Australia Increases Fines for Massive Data Breaches

After suffering two large, and embarrassing, data breaches in recent weeks, the Australian government increased the fine for serious data breaches from $2.2 million to a minimum of $50 million. (That’s $50 million AUD, or $32 million USD.)

This is a welcome change. The problem is one of incentives, and Australia has now increased the incentive for companies to secure the personal data of their users and customers.

EDITED TO ADD (10/15): I got the details wrong. One, this is a proposed increase. Two, the amount of $50 million AUD is only applicable in very few cases.

Posted on October 26, 2022 at 6:13 AM

Comments

JonKnowsNothing October 26, 2022 8:56 AM

@All

Per an MSM report on the Medibank Health Insurer, the data breach appears to be not just exfiltration of data but a ransomware demand for non-disclosure of the information.

What was taken was the complete health records of ALL 3.9 million customers.

The standard echo of “Here’s what you can do to protect yourself now…” clearly is the barn leaving the horse.

There isn’t anything a person can do to protect themselves, because we no longer have any control whatsoever about the data kept about us in every possible digital format, in every repository, by any government.

JonKnowsNothing October 26, 2022 9:16 AM

@All

re: The problem is one of incentives…

Incentives implies the DESIRE to do something additional provided there is COMPENSATION in alignment with the task at hand.

Penalties are applied as PUNISHMENT for non-conforming practices as defined by jurisdiction and social norms and REDUCE COMPENSATION.

Penalties are not Incentives.

  • Incentives would be if companies see better profits and larger market shares if they did Better Security then they would get more money.
  • Penalties are applied because there isn’t any added revenue for doing better. It’s all cash out-of-their-corporate-pockets.

It’s such a small amount of cash in relation to their profits, companies are more than able to pay fines and penalties or to challenge these in courts. They pay large retainers for legal services so they might as well get their money’s worth.

There are many arguments about whether penalties reduce non-compliance. In many studies the answer is not-by-much.

Clive Robinson October 26, 2022 9:59 AM

@ Bruce,

Re : “to a minimum of $50 million”

“This is a welcome change. The problem is one of incentives, and Australia has now increased the incentive”

And a nice little revenue earner and sound bite platform for politicians

And a nice little revenue earner in the short term, but not for the victims but for the Government, and sound bite platform for politicians. Of a Government who are known to be run by a bunch of crooks…

Minimum fines are a “No No”; they are not justice but an opportunity to “strut” and fill the gap left by a diminishing tax base.

Because of that the long term effect will be that the victims will be left more vulnerable. Because data will go abroad, and jobs will go abroad. Any company left in Australia with data concerns will in effect become a shell with losses not assets so the fine becomes irrelevant, and Australia will be the poorer just for a little crooked politician vanity…

Fines are not the way to get “corporate responsibility”; they are tax deductible so not real, and they do not in any way change corporate behaviour.

Mandatory minimum fines will only encourage the likes of the large accounting and law partnerships, who are “limited liability” anyway, to sell schemes to negate the effects of the fines. We know this because we’ve seen similar before in various other Western Nations, the UK and US being just two amongst many.

Like “insurance” has been a failure for victims of such corporate irresponsibility, “minimum fines” are just not going to change short term thinking corporate behaviour.

The only way to start stopping it is to have “people own their own data” and all Directors and their advisors getting lengthy prison sentences, and the only way that is going to happen is when the fiction of,

“Any person “legal” or natural”

Is dropped and one or two other changes such as getting rid of certain tax allowances that “natural persons” do not get but “legal person” corporates do get.

Someone will no doubt point out that the majority of politicians are “bought and paid for” by corporate lobbyists and political funders and the like, with money that comes via those tax advantages “legal person” corporates have… So they will say that politicians/legislators will never pass the legislation…

Which is the point really and why this “Minimum Fine” is going to be a nonsense and do more harm than good.

Aaron October 26, 2022 10:06 AM

Mmm, yes let’s punish the victim; that will teach them a lesson!

Who does the Australian government pay when they have a data breach?

TexasDex October 26, 2022 11:23 AM

“This is a welcome change. The problem is one of incentives, and Australia has now increased the incentive”

…to hide data breaches better.

Frank B. October 26, 2022 12:29 PM

Fines are not incentives to change. When people get fined for speeding they buy a radar detector so they don’t get caught again.

This is government protecting their corporate pals while everyone’s personal information hangs in the balance.

Complete nonsense.

Ted October 26, 2022 3:06 PM

It’s not just Medibank policyholders who are aghast and considering litigation but, believe it or not, investors as well.

I’m sure more will come out about Medibank’s data protection programs, but for this incident it’s being reported that login credentials were stolen from a web browser and then sold online to the party that performed the exfiltration.

https://www.brisbanetimes.com.au/business/companies/medibank-customer-details-confirmed-in-hack-20221025-p5bsle.html

@ResearcherZero included a news link in his Squid post that contained a broken-english message from the group.

https://www.schneier.com/blog/archives/2022/10/friday-squid-blogging-the-reproductive-habits-of-giant-squid.html/#comment-411536

“We offer to start negotiations in another case we will start realizing our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc) Also we’ve found people with very interesting diagnoses. And we’ll email them their information.”

The potential that people could be targeted based on this info is a very real concern. Events like these definitely have the power to reshape the data protection landscape.

JonKnowsNothing October 26, 2022 4:23 PM

@ Sofakinbd

re: % of global gross earnings seems like a better metric

iirc(badly)

Some country, maybe the EU, did have that type of law and one of the Big Tech Dogs got clobbered. The massive fine lasted about as long as a mini ice cube in 115F. It looked good on paper but when the time to collect the funds happened, along with the threat of No More Big Tech Dogs, the fine became minuscule.

It wasn’t the USA.

lurker October 26, 2022 6:01 PM

@Bruce, “The problem is one of incentives …”

How is this an incentive, and to whom? Insurance Cos. have incentives in the form of no-claims bonus. Yes, yes, you pay for it in premiums; and many insurance cos. will fine you (increase premiums) if you get burgled | burned down | &c. But not Govt mandated penalties. Anyhow we’ve always claimed they do things strangely across the ditch.

Anonymous October 26, 2022 10:56 PM

% of global gross earnings seems like a better metric to me.

The proposed legislation would see the fine for “serious or repeated privacy breaches” increased to either $50 million, three times the value of the benefit obtained through misuse of data, or 30 per cent of a company’s adjusted turnover in the relevant period.

The fine would be whichever value is the highest.

ResearcherZero October 27, 2022 2:59 AM

@Ted

Even with a $50M incentive I’m skeptical things will change.

Australia was a penal colony, and because of its remoteness and distance between communities, oversight and background checks were difficult. The culture has changed little, and ad hoc solutions are common.

There is even a weird little timezone that seems to operate informally, like those in remote corners of Nepal.
https://www.howderfamily.com/blog/australias-weird-little-time-zone/

Occasionally people venture into these places, but not everyone returns the same. We sent a computer technician in there once, attached to a long cable. The cable layers survived, but we never got the technician back.

It’s a bleak world inside some of those places. Only the odd groan or howl can be heard above the constant hum of fans and typing. Dirt floors, gravel, wooden benches with the legs set into the ground. The only lighting that pierces the dust and gloom comes from a few louvers just below the ceiling, or the faint glow of monitors which illuminate the tormented faces of the damned.

Clive Robinson October 27, 2022 4:30 AM

@ ResearcherZero, ALL,

Re : Odd little timezones

Actually they are more common than you think.

Time zones as we have come to think of them are actually so recent it’s unsurprising people, especially in more isolated communities, will want to stick with the old notion of local sun time, which at least makes sense to their senses[1].

Time zones as we have now had forced upon us, came in with the age of steam when it was possible to travel fast enough and long enough east or west for a pocket watch to be easily five or more minutes out of sync with your destination… Making time tables near impossible for the average person to understand let alone use.

So the railway companies published their time tables with reference to some fixed point (the clock outside Charing Cross station being one) and people that worked with and around the railways thus pushed the issue out into the community. Especially as the “telegraph” later brought time at a speed that was to most instant.

But even today in England’s less distant points there are tiny enclaves that by tradition still follow local sun time, which can not only be out by an average amount over the year, but also varies up to about 15 mins within the year as the seasons change.

When you think about it sun dials are quite accurate for local sun time, but hopeless for any time zone. Likewise mechanical clocks can be quite accurate for timezone time, but hopeless for any local sun time. Which is problematic for “navigation” at sea etc. People have over the centuries if not millennia made mechanical devices that can convert one time to the other[3]. But even now with modern computers mostly we use quite granular lookup tables with linear interpolation, which can and does cause problems in modern computer networks and communications systems (something the legal profession is still trying to ignore or abuse where it can)…

[1] For reasons I won’t go into, for a while last year I followed time on a different planet in the solar system, as well as allowing for angular displacements with regards orbits; it gets quite odd and you need to program a computer to do the differences using Fourier transforms. Something we are going to have to think about as we move out into the Solar system[2]. We talk about “Universal Time Coordinated”(UTC) but it’s not “universal” in any way.

[2] If you think about it, people work best in “teams” and even when hundreds if not thousands of miles apart try to have commonality of time. But now consider different planetary bodies. If you have say a “ground team” on UTC based in the US, which would be weird enough for most, but about as odd as funny hour shift work, how would they “team work” with people on say Mars? Who would like as not adopt not just the local Martian day length, but local solar time to their location as well…

[3] Have a look at “orrery” mechanics to see the gearing, but they are fairly hopeless other than as curiosities. But also have a look at the “Antikythera mechanism” as we learn more about its internals. It is an orrery of actual usability as far as we can tell, and has since been called “the oldest known analog computer”. Which actually gives a visual clue as to why modern astro information uses “harmonic analysis” to predict the positions of the planets with Fourier Analysis. Which if you’ve ever written an Astro-Nav program of any long-term use, you will have had to get to grips with.
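The comment above says a sundial reads local sun time while a clock reads zone time, and that the gap between them drifts by up to about a quarter of an hour over the year. The added example below (mine, not part of the comment thread) makes that concrete with a small three-harmonic approximation of the "equation of time", in the spirit of the harmonic analysis the comment mentions rather than a lookup table. The coefficients are a standard textbook fit; the function names and the sample locations (Greenwich, and Sydney on the AEST meridian) are my own choices.

```python
import math

# Added example, not from the original comment. A three-term harmonic
# (Fourier-style) approximation of the equation of time: the difference,
# in minutes, between apparent solar time (what a sundial shows) and mean
# time on the zone meridian (what a clock shows). Positive means the sun
# is "ahead" of the clock. Textbook coefficients, good to well under a minute.
def equation_of_time_minutes(day_of_year: int) -> float:
    b = math.radians(360.0 / 365.0 * (day_of_year - 81))
    return 9.87 * math.sin(2 * b) - 7.53 * math.cos(b) - 1.5 * math.sin(b)


def local_solar_time_hours(zone_time_hours: float, longitude_deg: float,
                           zone_meridian_deg: float, day_of_year: int) -> float:
    """Convert clock (zone) time to apparent local solar time in hours.

    Longitudes are east-positive. Every degree of longitude away from the
    zone's reference meridian shifts solar noon by four minutes.
    """
    longitude_correction_min = 4.0 * (longitude_deg - zone_meridian_deg)
    total_min = longitude_correction_min + equation_of_time_minutes(day_of_year)
    return (zone_time_hours + total_min / 60.0) % 24.0


def annual_extremes():
    """Day-of-year and value of the most negative and most positive offsets."""
    values = [(d, equation_of_time_minutes(d)) for d in range(1, 366)]
    dmin, vmin = min(values, key=lambda t: t[1])
    dmax, vmax = max(values, key=lambda t: t[1])
    return dmin, vmin, dmax, vmax


def fmt_hours(h: float) -> str:
    minutes = int(round(h * 60))
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


if __name__ == "__main__":
    dmin, vmin, dmax, vmax = annual_extremes()
    print(f"sundial slowest: day {dmin} ({vmin:+.1f} min), "
          f"fastest: day {dmax} ({vmax:+.1f} min), spread {vmax - vmin:.1f} min")
    # Greenwich (0 deg E) on GMT (meridian 0): clock noon on 3 November (day 307)
    print("Greenwich, 3 Nov, clock 12:00 -> solar",
          fmt_hours(local_solar_time_hours(12.0, 0.0, 0.0, 307)))
    # Sydney (151.2 deg E) on AEST (meridian 150 deg E), same clock time
    print("Sydney,    3 Nov, clock 12:00 -> solar",
          fmt_hours(local_solar_time_hours(12.0, 151.2, 150.0, 307)))
```

Running it shows the sundial about sixteen minutes fast in early November and about fourteen minutes slow in mid February, a swing of roughly half an hour across the year, which is why a clock and a sundial in the same town only agree on four days a year.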

Boris October 27, 2022 8:01 AM

Higher fines like this may just encourage extortion attempts: “Pay us the ransom and we won’t tell anyone. The alternative is a $50M fine…”

Mara October 27, 2022 12:02 PM

Australia has now increased the incentive for companies to secure the personal data of their users and customers.

It should also be considered an incentive to not collect data unnecessarily, which in many ways is a better result. It’s much easier than securing data, for one thing.

Clive Robinson October 27, 2022 2:25 PM

@ Mara, ALL,

Re : Collecting less data.

“It should also be considered an incentive to not collect data unnecessarily, which in many ways is a better result.”

Unfortunately despite several years of that being said, the “data collection industry” is going the other way, towards not just “Collect it all” but “extort for more data” in various ways.

Not least being the US Medical and insurance industries that demand data they are not entitled to for you to be able to get their services. Which in turn means if you try to withhold the data your employment will be terminated…

The simple fact is there is some kind of “cult thinking” that collecting any and all data, will bring extra profit… So they view not doing so as “Leaving money on the floor”…

The fact that many organisations spend more money on collecting personal data and storing it than they make on selling it, and thus actually lose money doing so, does not appear to get through to them.

It’s the same as the myth of “Internet Connectivity”: employees’ computers get “connected” not “isolated” for some myth. The simple fact is most companies would be much more secure and would spend less if the employees were isolated from external communications, especially the Internet.

Then there is the myth of “Bring Your Own Devices”(BYOD); again it does not bring increased profit, only increased risk to the likes of data losses and ransomware etc.

But there are two whole markets predicated on these myths. Those selling the “data connectivity” in its many forms, and those selling mostly pointless “Internet Security”.

I realise that most of this blog’s readers either work in one of those two markets or consume their goods and services… But it does not change the fact that it’s nearly all “sunk costs” with little or no “return on investment” for all but certain parts of what are traditional markets that have simply moved across. And in the process paid for it by making their customers unemployed, thus not able to buy their products…

At the bottom all economies are based on “consumers buying goods and services”. If you limit or stop people being “consumers” by “out-sourcing” their jobs or terminating their jobs etc, then, as people can see around them currently, things start to go wrong; they head into a downwards spiral and the only way the people at the top can look good is by doing more and more of the same. Eventually you get to the point where you can not produce the goods or services, or find customers who can afford them at the prices that will keep an employer in business…

I can explain what happens next, but it really does not matter for the majority, who effectively cease to exist in any meaningful way and die at younger and younger ages because of poor living standards, health and nutrition. Again things those living in the US can see around them quite starkly if they choose to look.

FA October 27, 2022 4:45 PM

… Who would like as not adopt not just the local Martian day length, but local solar time to their location as well

Unlikely. They would have to live within an artificial environment providing something close to an earth atmosphere, temperature, etc. They would just adopt and sync to some time zone on earth. It’s nothing new. Think about time on the ISS (UTC, probably a compromise between Houston and Moscow), or on a nuclear sub that stays submerged for months.

Clive Robinson October 27, 2022 5:46 PM

@ FA,

Re : Time Zones

“Think about time on the ISS (UTC, probably a compromise between Houston and Moscow), or on a nuclear sub that stays submerged for months.”

In both cases they are in the Earth center mass domain thus syncing to Earth orbit is not to do with environment factors. Secondly the ISS day if you can call it that is around 90mins. As for nuke subs where the personnel stay out of range of the Sun, it’s sensible to use UTC or similar for security reasons as it plugs a security hole to do with knowing where the sub actually is at any time.

If you are on Mars or another major planetary body not linked to Earth’s orbit, then for various reasons relating to the length of the day, the personnel using local sun time makes a lot of sense. Whereas trying to remain synced to the earth day length does not, as it will be in constant flux in a quite complex way. It would actually make more sense to sync the Earth bound team to the distant planetary body’s local solar day.

There are published papers on this from NASA personnel explaining why, if you want to go and look them up.

It’s not unrelated to the “blue LED” issue of Smart Device screens that mess with the human circadian rhythm, causing not just insomnia, but cognitive deficit, slow reactions, inefficient physical and other bodily functions to name but a few. A synopsis of the latest thinking can be found at,

https://www.sleepfoundation.org/circadian-rhythm

Trying to follow “Earth time on Mars” would be the equivalent of suffering from near continuous jet/shift lag, both of which are known to cause a higher incidence of suicide and risky behaviours and higher prevalence of fatality due to accidents, and could account for as much as a ten year reduction in life expectancy. Which in professionals has a significant detrimental effect on society due to “lost opportunity cost” of early loss of “high value experience and knowledge”.

Some believe that the use of Smart Devices in the evening could easily slow professional development of a society such that forward progress would be down by more than 3/10ths, so science and technology would take 40% longer to reach a given point. Which would be totally devastating to any economy, let alone competitive first world ones.

MarkH October 27, 2022 9:40 PM

Like so many things, time measurement looks simple at first and grows more baffling the deeper one looks into it.

I just learned that many physical constants are, in a sense, (slightly) wrong, because their measurements are distorted by gravity-based time dilation slowing clocks in human-accessible laboratories.

A more universal basis for physical constants would probably be referred to time as it would be measured in average voids between galaxies.

Some astronomical calculations correct for this.

@ResearcherZero:

“we never got the technician back” — Fell for a local beauty, or eaten by a dingo?

Unknown October 28, 2022 1:45 AM

The fine can also be considered a deterrent. Most people’s behaviors are shaped by presence or absence of deterrents or incentives.

It’s the same with employees; there are incentives and deterrents to encourage or discourage certain behaviors. Most employees heed the deterrents and thereby stay out of trouble. Society and organizations cannot function successfully when there are no adverse consequences to costly and negative behaviors. That’s why we got criminal laws and codes of conduct to shape behaviors in desired ways.

Sydney November 4, 2022 4:48 AM

Some have considered the two data breaches of Optus and Medibank as false flags. Intended to create support for a universal digital ID that is, oh so much safer. Articles are appearing, discussing how Estonia created such a system and how safe and effective it has been. We have Anders to thank on this blog for regular sitreps from Estonia about the dire affairs concerning said ID. Oh and it’s also well known: the guts, backbone, moral fibre, high level of education and worldly intelligence, integrity, honesty, sovereign independence, and legal and pure extracurricular lifestyle and habits of Australia’s leader and in fact every single representative employed in that house on the hill. We all love them for it.

pd November 9, 2022 5:44 PM

Now we await the first hack to target the gov.au systems. Not so long ago I used a browser extension tool (since killed by WebExtensions) to check the quality of the my.gov.au – Australia’s social security gateway that requires those unable to “fight the power” due to life difficulties to divulge anything and everything about themselves for the purposes of means testing – HTTPS implementation. It was poor. Received a lowly less than 5/10 score. By comparison, the CommBank site at the time scored 7 ish and the only reason it was not higher was the lack of an EV certificate.

If the gov is hacked, the politicians are probably protected from paying that fine and instead, some poor civil servant who may have been begging for more resources to protect citizen’s “toxic asset” data, may carry the can.

Chris November 15, 2022 3:39 PM

There’s still NO incentive to use technology that protects customers or users though (e.g. nothing to prevent phishing, malware, MitM attacks, scams, fake phone calls and SMS, etc etc) and section 5.3 of the corporations act still makes it illegal for any business to act in any way other than in the best interests of itself (making it technically illegal for any company to spend money protecting end users…)

It absolutely is a problem of incentives – and curbing the $42 billion dollars Australians lose every year to cybercrime has worse than no incentives at all (only section 5.3 negative incentives!)

It’s worth noting that the ACSC ceased its long-standing headline and practice of reporting annual losses this week – unlike last year ($33bn lost) they now only print a selection of minor statistics (e.g. $98M from business email compromise) and if you call up and ask for more details, they refuse to release it: https://www.righttoknow.org.au/request/details_of_fy2122_cybercrime_rep

It’s also worth noting that no fines and no breach reporting rules exist for Government, which accounts for a whopping 63% of all Australian cyber intrusions (according to government reports, assuming those can be believed – the number is probably higher). There’s also no mechanism to discipline or remove public servants who refuse to implement cyber security rules, and there has NEVER been a cyber audit in Australia of any government system that has found full compliance with the rules. (and yes, there’ve been a LOT of audits).
