As the world becomes increasingly digitised, the threat of cyber attacks is growing. The latest warning comes from IDCARE, Australia’s national identity support service, which has expressed concern that new privacy laws could lead companies to pay ransoms to hackers to keep a data breach quiet.
Increased Penalties for Privacy Breaches
IDCARE’s submission to the federal government’s review of the Privacy Act warned that increased penalties for privacy breaches could encourage businesses to opt for a quick ransom payment instead of reporting the breach.
This creates a moral hazard that incentivises companies to keep quiet about the attack, as paying the attacker is often cheaper than paying the penalty.
New Privacy Laws May Encourage Ransomware Attacks
IDCARE also warned that the government’s proposed amendments to the Privacy Act could have the adverse consequence of making privacy compliance “much more litigious.” Instead of informing and supporting people who have been placed in potentially vulnerable positions, the breach frameworks seem to be more about ‘tick a box’ reporting to regulators and protecting other interests.
Complexities of Ransom Payments
IDCARE has warned that increased penalties for privacy breaches – up to $50 million for a serious privacy breach, one-third of the turnover for an affected company, or three times any financial benefit obtained through data misuse – could encourage businesses to pay ransoms to hackers to keep data breaches quiet.
Insurance companies often encourage payment of a ransom to recover data. This creates a moral dilemma for businesses, who must weigh the costs of a ransom payment against the fallout of a public data breach. The conflicting nature of compliance and notification environments only adds to the problem.
Promoting Transparency and Accountability
As the threat of cyber attacks continues to grow, it is more important than ever to promote transparency and accountability in data breaches. We need to create a culture where businesses feel safe and supported in reporting data breaches, rather than punished for doing so. By doing so, we can protect customers and businesses alike from the consequences of ransomware attacks.