Privacy chief pushes for heavier fines for breaches after Optus hack

Australia’s privacy commissioner wants the power to hit corporations that fail to safeguard personal data with penalties into the billions of dollars after the Optus hack as she warned companies were seeing the current $2.1 million maximum as just a cost of doing business.

The federal government is urgently reviewing the Privacy Act and has flagged stiffer penalties in a plan that drew a positive response from Australian Information and Privacy Commissioner Angelene Falk. She is considering a formal investigation into the Optus hack that exposed data on almost 10 million people.

“We do need to have a deterrent that is more than the cost of doing business,” Falk said on 7.30. “Currently, I can seek civil penalties to the Federal Court of $2.1 million. But overseas there are penalties as large as 4 per cent of global turnover.”

Those penalties, which are in force in the European Union, could equate to billions of dollars if ever levied against the largest internet firms such as Google owner Alphabet, or hundreds of millions if applied to a firm the size of Optus’ Singaporean parent company.

“I think that that is the kind of penalty that we need here to make all boards and directors sit up and take notice of the very important responsibilities they have as custodians of Australians’ personal information,” Falk said of the EU model.

In an interview with The Sydney Morning Herald and The Age on Monday before Falk’s comments on 7.30, Optus chief executive Kelly Bayer Rosmarin argued calls for higher fines would not help because everyone at the company was already sorry and working to regain customers’ trust.

“So I don’t think that an idea that we need extra incentive to do what’s right for customers makes a lot of sense,” Bayer Rosmarin said.

She declined to comment on whether a $2.1 million potential maximum fine for the Optus breach – which included driver’s licences, passport and Medicare numbers as well as millions of names, addresses and emails – was appropriate, saying Optus was focussed on customers.

Two national law firms, Slater & Gordon and Maurice Blackburn, are investigating group claims against Optus that could yield much larger total payouts to affected customers, though that would be compensation rather than a fine.

Bayer Rosmarin said on Monday it was “not for her to comment on policy matters” when questioned about whether fines should be increased for future breaches. She deferred to the review Optus has commissioned into the hack from consultants at Deloitte when pressed on Optus’ long record of publicly commenting on other policy matters affecting the company.

Falk also said on Monday that she was seeking information from Optus about its security practices, which cybersecurity experts and the government have said was so lax as to be like “leaving a window open”.

“I’ll assess that information and decide whether further regulatory action is warranted,” Falk said.

And in a broadening of the fallout from the hack, Falk said she had recommended government should rethink a carve out that exempts small businesses from the Privacy Act to ensure all businesses are storing data securely.

“Even very small businesses can hold vast arrays of data,” Falk said. “You can develop an app in the garage and suddenly you’ve got millions of Australians’ personal information.”
