Australia Will Now Fine Firms Up To $33.4 Million for Data Breaches (bleepingcomputer.com)
The Australian parliament has approved a bill to amend the country's privacy legislation, significantly increasing the maximum penalties to AU$50 million for companies and data controllers that suffer large-scale data breaches. From a report: The financial penalty introduced by the new bill is set to whichever is greatest: AU$50 million, three times the value of any benefit obtained through the misuse of information, or 30% of a company's adjusted turnover in the relevant period.
Previously, the penalty for severe data exposures was AU$2.22 million, considered wholly inadequate to incentivize companies to improve their data security mechanisms. The new bill comes in response to a series of recent cyberattacks against Australian companies, including ransomware and network breaches, resulting in the exposure of highly sensitive data for millions of people in the country. "The Albanese Labor government has wasted no time in responding to recent major data breaches. We have announced, introduced, and delivered legislation in just over a month," reads the media announcement. "These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect."
Wrong Penalty (Score:3)
The proper penalty for a data loss is to delete all non-transactional data from their database. (Transactional data being things like "A# units of product X bought on Y date, for $Z money, sent to person B at C address".)
That is, if they cannot properly protect our data, then they lose it all and have to laboriously get it back again.
Re:Wrong Penalty (Score:4, Insightful)
The GDPR has something like this: On gross violations, it is possible to forbid a company to continue processing and storing privacy-relevant data. That has happened at least in one case so far. It typically kills the company, but does not need to. It does mean that even HR has to be outsourced though.
Case by Case basis would be better IMO. (Score:3)
Re: (Score:3)
Many data breaches are inside jobs, and most of them go undetected and unreported.
At least in Australia, more will go unreported in the future.
Do you pay a $1M ransom to criminals? Or do you go to the police and pay $33M?
Re: (Score:1)
I'm totally onboard with punishing companies for negligence when it comes to handling data. But sometimes breaches aren't due to negligence. It could be a zero-day exploit that no one even knew about until it was too late.
Wasn't the Australian Parliament House network breached in 2019?
Then again a year later due to a zero-day Exchange server exploit?
Then in 2021 their government's health department COVID database was left exposed on the internet with no password, and everyone in the Northern Territory had their medical info released in bulk?
I know the government is exempt from their own rules, but it seems to me they have already racked up $150 million AU in fines, including one that, as you pointed out, was not due to negligence.
Re: (Score:1)
Sure it is incentive. Data breaches depend on voluntary reporting so it is incentive not to report them.
Huh? (Score:4, Informative)
Huh?
Headline says: "... up to $33.4 million"
The summary says: "... whichever is greater: AU$50 million, three times the value of any benefit obtained through the misuse of information, and 30% of a company's adjusted turnover in the relevant period."
So ... $33.4 million is the minimum fine, not the maximum.
Re: (Score:3)
So ... $33.4 million is the minimum fine, not the maximum.
I don't think so. TFA contains a quote implying the law only applies to "larger" companies.
A blanket $33.4M minimum would make little sense since most Australian companies are worth nowhere near that much. A single breach would bankrupt them.
Re: (Score:2)
Slashdot being an American website used $US33.4 million for its headline. Convert $US33.4 million to Australian dollars and you get $AU50 million.
$33.4M is great motivation (Score:2)
A link to the legislation and an excerpt (Score:3)
https://parlinfo.aph.gov.au/parlInfo/download/legislation/bills/r6940_aspassed/toc_pdf/22113b01.pdf;fileType=application/pdf
(2) The amount of the penalty for a contravention of subsection (1) by a person other than a body corporate is an amount not more than $2,500,000.
(3) The amount of the penalty for a contravention of subsection (1) by a body corporate is an amount not more than the greater of the following:
(a) $50,000,000;
(b) if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention - 3 times the value of that benefit;
(c) if the court cannot determine the value of that benefit - 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
Do-nothing Liberals (Score:3)
Re: (Score:2)
Make no mistake, the Australian Liberals are not liberals.
Please do not bring American tribalism here. There is a spectrum of liberal and conservative attitudes in both parties.
But yes, the conservatives are increasingly powerful, and have been heading the Liberal party since the "coup" in 2018.
Make penalties based on a %age of company worth (Score:2)
Next up... (Score:1)
Headlines read: "New heavy Australian fines for data breaches prove highly effective with reported data breaches dropping to an all time low."
Does anyone else see a slight problem with fining the people who we depend on to voluntarily report data breaches when they report them?