AIIA urges rethink on proposed data breach penalty increases

The Australian Information Industry Association (AIIA) says the federal government should take a positive, collaborative approach to the complex issue of data and cybersecurity, cautioning against the adoption of a heavy-handed or exclusively punitive response to recent high-profile data breaches.

The AIIA position is based on its submission made to the Senate’s Legal and Constitutional Affairs Committee, which is considering the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.

In its submission, the AIIA questioned both the arbitrary nature as well as the quantum of increase in penalties, which could have unintended consequences, and called on the government to introduce a safe harbour provision in privacy legislation. A safe harbour from penalties for businesses that can demonstrate good faith and due diligence in reporting, including by implementing best-practice cybersecurity frameworks, would ensure that the system encourages transparency and willingness to both resolve major data breaches and seek assistance in doing so. A focus on incentivising help-seeking and reporting behaviours by businesses subject to data breaches should be the focus of government and any legislation, the AIIA said.

Data breaches can be the result of sophisticated actors, meaning a breach may be all but unavoidable, so a well-developed privacy and penalty regime needs to encourage good behaviour and provide support. Penalties have their place but there should be clarity as to when these would apply, the AIIA said.

In 2019, the ACCC recommended in its Digital Platforms Inquiry Final Report that privacy penalties mirror the maximum penalties available under the Australian Consumer Law (ACL), a recommendation the government has referenced in explaining the quantum of increase under the Privacy Legislation Amendment. However, at the time that report was released, those maximum penalties under the ACL were $10 million and 10% of turnover — significantly below the $50 million and 30% of turnover to which the government has recently sought to increase penalties.

“All Australians have been concerned with the recent cyber attacks on major Australian businesses. We rightly have high expectations of organisations who have our data. That is why we want the government and industry to work together to uplift cybersecurity and data governance across all sectors. Rather than punishing businesses acting in good faith for being the subject of attacks and breaches, some of which may be beyond their control or instigated by sophisticated actors, we want to see the government work to implement best-practice data security and work with industry to uplift cybersecurity across the board,” said AIIA CEO Simon Bush.

“The Privacy Act review currently underway is the most appropriate vehicle for dealing with powers and penalties needed for privacy protections in a cohesive and coordinated way. As yet, we don’t know whether SMEs will be included in Australia’s privacy regime once the Privacy Act is updated. This is an important decision that will have a significant impact on many organisations.

“Working to build greater capabilities, by upskilling and elevating data practices, is the best way forward for Australia. This starts with growing the skills of Australia’s ICT workforce. Our members tell us regularly that hiring staff skilled in cybersecurity is one of the most in-demand ICT skills, but this is also one of the leading skills our members tell us they are unable to adequately source in Australia. The Albanese government has been responsive to industry recommendations to date, including the AIIA’s call for reconvening the Data and Digital Ministers’ Meeting ... and we hope this will continue,” Bush said.

At the recent Data and Digital Ministers’ Meeting (DDMM), a resolution was passed to develop a National Strategy for Identity Resilience whereby jurisdictions work together to protect Australians from identity-related theft.

“The items on the agenda of the first meeting since the DDMM reconvened — including digital inclusion and data sharing — are evidence of its importance. Proactive, strategic and nationally coordinated work on digital identity and data security will serve the mission to better securing the personal information of Australian citizens. The nation will benefit from this kind of collaboration and strategic thinking on identity and data,” Bush said.

Image credit: iStock.com/JuSun