and Medibank, among others, Australia will introduce laws to increase penalties for companies subject to major data breaches.
  • The proposed changes would raise the maximum penalty for serious or repeated privacy breaches from the current A$2.22 million to A$50 million.

Over the last month, millions of Australians have had their personal data compromised. First, telecommunications company Optus revealed a vast security breach affecting 10 million of its customers — one of the country’s biggest-ever hacks. A few weeks later, local private health insurer Medibank said 200GB of its customers’ data had been stolen. Shortly before that, MyDeal, an online retailer owned by Woolworths, also revealed that 2.2 million of its customers’ details had been exposed in an apparent data breach.

In between, even a smaller company, online wine seller Vinomofo, fell victim to a data breach, with the data of 500,000 of its customers exposed. Now, following the Optus breach, the largest of the series, and the ramifications that followed it, Australian Attorney General Mark Dreyfus reckons the country needs better laws to regulate how companies manage the large amounts of data they collect, and bigger penalties for “repeated or serious privacy breaches”.

Dreyfus said he will fast-track amendments to the Privacy Act when federal parliament resumes next week. According to Bloomberg, the legislation will raise the maximum penalty for serious or repeated privacy breaches to the greater of A$50 million (US$32 million), three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period. The current maximum penalty is A$2.22 million.

“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate,” Dreyfus said. “It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.” The incoming bill will also provide the Australian Information Commissioner with greater powers to resolve privacy breaches.

The country’s cybersecurity minister, Clare O’Neil, also warned of a new world “under relentless cyberattack”, following the Optus breach and the others that took place within the span of a month. Speaking to the ABC, O’Neil said the Medibank and Optus breaches amounted to a “huge wake-up call” that showed the need for an overhaul of information and privacy protections.

The Australian government has in fact been considering a sweeping overhaul of data retention and privacy laws since the massive Optus cyberattack. Dreyfus had revealed that, in addition to completing a review of Australia’s privacy laws, the Albanese government will look to legislate “even more urgent reforms” later this year or in early 2023. Beyond penalties, the immediate reforms could include safeguards on personal information and stronger requirements for companies to notify customers of breaches.

A recent statement from the office of Australian Treasurer Jim Chalmers said that the Albanese government has also prepared amendments to the Telecommunications Regulations 2021 to better protect Australians following the Optus data breach. The amendments will enable telecommunications companies to temporarily share approved government identifier information with regulated financial services entities, allowing them to implement enhanced monitoring and safeguards for customers affected by the breach.

“The government will recommend to the Governor-General that the regulations be amended to allow Optus and other telcos to better coordinate with financial institutions, the Commonwealth, and states and territories, to detect and mitigate the risks of cyber security incidents, frauds, scams and other malicious cyber activities,” the statement reads.