Australian companies to face fines for concealing data breaches under new laws

Australian companies and government agencies that lose sensitive personal data will be forced to notify the individuals affected or risk fines.

Companies and government agencies that fail to raise the alarm when they lose their customers’ personal information could face fines as high as $2.1 million under new laws that take effect on Thursday.

The federal law will cover any data lost in a hack, theft or leak that is likely to cause “serious harm” to the individuals involved, including personal health or financial records.

The rules will apply to any company with an annual turnover of more than $3 million – but some small businesses under that threshold will still be covered if they handle sensitive health documents or government contracts.

SBS News asked cybersecurity minister Angus Taylor if Australian companies were ready for the new obligation.

“Some are and some are not,” Mr Taylor said on Thursday, as the new laws came into effect.

“There has been a long consultation period.”

Data breaches that meet the “serious harm” standard must be reported to the individuals whose data is affected, as well as to the Australian Information Commissioner, which has the power to issue the fines.

Last year saw a number of high-profile data breaches around the world, including the massive release of financial records following the hack of credit agency Equifax.

A data breach at the ride-share company Uber was also exposed in 2017, revealing the company had failed to notify the majority of the 57 million customers affected, which included Australians.

Analysis by tracking site Breach Level Index shows Australia has the highest rate of data breaches in the Asia-Pacific region.

Mr Taylor said the government wanted to “work with” business and said there was a range of government and private services available to companies that still needed to improve their reporting processes.

He also stressed the government would be forced to meet the same standards as it was demanding from companies.

Businesses will have 30 days to analyse a suspicious breach and determine if sensitive information was lost.

Tim Bentley of the cybersecurity firm Proofpoint said the new laws were among the “strictest in the world”.

But he said the risk of major fines may not be enough to change business behaviour without a massive breach increasing public awareness.

“There is concern that the new data breach disclosure laws will not amass real action on the ground in the business community until a big, local breach in post-data disclosure Australia occurs,” Mr Bentley said.

US expert says companies should not fear new laws

Similar breach-notification laws in parts of the United States have helped improve their data security, a former cybersecurity heavyweight in the US State Department told SBS News.

Chris Painter was Director of Cyber Issues at the department from 2011-17.

He said while there were no federal laws in the US, the vast majority of states had adopted their own regulations.

“My sense is that it could be very helpful. It has been very helpful in the 49 states that have done this,” Mr Painter said.

Companies that experienced hacks initially “didn’t want to report” because they were “worried about being further victimised” by the law, he said.

But Mr Painter said over time, companies realised they could work with law enforcement to “stem the harm that can be caused by the theft of information, theft of trade secrets and other issues”.
