Australia to introduce tougher penalties for data breaches


The Australian government will introduce legislation next week to significantly increase penalties for privacy violations after the major attack on mobile operator Optus.

The legislation will increase the maximum penalty for serious or repeated breaches of privacy to whichever is greater: A$50 million ($32 million), three times the value of any benefit obtained through the misuse of the information, or 30% of a company’s adjusted turnover in the relevant period. The current maximum penalty is A$2.22 million.

Australia needs better laws to regulate how companies handle the vast amounts of data they collect and stronger penalties to incentivize good behavior, Attorney General Mark Dreyfus said in a statement on Saturday.

“Unfortunately, significant privacy breaches in recent weeks have shown existing security measures to be inadequate,” Dreyfus said. “It is not enough that a penalty for a major data breach is considered the cost of doing business.”

The bill will also give Australia’s Information Commissioner greater powers to resolve privacy breaches.

Optus, an Australian subsidiary of Singapore Telecommunications Ltd., revealed last month that a major security breach had exposed details of 9.8 million current and former customers in one of the country’s largest-ever hacks. More than 2 million people had identity document numbers compromised, raising concerns about large-scale financial fraud.

The hack threatens to become a crisis for Optus and its Singapore parent. The company is already paying for replacement driver’s licenses and passports, and the total costs, including bills and fines, could run into the hundreds of millions of dollars, according to some estimates.

SingTel said this month that a second Australian company, Dialog, was also hacked. The data of fewer than 20 customers and 1,000 current and former employees may have been accessed in the hack.

Earlier this month, Australian phone company Telstra Corp. called for a review of laws governing data retention after scams targeting customers hit new highs.

