Australia flags new corporate penalties for privacy breaches

CANBERRA, Australia (AP) — Australia on Saturday proposed tougher penalties for companies that fail to protect customers’ personal data after two major cybersecurity breaches left millions vulnerable to criminals.

The penalties for serious breaches of the Privacy Act would increase from 2.2 million Australian dollars ($1.4 million) now to AU$50 million ($32 million) under amendments to be introduced to Parliament next week, Attorney-General Mark Dreyfus said.

A company could also be fined the value of 30% of its revenues over a defined period if that amount exceeded AU$50 million ($32 million).

Dreyfus said “big companies could face penalties up to hundreds of millions of dollars” under the new law.

“It is a very, very substantial increase in the penalties,” Dreyfus told reporters.

“It’s designed to make companies think. It’s designed to be a deterrent so that companies will protect the data of Australians,” he added.

Parliament resumes on Tuesday for the first time since mid-September.

Since Parliament last sat, unknown hackers stole personal data from 9.8 million customers of Optus, Australia’s second-largest wireless telecommunications carrier. The theft has left more than one-third of Australia’s population at heightened risk of identity theft and fraud.

Unknown cybercriminals this week demanded ransom from Australia’s largest health insurer, Medibank, after claiming to have stolen 200 gigabytes of customers’ data including medical diagnoses and treatments. Medibank has 3.7 million customers. The company said the hackers had proved they hold the personal records of at least 100.

The thieves have reportedly threatened to make public medical conditions of high-profile Medibank customers.

Dreyfus said both breaches...