Australian Privacy Act (APA)
Predominantly focused on the protection of financial information and reporting, the initial act is put into practice.
Varonis debuts trailblazing features for securing Salesforce. Learn More
Contents
A series of stunning data breaches in 2022 has prompted lawmakers to begin making changes to the 1988 Australian Privacy Act in the form of the new Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
Minister of Cybersecurity Clare O'Neil said, “This is the new world that we live in. We are going to be under relentless cyber-attack, essentially from here on in. And what it means is that we need to do a lot better as a country to make sure that we are doing everything we can within organizations to protect customer data.”
“We are going to be under relentless cyber-attack, essentially from here on in. And what it means is that we need to do a lot better as a country to make sure that we are doing everything we can within organizations to protect customer data." - Clare O'Neil
While the 13 Australian Privacy Principles (APP) of the law remain unchanged, the penalties facing organizations and agencies who fail to properly secure personal data are sharply increasing.
Specifically designed to send a message that “...the penalty for a major data breach can no longer be regarded as the cost of doing business,.” the new fine structure scales along with the revenue of the organization and the severity of the breach.
Previously the maximum fine for a data breach was capped at AU$2.5 million.
Going forward, an organization that incurs a data breach or severe ransomware attack must pay a fine of the greater of the following:
Alongside the increased penalties, the amendment expands the government's ability to bring potential data breaches to light by granting them the power to obtain information and documents from anyone who may be involved with an actual or suspected eligible data breach.
With these changes, it's imperative that all agencies and organizations in Australia strictly adhere to the requirements for secure data collection, processing, and protection, which we will now cover.
Predominantly focused on the protection of financial information and reporting, the initial act is put into practice.
As data breaches began making waves, this modification to the APA was passed, mandating reporting of data breaches to the Office of the Australian Information Commissioner (OAIC), notification to affected Australian citizens, and a maximum fine of AU$2.5 million.
Privacy Legislation Amendment. In light of massive data breaches, fines are increased to the greater of AU$50 million or a percentage of revenues.
In the last year, 30% of Australia's population has suffered from a data breach. It's abundantly clear that all organizations can come under attack from any angle and when potentially any system, account, or person can be an attack vector, the reasonable thing to do is “assume breach.”
Considered from a threat actor's perspective, compromising even a single user in most organizations would grant them access to thousands of on-prem files and dozens of SaaS applications and cloud services. Reducing this blast radius — all the data that an attacker could exfiltrate if one employee is compromised — is crucial to preventing breaches.
By pulling back the access rights of each user, you're forcing attackers to work harder. They will have to compromise more accounts, causing more anomalous activity on the network and upping the likelihood that they will be noticed.
To reduce the blast radius, it's important to:
This approach is proven to reduce attacker risk, but a sometimes unremarked upon benefit is that it's also remarkably effective at reducing the risk of mistakes or malicious actions done by insiders.
Strong security controls, as described above, can prevent the following:
While the new penalties and requirements can seem daunting, Varonis has helped thousands of organizations meet their compliance requirements, prevent breaches, and protect their most valuable data assets.
To learn more, contact team_au@varonis.com or info_au@varonis.com to schedule a free Data Risk Assessment.
Below are three ways we can help you begin your journey to reducing data risk at your company:
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.
Free Data Risk Assessment
Join 7,000+ organizations that traded data darkness for automated protection. Get started in minutes.