Will Australia see its first $1 billion data privacy fine in 2023?

Last year was a pivotal year for cyber security in Australia. But with cyber attacks on the rise, and regulators aiming to get closer to the action, Australia could face its first $1 billion data privacy fine this year, writes Robert Beck, ANZ Managing Director at Protegrity.
While the number of cyber crimes reported to the Australian Cyber Security Centre grew by 13% in 2022, the actual number of cyber breaches suffered by Australian businesses is likely to be higher, as many will be deterred from reporting a breach to authorities because they are either unsure of their reporting obligations or hopeful that they can resolve the issue themselves, perhaps by paying the required ransom.
The growth in cybercrime is symptomatic of a number of factors that even the best-resourced organizations are powerless to combat.
These factors include: digital transformation and the shift to hybrid work have increased the ‘attack surface’, meaning that cybercriminals have many more possible means of entry; the cybercrime ecosystem has become more sophisticated, with breach specialists and brokers all playing their part; and the talent pipeline hasn’t grown fast enough to keep up with demand, meaning security teams are understaffed.
High-profile attacks such as those suffered by Optus, Telstra and Medibank have shown the enormous financial and reputational impact that data breaches can have. Medibank’s value has fallen by $1.6 billion in just a single week and in the longer term it has a mountain to climb to regain customer confidence.
For many businesses and everyday Aussies, until 2022 cyber attacks were a vague threat – something that happened to someone else. These successive, high-profile attacks, with news outlets reporting each new development in real time, changed all that.
A shift from security to privacy
The needle moved in 2022 as everyday Australians became aware of the consequences of cyber breaches. Everyday people don’t care about endpoint security or identity management, but they do care when their sensitive personally identifiable information (PII) is sold on the dark web. Public outcry was driven not by the fact that an organization’s defenses were breached, but because their data was no longer private.
The Australian government has been quick to respond to the needs of businesses and the wider public by introducing new legislation. In the first half of the year, it extended the Critical Infrastructure Act to mandate organizations to achieve a state of cyber readiness – with councils held accountable for a lack of preparation.
However, at the end of 2022, the government sensed the shift towards privacy and brought forward the Data Privacy Act. The legislation gives authorities the ability to fine organizations up to ‘three times the value of any benefit obtained through the misuse of information’ or ‘30% of a company’s adjusted turnover in the relevant period’, suggesting that the figure could be much higher than the $50 million figure that attracted headlines.
All of these regulatory moves in Australia share common features with the European Union’s General Data Protection Regulation (GDPR), and many security and data privacy experts believe the groundwork is being laid for an Australian version of the GDPR next year. European regulators have already used GDPR to issue hefty fines against organizations.
Last year, Luxembourg’s privacy watchdog fined Amazon €746 million (AU$1.17 billion) while authorities in Ireland slapped Meta’s WhatsApp with a €225 million (AU$354 million) fine.
Getting in front of consumers and regulators
While business leaders should invest in cyber defenses and recruit talent to defend against these threats, the defender needs to be lucky every time to stay safe, while the attacker only needs to be lucky once to succeed. It is increasingly becoming a matter of ‘when’ not ‘if’.
Data privacy is about protecting people’s most sensitive information and minimizing the consequences of a breach. Data privacy technologies, such as tokenisation, can keep sensitive data, including PII, hidden even in the event of a breach. These techniques allow organizations to use and analyze customer data to offer personalized services and remain competitive, while still reducing the risk of abuse by obfuscating the raw sensitive identifiers.
If this kind of technology had been applied in 2022, the cybercriminals would have had to re-identify the data before they could extract value from it, a difficult process for those without authorization.
With such technology readily available, it seems likely that the government will force Australian organizations to up their data privacy game using the Data Privacy Act. When another major data breach of a trusted, public brand occurs in 2023, we may very well see regulators move to issue a fine of 30% of the company’s turnover, to show the public (and business community) that they take the matter seriously and are on the side of victims.
This year, boards must then elevate data privacy to the same level as cyber security, or be prepared to suffer the consequences if they experience a breach. As we move into 2023, we will undoubtedly see even more high-profile cyber incidents. As more companies experience crippling security breaches, the wave of compromised data is rising.
It will only be a matter of time before Australian regulators move to match the actions of European regulators against Meta, Amazon and others, including fines of more than AU$1 billion.