A senate committee has tabled an amendment to Australia’s data breach penalty laws that proposes maximum penalties of $50 million. This is what Australian businesses need to know if it’s voted in.

Why are changes to data breach penalty laws being proposed?

The Optus data breach initially kicked off the proposed changes, titled Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.

The data of up to 9.8 million Australians was caught up in the breach.

Since then we have also seen breaches over at Vinomofo, as well as the enormous Medibank hack, which helped solidify the argument for the changes.

In the case of Medibank, personal information such as names, dates of birth, email addresses, phone numbers and medical history of 5.1 million customers was exposed. Data belonging to a further 4.6 million international and ahm customers was also exposed.

The hackers have already begun releasing this information online after Medibank refused to pay their proposed ransom. The hackers have targeted some victims with medical history that includes sexually transmitted diseases and abortions.

The Legal and Constitutional Affairs Legislation Committee reviewed the bill and tabled its report on November 22.

What are the new data breach penalties for businesses?

If the amendment is passed, there are a few ways this could play out.

At the present time, the maximum penalty is $2.2 million. For serious or repeated breaches, this would be jacked up to one of the following:

$50 million;

Three times the value of any benefit obtained through the misuse of the information; or

30% of the company’s adjusted turnover during the breach turnover period.

Are these penalties now in place?

Not yet. The Senate committee’s report was only just tabled. It needs to be voted on in Parliament.

Will any other changes be made to the bill?

Possibly. The Senate committee made only one major recommendation: to provide further clarity around what would constitute a “serious interference” and a “repeated interference” with user privacy.

But at this point in time, it doesn’t seem like the proposed penalty options will change.

When will the bill go in front of parliament?

This is currently unclear, but with only a few weeks between now and Christmas, it may not be until next year.

What can I do right now?

If you own a business that holds customer data and have concerns, we recommend looking at your data and cyber security hygiene and practices. If need be, hire a professional to do an audit of your cyber security processes in order to protect your customers and business.