Australia Flags New Corporate Penalties for Privacy Breaches

Australia on Saturday proposed tougher penalties for companies that fail to protect customers’ personal data after two major cybersecurity breaches left millions vulnerable to criminals.

The penalties for serious breaches of the Privacy Act would increase from 2.2 million Australian dollars ($1.4 million) now to AU$50 million ($32 million) under amendments to be introduced to Parliament next week, Attorney-General Mark Dreyfus said.

A company could also be fined the value of 30% of its revenues over a defined period if that amount exceeded AU$50 million ($32 million).

Dreyfus said “big companies could face penalties up to hundreds of millions of dollars” under the new law.

“It is a very, very substantial increase in the penalties,” Dreyfus told reporters.

“It’s designed to make companies think. It’s designed to be a deterrent so that companies will protect the data of Australians,” he added.

Parliament resumes on Tuesday for the first time since mid-September.

Since Parliament last sat, unknown hackers stole personal data from 9.8 million customers of Optus, Australia’s second-largest wireless telecommunications carrier. The theft has left more than one-third of Australia’s population at heightened risk of identity theft and fraud.

Unknown cybercriminals this week demanded ransom from Australia’s largest health insurer, Medibank, after claiming to have stolen 200 gigabytes of customers’ data including medical diagnoses and treatments. Medibank has 3.7 million customers. The company said the hackers had proved they hold the personal records of at least 100.

The thieves have reportedly threatened to make public medical conditions of high-profile Medibank customers.

Dreyfus said both breaches had shown “existing safeguards are inadequate.”

Beyond companies' failure to protect personal information, the government is concerned that they are unnecessarily holding too much customer data for too long in the hope of monetizing that information.

“We need to make sure that when a data breach occurs the penalty is large enough, that it’s a really serious penalty on the company and can’t just be disregarded or ignored or just paid as a part of a cost of doing business,” Dreyfus said.

Dreyfus hopes the proposed amendments will become law in the final four weeks that Parliament will sit this year.

Any new penalties will not be retroactive and will not affect Optus or Medibank.
