Australia invites cyber criminals, says data theft victim service

By Byron Kaye

SYDNEY (Reuters) - An Australian government-backed service for victims of identity theft blasted a plan to toughen privacy laws amid an explosion of online data theft, saying it would spur compromised companies to pay ransom and invite more hacking.

IDCare, a non-profit that helps internet crime victims, said by making it easier for regulators to fine companies for poor data security and failing to criminalise ransom payment, Australia may inadvertently fuel a cyber-crimewave.

The message came in an unpublished submission, reviewed by Reuters, to the attorney general who is working to update privacy law for the internet age just as the country experiences a spike in large-scale data thefts that the government says has touched almost every family.

"A significant reason why Australian governments and businesses are increasingly targeted by ransomware attacks ... is because we pay," IDCare said in the submission.

IDCare's views will count heavily in a government review of privacy laws expected to make it easier to fine or sue companies that fail to protect customer data, as it has become one of Canberra's go-to referral groups to help victims of cyber crime.

Canberra raised the maximum fine to A$50 million ($34 million) from A$2.2 million for companies that fail to stop data theft after the first major attack in October, when some 10 million customer accounts at No. 2 telco Optus, owned by Singapore Telecommunications, had information taken.

The government is now considering making it easier to apply that fine and simpler for individuals to sue for theft of personal information.

IDCare said by raising the threat of massive fines, Australia would force companies to choose whether to pay A$1 million, the typical cost of a ransom demand, or notify the authorities and risk a fine of up to A$50 million.

"In terms of ransomware attacks, Australia is open for business," it said.

IDCare noted that Australia was the country fifth-most targeted by data thieves in January 2023, far worse than other countries relative to its economy and population.

Without rules that bar or discourage ransom payments, it said "it is unlikely ransomware groups targeting our organisations will curtail their activities".

A spokesperson for Attorney-General Mark Dreyfus said the government had acted swiftly to increase penalties following large-scale data breaches and would consider 116 proposals in a review of privacy law before deciding further steps.

The Office of the Australian Information Commissioner said its approach in seeking penalties or setting new rules would be "pragmatic, evidence-based and proportionate".