While the big names grab the headlines, cybersecurity is an increasingly significant area of risk for businesses of all sizes.  Due to recent widely publicised cyberattacks on Optus, EnergyAustralia, and Medibank, the Australian public are rapidly becoming armchair experts in data privacy and cybersecurity.  The information age has increased the value of electronic personal information, and as a result, cybercriminals are further incentivised to infiltrate data that may be inadequately safeguarded by businesses.  Understandably, Australians expect that, when their sensitive data is entrusted to businesses, it will be protected.  While cybercrime has become very costly for businesses, the costs associated with implementing and maintaining a robust cybersecurity platform may be to blame for corporate Australia’s heel dragging in the implementation of effective data protection procedures.  Alternatively, it could be that businesses simply aren’t familiar enough with their data handling and storage practices to implement appropriate data security compliance procedures.

As part of an overarching privacy reform effort, the Albanese government has responded to the current circumstances by fast-tracking the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 which ramps up penalties for private data breaches where cybersecurity measures fail to adequately protect the privacy of personal information entrusted to businesses. The Bill passed both houses of Parliament on 28 November 2022 and is now awaiting Royal Assent.

One objective of the changes is to overcome the view that the older, and significantly lower, penalties were simply a ‘cost of doing business.’  To this end, the legislation increases maximum penalties under the Privacy Act 1988 for serious or repeated interferences with privacy to the greater of:

• $50 million;
• three times the value of the benefit obtained; or
• if the court cannot determine the value of the benefit, 30% of adjusted turnover in the relevant period.

The Bill also empowers the Office of the Australian Information Commissioner (OAIC) with new ways to resolve breaches of private data. For example, the strengthened OAIC can request information and conduct compliance assessments, potentially requiring a corporation to have an independent advisor conduct a review of whether the corporation has appropriate data protection procedures in place. The OAIC could then retain possession of any relevant information collected necessary to assess compliance. The Bill also grants the OAIC new powers to share information with other Australian authorities and certain third parties, or even to disclose information to the general public, where information sharing would be in the public interest. The Bill may fall short in that it does not allow the OAIC to resolve cybersecurity incidents at a technical level, but rather limits its role to monitoring and enforcing the Privacy Act.

While the introduction of new increased penalties does send the message that the Government is taking a tougher stance on cybersecurity due to recent high-profile data breaches in Australia, the fact that the OAIC does not have an extensive record of enforcing penalties under the Privacy Act means that the impact of the increased penalties may be difficult to quantify. While sending a message has all the right optics, the Government has done little to assist or inform businesses on specific technical action they can take to comply with the Privacy Act and protect against privacy breaches.  Because the Bill fails to go so far as to mandate a more active role by the OAIC in assisting businesses with cybersecurity procedures, it appears that the onus has now fallen back to business leadership to play a critical role in sharpening the cybersecurity focus to reduce key commercial risks to business and the public.

The potential costs associated with a data breach can be widespread, extending to containment of the breach, investigating the extent of the breach, audit costs, legal bills, regulatory penalties, communicating with and potentially compensating those affected, as well as damage to business reputation, brand, trust, and share value.  In general, business owners and managers may lack sophistication when it comes to cybersecurity, and even if they are aware of and appreciate the risks involved, many still do not have specific resources focused on cybersecurity or even conduct regular discussions about cybersecurity.  Additionally, this is likely only the beginning of a broad privacy reform policy designed to drag Australia into the modern privacy age.  Companies already lagging on privacy procedures may find it difficult to maintain pace with new government efforts to reform.

A proactive approach to the risk can be far less costly than a reactive one.  While no level of cybersecurity can immunise a business from a cyberattack, businesses should focus on what they are able to control.  For example, owners and operators should familiarise themselves with applicable legal obligations, assess the privacy risks inherent to their information flows, design best practices in data controls, and build trust with those who may provide personal information.  They should also ensure that, where appropriate, their contracts with contractors and suppliers address cyber risks.  Many businesses use collected data as a key business asset, but the other side of the coin is that there is a risk, if personal information is not correctly managed, that same data can also represent a potential business liability.