by SYDNEY, April 5 (Reuters) – An Australian government-backed service for victims of identity theft has slammed a plan to toughen privacy laws amid an explosion in online data theft, saying this would incentivize compromised companies to pay a ransom and invite more hacking.
IDCare, a nonprofit that helps victims of internet crime, said that by making it easier for regulators to fine companies for poor data security and not criminalizing ransom payments, the australia could inadvertently fuel a wave of cybercrime.
The message came in an unpublished submission, reviewed by Reuters, to the Attorney General who is working to update privacy law for the internet age, just as the country is experiencing a spike in large-scale data theft which the government says has affected almost every family.
“An important reason why Australian governments and businesses are increasingly targeted by ransomware attacks…is because we pay,” IDCare said in the submission.
IDCare’s opinions will matter a lot in a government review of privacy laws that should make it easier to fine or prosecute companies that don’t protect customer data, as it has become one of the groups of Canberra reference to help victims of cybercrime.
Canberra raised the maximum fine to A$50 million ($34 million) from A$2.2 million for companies that failed to stop data theft after the first major attack in October, when some 10 million customer accounts at number 2 telecom company Optus, owned by Singapore Telecommunications (STEL.SI), got tricked.
The government is now considering making it easier to apply this fine and to simplify prosecutions for the theft of personal information.
IDCare said that by raising the threat of massive fines, Australia would force companies to choose between paying A$1 million, the typical cost of a ransom demand, or notifying authorities and risking a fine of up to AUD 50 million.
“In terms of ransomware attacks, Australia is open for business,” he said.
IDCare noted that Australia was the fifth most targeted country by data thieves in January 2023, far worse than other countries relative to its economy and population.
Without rules that prohibit or discourage ransom payments, he said “ransomware groups targeting our organizations are unlikely to curtail their activities.”
A spokesman for Attorney General Mark Dreyfus said the government had moved quickly to increase penalties following large-scale data breaches and would consider 116 proposals as part of a review of the Data Protection Act. protection of privacy before deciding on other measures.
The Australian Information Commissioner’s Office said its approach to seeking sanctions or setting new rules would be “pragmatic, evidence-based and proportionate”.
PEAK DEMAND
Since Australia made it mandatory for businesses to report data breaches in 2018, IDCare’s submission said community demand for its services has skyrocketed.
Less than a month after the Optus hack, leading health insurer Medibank Private Ltd (MPL.AX) revealed that millions of its accounts had been compromised, with potentially sensitive medical information stolen from hundreds of thousands of people .
Then last month, a consumer finance provider, Latitude Financial Group Holdings Ltd (LFS.AX), said hackers stole data from some 14 million customer accounts over nearly 20 years.
In each case, authorities directed affected customers to IDCare, which helps victims close exposed accounts, notify affected service providers, and prevent losses.
To stem a rise in calls, IDCare is now setting up “major incident” websites for those affected by breaches, its chief commercial officer Mark Rowley told Reuters.
It also plans to open a new support center in Sydney by mid-2023, adding to centers in Brisbane, Perth and New Zealand, and increase staff from 40 to 60.
“There is no doubt that since last October the wave of ongoing data incidents has continued, if not intensified, so there is a real need to accelerate plans,” Rowley said.
“I don’t think this year any of us have planned events of this magnitude in Australia.”
($1 = 1.4806 Australian dollars)
Reporting by Byron Kaye; Editing by Praveen Menon and Sonali Paul
Our standards: The Thomson Reuters Trust Principles.
