
Rule change will lead to more cyber attacks, experts warn


Laws increasing penalties for companies that suffer data breaches are too severe and could inadvertently lead to more ransomware attacks, say experts. 

Australia’s national identity support service IDCARE has made a submission to the federal government’s review of the Privacy Act, criticising increased financial penalties for companies as being counterproductive to the aim of reducing scams and data breaches. 

Under the new laws, organisations that experience “serious” or “repeated” privacy breaches can now be fined up to $50 million; or 30 per cent of adjusted annual turnover; or three times the value of any financial benefit obtained through the misuse of data. 

That is a massive increase on the previous maximum penalty of $2.2 million per breach. 

While the increase may be intended to signal to consumers that the government is taking cyberthreats seriously, IDCARE says the severity of the penalties actually risks exacerbating the problem.

The group warns that the new penalties may deter businesses from reporting data breaches, as it may be cheaper to pay the cybercriminal and hope the breach isn’t exposed.

“There is little disincentive for these criminals to keep targeting Australian businesses and government agencies,” the submission reads. 

“This is further exacerbated by the conflicting nature of compliance and notification environment. 

“Pay a million dollars or face a breach that may cost $50 million. Don’t pay and have your customer data exploited in the most abhorrent and public way in an attempt to send a clear signal to future organisations that this will be the consequence if their demands are not met.” 

A simple solution to that problem would be making ransom payments to cybercriminals illegal, but IDCARE says that introduces its own set of problems, including conflict with insurance companies that openly promote the payment of ransoms. 

The group says any changes to the Privacy Act should be made after consultation with representatives from business, industry and services such as IDCARE – and not solely based on government opinion.  

“Governments and businesses acting unilaterally without this collective view is very risky,” the IDCARE submission says. 

“What we are witnessing transpire in terms of serious harms presenting from the actual remediation measures taken by these organisations are a case in point. 

“IDCARE’s work is deliberately independent of government. We are free to provide the advice we see as critical to the impacted person. This advice is free from what a commercial entity or government agency believes is in their specific interests.” 

