The government has published an exposure draft of its long-awaited bill for mandatory data breach notifications, specifying what it considers to be a serious breach and how organisations will need to respond.
The exposure draft, which is open for consultation until March 4 next year, comes as the government failed to deliver on its promise to have a scheme up and running by the end of this year.
The bill runs along almost identical lines to the Privacy Alerts bill introduced by Labor in 2013, and again last year. It is understood to have bipartisan support.
It outlines what the government considers to be a serious breach and details the steps an organisation must take to address such an incident.
A serious breach, under the bill, occurs when there is unauthorised access to, unauthorised disclosure of, or loss of customer information held by an entity, and that access, disclosure or loss generates a real risk of serious harm to the individuals involved.
Such information includes personal details, credit reporting information, credit eligibility information, and tax file number information.
An entity must notify customers, the Privacy Commissioner and potentially the media "as soon as practicable after it is aware" or has reasonable grounds to believe a serious data breach has occurred.
Where an organisation suspects a serious data breach has occurred, but isn't certain, it will have 30 days to assess whether it needs to notify.
The notification must include a description of the data breach, the kind of information involved, and how customers should respond to the security incident.
The Privacy Commissioner would be able to force organisations suffering a serious data breach, but who had not notified customers, to do so. The ability to apply for an exemption is included in the bill.
"The rationale of data breach notification is to allow individuals whose personal information has been compromised in a data breach to take remedial steps to avoid potential adverse consequences, such as financial loss or identity theft," the government's exposure draft states.
"Examples might include cancelling a credit card, or changing an online password."
Organisations would need to do everything reasonable to notify customers, such as contacting them through email, post or phone, the bill states.
If each individual cannot be contacted, an organisation would need to publish a notice on its website and potentially through media and social media.
The scheme applies only to organisations governed by the Privacy Act, meaning state government organisations and local councils, plus organisations with a turnover less than $3 million a year, will fall outside the legislation.
The obligations do apply to all telecommunications service providers subject to the data retention legislation.
The Privacy Commissioner would have the power to chase civil penalties for non-compliance.
Individuals would face fines of $340,000 while organisations face up to $1.7 million.
The government had promised to introduce a mandatory data breach notification scheme as part of its adoption of 39 recommendations made earlier this year by the parliamentary joint committee tasked with reviewing the government's data retention bill.
The Coalition government refused to support it because of concerns about a lack of definition around terms like “serious breach” and “serious harm”.
The Office of the Australian Information Commissioner received 110 voluntary reports of a data breach in 2014-15, compared to just 67 in the year prior.
Privacy Commissioner Timothy Pilgrim has previously indicated the frequency of breaches was climbing but notifications to his office had decreased.
"I am concerned that we are only being notified of a small percentage of serious data breaches that are occurring. Many critical incidents may be going unreported and consumers may be unaware when their personal information could be compromised," Pilgrim said in 2013.
"There are real incentives for agencies and organisations to notify of a privacy breach. Apart from being good privacy practice, it can also engender consumer trust, reduce the cost of dealing with a data breach and mitigate against reputational damage."
He today said he welcomed the release of the draft bill and reiterated his support for mandatory data breach notification.
"Data breach notification can be an important mitigation strategy in the event of a serious data breach. Notification enables people affected by a breach to take steps to protect their personal information; such as cancelling credit cards or updating log ins with service providers," Pilgrim said in a statement.
"A mandatory notification scheme will provide confidence to all Australians that, in the event of a serious data breach, they will be given the opportunity to manage their personal information accordingly."
In the last two months alone, companies including Kmart Australia, David Jones, Aussie Farmers Direct, Samsung subsidiary LoopPay, UK telco TalkTalk, educational toy maker VTech and the websites of Queensland's TAFE and Department of Education fell victim to security breaches.