Login
iscover
Real estate agents and agencies who fail to protect consumer data from scammers could face maximum penalties of more than $50 million under new regulations set to be imposed on a federal level.
The new penalties, announced by the Albanese government, are in response to the recent hacks of the likes of Optus and Medibank.
According to Nicole Murdoch, a Brisbane-based technology lawyer with EAGLEGATE Lawyers, the new maximum penalties — contained within the Privacy Act — are “necessary to replace the previous woefully inadequate data breach penalties”.
While maximum fines previously sat at $2.2 million, the new maximum penalties for “serious or repeated privacy breaches” sit at $50 million, three times the value of the benefit obtained through misuse of data, or 30 per cent of a company’s adjusted turnover in the relevant period.
According to Ms Murdoch, the fine handed out would sit at whichever value is the highest.
From her perspective, “in the wake of the Optus hack and the other data system hacks reported since then, it’s crucial there is a big enough motivator to make businesses strengthen their cyber security systems”.
The changes will put Australia more in line with European law, which sees businesses held liable for high-level data breaches facing penalties of up to €20 million — or 4 per cent of a business’ annual turnover — whichever is highest.
Rhys Fuller, a paralegal with EAGLEGATE, has also flagged that small businesses will be just as liable under the new penalties as big corporates, given the new penalties apply “to any business that holds data on its customers”.
“So real estate firms, rental agencies, even law firms, any business that is entrusted with personal data and information about clients will be liable if they fail to ensure adequate security of that data,” he outlined.
While the range of businesses affected by the tough new data hack penalties may shock some, Mr Fuller said that they do make sense.
“It’s about getting home the need to reinforce and prioritise cyber safety and security measures,” he stated.
“A business that ultimately breaches its obligation to protect customer or consumer data and sensitive information, whether intentional or not, should be held accountable.”
The proposed amendments do relate to serious or continued privacy breaches, but Mr Fuller warned that the penalties could be significant enough to bankrupt small-to-medium-sized businesses, especially given that “what constitutes a serious privacy breach will be up to interpretation of the court”.
“A repeated privacy or data breach, however, could show that a business is not taking its cyber security measures seriously, whether it may be through the use of outdated technology and measures, or through the business not taking reasonable steps to ensure its data protection,” he concluded.
ABOUT THE AUTHOR
Grace Ormsby
Grace is a journalist across Momentum property and investment brands. Grace joined Momentum Media in 2018, bringing with her a Bachelor of Laws and a Bachelor of Communication (Journalism) from the University of Newcastle. She’s passionate about delivering easy to digest information and content relevant to her key audiences and stakeholders.
Newsletter
