The rules are designed to combat the recent spate of cybersecurity breaches that has exposed Australians’ identity information along with highly personal medical records, potentially including treatments for sexually transmitted diseases, substance addiction and mental health conditions.
Penalties could be even higher than $50 million, based on company turnover and the estimated value of the stolen data. The government decided to fast-track the changes after recent breaches saw Australians’ sensitive personal data stolen and put up for ransom on the internet.
Australia has suffered six major cybersecurity breaches in five weeks, affecting more than 14 million customer records.
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate,” Attorney-General Mark Dreyfus said.
“It’s not enough for a penalty for a major data breach to be seen as the cost of doing business. We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”
The changes bring Australia closer to the tough penalty regime used in Europe, where companies can be punished for major privacy breaches with fines of up to $30 million or four per cent of global turnover from the previous year, whichever is higher.