• / Blog
  • / Increased SME penalties for data breaches

Increased SME penalties for data breaches

  • Adroit Insurance and Risk
  • May 23, 2023

Recent data breaches fuel new penalties

The recent, high-profile, Optus and Medibank, data breaches have resulted in changes to the Privacy Act 1988, including substantially larger penalties for companies and individuals. These changes also bring Australia’s privacy legislation into closer alignment with the European GDPR Privacy laws (General Data Protection Regulation).

Penalties for major breaches of the Privacy Act

Serious or repeated non-compliance with the Privacy Act, existing penalties have increased for individuals from $444,000 to $2.5 million per breach.

For companies, the greater of the following three penalties can now apply:

Up to $50 million (increased from $2.2 million) per breach;
3x the value of any benefit the business gains; and
30% of the business’s adjusted Australian revenue, during the period of non-compliance.

New powers for the OAIC

In addition, the powers of the OAIC (Office of the Australian Information Commissioner), have been widened to:

The right to conduct an assessment of an organisation’s compliance with the Notable Data Breaches Scheme under the Privacy Act;
The right to require information regarding an actual or suspected data breach;
The right to share information with other enforcement agencies and the public;
The right to make public any finding following an investigation; and
The right to issue infringement notices for failure to provide requested information.

How to protect your business from breaching the Privacy Act

SMEs with an annual turnover above $3 million must comply with thie Privay Act. However, some businesses with less than $3 Million turnover must comply, if they are in the medical or health sectors or deal in personal information.

Cyber risk management is your first line of defence against successful data breaches. These include only collecting and holding essential customer information and do so for no longer than necessary. It’s also important that cyber security policies are updated across your organisation and that all employees have ongoing training..

Cyber Insurance is also a great way to protect your company from the financial cost of any breach or investigation. . This insurance is specifically designed to help your business recover from a data breach by, for example, covering the costs of data recovery and restoration, legal defence, cyber extortion and crisis management.

Does your business have cyber insurance?

Contact us today


TITLE: Increased SME penalties for data breaches

The Optus and Medibank data breaches have galvanised both the public and the government. The result is a set of amendments to the Privacy Act that brings us into line with the European GDPR and major increases in fines for non-compliance and greater powers for the OAIC to investigate and deal with breaches.

Leave a Reply

Your email address will not be published. Required fields are marked *