
New data breach fines could bankrupt SMEs and boutiques

A number of industries, including law firms, will be liable for tough new government financial penalties for businesses that are hacked by scammers, according to this IP and technology lawyer.

Lauren Croft 03 November 2022 SME Law

In the wake of the Optus and Medibank data breaches, the new maximum penalty, announced last week, is necessary to replace the previous data breach penalties, said Brisbane-based intellectual property and technology lawyer Nicole Murdoch.

Under the Privacy Act, a business that failed to protect customer or consumer data and sensitive information, whether the failure was intentional or not, previously faced a maximum penalty of up to $2.22 million.

Under the new penalties announced by the Albanese government, the maximum fine for “serious or repeated privacy breaches” rises to the greatest of $50 million, three times the value of the benefit obtained through misuse of data, or 30 per cent of a company’s adjusted turnover in the relevant period.


Ms Murdoch, principal at Brisbane firm EAGLEGATE Lawyers, said that under European law, businesses held liable for high-level data breaches can face a penalty of up to €20 million or 4 per cent of the businesses’ annual turnover — whichever is the highest.

“In the wake of the Optus hack and the other data system hacks reported since then, it’s crucial there is a big enough motivator to make businesses strengthen their cyber security systems,” she said.

EAGLEGATE paralegal Rhys Fuller added that while the new penalties have been devised for big corporates, they will also apply to any business that holds data on its customers.

“So, real estate firms, rental agencies, even law firms, any business that is entrusted with personal data and information about clients will be liable if they fail to ensure adequate security of that data,” he explained.

The Optus and Medibank hacks meant that personal information, including customer names, dates of birth, addresses and phone numbers, and for some even their driver’s licences, healthcare details and passports, was compromised.

Ms Murdoch said there is now a real fear that customers whose data was hacked are vulnerable to scams or identity fraud going forward.

While the media focus has been on big corporates, the new penalties will apply to any Australian business and company with privacy obligations pursuant to the Privacy Act.

“Businesses, such as real estate agencies, rental complexes or law firms, will be bound to these obligations under the Privacy Act,” Ms Murdoch said.

Mr Fuller noted that the proposed amendments are for serious or continued privacy breaches, and for small- to medium-sized businesses, the penalties could be significant enough to bankrupt the business.

“What constitutes a serious privacy breach will be up to interpretation of the court,” he said.

“A repeated privacy or data breach, however, could show that a business is not taking its cyber security measures seriously, whether it may be through the use of outdated technology and measures, or through the business not taking reasonable steps to ensure its data protection.”

Moreover, history will look back on the Optus and Medibank data hacks as the cyber security wake-up call Australia needed, according to Ms Murdoch.

“With both private and state-driven cyber attacks now the norm, Australians have a right to expect the data they confide to a business will be held securely,” she said.

“These new penalties more than ram the message home.”
