At a glance.
- Amendments to Australia’s Privacy Act proposed in parliament.
- US Senator pushes for more intelligence-sharing with FTC.
Amendments to Australia’s Privacy Act proposed in parliament.
As Australia continues to grapple with a recent onslaught of high-profile data breaches, attorney-general Mark Dreyfus introduced amendments to the Privacy Act in the House of Representatives this morning that will raise fines for repeated or serious privacy breaches from AUD$2.2 million (about $1.4 million) to up to AUD$50 million (about $32 million), or 30% of the company’s earnings for the relevant period if that amount exceeded $32 million. As The Record by Recorded Future notes, Dreyfus foreshadowed the changes in a statement over the weekend. “Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate,” Dreyfus stated. “It's not enough for a penalty for a major data breach to be seen as the cost of doing business. We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”
In addition to the increase in penalties, CRN Australia notes that the country’s notifiable data breaches scheme will be updated, and the Australian information commissioner will be granted increased access to breach intel in order to assess an entity’s compliance with the scheme. As Dreyfus explains, “This is necessary to provide the information commissioner with a comprehensive understanding of the information compromised in a breach in order to assess the particular risks to individuals, and take actions such as issue a direction for the entity to notify individuals who have been affected by a data breach.” The country's data regulator will also be given more power to intervene in the case of an attack against critical services. To minimize financial fraud, companies will be required to notify the banks of customers who were potentially affected by a data breach. After last month’s breach of Optus, the country’s second-largest telecommunications company, Australia’s Cyber Security Minister Clare O’Neil indicated that the changes are long overdue, stating that Australia is “probably a decade behind” in privacy protections.
US Senator pushes for more intelligence-sharing with FTC.
US Senator Ron Wyden of Oregon yesterday announced that he has submitted a letter to the Federal Trade Commission (FTC) and the Office of the Director of National Intelligence (DNI) calling for the FTC to be granted access to classified threat intelligence regarding cybersecurity threats. “The U.S. government cannot protect Americans’ privacy and U.S. national security from the serious threat posed by sophisticated foreign hackers if the FTC does not have a seat at the table,” Wyden wrote. He stated that the DNI should invite FTC staff to classified briefings and inform the FTC about the types of datasets most likely to be targeted by foreign threat actors. Equipped with this knowledge, he said, the FTC will be better able to identify the companies at greatest risk of attack and help them beef up their security strategy before it’s too late. He also called out the Chinese government as a particular threat, as it has been publicly identified by the Department of Justice for carrying out cyberattacks on organizations with access to troves of American data, such as insurance provider Anthem, credit reporting agency Equifax, and the Office of Personnel Management.
Rosa Smothers, former CIA cyber threat analyst and technical intelligence officer, now an SVP at KnowBe4, commented on the probable implications of such an expansion of the Federal Trade Commission's role: “Senator Wyden highlights the need for the FTC to fill vital knowledge gaps when it comes to making policy. More personnel will need clearances, particularly at the TS/SCI level. I would also recommend FTC cleared personnel embed with the FBI’s counter intelligence teams working on China-sponsored intelligence collection efforts, both cyber and insider threat-related.”