Companies who fail to protect data will face minimum $50 million fine

Companies that fail to protect Australians’ personal data will face hundreds of millions of dollars in fines under new laws responding to Optus and Medibank hacks.

The Optus breach was a ‘wake-up call’ for companies

Companies that fail to protect Australians’ personal data will face fines of hundreds of millions of dollars under new laws to be introduced in the wake of major breaches at Optus and Medibank.

The federal government will seek to rush legislation through parliament next week to “significantly increase” penalties for “repeated or serious privacy breaches”, having criticised the current $2.22 million fine as “totally inappropriate”.

Under the changes, companies would instead be fined whichever is higher: $50 million, three times the cost of damage caused by the misuse of information, or 30 per cent of a company’s adjusted turnover in the relevant period.

Attorney-General Mark Dreyfus said it was “not enough” for a penalty for a major data breach to be seen by companies as the “cost of doing business”.

“When Australians are asked to hand over their personal data they have a right to expect it will be protected,” he said. “Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate.”

The details of almost 10 million Optus customers were stolen. Picture: Getty Images

The new penalties are not retrospective, meaning recent high-profile companies to be hit by cyber attacks would not be subjected to higher fines.

In September it was revealed about 9.8 million current and former Optus customers had been impacted by a major data breach, which included the theft of detailed personal information like Medicare card and passport numbers.

This week it was confirmed healthcare provider Medibank had been breached, with data stolen including Medicare information and some insurance claims information.

Mr Dreyfus said in addition to bigger penalties to “incentivise better behaviour”, Australia needed stronger laws to regulate how companies managed the huge amounts of data they collected.

The government’s bill would beef up the powers of the Australian Information Commissioner and strengthen notification requirements to ensure companies properly reported the types of data compromised.

The proposed laws would give the Commissioner and the Australian Communications and Media Authority “greater information sharing powers”, such as being able to alert banks to look out for suspicious behaviour on the accounts of customers impacted by a hack.

A comprehensive review of the Privacy Act is also due to be completed by the Attorney-General’s Department this year, and is expected to make recommendations for further reforms.

“I look forward to support from across the parliament for this Bill, which is an essential part of the government’s agenda to ensure Australia’s privacy framework is able to respond to new challenges in the digital era,” Mr Dreyfus said.

Originally published as Companies who fail to protect data will face minimum $50 million fine

Original URL: https://www.themercury.com.au/news/nsw/companies-who-fail-to-protect-data-will-face-minimum-50-million-fine/news-story/83028efffa5c47b1a01df731fe508ca7