Laws increasing penalties for companies that suffer data breaches are too severe and could inadvertently lead to more ransomware attacks, say experts.
Australia’s national identity support service IDCARE has made a submission to the federal government’s review of the Privacy Act, criticising increased financial penalties for companies as being counterproductive to the aim of reducing scams and data breaches.
Under the new laws, organisations that experience “serious” or “repeated” privacy breaches can now be fined up to $50 million; or 30 per cent of adjusted annual turnover; or three times the value of any financial benefit obtained through the misuse of data.
That is a massive increase on the previous maximum penalty of $2.2 million per breach.
While the increase may be intended to signal to consumers that the government is taking cyberthreats seriously, IDCARE says their severity actually risks exacerbating the problem.
The group warns that the new penalties may act as a deterrent for businesses to report data breaches, as it may be cheaper to pay the cybercriminal and hope the breach isn’t exposed.
“There is little disincentive for these criminals to keep targeting Australian businesses and government agencies,” the submission reads.
“This is further exacerbated by the conflicting nature of compliance and notification environment.
“Pay a million dollars or face a breach that may cost $50 million. Don’t pay and have your customer data exploited in the most abhorrent and public way in an attempt to send a clear signal to future organisations that this will be the consequence if their demands are not met.”
A simple solution to that problem would be making ransom payments to cybercriminals illegal, but IDCARE says that introduces its own set of problems, including conflict with insurance companies that openly promote the payment of ransoms.
The group says any changes to the Privacy Act should be made after consultation with representatives from business, industry and services such as IDCARE – and not solely based on government opinion.
“Governments and businesses acting unilaterally without this collective view is very risky,” the IDCARE submission says.
“What we are witnessing transpire in terms of serious harms presenting from the actual remediation measures taken by these organisations are a case in point.
“IDCARE’s work is deliberately independent of government. We are free to provide the advice we see as critical to the impacted person. This advice is free from what a commercial entity or government agency believes is in their specific interests.”
Do you support the government’s changes to the Privacy Act? How do you think we should be tackling cybersecurity issues? Let us know in the comments section below.
Also read: Major security threat in government voice recognition
Yes, the Privacy Act needs updating to bring it up to date in this digital age.
But draconian fines to the Victims of Cybercrime are not the answer.
They are already facing a huge cost to diagnose and remediate their IT Infrastructure, possible ransom payments etc., so why hit them with an additional impost of a fine.
Why doesn’t the Government assist with the remediation process to harden the victims systems, and could then charge a “small” fee for the service. That way a victim is more likely to report the breach, knowing that they will get help instead of a hefty fine.
All businesses need to be implementing changes to keeping customers details safe from hackers. It is now a serious threat that hundreds/thousands of customers have their details sold on the dark web, all because these businesses did not implement a more higher security for cyber targeting. There is no excuse as this is the didgital age and has been for many years. The businesses that were targeted are huge corporations that can easily afford protection via employing people that would be looking after that particlar area. The question remains though, why did these giants keep information that was over 10 years old as it should have been destroyed/deleted. This is all about profit making and not implementing the right tools for the job – profits over customers.