New legislation that punishes companies and individuals who fail to report data breaches could make Australian firms even more attractive targets for criminals, a local cyber-security expert says.
The law coming into force in February aims to help individuals affected by an attack that exposes personal information.
But, according to FireEye Asia Pacific chief technology officer Bryce Boland, it will also invite low-risk extortion “at scale”.
“Failing to disclose can result in penalties and potentially jail time, so this is now a new lever criminals can use in their extortion attacks,” Mr Boland said.
The legislation applies to companies with a turnover of more than $3 million, as well as any federal government agencies and organisations that operate under the Privacy Act.
It requires prompt data breach disclosures and comes with hefty fines of up to $360,000 for individuals and $1.8 million for companies.
“Australian companies are getting compromised, information is stolen, nothing is investigated, executives don’t know – and legislation will make them accountable for it,” Mr Boland said.
Listed companies are already exposed to attacks that exploit reputational damage, such as stealing data to pressure individuals or demanding a ransom in exchange for keeping the breach quiet.
The attacker could also sell the information or short the stock before releasing the data, Mr Boland said.
Mr Boland said many Australian companies mistakenly think security is just a case of “anti-virus, firewall and then wipe the hard drive”.
He said the new legislation could add to their problems.
“Criminals are going to have a field day with this,” Mr Boland said.
“It’s going to be the wild west in extortion.”