Australia on Saturday imposed tougher penalties for businesses that failed to protect customers’ personal information after two major cybersecurity breaches left millions vulnerable to criminals.
Attorney-General Mark Dreyfus said that under amendments that would be presented to Parliament next week, the penalty for major violations of the Privacy Act will rise from AUD 2.2 million (about Rs. 11 crore) to AUD 50 million (roughly Rs. 260 crore).
If the amount exceeds A$50 million, the company could also be fined 30% of its earnings over a period of time.
“Big companies could face penalties of up to hundreds of millions of dollars under the new law,” Dreyfus said.
Parliament will resume on Tuesday for the first time since mid-September.
“This is a very significant increase in penalties,” Dreyfus told reporters. “It should make businesses think. It’s designed to act as a deterrent for businesses to protect Australians’ data,” he added.
Since the last session of parliament, an unknown hacker has stolen the personal information of 9.8 million customers of Optus, Australia’s second-largest mobile operator.
The theft puts more than a third of the Australian population at risk of identity theft and fraud. Unidentified cybercriminals this week demanded a ransom from Medibank, Australia’s largest health insurance company, claiming they stole 200 GB of customer data, including medical diagnoses and treatments.
Medibank has 3.7 million customers. The hacker has proven that he has at least 100 personal records, according to the company. The thief had reportedly threatened to reveal the health status of a high-profile Medibank client.
Dreyfus said both breaches show that “existing safeguards are inadequate.” Not only are governments failing to protect personal information, but there are concerns that companies are keeping too much customer data for unnecessarily long periods of time in hopes of monetizing that information.
“In the event of a data breach, we need to make sure that the penalties are large enough to be very serious penalties for the business, and not simply ignored or neglected, or out of the cost of doing business. You can’t pay as part of it,” Dreyfus said. Dreyfus hopes the proposed changes will become law in the final four weeks of this year’s legislative session.