Beware of $50 million cyber-hacking fines: Lawyer warns officers
Realtors and real estate agencies that fail to protect consumer data from scammers could face maximum penalties of more than $50 million under new regulations expected to be imposed at the federal level.
The new sanctions, announced by the Albanese government, are in response to recent hacks of companies like Optus and Medibank.
According to Nicole Murdoch, a Brisbane-based technology lawyer at EAGLEGATE Lawyers, the new maximum penalties – contained in the Privacy Act – are “necessary to replace the old, woefully insufficient penalties for data breaches”.
While maximum fines previously stood at $2.2 million, the new maximum penalties for ‘serious or repeated invasion of privacy’ are $50 million, or three times the value of the benefit obtained through the misuse of data, or 30% of a company’s adjusted revenue in the relevant period.
According to Ms Murdoch, the fine imposed would correspond to the higher value.
From her point of view, “following the Optus hack and other data system hacks reported since then, it is crucial that there is sufficient motivation to induce companies to strengthen their cybersecurity systems”.
The changes will bring Australia more into line with EU law, under which companies held liable for high-level data breaches face penalties of up to €20 million, or 4% of a business’s annual turnover, whichever is greater.
Rhys Fuller, a paralegal at EAGLEGATE, also reported that small businesses will be just as liable under the new penalties as larger businesses, since the new penalties apply “to any business that has data about its customers.”
“Thus, real estate companies, rental agencies, even law firms, any company that is entrusted with personal data and customer information will be liable if they fail to ensure adequate security of this data,” he pointed out.
While the range of companies affected by the tough new data breach penalties may shock some, Fuller said they make sense.
“It’s about driving home the need to strengthen and prioritize security and cybersecurity measures,” he said.
“A company that ultimately breaches its obligation to protect customer or consumer data and sensitive information, intentionally or unintentionally, should be held accountable.”
The proposed changes relate to serious or ongoing privacy breaches, but Fuller warned that the penalties could be significant enough to bankrupt small and medium-sized businesses, especially since “what constitutes a serious breach of privacy will depend on the interpretation of the court”.
“A repeated breach of privacy or data, however, could show that a company does not take its cybersecurity measures seriously, whether through the use of outdated technologies and measures, or the fact that the company does not take reasonable measures to ensure the protection of its data,” he concluded.