Data breaches: New Bill to penalise corporates up to $50 million
Australia has now been rocked by two major data breaches in a short span of time, with Optus on 22 September 2022 and then Medibank on 12 October exposing personal information of tens of millions of Australians.
On 11 October 2022, the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) launched an investigation into the Optus incident, which was estimated to have exposed the personal information of between 2.8 million and 9.8 million Optus customers. The following day, private health insurer Medibank advised shareholders that it had suffered a cyber incident and had taken immediate steps to contain it. Medibank announced on 26 October 2022 that every one of its 3.9 million customers was affected.
Reuters reported that an Optus hacker demanded payment but later rescinded the demand on account of, ironically, concerns over publicity. Medibank has revealed that a criminal has demanded payment for the data's return. These incidents have also led to nefarious elements taking advantage of the affected vulnerable people: a 19-year-old Sydney man was arrested and charged for "allegedly using information obtained during last month's Optus data breach to blackmail people". He had accessed the records of 93 Optus customers from the 10,200 that were dumped on an online forum. This is perhaps only the tip of the iceberg, as the AFP says this may be the first arrest, but it would not be the last.
In response to this serious and delicate matter of immense concern to the public, the Federal government introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 on 26 October 2022.
The Bill amends the Privacy Act 1988, the Australian Information Commissioner Act 2010 and the Australian Communications and Media Authority Act 2005 to increase penalties under the Privacy Act, to provide the Australian Information Commissioner (the Commissioner) with greater enforcement powers, and to provide the Commissioner and ACMA with greater information-sharing powers.
Among the main reforms of the Bill is an increase in the maximum civil penalty under section 13G of the Privacy Act to $2.5 million for a person other than a body corporate for serious or repeated interferences with privacy. For a body corporate, the maximum penalty will increase to an amount not exceeding the greater of: $50 million; three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy; or, if the value cannot be determined, 30% of its adjusted turnover in the relevant period.
The Bill also strengthens the Notifiable Data Breaches scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach, so as to assess the particular risk of harm to individuals. By way of the example given in the Explanatory Memorandum, the Commissioner would be empowered to use information from a Notifiable Data Breach statement in a subsequent investigation into potential breaches of Australian Privacy Principle 11, given that both fall within the Commissioner's privacy functions.
Other changes introduced by the Bill involve enhanced powers for the Commissioner in resolving privacy breaches, including the ability to compel entities to undertake external reviews to improve their data security practices, and the ability to publish final determinations and assessments following privacy investigations.
Latest news: The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 has been referred to the Legal and Constitutional Affairs Legislation Committee. Submissions closed on 7 November 2022, and the Committee's report is due on 22 November 2022.