National identity support service IDCARE is critical of the federal government’s increased penalties for privacy breaches, saying they could encourage companies to pay ransoms in an attempt to keep a breach secret.
It made the comments in a submission [pdf] to the federal government’s review of the Privacy Act.
Breach frameworks seem “less about informing and supporting a person to take-action who has been placed in a potentially vulnerable position, but more about a need for ‘tick a box’ reporting to regulators and to protect other interests”, IDCARE said in its submission.
That leaves Australian businesses vulnerable to ongoing ransom attacks, the organisation said.
“In terms of ransomware attacks, Australia is open for business … there is little disincentive for these criminals to keep targeting Australian businesses and government agencies,” the submission said.
Fear of the recently introduced penalties – up to $50 million for a serious privacy breach, one-third of the turnover for an affected company, or three times any financial benefit obtained through data misuse – makes things worse, IDCARE’s submission said.
“This is further exacerbated by the conflicting nature of compliance and notification environment,” it said.
“Pay a million dollars or face a breach that may cost $50 million. Don’t pay and have your customer data exploited in the most abhorrent and public way in an attempt to send a clear signal to future organisations that this will be the consequence if their demands are not met.”
While making the payment of ransoms a specific offence could discourage companies from paying, IDCARE said “there are many complexities to this”, including unnamed insurance companies that encourage the payment of a ransom if that is the cheapest way for a victim company to recover its data.
IDCARE also warned that the government’s proposed amendments to the Privacy Act will have the “perverse outcome” of making privacy compliance “much more litigious”.