The government plans to knuckle down on businesses that don't protect personal data
Following data hacks at Optus and private health insurer Medibank, the government is introducing legislation this week that will crack down on companies that fail to protect sensitive information. Affected companies will face a massive increase in fines for serious or repeated breaches. Penalties will rise from $2.22 million to $50 million, 30% of the company’s turnover in the relevant period, or three times the value of any benefit obtained through the misuse of the information – whichever is greater.
Read more: Government grant support for Victorian businesses impacted by floods
The government is also intent on making privacy laws in Australia more robust.
“Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset,” said Attorney-General Mark Dreyfus.
Overseas businesses are also included in the bill, which proposes that a company that carries on a business in Australia but doesn’t collect or hold Australians’ information from a direct source in the country, must still comply with local rules. The increased penalties are likely to have a deterrent effect on businesses already hit by ransom demands from hackers.
The official advice from the federal government’s Australian Cyber Security Centre is never to pay a ransom. But in reality many firms do. No word has been forthcoming from Medibank on whether the company will pay a ransom for the extraction of 200GB of files with data on all of the company’s 3.9 million customers. Although the hackers have not locked up the data as is typical in a ransomware attack, negotiations over the data have followed the breach.
Cybersecurity firm Sophos’ State of Ransomware report, released in April, showed 43% of companies in Australia paid ransoms after ransomware attacks, compared to 46% globally.
This month, another cybersecurity company, Proofpoint, also released a new report revealing Australian boards significantly lag behind global counterparts in cybersecurity maturity and understanding. Only 58% of Australian boards see cybersecurity as a top priority, the least among the 12 countries surveyed (US, Canada, UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil, and Mexico), where the average was 77%. Even more worryingly, only half of Australian boards agree that organisations should be required to report a material cyberattack to regulators within a reasonable timeframe – again, the lowest of all 12 countries surveyed (global average 80%).
Skeeve Stevens, who was jailed in 1998 for a data hack that was described at the time as Australia's most “notorious” internet cybercrime, told SBS News recently that “there’s a lot of ‘FUD’ in government and industry: fear, uncertainty, and doubt from officials.” He believes Australia is lacking in literacy around cybersecurity, beginning with the average Australian and extending to business and government leaders making decisions about data collection and storage.
Read more: "We'll fight you," says powerful industry group to Albanese
While cyberattacks are commonplace, he fears that large-scale attacks will become normalised – with no real action made until a “cyber epidemic” hits Australia. Stevens said Australians and governments should be questioning why companies need to have as much sensitive data as they do, and whether there are alternative ways to confirm identity or store personal information.
The recent data breaches at least have helped to bring cybersecurity into the spotlight and a focus of conversations across boardrooms, says Lucia Milică, vice president and global resident chief information security officer at Proofpoint. However, there is still a long way to go for boards and senior management to understand the threat landscape and prepare their organisations for material cyberattacks.
“One of the ways boards can boost preparedness is by getting on the same page with their CISOs (chief information security officer). The board-CISO relationship is instrumental in protecting people and data, and each side must strive toward more effective communication and collaborative effort to ensure organisational success,” Milică says.
However, the signs don’t look good. Australia again scores the lowest of any market surveyed when it comes to investing in increasing cybersecurity budgets in the next 12 months. In addition, 22% of boards expect their budgets to go down, according to Proofpoint. It may well be a false economy with pressure building on the federal government to go further than the increased penalties that are imminent.
Australian privacy laws are set to be reformed in 2023 following a review by the attorney-general which is nearing completion. The Consumer Policy Research Centre’s digital policy director, Chandni Gupta, has said: “We need the Privacy Act to do more than just having companies keep our data safe – that is the absolute minimum.” And Electronic Frontiers Australia (EFA) wants the government to introduce a tort that would allow Australians to sue for serious breaches of privacy.
“A fine doesn't compensate us when a company’s lax data security means everyone on the internet knows our medical history,” said EFA chair Justin Warren.
Few would admit it, but heavy fines may be the least of companies’ problems when data is breached. Reputational damage, as Optus and Medibank are discovering, can be a much longer-lasting problem that has businesses wishing they had acted – and invested – sooner.
