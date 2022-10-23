Attorney-general Mark Dreyfus has revealed details of a regulatory crackdown on corporates and businesses that spill personal information through data breaches, as the Albanese government puts the onus back on businesses to clean up their own information security after the Optus hack.

Fines for serious data breaches will be increased to $50 million, 22.5 times the present maximum of $2.22 million, with legislation being rushed into parliament during Budget week.

The Mandarin revealed this month that Optus was unlikely to cop more than $4.4 million in government fines after the hack because fines were applied on a “per act or practice” basis, although the company is still on the hook for billions in compensation potentially payable to victims.

“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour,” Dreyfus said.

“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”

Questions are starting to swirl as to why the Albanese government so heavily attacked Optus over its breach but has been comparatively measured over far more sensitive data being exfiltrated from Medibank Private.

The fines and penalties being rolled out will certainly sting, but many in the business community believe the approach essentially penalises the breached company, which increasingly buys the applications that house its data from managed service providers and cloud providers who are not themselves on the hook.

It is understood that parts of the business community are pushing for providers of certain data storage and processing infrastructure to be legally required to guarantee information security to an “insurable standard” so they can buy services with peace of mind.

The severity of the fines Dreyfus revealed over the weekend will certainly force many businesses to reassess their financial exposure to data breaches.

Aside from the $50 million, the maximum penalty can instead be set at “three times the value of any benefit obtained through the misuse of information” or “30 per cent of a company’s adjusted turnover in the relevant period”, whichever is greater.

It is widely anticipated that the government will tip even more money into cyber response in the Budget following the Optus and Medibank Private incidents, as well as boosting resources for the Office of the Australian Information Commissioner and ACCC.

Dreyfus said the new laws and penalties “provide the Australian Information Commissioner with greater powers to resolve privacy breaches” and would “strengthen the Notifiable Data Breaches scheme to ensure the Australian Information Commissioner has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals”.

The same laws would “equip the Australian Information Commissioner and the Australian Communications and Media Authority with greater information sharing powers,” Dreyfus said.

The attorney-general has also taken carriage of “Cybercrime” under recent changes quietly made to administrative orders that some believe is a loss for home affairs minister Clare O’Neil and her department secretary Mike Pezzullo.

However, it is understood the move relates more to getting cybercrime prosecutions up and running more quickly because the Director of Public Prosecutions is within the attorney-general’s portfolio.
