
Australia seeks tougher penalties for data breaches amid series of security incidents


Australia wants organizations to pay more for repeated or severe data privacy breaches, proposing a maximum fine of up to AU$50 million (US$31.57 million). The move to increase penalties for violations comes amid a series of cybersecurity incidents that have compromised customer data, the latest of which involves insurance group Medibank.

Justice Minister Mark Dreyfus revealed plans to introduce legislation in parliament this week that would raise financial penalties for privacy violators from the current A$2.22 million (US$1.4 million).

The new rules will be outlined in the Australian Privacy (Enforcement and Other Measures) Legislative Amendment Bill 2022, which could be applied under the Privacy Act 1988 to “serious or repeated” privacy violations.

Following the update, companies found to be in violation will face a fine of AU$50 million, or triple the value of any benefits they derive from the misuse of information, or 30% of the company's adjusted revenue for the relevant time period, whichever is greater.

The Bill would also give the Australian Information Commissioner “greater power” to tackle privacy breaches, as well as bolster the Notable Data Breach scheme, which would give the Commissioner enough knowledge of the information compromised in a breach to assess the risk of harm to affected individuals. In addition, the Commissioner and the Australian Communications and Media Authority will be better empowered to share information in the event of a data breach.

“When Australians are asked to turn over their personal data, they have a right to expect it to be protected. Unfortunately, there have been significant privacy breaches in recent weeks,” said Dreyfus, adding that the breaches show current safeguards are not enough and that it is not enough for the penalty for a big data breach to be seen as the cost of doing business.

“We need better laws to regulate how companies manage the massive amounts of data they collect, and bigger penalties to encourage better behaviour,” he said.

Australian policymakers had previously pushed for more severe fines, particularly following a breach at local telco Optus that compromised the data of 9.8 million customers, including email addresses, phone numbers and other personally identifiable information.

Medibank breach compromises health records

In another breach that followed Optus’, Medibank on October 13 revealed it had detected “unusual activity” on its network, which was later found to have compromised the personal data of customers of its subsidiary, ahm, as well as international student customers.

In a statement yesterday, it said it had received files from the alleged hacker containing 1,100 ahm policy records, including health and personal claim data, along with some customer information from Medibank, ahm and international students.

Medibank, one of Australia’s largest health insurers, said last week that the hacker claims to have stolen 200GB of data, including customers’ names, addresses, dates of birth and contract numbers. The data related to customer claims includes the location where customers received medical services and codes related to their diagnoses and procedures.

However, the hacker also said they had data related to credit card security, which Medibank said it has yet to verify.

“Given the complexity of what we received, it is too early to determine the full extent of the customer data that was stolen,” it said. “We will continue to analyze what we receive to understand the total number of customers affected and specifically what information was stolen.”

The insurer added that the breach is currently under criminal investigation by the Australian Federal Police. It is also working with cybersecurity vendors, the Australian Cybersecurity Center and other relevant government agencies, it said.

“As we continue to investigate the scale of this cybercrime, we expect the number of customers affected to increase as this happens,” Medibank said.

Financial services regulator the Australian Prudential Regulatory Authority (APRA) on Monday issued a statement reminding industry players to implement data security controls and ensure they comply with industry regulations.

Referring specifically to the requirements outlined in the Prudential Standards Information Security CPS234, the government agency said APRA-regulated entities should clearly define the cybersecurity roles and responsibilities of their boards, senior management, regulators as well as individuals. They must also maintain information security capabilities appropriate to the size and severity of threats to their data assets, implement controls to protect those assets, and run systematic tests to ensure the effectiveness of those controls.

APRA added that the recent security breaches are a reminder that such threats continue to escalate. It emphasized the need for regulated entities to review and regularly test incident response plans.
