Australia has a data retention policy, but no notification law

A breach reporting law is making its third attempt at passage in the Australian parliament.

Not for lack of trying: breach notification bills have been put forward twice before, after the Joint Parliamentary Committee on Intelligence and Security recommended in February 2015 that Australia adopt breach notification laws alongside a then-incoming data retention policy.

The Australian Privacy Commissioner, giving evidence to Parliament in 2013, said that if lawmakers were to decide that massive amounts of personal data should be retained by telecommunications companies, then there should be an “obligation for service providers to notify the Commissioner and affected individuals in the event that they experience a data breach affecting telecommunications data collected and retained under the scheme”.

Australia continues with one but not the other. Under the data retention policy, law enforcement can look at citizens' private correspondence, which telecommunications companies hold for up to two years. There is currently no requirement to report whether those great tranches of information are stolen.

Under the proposed law, breaches with a “real risk of serious harm” will have to be reported. That is to say, any breach which involves critical, personal or financial information. The breached party will need to notify the Australian Information Commissioner and affected parties “as soon as is practicable”.

Non-compliance could result in sanctions, compensation payments or civil penalties for repeat offenders.

That is, if any of this passes. So far, two attempts have been made and both have failed, under both Labor and Coalition governments. Does Australia even need breach notification laws?

“Breach notification is a double edged sword”, Steve Armstrong, MD of Logically Secure told SCMagazineUK.com. “Enforce very early notifications and you only assist the attackers - they will watch to see if you have found them (via the notification), and you may not have fully scoped the impact of the compromise. Notifications that are too late or never happen at all risk allowing attackers to leverage stolen customer data.”

“However, as the latest Yahoo notification has shown, even with legislation unless a regulator is issuing punishments for ignoring the rules, the rules will continue to be ignored,” Armstrong added.  

“Clearly there is a need to enshrine data breach notification into law, as the implications to consumers and stakeholders are potentially extremely damaging,” Graham Mann, managing director of Encode UK, told SC.

“The challenge will be structuring the bill so that it is both effective and politically digestible. The issue that needs to be addressed in any such law is that of detection. At present, few organisations have the capability of identifying breaches. So, will the bill mandate that organisations must implement specific data breach identification solutions? If not, then it is likely that data breaches will go undetected for months and perhaps years.”

EU member states also do not yet have breach notification laws. The landmark General Data Protection Regulation (GDPR) will come into force next year and will penalise companies with fines of up to two percent of global turnover. However, some claim that Europe is unprepared. Not least UK CIOs: according to a survey carried out earlier this year, 90 percent of them do not feel prepared for the incoming regulations.

With the advent of Brexit, it is not quite clear if the UK will keep the breach notification provisions within the GDPR. However, the UK's Information Commissioner, Elizabeth Denham recently told the BBC that British business should continue to move towards compliance with the EU-wide regulation:  "I don't think Brexit should mean Brexit when it comes to standards of data protection."