How Much Does a Privacy Breach Cost in Australia?
Phenomenally high penalties pertaining to privacy breaches are now routinely found in news headlines. In 2021, companies were fined more than 1 billion Euros for GDPR breaches. Meanwhile, fines in excess of $1 million are commonplace for privacy complaints in the USA. But how much does a privacy breach cost in Australia?
Understanding privacy breach costs in Australia
Before we delve into precise figures, it’s important to grasp the different types of costs organisations incur following a privacy or security breach. The associated costs run deeper than ‘just’ the compensatory penalties imposed by the Office of the Australian Information Commissioner (OAIC). In fact, the OAIC’s financial penalties may be the least costly element of a privacy breach for Australian organisations.
The total costs vary depending on the precise type of breach but, generally, Australian companies could expect a data breach to cost $2.82 million in 2021. This amount is a 30.2% increase from the average cost of $2.15 million in 2020, and it is widely anticipated that the associated costs of a data breach will continue to increase into the future.
The cause of a data breach also influences its likely cost, according to the IBM Cost of a Data Breach Report 2021. Data breaches resulting from business email compromise were the most expensive, while those caused by physical security compromise, cloud misconfiguration, and system errors were less costly. Malicious insider breaches, social engineering hacks, vulnerabilities in third-party software, and phishing were also amongst the more expensive breaches.
Australian organisations are amongst the most willing in the world to pay a ransom if they experience a ransomware attack. Given the average ransom paid by businesses at the end of 2020 was $154,104, this represents a significant risk (and cost) to the average Australian organisation.
However, Australian authorities are keen to slow down payments, recognising that they keep the ransomware industry afloat. See our previous post about proposed regulations impacting the payment of ransomware.
A look into OAIC penalties for privacy breaches
The OAIC has a range of powers that it can use when handling complaints that come to it about privacy breaches or investigating potential breaches on its own motion (Commissioner initiated investigations). These powers help determine what sort of outcomes are likely from complaints and other investigations.
In most cases, once satisfied that there is a valid cause for complaint and that the OAIC has jurisdiction, the OAIC will try to reach a conciliated outcome between the complainant and the organisation involved.
Generally, the outcome will depend on the cause of the complaint (e.g. was access denied? Did the organisation refuse to correct an inaccurate record? Has the organisation refused to delete information that may no longer be required?).
In many cases, the outcome of the conciliation may be an apology and an acknowledgement that some change of internal processes (e.g. more training) will be implemented to prevent the breach from recurring. The OAIC has provided the following list of outcomes for complaints where the issues raised related to the Australian Privacy Principles (APPs), in order of how often each outcome occurs:
- Access provided.
- Record amended.
- Change of practice.
- Deletion of personal information.
- Privacy training.
- Review of process.
- Waived premium.
- Free subscription.
- No further contact.
Compensation for privacy breaches in Australia
The vast majority of complaints to the OAIC between January 2020 and January 2022 were resolved without any compensation being granted.
The OAIC’s privacy complaint outcomes reporting service separates the outcomes that include compensation into 5 categories:
- Less than $1,000.
- $1,000 to $5,000.
- $5,000 to $10,000.
- Over $10,000.
By far the largest number of cases involved no award of compensation at all.
In fact, it is rare for financial compensation to be awarded, particularly without compelling evidence of actual financial costs.
Our review of eight determinations made by the OAIC in 2020 revealed the following:
- Large awards of compensation are unlikely.
- To recover for distress and anxiety, some independent evidence is usually needed – psychologist or medical reports, for example.
- Even with supporting evidence, compensation for non-economic loss (distress, etc) is likely to be low – typically between $1,500 and $3,000. For breaches involving highly sensitive information, it might go up to $10,000.
- Legal expenses are unlikely to be recoverable (especially without an itemised invoice).
- Failure to participate in an OAIC investigation can result in aggravated damages. But the amount is likely to be less than $2,000 (even for ignoring a Section 44 notice).
- It takes at least 2 years from the time of a complaint to the OAIC making a Determination, raising questions as to the timeliness of redress.
(For more information see our previous blog post.)
Digging deeper into the outcomes reported in the OAIC’s complaint outcomes reporting service, we found the following features:
- Breaches of APP 6, APP 11, and APP 12 resulted in the highest penalties. The complaints that resulted in compensation in excess of $10,000 all related to breaches of APP 6, APP 11, and APP 12. For your reference:
  - APP 6 relates to the use or disclosure of personal information.
  - APP 11 relates to the security of personal information.
  - APP 12 relates to access to personal information.
- Privacy complaints relating to APP 11 were the most common.
- Certain industries were more likely to encounter privacy complaints. Health services providers, finance companies, Australian Government agencies, insurance providers, utilities providers, debt collectors, and telecommunications providers are more likely than other sectors to receive privacy complaints.
If you’re concerned about your organisation’s privacy risk, reach out. Our privacy lawyers would love to assist.