Introducing a harsher data breach penalty regime without addressing the payment of cyber ransoms has created a “perfect storm” that could lead to reduced reporting of incidents, according to identity and cyber support service IDCare.
In November, the Albanese government passed new laws that significantly increased fines against companies for serious or repeated privacy breaches, following the massive data breach against Optus two months earlier.
Under the changes, companies now face fines of $50 million, three times the value of any benefit obtained through the misuse of data, or 30 per cent of a company’s turnover in the relevant period, whatever is larger, for serious or repeated privacy breaches.
With penalties now significantly larger than the average ransomware payment, IDCare used its submission to the final report from the Privacy Act Review to warn that the regime – which could face changes as part of the review – could have repercussions for reporting.
The data theft victim service put this down to the lack of “regulatory interventions… and market levers to create disincentives to pay and incentives to prevent” ransomware, which signals to criminals that Australia remains “open for business”.
“In the absence of regulatory intervention that prohibits or provides disincentives for a ransom payment, or at least places extreme limitations on when it may be contemplated… it is unlikely ransomware groups targeting our organisations will curtail their activities,” it said.
“Legislative changes to increase Privacy Act penalties may actually have a perverse result, such as reducing future reporting of such attacks, because of the conflicted environments may confront.”
IDCare said there is already an absence of reporting and notifications, based on the “volume of community members coming to IDCare unaware of how criminals first got hold of their personal information that is being exploited”.
“In other words, we believe that organisations are making decisions to not notify because they or their legal advisors believe that the payment of a ransom remediates the risk. Sadly, we don’t see this reality,” it said.
“The number of community members engaging IDCare who do not know how their personal information has been breached has remained relatively steady at 18 per cent since the introduction of the notifiable breach laws in 2018.”
IDCare said that with the compliance and notification environments now conflicted, not addressing the legality of ransomware payments was a “significant shortfall in the [Privacy Act] reform agenda”.
“Pay a million dollars or face a breach that may cost $50 million. Pay a million dollars or face a third of your customer base leaving. Don’t pay and have your customer data exploited in the most abhorrent and public way in an attempt to send a clear signal to future organisations that this will be the consequence if their demands are not met,” it said.
“The weaponisation of personal information is real and the refining of ransom demand practices continues to maximise criminal opportunities.
“The conflicting nature of breach response and regulatory compliance, coupled with an insurance industry that in some places openly promotes their coverage of such payments, presents a perfect storm for our community and our ability to protect against these privacy infringements.”
IDCare said that until Australia had a clearer policy position on the legality of paying ransoms there would be “little disincentive for… criminals to keep targeting… businesses and government agencies”.
But outlawing ransomware payments altogether also brings complications, particularly for small businesses who may have no backups. In this instance, the cost of paying a ransom to recover files may be less than the cost of remediation, IDCare said.
“In our estimation, the drawing into the Privacy Act of small business is likely to see these scenarios amplify,” it added.
IDCare is currently working with the Tasmanian government to respond to a data breach at the third-party file transfer service GoAnywhere MFT. The breach is estimated to have compromised 16,000 documents belonging to the state’s Education department.
Do you know more? Contact James Riley via Email.