NAB chief Ross McEwan has warned the government that data breach fines levied as a percentage of turnover would be “terminal” for some businesses, and could encourage breaches to be hidden.
His comments build on those from the Australian Banking Association, which earlier this week warned that a penalty of 30 percent of adjusted turnover could run into “billions of dollars” for a large financial entity.
The government is proposing a substantial increase in the size of fines for serious or repeated data breaches under the Privacy Act.
The amendments have already passed the lower house of parliament, and a senate committee is due to report its findings on the bill’s contents by November 22.
NAB is the first Australian corporate to make a direct submission [pdf] to the senate inquiry; aside from a submission from AWS, the rest are from industry groups or government agencies.
McEwan made a direct request to parliament to “give further consideration to the intention of the bill.”
“We believe the increase in penalties – and particularly the calculation for determining penalty that relates to adjusted annual turnover – are disproportionate and create a much greater maximum penalty than similar privacy and data protection laws across the globe,” McEwan said.
“For context, a data breach from a major Australian company subject to the maximum penalty in the bill could be in the region of four times the largest civil penalty order ever made against an Australian corporate.”
That record is currently held by Westpac, which was fined $1.3 billion in 2020 for breaches of anti-money laundering laws.
McEwan warned that companies “may be less willing to promptly disclose data breaches to [the] government as a result for fear of facing potentially terminal penalties.”
“Penalties of this magnitude, without appropriate containment measures, will have the capacity to effectively put an organisation out of business,” he said.
“It can also appear to punish companies who are increasingly the victim to an upsurge in malicious and sophisticated hacks.”
McEwan urged punitive measures to be “reserved for egregious failures of compliance and risk management.”
He also “strongly urged consideration of a range of other measures designed to mitigate the risks to individuals that arise as a result of cyber crime, in addition to an enhanced but appropriately measured penalty regime.”
McEwan said that government could also play a part in de-risking the sector by paring back requirements that cause data to be kept much longer than needed.
“For example, under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, reporting entities such as banks are required to keep customer identification records for seven years after the banking relationship has concluded,” he said.
“This mandated retention period is much longer than we would otherwise require and significantly increases our risk profile.”
He also backed digital identity as a mechanism to minimise the amount of data that organisations needed to collect and/or hold themselves.