Protecting Sensitive Data: The Impact of Cyber Security Incidents and the Power of Higher Penalties in Australia

By Gerald Jimenez


Cybersecurity has become a major concern in today’s digital world, with cyber threats becoming more sophisticated and frequent. In recent years, numerous high-profile data breaches have occurred, exposing sensitive personal and financial information of millions of people. The Australian government is taking measures to address this issue, and two recent articles from the Office of the Australian Information Commissioner (OAIC) shed light on some of these efforts.

According to the OAIC’s latest quarterly report, there were 539 data breaches reported to the agency between July and September 2021. Malicious cyber attacks were the leading cause of these breaches, accounting for 61% of all incidents. Other causes included human error (26%) and system faults (13%).

The report also notes that organizations that suffer a cyber security incident are more likely to experience a data breach. In fact, 88% of the organizations that reported an incident in the third quarter of 2021 also reported a data breach. This underscores the importance of having robust cybersecurity measures in place to prevent incidents from occurring in the first place.

The Privacy Amendment (Privacy Regulatory Powers) Bill 2019, which was passed by Parliament in December 2021, gives the OAIC the power to impose fines of up to $10 million for serious or repeated breaches of privacy. The legislation also includes a range of other measures to strengthen privacy protections, such as giving individuals greater control over their personal information and improving the transparency of data handling practices.

The aim of the legislation is to deter organizations from being careless with personal information and to encourage them to take their obligations under the Privacy Act more seriously. The OAIC hopes that the increased penalties will provide a strong incentive for organizations to improve their data protection practices and prevent privacy breaches from occurring.

Small businesses affected

The Privacy Act covers some small business operators (organisations with an annual turnover of $3 million or less), including:

  • a private sector health service provider (an organisation that provides a health service), which includes:
    • a traditional health service provider, such as a private hospital, a day surgery, a medical practitioner, a pharmacist and an allied health professional
    • a complementary therapist, such as a naturopath and a chiropractor
    • a gym or weight loss clinic
    • a child care centre, a private school and a private tertiary educational institution
  • a business that sells or purchases personal information
  • a credit reporting body
  • a contracted service provider for an Australian Government contract
  • an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009
  • a business that holds accreditation under the Consumer Data Right System
  • a business that has opted in to the Privacy Act
  • a business that is related to a business that is covered by the Privacy Act
  • a business prescribed by the Privacy Regulation 2013.

In conclusion, cyber security is a critical issue in today’s digital world, and the Australian government is taking steps to address the risks posed by cyber threats and data breaches. Businesses should take note of the risks and ensure that they have robust cybersecurity measures in place to protect their sensitive data. With the increased penalties for privacy breaches, businesses that fail to take their obligations under the Privacy Act seriously are now at greater risk of significant financial penalties.