Australia's mandatory data breach notification legislation was not heard in the Senate on its last day of sitting.
The bill will now not be heard until after the federal election, and potentially not at all.
The Coalition has not expressed support for the bill in its current form, but iTnews understands it does support mandatory data breach notification in principle, to cover those entities that do not participate in the various voluntary data breach notification codes.
The concept would remain on the parliamentary agenda if a Coalition Government is elected in the upcoming federal election, in order to have some form of mandatory data breach notification scheme in place to accompany the arrival of new privacy reforms, due next March.
Lockstep Consulting managing director Stephen Wilson said it was disappointing the bill had not yet passed the Senate.
"Businesses are already preparing for data breach notification," Wilson said. "They are planning for March 2014."
Organisations Wilson had dealt with were preparing by building core competencies: the ability to detect breaches quickly, and a risk management triage process for deciding what must be reported. They would also need to tie perimeter security to privacy and risk governance, Wilson said.
US organisations have benefited from better security visibility and customer approval under existing data breach notification laws, according to Wilson, even though those laws set a lower reporting threshold than the Australian proposal and so require many more kinds of breach to be reported.
Australian businesses including Vodafone Australia have said that complying with Australia's data breach legislation would likely be an extension of their existing security processes.
“We are a customer-facing organisation and already have processes in place to communicate with customers,” Vodafone Australia head of information security Eyman Ahmed Ahmed said in May.
The Privacy Alerts Bill 2013 aimed to force organisations that suffered a data breach to notify the Privacy Commissioner and affected customers when information had been compromised.
The bill had received unconditional support from a parliamentary committee investigating the issue, which recommended it be passed by the Senate.
But Coalition senators, in an addendum to the committee report, communicated concerns around a “lack of due process and time for scrutiny” of the bill.
They also highlighted concerns around the lack of definition for the terms “serious breach” and “serious harm”, and warned against regulatory overload.
The bill proposed to amend the Privacy Act with two new provisions:
- “Serious data breach” - which outlines the circumstances in which an entity would have committed a serious data breach, and
- “Notifying serious data breaches” - which outlines the circumstances in which an entity must notify of a serious data breach and to whom it must do so.
According to the confidential bill, obtained by SC last month, failure to take reasonable steps to secure data prior to a breach would mean organisations faced fines of up to $1.7 million for serious and repeat offences, or up to $340,000 for individuals.
Small-scale offenders would face fines of $34,000 for individuals and $170,000 for organisations.