Australia’s privacy commissioner has defended a failure to penalise any organisation for any of the 1,748 data breaches reported over the past two years as a decision based on “regulatory strategy”.
In an exchange with Greens Senator David Shoebridge during Senate estimates on Monday night, Australia’s information and privacy commissioner, Angelene Falk, revealed that the Office of the Australian Information Commissioner (OAIC) had received 1,748 reports of notifiable data breaches over the past two financial years.
She said a third of them were caused by human error as well as a “large proportion” by hackers.
“We’ve seen an increase in cyber intrusion and hence the major investigations that are ongoing now and the specific funding that we’ve received in order to advance those,” she said.
There would be an outcome from OAIC’s major investigations into data breaches at Optus, Medibank, Australian Clinical Labs Limited and Latitude group “shortly”, she said.
An incredulous Shoebridge asked what had “gone wrong” that her office had not sought a single penalty over the past two years.
Falk said the OAIC’s “regulatory strategy” had encouraged the resolution of investigations by means other than penalties. She said the purpose of the notifiable data breaches scheme was to ensure that Australians were told when their data was affected by a breach so that they could take steps to mitigate their risk — a result that she said had been “achieved”.
“It’s about ensuring that we’re using the right tool in the right circumstances,” she said.
Organisations are required under the Privacy Act to notify individuals and the OAIC about eligible data breaches, and they can be fined for “serious or repeated privacy breaches”. After a series of high-profile breaches last year, the Albanese government passed a bill that increased the size of the fines as well as giving new reporting powers to the information commissioner.
But even with the beefed-up penalty powers, the OAIC has lobbied for penalty powers for breaches that don’t meet the “serious or repeated” threshold. In a submission to a discussion paper for the Privacy Act review, the OAIC called for lower tiers of fines to give the office “more options so they can better target regulatory responses”.
Shoebridge responded to Falk’s explanation by linking the lack of penalties to the OAIC’s performance in its other functions: “Every part of the office, whether it’s FOIs [freedom of information] or prosecution for data breaches or investigation for privacy complaints, every part of your office is mired in endless delays, isn’t it?”
Falk replied: “No, that’s not the case, senator. But we have a very, very, broad remit across the economy and a very high workload.”
Despite the escalating data breaches & increased expertise of hackers our banks are winding back cash to send us online for all transactions.
It’s time for push-back from the public as our funds are at mounting risk.
Crikey editors, how about pursuing the banks’ demise of cash as an issue of public importance…
the only thing corporations understand is money – they must be fined – really fined, so it hurts
Can’t disagree with that except that fines would be a tax write-off “expense of doing business”.
How about custodial sentences – sure to wake up the most complacent uberprivileged A-hole?
Go hard, go heavy!
“Tell us were dreamin'”
Fines are generally not tax-deductible.
Even then the fines must be massive to be more than an operating expense.
Mandatory gaol time for executives would focus their attention acutely, I suspect.
Hmm. Wouldn’t happen in Europe. GDPR has teeth, and these companies would all have been fined a motza. A big enough sum that shareholders would have the executives and the boards overseeing them turfed out. About time we went down this path. Nothing focusses the mind of a high level executive more than the thought of being rendered unemployed and unemployable and then having to either queue up with the hoi polloi at CentreLink, or gain preselection for a safe Liberal seat.
Exactly, while locally and presumably with lobbying, we try to reinvent the wheel rather than, e.g., even the UK simply adopted EU GDPR ‘oven ready’ to deal with breaches, responsibilities, punishments, sanctions etc.
Many, especially the right, assume they can have their own suboptimal native version but at their peril i.e. the EU ‘Brussels Effect’ that demands 2nd, 3rd etc. links in supply chains leading ultimately to the EU, must comply with EU regulation; hence Brexit, Putin, Orban, Trump, Koch think tanks, RW MSM etc. dog whistle the EU and wish to avoid regulations and compliance.
Our corporate regulatory bodies must go through a lot of lettuces – all those warm leaves they flog offenders with.
“Department Store Dummies ‘R Us”