Australian Privacy Act (APA)
Predominantly focused on the protection of financial information and reporting, the initial act is put into practice.
A series of stunning data breaches in 2022 has prompted lawmakers to begin making changes to the 1988 Australian Privacy Act in the form of the new Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
Minister of Cybersecurity Clare O'Neil said, “This is the new world that we live in. We are going to be under relentless cyber-attack, essentially from here on in. And what it means is that we need to do a lot better as a country to make sure that we are doing everything we can within organizations to protect customer data.”
“We are going to be under relentless cyber-attack, essentially from here on in. And what it means is that we need to do a lot better as a country to make sure that we are doing everything we can within organizations to protect customer data." - Clare O'Neil
While the 13 Australian Privacy Principles (APP) of the law remain unchanged, the penalties facing organizations and agencies who fail to properly secure personal data are sharply increasing.
Specifically designed to send a message that “...the penalty for a major data breach can no longer be regarded as the cost of doing business,.” the new fine structure scales along with the revenue of the organization and the severity of the breach.
Previously the maximum fine for a data breach was capped at AU$2.5 million.
Going forward, an organization that incurs a data breach or severe ransomware attack must pay a fine of the greater of the following:
- AU$50 million
- If the court determines that the organization has profited from the unlawful data disclosure, the fine would be three times the value of that..
- If the court cannot determine the value of that benefit, the fine would be 30% of the adjusted turnover (revenue) of the corporation for the 12 months prior to the violation of the law.
Alongside the increased penalties, the amendment expands the government's ability to bring potential data breaches to light by granting them the power to obtain information and documents from anyone who may be involved with an actual or suspected eligible data breach.
With these changes, it's imperative that all agencies and organizations in Australia strictly adhere to the requirements for secure data collection, processing, and protection, which we will now cover.
Australian Privacy Act (APA) Timeline
1988
2017
Notifiable Data Breach Scheme
As data breaches began making waves, this modification to the APA was passed, mandating reporting of data breaches to the Office of the Australian Information Commissioner (OAIC), notification to affected Australian citizens, and a maximum fine of AU$2.5 million.
2022
Privacy Legislation Amendment
Privacy Legislation Amendment. In light of massive data breaches, fines are increased to the greater of AU$50 million or a percentage of revenues.
How to avoid becoming a data breach statistic
In the last year, 30% of Australia's population has suffered from a data breach. It's abundantly clear that all organizations can come under attack from any angle and when potentially any system, account, or person can be an attack vector, the reasonable thing to do is “assume breach.”
Considered from a threat actor's perspective, compromising even a single user in most organizations would grant them access to thousands of on-prem files and dozens of SaaS applications and cloud services. Reducing this blast radius — all the data that an attacker could exfiltrate if one employee is compromised — is crucial to preventing breaches.
By pulling back the access rights of each user, you're forcing attackers to work harder. They will have to compromise more accounts, causing more anomalous activity on the network and upping the likelihood that they will be noticed.
To reduce the blast radius, it's important to:
- Complete an inventory of your most critical data. If you're unsure of what that is, try to consider what an attacker would find most profitable.
- Inventory the permissions and behaviors around this critical data. Would you be alerted to a user who appeared to be logging in from a new country, copying 100x of their normal amount of files, and doing all of this in the middle of the night?
- Automate and maintain the controls protecting your data.
This approach is proven to reduce attacker risk, but a sometimes unremarked upon benefit is that it's also remarkably effective at reducing the risk of mistakes or malicious actions done by insiders.
Strong security controls, as described above, can prevent the following:
- Microsoft 365 users from accidentally sharing a link containing PII that is open to the entire internet
- Ransomware from infecting your organization because a user clicked a link they shouldn't have
- Government identifiers being accessed in files open to your entire company
- A company facing a fine as they're unable to identify PII with their Salesforce instance
While the new penalties and requirements can seem daunting, Varonis has helped thousands of organizations meet their compliance requirements, prevent breaches, and protect their most valuable data assets.
To learn more, contact team_au@varonis.com or info_au@varonis.com to schedule a free Data Risk Assessment.
