Data breach penalty laws pass lower house

Increased fines for companies that have serious data breaches are one step closer, after new laws passed the lower house.

The bill will hike up fines for breaches from $2.2 million to either $50 million, 30 per cent of a company's turnover during the affected period, or three times the value of any benefit gained through the information misuse.

The proposal was introduced in the wake of the Optus and Medibank hack, which has affected millions of customers.

Attorney-General Mark Dreyfus said companies needed to do better to prevent large data breaches from happening.

"Significant privacy breaches in recent weeks have shown existing safeguards are outdated and inadequate," he said.

"This bill makes clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business."

Debate on the laws will now move to the upper house.

The proposal will also allow the Australian information commissioner to have greater power to resolve privacy breaches and be able to share information about the breaches to help affected customers.

Mr Dreyfus said a review will be finished by the end of the year ahead of an overhaul of privacy laws next year.

However, the Australian Information Industry Association said the government should instead take a "positive, collaborative approach" to what is a complex issue.

Association CEO Simon Bush said the recent cyber attacks on major businesses were concerning for all Australians.

"We rightly have high expectations of organisations who have our data," he said.

"That is why we want the government and industry to work together to uplift cyber security and data governance across all sectors.

"Rather than punishing businesses acting in good faith for being the subject of attacks and breaches, some of which may be beyond their control or instigated by sophisticated actors, we want to see the government work to implement best-practice data security and work with industry to uplift cyber security across the board."

Mr Bush said the Privacy Act review was the best place for dealing with such issues, and the government should focus on lifting cyber security skills in the Australian workforce.

"Our members tell us regularly that hiring staff skilled in cyber security is one of the most in-demand ICT skills, but this is also one of the leading skills our members tell us they are unable to adequately source in Australia."