BDO partner Conor McGarrity warns businesses to review security amid Privacy Act changes
Businesses need to review how personal information is being stored or face the prospect of harsh penalties when strict privacy laws come into effect later this year.
Business has been warned to review how personal information is stored or face the prospect of harsh penalties when strict privacy laws come into effect later this year, as Medibank faces a maximum potential fine of $21.5 trillion for its 2022 cyber breach.
Forensic services experts at BDO say changes to Australia’s Privacy Act may leave businesses open to harsher penalties unless they take proactive measures to identify and appropriately store or remove data kept in their archives.
It comes days after Australia’s largest private health insurer, Medibank, said it would defend allegations that it failed to protect the personal information of its nearly 10 million current and former members in the wake of a major cyber attack.
BDO partner Conor McGarrity told The Australian that businesses need to do an immediate deep dive into their records to get ahead of the curve: understand what personal information has been held in the past, where it is stored now and why it was collected, and then determine whether carrying that data poses a risk.
Mr McGarrity said personal information identified as attractive to dangerous parties should be the main focus for businesses.
“Taking a preventive approach of what is coming down the line sometime from August will hold organisations in good stead,” he said.
“Executives should also be asking questions about whether the business is holding on to personal information of customers or shareholders that maybe we haven’t dealt with in years.
“It’s useful to understand the sensitivity because of all the cyber attacks we’ve had in recent years, particularly with the Medicare and Optus hacks in 2022.”
In 2024, the federal government committed to strengthening privacy law, having agreed in principle to 38 changes to the 1988 Privacy Act, including the creation of a direct right of action for individuals. This allows affected parties to seek compensation through court action when they have suffered loss or damage due to a serious breach of privacy.
Companies also now face penalties for serious or repeated interference with privacy equal to the greater of $50m or three times the value of the benefit obtained. For individuals, the civil penalty can be up to $2.5m.
Cyber threats have increased in frequency since 2022 and impacted all parts of the economy from Medibank to Optus, as well as DP World, Latitude Financial and HWL Ebsworth, and this week ASX-listed rare earths explorer Northern Minerals.
Medibank faces a maximum fine of $21.5 trillion after the Office of the Australian Information Commissioner alleged the company “seriously interfered” with the privacy of its 9.7 million customers between March 2021 and October 2022 by failing to take reasonable steps to protect their private information. The action concerns an alleged failure to comply with the Privacy Act 1988.
Mr McGarrity said that at an executive or board level, recent cyber attacks have shone a light on the risk posed by personal information collected by any entity, but also made mid-sized businesses pause for thought about the damages an incident could cause.
“These attacks should have resonated with mid-sized businesses who might have sat up and looked at what type of information they are holding,” he said.
The expected introduction of stricter privacy laws will have a financial cost for businesses at a time when GDP growth is at its lowest since the 1990s, excluding the Covid-19 period. However, Mr McGarrity said investing in prevention would likely give a good return on investment going forward.
“It is not just about the cost in real dollar terms, but also avoiding the reputational damage to your business,” he said.
“There’s actual risk posed to your customers going forward. In some instances, depending on the severity of the hack or the release of personal information, it may even pose an existential threat.”