Wednesday, November 16, 2022

I Am Not Sure Imposing Big Fines For Data Breaches Is All That Smart An Idea!

This release from the AIIA appeared last week:

Tuesday, 08 November 2022 22:23

AIIA calls on Government to introduce safe harbour and reconsider proposed penalties for data breaches

By David M Williams

The Australian Information Industry Association (AIIA) is calling on the Albanese Government to take a positive, collaborative approach to the complex issue of cybersecurity, cautioning against adopting a heavy-handed or exclusively punitive response to recent high-profile data breaches.

The AIIA is a not-for-profit organisation aimed at fuelling Australia's future social and economic prosperity through technological innovation. Its call comes on the heels of the Privacy Legislation Amendment (Enforcement and Other Measures Bill) 2022, currently working its way through the Australian parliamentary process.

The bill states it "would amend three Commonwealth Acts to increase penalties for serious or repeated interferences with privacy, enhance the Australian Information Commissioner’s enforcement powers, and provide the Commissioner and the Australian Communications and Media Authority with greater information sharing powers."

The bill comes in response to a spate of recent high-profile data breaches among Australian organisations such as Optus and Medibank and seeks to increase penalties to the greater of $50 million, 30% of turnover, or three times the value of any benefit obtained through the misuse of information.


However, the AIIA has made a submission to the Senate's Legal and Constitutional Affairs Committee questioning the arbitrary nature and quantum of penalty increases, stating these could have unintended consequences. Further, the AIIA calls on the Government to implement a safe harbour provision in its privacy legislation, protecting businesses from penalties if they can demonstrate good faith and due diligence in reporting, including by implementing best-practice cyber security frameworks.

The AIIA states this would ensure the system encourages transparency and willingness to resolve major data breaches, and to seek assistance in doing so.

It is the AIIA's position that focusing on incentivising help-seeking and reporting behaviours by businesses who have been subject to data breaches is the proper response by Government and legislation.

The problem is, the AIIA states, data breaches can be the result of actors so sophisticated that a breach may well be unavoidable, thus a well-developed privacy and penalty regime ought to be encouraging good behaviour and providing support, instead of being heavy-handed and exclusively punitory.

AIIA CEO Simon Bush said, “All Australians have been concerned with the recent cyber-attacks on major Australian businesses. We rightly have high expectations of organisations who have our data. That is why we want the Government and industry to work together to uplift cyber security and data governance across all sectors. Rather than punishing businesses acting in good faith for being the subject of attacks and breaches, some of which may be beyond their control or instigated by sophisticated actors, we want to see the government work to implement best-practice data security and work with industry to uplift cyber security across the board.

“The Privacy Act review currently underway is the most appropriate vehicle for dealing with powers and penalties needed for privacy protections in a cohesive and coordinated way. As yet, we don’t know whether SMEs will be included in Australia’s privacy regime once the Privacy Act is updated. This is an important decision that will have a significant impact on many organisations.

“Working to build greater capabilities, by upskilling and elevating data practices, is the best way forward for Australia. This starts with growing the skills of Australia’s ICT workforce. Our members tell us regularly that hiring staff skilled in cyber security is one of the most in-demand ICT skills, but this is also one of the leading skills our members tell us they are unable to adequately source in Australia.

The Albanese Government has been responsive to industry recommendations to date, including the AIIA’s call for reconvening the Data and Digital Ministers’ Meeting which met last week, and we hope this will continue," Bush said.

Here is the link:

https://itwire.com/government-tech-news/government-tech-policy/aiia-calls-on-government-to-introduce-safe-harbour-and-reconsider-proposed-penalties-for-data-breaches.html

This release seems to be pre-empting what is happening in Parliament.

Gov gets privacy penalty laws through lower house

By Richard Chirgwin on Nov 9, 2022 11:48AM

As businesses baulk at $50m-plus fines.

A bill that would substantially increase the penalties for serious or repeated data breaches has passed the lower house of parliament, even as industry raised concerns with its contents via a senate inquiry.

The bill will now proceed to the Senate. However, the the Senate inquiry isn't due to report until November 22.

As the government promised when it announced the legislation, the Privacy Legislation Amendment increases the maximum penalties for “serious or repeated privacy breaches” to whichever is the greater of $50 million; three times the value of any benefit obtained through the misuse of information; or 30 percent of a company’s “adjusted turnover” in the relevant period.

As iTnews reported this morning, the penalties have raised concerns from across industry sectors, including from the Australian Banking Association (ABA), the Australian Information Industries Association (AIIA), and Amazon Web Services.

Both the ABA and the AIIA want some kind of safe harbour, so that organisations that meet recognised privacy or security standards can avoid the heaviest penalties.

More here:

https://www.itnews.com.au/news/gov-gets-privacy-penalty-laws-through-lower-house-587568

My take is that all the AIIA says is correct and that more than that the focus should be on helping the victims whose economic loss is likely to be much greater than the fines suggested.

I reckon the losses to Optus and Medibank are likely to be in the billions of dollars which makes any fines really a secondary matter….

All the reporting I have read suggests that even the smallest breach winds up being pretty expensive!

All the plans for legislation need to also be advanced – carefully and thoughtfully – to maximise data protection, data retention regulations and privacy etc.

We are a fair way behind where we need to be and considerable effort is needed.

David.

 

No comments:

Post a Comment