The Australian government has enacted a significant legislative measure aimed at increasing penalties for companies that experience serious or repeated data breaches. This new bill raises the maximum fine from AU$2.22 million to AU$50 million, or 30% of an entity’s adjusted turnover during the relevant period, or three times the value gained from any illicit use of breached information—whichever amount is higher.
The turnover period for assessing penalties is defined as the time frame from the occurrence of the contravention until the end of the month in which the incident is officially resolved. This stringent approach underscores a clear message to companies: the financial repercussions of major data breaches should no longer be seen as merely a cost of doing business.
Attorney-General Mark Dreyfus stated, “Recent significant privacy breaches have illustrated that existing safeguards are outdated and inadequate.” His comments emphasize the government’s commitment to reforming privacy laws to better protect individual data. The legislative proposal, known as the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, also empowers the Australian Information Commissioner with enhanced authority to address security breaches more effectively.
Angelene Falk, both the Australian Information Commissioner and Privacy Commissioner, remarked that the updated information-sharing powers would foster improved collaboration with domestic regulators and international counterparts. This coordination is intended to streamline regulatory activities related to data protection and breach responses.
The bill is part of broader reforms to the Privacy Act 1988 and is currently awaiting Royal Assent before it becomes law. This development follows significant data breaches at companies like Optus and Medibank, which exposed sensitive personal information of 2.1 million and 9.7 million customers, respectively. Such incidents have amplified concerns over the adequacy of existing data protection measures.
From a cybersecurity perspective, it is important to understand the tactics adversaries typically employ in breaches of this kind, because each stage is an opportunity for detection and mitigation. In MITRE ATT&CK terms, Initial Access is commonly gained through phishing or the exploitation of vulnerabilities, Persistence is maintained through backdoors or malware, and Privilege Escalation techniques give attackers higher-level access to systems. Once an intrusion has progressed through these stages, it becomes increasingly difficult for organizations to detect or contain, which is why controls and monitoring should cover each of them rather than the perimeter alone.
This new regulatory landscape signals a critical shift for businesses, reinforcing the imperative for effective cybersecurity measures. As organizations navigate these changes, they must also remain vigilant against emerging threats and adapt their strategies to protect sensitive data adequately.