PJCIS pushes for mandatory data breach notification

The parliamentary committee tasked with investigating the Government's data retention bill has put its support behind the long-mooted introduction of a mandatory data breach notification scheme.

The committee made the recommendation today in its report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 [pdf].

Australia's Privacy Commissioner Timothy Pilgrim has long pushed for the introduction of laws that would force companies to notify customers as well as his office if personal information had been compromised in a data breach.

He revisited the issue recently as part of the data retention debate, arguing telcos and internet service providers did not have a great track record when it came to securing user data.

Pilgrim referenced Telstra's 2011 leak of 734,000 customer details and a further leak of the details of 15,775 customers in 2013.

"Australian service providers have experienced significant issues in handling and keeping personal information secure," he told the parliamentary joint committee on intelligence and security (PJCIS).

He also warned the committee that the retained troves of data were likely to be a honeypot for malicious actors - a warning also recently made by Telstra.

The PJCIS today recommended that the Government introduce a mandatory data breach notification scheme before the end of the year, citing the support of Pilgrim, the Australian Information Industry Association, the Australian Law Reform Commission (ALRC), and the Law Institute of Victoria.

The committee members - made up of six Liberal/National MPs and four Labor members - said such a scheme would be an effective mitigation strategy for those affected by a data breach. 

"While the committee notes that this issue is the subject of broader consideration within Government, the committee considers that there must be a scheme in place prior to implementation of the bill," the MPs wrote.

"The committee considers that a mandatory data breach notification scheme would provide a strong incentive for service providers to implement robust security measures to protect data retained under the data retention regime."

The proposal was also recently supported by the Financial Systems Inquiry.

Pilgrim said he looked forward to working with the Government on the details of the notification scheme.

"I welcome the Government’s support for a mandatory data breach notification scheme. Data breach notification can increase consumer trust and mitigate against reputational damage. It is an important step to further protect the personal information of Australians."

The Labor party has attempted several times to pass legislation enforcing data breach notifications, but the bills have been knocked back by the Coalition which argued the draft legislation needed more work in terms of wording and definitions.

The two bills proposed by Labor would have amended the Privacy Act to outline the circumstances in which an entity would have been subject to a serious data breach and how they must then act to address it.

The bills would also have given the Privacy Commissioner powers to seek penalties of up to $340,000 for individuals or $1.7 million for organisations who repeatedly or seriously offended.