A Senate committee has backed enabling legislation for what would be a radical extension of penalties for companies that are the victims of cybercrimes.
The federal government tabled the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) on 26 October in response to the theft of personal data from Optus and Medibank.
The private health insurer was recently the victim of a cyberattack that involved the theft of private patient information. Medibank has refused to pay the ransom demanded, and the hackers are now releasing individual patient data, affecting many people who have serious health issues.
In response, the federal government established a new task force focused on preventing the theft and criminal misuse of this data.
It also tabled the Bill that was quickly referred to a committee for inquiry.
The Bill would radically reshape the penalties for companies and organisations holding personal data.
The penalty for a breach of privacy by a company, which in this case means the victim of a cybercrime, would increase from $2.22 million to not more than the greater of $50 million, three times the value of any benefit obtained through the criminal misuse of the stolen information, or 30 per cent of a company's Australian turnover in the relevant period.
The Bill will also strengthen the existing Notifiable Data Breaches scheme by empowering the Office of the Australian Information Commissioner to assess an entity's compliance with its requirements. This includes new information-gathering powers.
The Senate inquiry received 32 submissions but not one was from a health-related organisation, despite the cyberattack on Medibank being the significant driver of the proposed change.
At least one of the submissions expressed concern over the far-reaching nature of the Bill, given that it is other laws administered by the federal government that require companies to hold data, sometimes in perpetuity.