Privacy, Penalties and Practical Cybersecurity: Why It’s Time to Get Serious
Let’s talk about privacy. Not the kind you lose when someone reads over your shoulder at the café. I mean your actual privacy — your personal data, the digital breadcrumbs you leave behind, and the legal firestorm that awaits businesses that treat cybersecurity like a “we’ll do it later” chore.
We’ve entered an era where “oops, we got hacked” doesn’t fly anymore. The regulators aren’t just shaking their heads. They’re sharpening their pencils — and their penalties.
The Privacy Act (Yes, There’s One. And Yes, It Has Teeth)
Australia’s Privacy Act 1988 has been around for a while, but it’s recently grown a sharper set of claws. It governs how organisations collect, use, store, and disclose personal information. If you’re handling the data of Australians, you’re on the hook.
But here’s the spicy bit: in 2022, the government decided enough was enough and passed amendments that beefed up the penalties for serious or repeated privacy breaches. We’re no longer talking about a slap on the wrist and a “please don’t do it again.”
Statutory penalties can now reach $50 million, or:
- Three times the value of any benefit obtained through the misuse of data, or
- 30% of the company’s adjusted turnover during the breach period,
whichever is greater.
Yikes.
That’s not “go sit in the naughty corner” money. That’s “we might lose the business” money. So if you’re a business leader still trying to dodge cybersecurity spend with the ol’ “we’ve never had a breach before” excuse, it’s time to start budgeting for lawyers and reputation repair too.
Directors of Australian organisations can now be held personally liable for serious or repeated breaches of privacy under the updated Privacy Act 1988, especially when there’s a failure to act on known risks or a disregard for compliance obligations. Regulators are tightening the screws, and ignorance is no longer a shield. If you’re sitting on a board thinking this is the IT guy’s problem — you might want to reread your duties. Because when the data hits the fan, it’s not just reputations on the line, it’s your name, your wallet, and potentially your career.
Cyber risk is now a director-level responsibility. Treat it like one.
Enter the Scam Prevention Framework
Because data breaches weren’t enough drama, we’ve also got scams. You know the ones — dodgy texts pretending to be the ATO, or the friendly “Hi Mum, lost my phone” messages that have swindled Australians out of more than $3.1 billion in 2023 alone.
To tackle this, the government is rolling out a Scam Prevention Framework, led by the ACCC and backed by the newly created National Anti-Scam Centre. The idea is simple: make platforms (yes, including telcos, banks, and digital platforms) actually do something about the scams being launched from their front yards.
And surprise, surprise — there are penalties here too. If you’re a provider and you’re not actively preventing scams or responding to reports, expect a regulatory boot up the backend. It’s about shared responsibility, and this time, no one gets to hide behind the “not my job” banner.
While this currently applies only to telcos, banks and digital platforms, it will eventually become the individual business’s problem too, just as the mandatory data breach notification scheme in the Privacy Act did over time.
Practical Cybersecurity: Not Just a Buzzword
This is where I get fired up. Cybersecurity isn’t just about fancy tools and AI threat detection. It’s about common sense with digital guardrails.
- Don’t collect what you don’t need.
- Protect what you do collect.
- Train your staff like they’re the first line of defence — because they are.
- Implement practical cybersecurity controls based on good, practical risk assessments — not audits based on standards.
The best cybersecurity strategies I’ve seen aren’t the flashiest. They’re practical, they make sense, and they’re embedded into the day-to-day rhythm of a business. It’s culture, not chaos.
We’ve reached a point where “we didn’t know” or “our IT guy was on leave” won’t hold up. Whether you’re a CEO, a small business owner, or running an e-commerce empire out of your garage, you have a responsibility. And not just to regulators — but to your customers, your staff, and the very survival of your business.
The Bottom Line
You don’t need to become a cybersecurity expert overnight. But you do need to take it seriously. Privacy law is no longer a polite suggestion, and scams are no longer someone else’s problem.
Practical, human-focused cybersecurity is no longer optional. It’s the seatbelt in your car. The lock on your front door. The common sense we forgot somewhere between downloading every app under the sun and using “Password123” like it’s a national treasure.
And if all else fails — just remember, regulators don’t take bribes. But they do take statutory penalties seriously.
So, if you’re reading this and thinking, “Do we even have a privacy policy?” — you already know the answer.
About Shimazaki Sentinel
At Shimazaki Sentinel, we’ve been warning of this shift for years. Cyber security is no longer just a technical issue — it’s a boardroom issue. Liability now reaches the top, and directors must own it. That’s why our clients don’t just come to us for a firewall — they come for foresight.
Shimazaki Sentinel is a global leader in cyber security, geopolitical intelligence, and digital counterterrorism. We specialise in protecting organisations from complex digital and geopolitical threats, offering strategic insight, practical defence, and proactive risk management. With decades of frontline experience, we provide clarity, confidence, and conviction in an increasingly volatile world — because when the stakes are high, we don’t blink.
This isn’t theory. It’s lived experience. And it’s what makes the difference between businesses that recover and those that become headlines.