Goodbye job applications, hello dream career
Seize control of your career and design the future you deserve with LW career

New data breach fines could bankrupt SMEs and boutiques

A number of industries, including law firms, will be liable for tough new government financial penalties for businesses that are hacked by scammers, according to this IP and technology lawyer.

user iconLauren Croft 03 November 2022 SME Law
New data breach fines could bankrupt SMEs and boutiques
expand image

In the wake of the Optus and Medibank data breaches, the new maximum penalty, announced last week, is necessary to replace the previous data breach penalties, said Brisbane-based intellectual property and technology lawyer Nicole Murdoch.

Under the Privacy Act, a business that failed to protect customer or consumer data and sensitive information, whether intentional or not, previously faced a maximum penalty of up to $2.22 million.

New penalties announced by the Albanese government will now impose a fine for “serious or repeated privacy breaches” increased to either $50 million, three times the value of the benefit obtained through misuse of data, or 30 per cent of a company’s adjusted turnover in the relevant period — whichever equals the highest amount.

Ms Murdoch, principal at Brisbane firm EAGLEGATE Lawyers, said that under European law, businesses held liable for high-level data breaches can face a penalty of up to €20 million or 4 per cent of the businesses’ annual turnover — whichever is the highest.

“In the wake of the Optus hack and the other data system hacks reported since then, it’s crucial there is a big enough motivator to make businesses strengthen their cyber security systems,” she said.

EAGLEGATE paralegal Rhys Fuller added that while the new penalties have been devised for big corporates, they will also apply to any business that holds data on its customers.

“So, real estate firms, rental agencies, even law firms, any business that is entrusted with personal data and information about clients will be liable if they fail to ensure adequate security of that data,” he explained.

The Optus and Medibank hacks meant that personal information, including customer names, dates of birth, addresses, phone numbers, and for some, even their driver’s licences, healthcare details, and passports, were compromised.

Ms Murdoch said that now, there’s a real fear that customers whose data was hacked are now vulnerable to scams, or identity fraud, moving forward.

While the media focus has been on big corporates, the new penalties will apply to any Australian business and company with privacy obligations pursuant to the Privacy Act.

“Businesses, such as real estate agencies, rental complexes or law firms, will be bound to these obligations under the Privacy Act,” Ms Murdoch said.

Mr Fuller noted that the proposed amendments are for serious or continued privacy breaches, and for small- to medium-sized businesses, the penalties could be significant enough to bankrupt the business.

“What constitutes a serious privacy breach will be up to interpretation of the court,” he said.

“A repeated privacy or data breach, however, could show that a business is not taking its cyber security measures seriously, whether it may be through the use of outdated technology and measures, or through the business not taking reasonable steps to ensure its data protection.”

Moreover, history will look back on the Optus and Medibank data hacks as the cyber security wake-up call Australia needed, according to Ms Murdoch.

“With both private and state-driven cyber attacks now the norm, Australians have a right to expect the data they confide to a business will be held securely,” she said.

“These new penalties more than ram the message home.”

Lauren Croft

Lauren Croft

Lauren is a journalist at Lawyers Weekly and graduated with a Bachelor of Journalism from Macleay College. Prior to joining Lawyers Weekly, she worked as a trade journalist for media and travel industry publications and Travel Weekly. Originally born in England, Lauren enjoys trying new bars and restaurants, attending music festivals and travelling. She is also a keen snowboarder and pre-pandemic, spent a season living in a French ski resort.

You need to be a member to post comments. Become a member for free today!