How Data Breach Protection Laws Have Evolved in 2022
In September and October of 2022, two major data breaches occurred in Australia, affecting telecommunications provider Optus and private health insurer Medibank. The breaches exposed the personal information of millions of current and former customers, including sensitive medical information in the case of Medibank. The incidents, which were not isolated, brought the issue of data protection to the forefront and prompted the government to introduce stricter data breach and protection laws and penalties for companies involved with serious or repeated data breaches.
The new breach laws come in the form of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. These laws aim to strengthen the protection of personal information and increase the penalties for companies that suffer serious or repeated data breaches.
Under the new legislation, the maximum penalties for such breaches have been increased from a fine of $2.22 million to whichever is the greater of three options: $50 million, three times the value of any benefit obtained through the misuse of information, or 30% of a company's adjusted turnover in the relevant period.
In addition to increasing the penalties for data breaches, the new legislation also gives the privacy regulator the power to conduct investigations and audits of companies to ensure they are complying with privacy laws. The regulator also has new teeth in the form of civil penalties such as fines and a criminal offence in cases of systemic misconduct or patterned and ongoing noncompliance behaviour.
In an administrative guidance document, the office of the Commissioner states that the question of seriousness in breaches is objective and will reflect the opinion of a reasonable person. The list of relevant factors in determining seriousness of a breach reflect:
· the number of individuals potentially affected;
· whether it involved ‘sensitive information’ or other information of a sensitive nature;
· whether significant adverse consequences were caused or are likely to be caused to one or more individuals from the interference;
· whether vulnerable or disadvantaged people may have been or may be particularly adversely affected or targeted;
· whether it involved deliberate or reckless conduct;
· whether senior or experienced personnel were responsible for the conduct.
The bill also includes provisions to improve the reporting of data breaches. Under the new laws, companies are required not only to provide affected individuals and the
Commissioner’s office with notification of the kind or kinds of personal information involved in a data breach, but with the particular kind or kinds of personal information involved. This means that to be in compliance, organisations must be far more specific when notifying the Commissioner of a data breach. For example, what could previously be described as ‘contact information’ must now be described as ‘phone numbers’, ‘home addresses’ or ‘email addresses’. The threshold for application of existing privacy laws to offshore organizations has also been lowered. Australian privacy and data protection laws now apply to any organization doing business in Australia, regardless of where personal information is collected. The introduction of these stricter penalties reflects the growing importance of data protection in the digital age. As more and more personal information is collected and stored online, the risk of data breaches increases. These breaches can have serious consequences for individuals, including identity theft, financial loss, and damage to reputation.
With the toughening of data protection laws in Australia, businesses must take care to perform due diligence around the safety of personally identifiable information. Bepoz’s online ordering app offers a readymade and secure solution to contactless ordering, protecting customer information on secure servers and allowing you to focus on running your business. Get in touch today to discuss POS software and system solutions for your business.