Cybercrime and the Privacy Act: The Fed's Response to Recent Breaches

There has been a plethora of cyberattacks globally this year.  In Australia alone, millions have had their private data stolen, published on the dark web, and otherwise used illegally.  These cyberattacks have sparked action from the federal government that propose to amend the Privacy Act 1988 (Cth) (Privacy Act).

In the second reading speech for the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (Privacy Bill), the Attorney-General placed weight on the recent, high profile cyberattacks of Optus, Medibank, and MyDeal.[1]

High Profile Cyberattacks

• Optus was hacked earlier this year, impacting millions of individuals.  Lavan has written about this Optus hack previously.
• Medibank Private Ltd (ASX:MPL) (Medibank), Australia's largest health insurer, has been the subject of a significant cyberattack.  In an ASX announcement dated 7 November 2022, Medibank notified the market that a criminal had accessed the private data of 9.7 million current and former customers.  After stealing the data, the criminal attempted to force Medibank to pay a ransom so that the data would not be misused, however, Medibank has taken a position that is in-line with the federal government and announced that it will not pay any ransom monies to the criminal.
• The Woolworths Group (ASX:WOW) (Woolworths) announced on 14 October 2022 that MyDeal, a subsidiary of Woolworths, had identified that a compromised user credential was used to gain unauthorised access to its Customer Relationship Management system where the data of approximately 2.2 million individuals was accessed.  The breached data includes email addresses, customer names, phone numbers, delivery addresses, and in some instances, the date of birth of the customers who have purchased alcohol.

Privacy Bill: Proposed Amendments

If passed in its entirety, the Privacy Bill will amend three Commonwealth Acts (including the Privacy Act) with the effect of:

1. substantially increasing penalties under the Privacy Act for serious or repeated privacy breaches.  Currently, the maximum penalty for a privacy breach is $2.22 million, whereas under the Privacy Bill it will be the greater of: 3 times the value of any benefits gained by the breach (if any gain calculatable), or 30% of the adjusted turnover of the body corporate during the breach period (if the gain is not calculatable), or $50 million AUD.
    
2. enhancing enforcement powers of the Office Australian Information Commissioner (OAIC) to resolve privacy breaches efficiently and effectively, where the OAIC has further powers to request information about a suspected data breach. 
    
3. strengthening the Notifiable Data Breaches scheme to ensure the Information Commissioner has comprehensive knowledge of the information compromised in a breach to assess the particular risk of harm to individuals; and
    
4. providing greater information sharing powers to the Information Commissioner and the Australian Communications and Media Authority (ACMA) to ensure regulators can work together and take prompt action to minimise harm to Australians.

Lavan Comment

If your organisation suffers a data breach, not only is it likely that the breach will greatly impact the way the market views your brand, but you also may face penalties from the government.  The federal government has indicated that it will take privacy breaches of Australian citizen’s personal information very seriously, and it is therefore vital for Australian businesses to take appropriate steps to ensure that they hold their customers’ personal data in a proper manner.  

Even if you have taken steps to review your systems and have in place cyberattack responses, now is the time to review those arrangements.  If you require assistance in your planning or if you are the subject of a data breach involving personal information, Lavan has extensive experience in assisting with cyberattack response plans and policies to help you minimise legal exposure. If you or your organisation requires a cyberattack policy or response plan, please contact Andrew Sutton or Iain Freeman for assistance on (08) 9288 6000 or andrew.sutton@lavan.com.au / iain.freeman@lavan.com.au.