NAB Chief Urges Government to Reconsider Fines for Large Data Breaches

Richard M. November 10, 2022 4 minute read

The Chief of NAB Ross McEwan has urged the government that penalties for data breaches charged as a percentage of turnover would be “terminal” for certain businesses and promote breaches to be kept hidden.

Ross McEwan’s remarks add to those made by the Australian Banking Association, which cautioned that a fine of 30% of modified turnover could cost a significant financial institution billions of dollars.

The government is recommending a significant rise in penalties for serious or persistent data theft under the Privacy Act.

A Senate committee is required to submit its findings regarding the content of the bill by November 22. The revisions have already been approved by the lower house of parliament.

McEwan requested parliament to “give further consideration to the intention of the bill.”

“We believe the increase in penalties – and particularly the calculation for determining penalty that relates to adjusted annual turnover – are disproportionate and create a much greater maximum penalty than similar privacy and data protection laws across the globe,” McEwan stated. “For context, a data breach from a major Australian company subject to the maximum penalty in the bill could be in the region of four times the largest civil penalty order ever made against an Australian corporate.”

Ross McEwan cautioned that enterprises “may be less willing to promptly disclose data breaches to [the] government as a result for fear of facing potentially terminal penalties.”

“Penalties of this magnitude, without appropriate containment measures, will have the capacity to effectively put an organization out of business,” he stated.

NAB Chief insisted punitive actions be “reserved for egregious failures of compliance and risk management.” He also “strongly urged consideration of a range of other measures designed to mitigate the risks to individuals that arise as a result of cybercrime, in addition to an enhanced but appropriately measured penalty regime.”

According to Ross McEwan, government regulations that force data to be stored for longer than needed could help to reduce the sector’s risks. “For example, under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, reporting entities such as banks are required to keep customer identification records for seven years after the banking relationship has concluded,” he stated.

“This mandated retention period is much longer than we would otherwise require and significantly increases our risk profile.” McEwan also supported the use of digital identity as a tool to reduce the volume of data that enterprises must gather and/or maintain on their own.