Will Australia see its first $1 billion data privacy fine in 2023?
Last year was a pivotal year for cybersecurity in Australia. But with cyber attacks continuing to rise, and regulators aiming to sit closer to the action, Australia may this year see its first $1 billion data privacy fine, writes Robert Beck, ANZ Managing Director at Protegrity.
While the number of cybercrimes reported to the Australian Cyber Security Centre grew by 13% in 2022, the actual number of cyber breaches suffered by Australian businesses is probably larger, given that many organisations would be dissuaded from reporting a breach to authorities because they are either uncertain about their reporting obligations or hopeful that they can solve the issue themselves, perhaps by paying the demanded ransom.
The growth in cybercrime is symptomatic of a number of factors that even the best-resourced organisations are powerless to fight against.
These factors include: digital transformation and the shift to hybrid working, which have enlarged the ‘attack surface’, meaning that cybercriminals have many more potential modes of entry; a cybercrime ecosystem that has grown more sophisticated, with breach specialists and brokers all playing their part; and a talent pipeline that has not grown quickly enough to keep up with demand, meaning that security teams are under-resourced and under-staffed.
High profile attacks like those suffered by Optus, Telstra and Medibank showed the enormous financial and reputational impacts that data breaches can have. Medibank’s value fell by $1.6 billion in just a single week and longer term, it has a mountain to climb to regain customer trust.
For many businesses and everyday Aussies, cyber attacks were, until 2022, a nebulous, vague threat – something that happened to someone else. These consecutive, high profile attacks, with news outlets reporting every new development in real time, changed all of that.
A shift from security to privacy
The needle shifted in 2022 because everyday Australians became aware of the consequences of cyber breaches. Everyday people don’t care about endpoint security or identity management but they do care when their sensitive personally identifiable information (PII) is being sold on the dark web. Public outcry was driven not by the fact that an organisation’s defences were breached but because their data was no longer private.
The Australian government has been quick to respond to the needs of businesses and the wider public by bringing forward new legislation. In the first half of the year it expanded the Critical Infrastructure Act to mandate organisations to achieve a state of cyber readiness - with boards being held responsible for lack of preparation.
However, at the end of 2022 the government sensed the shift towards privacy and brought forward the Data Privacy Act. The legislation gives authorities the ability to fine organisations up to ‘three times the value of any benefit obtained through the misuse of information’ or ‘30% of a company’s adjusted turnover in the relevant period’, suggesting that the figure could be much higher than the $50 million figure that drew headlines.
All of these regulatory movements in Australia share common characteristics with the European Union General Data Protection Regulation (GDPR), and many security and data privacy experts believe that the groundwork is being laid for an Australian version of the GDPR next year. European regulators have already used GDPR to issue hefty fines against organisations.
Last year, Luxembourg’s privacy watchdog fined Amazon €746 million (AU$1.17 billion) while authorities in Ireland slapped Meta’s WhatsApp with a €225 million (AU$354 million) penalty.
Getting ahead of consumers and regulators
While business leaders should be investing in cyber defences and recruiting talent to defend against these threats, the defender has to get lucky every time to stay safe, while the attacker only has to get lucky once to succeed. It’s increasingly becoming a matter of ‘when’ not ‘if’.
Data privacy is about protecting people’s most sensitive information and minimising the consequences of a breach. Data privacy technologies, such as tokenisation, can keep sensitive data, including PII, hidden even in the event of a breach. These techniques enable organisations to utilise and analyse customer data to offer personalised services and remain competitive, while still reducing the risk of misuse by obfuscating the raw sensitive identifiers.
If this kind of technology had been applied in 2022, then the cybercriminals would have had to re-identify the data before they could derive value from it, a difficult process for those without authorisation.
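To make the point above concrete, here is an added illustration (not code from the article or from any vendor product) of vault-based tokenisation: the application data store holds only random tokens, analytics still run on the tokenised records, and re-identification requires the separately held vault. The customer records and field names are constructed sample data.

```python
import secrets

# Constructed sample customer records (not real people).
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "passport": "PA1234567", "state": "NSW", "plan": "Gold"},
    {"id": 2, "name": "Bob Example", "passport": "PA7654321", "state": "VIC", "plan": "Silver"},
    {"id": 3, "name": "Carol Example", "passport": "PA1111111", "state": "NSW", "plan": "Gold"},
]
PII_FIELDS = ("name", "passport")  # fields to be replaced by tokens


class TokenVault:
    """Maps random tokens back to raw values. In practice this lives in a
    separately secured system, so a breach of the app database alone
    yields no PII."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, field, value):
        # Same raw value always gets the same token, so joins and counts
        # still work on tokenised data; the token itself is random and
        # carries no information about the value.
        key = (field, value)
        if key not in self._value_to_token:
            token = f"tok_{field}_{secrets.token_hex(8)}"
            self._value_to_token[key] = token
            self._token_to_value[token] = value
        return self._value_to_token[key]

    def detokenize(self, token):
        # Only callers with access to the vault can re-identify a token.
        return self._token_to_value[token]


def tokenize_records(records, vault):
    """Return copies of the records with every PII field replaced by a token."""
    return [{**r, **{f: vault.tokenize(f, r[f]) for f in PII_FIELDS}} for r in records]


def gold_customers_by_state(records):
    """An analytics query that needs no PII, so it runs on tokenised data."""
    counts = {}
    for r in records:
        if r["plan"] == "Gold":
            counts[r["state"]] = counts.get(r["state"], 0) + 1
    return counts


def leaked_pii(records):
    """Raw PII values from CUSTOMERS that still appear verbatim in `records`."""
    raw = {r[f] for r in CUSTOMERS for f in PII_FIELDS}
    return {r[f] for r in records for f in PII_FIELDS} & raw
```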
With such technology readily available, it seems likely that the government will push Australian organisations, using the Data Privacy Act, to up their game on data privacy. When another major data breach of a trusted, public-facing brand occurs in 2023, we could well see regulators moving to issue a fine of 30% of company turnover, to show the public (and business community) they are taking the matter seriously and are on the side of victims.
This year, then, boards need to elevate data privacy to the same level as cyber security, or be prepared to suffer the consequences should they suffer a breach. As we move into 2023, no doubt we will see even more high-profile cyber incidents. As more companies experience crippling security breaches, the wave of compromised data is on the rise.
It will only be a matter of time before Australian regulators move to match the actions taken by European regulators against Meta, Amazon and others, including penalties of over AU$1 billion.