The government will miss its self-imposed deadline to introduce a mandatory data breach notification scheme before the end of the year when parliament today closes for 2015 without a bill being introduced.
Today marks the last day of parliamentary sitting for this year, and the last chance for the government to introduce a bill before February 2016.
However, despite a government pledge to implement a mandatory data breach reporting scheme before the end of the year, an enabling bill did not make it into parliament.
It was not prioritised as one of the 19 government bills cleared by Tuesday's cabinet meeting for introduction, iTnews has confirmed.
However, sources told iTnews a bill has in fact been drafted and is ready to be introduced.
It is understood an exposure draft will be released today for consultation and submissions will be taken until March next year.
The Attorney-General's Department would only say that an announcement would be made shortly.
The government pledged at the time to adopt all the recommendations, which included introducing the data breach notification scheme before the end of this year.
It marks the second time a bill governing data breach notifications has missed the deadline for introduction into parliament.
In 2013, the then-Labor government's Privacy Alerts bill suffered the same fate in the last day of sitting before the federal election, and subsequent change of government.
It was resurrected as a private member's bill in March the following year, but the Coalition government refused to support it because of concerns about a lack of definition around terms like “serious breach” and “serious harm”.
It is unclear how similar the Coalition's new data breach notifications bill is to Labor's earlier version.
Labor had proposed amending the Privacy Act to specify the circumstances that constituted a 'serious' data breach and how an entity must then act to address it - including to notify the Privacy Commissioner and customers, and on occasion, media.
The bill would also have given the Privacy Commissioner powers to seek penalties of up to $340,000 for individuals or $1.7 million for organisations who repeatedly or seriously failed to meet their obligations.
As breaches escalate
The lack of a national scheme for the reporting of data breaches is concerning at a time when these sorts of incidents continue to grow in number, security experts say.
In the last two months alone, companies including Kmart Australia, David Jones, Aussie Farmers Direct, Samsung subisidary LoopPay, UK telco TalkTalk, education toy maker VTech and the websites of Queensland's TAFE and Department of Education fell victim to security breaches.
In most instances the businesses voluntarily reported the incidents to customers, but this is not always the case. The most infamous example of non-disclosure was by local retailer Catch of the Day, which waited three years to inform its customers of a security breach.
IBRS security advisor James Turner said national disclosure obligations would make it harder for organisations to try to hide breaches from their customers.
"Once organisations know that they can't just push it down to IT, it's going to become a much bigger public issue," Turner said.
Stalling the implementation of a notification scheme could incite more attackers to go after Australian organisations, he said.
"If we end up being one of the last countries to have data breach notification, attackers know that we're almost a soft target," Turner said.
"They know they can go after organsiations and they'll try to stay quiet about it because they're embarrassed.
"And that creates a fog of war for attackers to operate in, and no-one wants to see Australia being weakened from a cyber resilience perspective."
He said the model of the scheme would be vital to its success, citing the non-uniform state-based approach in the United States.
"Who gets notified and on what timeline - that's really important," Turner said.
"Because if it's simply that they have to tell the public about the breach [within a certain] time, that doesn't consider whether they have all the facts, or know exactly what happened. The worst thing that can happen is an organisation leaps forward and tries to do the right thing but misinforms its customers."
When Labor's first bill was introduced in 2013, Privacy Commissioner Timothy Pilgrim noted the frequency of breaches was climbing but notifications to his office had decreased.
"I am concerned that we are only being notified of a small percentage of serious data breaches that are occurring. Many critical incidents may be going unreported and consumers may be unaware when their personal information could be compromised," Pilgrim said at the time.
"There are real incentives for agencies and organisations to notify of a privacy breach. Apart from being good privacy practice, it can also engender consumer trust, reduce the cost of dealing with a data breach and mitigate against reputational damage".