The word is out – Medibank confirmed earlier this week that they DON’T have cyber insurance after a breach that impacted all 3.9 million customers. The cybercriminals responsible for the attack now have access to customers’ personal data and a significant amount of health-claim data.

Experts estimate that the breach will cost Medibank up to $35 million, plus the cost of legal fees and remediation. However, the government proposed a new bill on 22 October which, if passed, will increase the maximum penalty for serious or repeated privacy breaches from $2.22 million to a whopping $50 million.

The press release stated, “It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”

So, what is this new legislation all about?

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 is designed to incentivise businesses to implement tighter data protection policies. The fundamental changes announced include:

  • A maximum penalty of $50 million, three times the value of the benefit gained through the misuse of information, or 30% of the company’s adjusted turnover in the relevant period – whichever amount is greater
  • Increased powers for the Australian Information Commissioner (AIC) to step in and resolve privacy breaches
  • A strengthened Notifiable Data Breaches scheme, ensuring the AIC has transparency into any breach that occurs
  • Additional ability for the Australian Information Commissioner and the Australian Communications and Media Authority to share information

The government is reviewing the Privacy Act, with further recommendations for reform anticipated.

Directors’ Responsibilities

Earlier this month, a US court ruled that Uber’s former chief security officer was guilty of criminal obstruction charges after he failed to report a cyber breach to authorities. As a result, he faces a prison sentence of up to eight years.

Following this verdict, the Cyber Security Cooperative Research Centre and the Australian Institute of Directors have published a set of cyber security governance principles to help organisations better protect their own data and that of their clients and customers. These principles establish a framework for the board across the following areas:

  • Roles and responsibilities
  • Cyber strategy development and evolution
  • Incorporating cyber into risk management
  • Building a cyber-resilient culture
  • Preparing and responding to a significant cyber incident

This increased expectation on board members reflects the current climate. Rachael Falk MAICD, CEO of the Cyber Security Cooperative Research Centre, explained why the principles were developed.

“Companies must expect to be attacked and the worst thing any organisation can do in this current environment is to proceed with a false sense of security. This is a core risk that has to be incorporated into the everyday business of running any organisation,” said Falk.

Safeguards for the Digital Era

With the massive quantities of data companies are collecting in the digital era, every business needs to step up and be accountable for storing and protecting this information. It doesn’t matter what size your organisation is – if you can’t afford to protect the data you collect, you can’t afford to be in business.

While this is a significant shift for many businesses, it is evident from the recent spate of breaches (Optus, Medibank, Woolworths MyDeal, the list goes on) that there is no more burying your head in the sand.

If you aren’t sure you are covered, call us to book a check-up. We also have a range of cyber resources available:

Don’t risk being front-page news for all the wrong reasons – ensure your company’s data is protected.