Increasing the financial penalty for companies subject to significant data breaches may encourage companies to keep these cyber attacks secret, according to identity and cyber support firm IDCare.

In a submission to the federal government’s response to the Privacy Act review final report, IDCare warned of the dangers of paying ransoms to cyber attackers, and how ramping up penalties for breached companies can have negative unintended consequences.

The federal government substantially increased penalties for serious or repeated interference with the privacy of an individual late last year, raising the maximum fine from $2.2 million to the greater of $50 million, three times the value of the benefits obtained or attributable to the breach, or 30 per cent of the company’s adjusted turnover during the breach turnover period.

The fine for an individual was also increased from $444,000 to $2.5 million.

These new penalties were passed by Parliament late last year.

This could lead to “perverse outcomes”, IDCare told the federal government, unless disincentives for paying ransoms to ransomware attackers are also put in place.

“In the absence of regulatory intervention that prohibits or provides disincentives for a ransom payment, or at least places extreme limitations on when it may be contemplated, it is unlikely ransomware groups targeting our organisations will curtail their activities,” the IDCare submission said.

“Legislative changes to increase Privacy Act penalties may actually have a perverse result, such as reducing future reporting of such attacks, because of the conflicted environments many confront.”

IDCare regularly works with organisations following cyber attacks, and has partnered with the likes of the Department of Home Affairs, the Commonwealth Bank and Australia Post.

According to IDCare, some companies are receiving legal advice to pay ransoms to the attackers who have stolen their data so that they can avoid reporting the incident to regulators.

“Some law firms over the years have advised payment as a means to lean on the remediation exemption – that is, the criminal has said they have destroyed all copies and haven’t shared, therefore the breach is contained and there is no serious risk of harm,” the company said.

“The reality is that data remains accessible even today. It is foolish to believe the payment of a ransom leads to the data being deleted and not shared. To lean on this as an exemption to notify is a legal furphy.”

IDCare has seen an uptick in vendors offering data aggregation services on the dark web. This involves data from breaches being offered for sale as “mega breaches person packages”.

“This counters the argument that paying a ransom actually lessens the risk of sharing and subsequent exploitation,” the submission said.

“An absence of this direct issue being addressed in the Privacy Act review is a significant shortfall in the reform agenda. It may in fact be a symptom of bureaucratic organisation, where cyber, privacy and corporate regulation diverge into Ministerial responsibilities, but it is a key gap.”

The final report from the wide-ranging and long-running review of the Privacy Act included recommendations for a right to sue over privacy breaches, a right to have one’s data erased, and a right for individuals to opt out of targeted marketing.

Submissions on the government’s response to this final report were due by the end of March.