Companies suffering data breaches have been temporarily saved from having to report on them after proposed legislation failed to be heard in the Senate on its last day of sitting.
The bill will now not be heard until after the federal election, and potentially not at all.
The Coalition has not expressed its support for the bill in its current form, but iTnews understands the party does believe in mandatory data breach notifications as a matter of principle, to cover those entities not participating in various voluntary data breach notification codes.
The concept would remain on the parliamentary agenda if a Coalition Government is elected in the upcoming federal election, in order to have some form of mandatory data breach notification scheme in place to accompany the arrival of new privacy reforms, due next March.
The Privacy Alerts Bill 2013 aimed to force organisations that suffered a data breach to notify the Privacy Commissioner and affected customers when information had been compromised.
The bill had received unconditional support from a parliamentary committee investigating the issue, which recommended it be passed by the Senate.
But Coalition senators, in an addendum to the committee report, communicated concerns about a “lack of due process and time for scrutiny” of the bill.
They also highlighted concerns with the lack of definition for the terms “serious breach” and “serious harm”, and warned against regulatory overload.
The bill proposed to amend the Privacy Act with two new provisions:
- “Serious data breach” - which outlines the circumstances in which an entity would have committed a serious data breach, and
- “Notifying serious data breaches” - which outlines the circumstances in which an entity must notify of a serious data breach and to whom it must do so.
According to the confidential bill, obtained by SC Magazine last month, failure to take reasonable steps to secure data prior to a breach would mean organisations faced fines of up to $1.7 million for serious and repeat offences, or up to $340,000 for individuals.
Small-scale offenders would face fines of $34,000 for individuals and $170,000 for organisations.