Mandatory Reporting Notification Laws in Australia: It’s Still All Talk!


Adrian Turner, Cyber Security Growth Centre opening the AISA National Conference in Sydney

Co-founder and Chairman of the Board of Tenable Network Security, Ron Gula helped open the Australian Information Security Association National (AISA) Conference in Sydney this morning with a keynote presentation, ‘Cyber Security – do we have it right?’ The answer is a resounding, ‘not yet!’

One of the questions is why doesn’t Australia have Mandatory Reporting in place and why have threat reports, such as the ACSC Threat Report 2016 excluded discussion around how the introduction of mandatory reporting would benefit and look like once in operation in Australia. There has been years of discussion around this. Indeed the Australian Cyber Security Centre Threat Report 2016 admits they don’t know the full extent of the cyber threat or the cyber breach footprint because companies and enterprises are reluctant to disclose cyber security incidents, stating “the ACSC’s visibility of cyber security incidents affecting industry and critical infrastructure networks is heavily reliant on voluntary self reporting. Some companies may be hesitant to report incidents to the government due to concerns the disclosure may adversely affect their reputation or create legal or commercial liabilities. For example, in some cases victim organisations have sought legal advice before reporting an incident. Many cyber security incidents across the private sector are undetected or unreported.”

According to Ron Gula, breach disclosure is important and helps raise the awareness of the extent of the threat. “There are two things that have happened in the US. Each State had different laws so there were different periods for disclose. President Obama introduced legislation that unified this timeframe and made it 30 days for all. It doesn’t remove the need for disclosure but it makes, during a very difficult time, a simple decision. I think breach disclosure is important, because if we didn’t have it no one would do it and volunteer.  Whenever you discover a breach you also discover how they got in and what was needed to fix it. Anything that raises the awareness that breaches have happened is one of the reasons why the US is a bit more mature in how to measure intrusions.”

In response to the Federal Parliament’s Joint Committee on Intelligence and Security’s inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, a mandatory data breach notification scheme was proposed in March 2015 for implementation by the end of 2015. Despite this timeframe, we’re still waiting.

The Australian Government invited public comment on a draft serious data breach notification bill before the introduction of legislation in Parliament in early 2016. The Department of Prime Minister and Cabinet has proposed introducing and passing the Privacy Amendment (Notifiable Data Breaches) Bill (“Data Breaches Bill”) in the Spring 2016 parliamentary session which runs until December 1, 2016, so the Government is aiming to have the Data Breaches Bill passed by the end of the year. Although this deadline may still seem optimistic, both the Labor Party and the Greens have supported a previous mandatory data breach notification scheme.

As part of the AISA preparations for a response to the Government’s Cyber White Paper discussion paper in 2011, AISA conducted a number of surveys with members and submitted that data breach notification regulations should be introduced incorporating the lessons learned from the USA and EU experiences, any data breach notification scheme should be part of a broader and “more responsive” regulatory approach supporting information and over 81% of members supported the introduction of a legal requirement for data breach notification. In the view of AISA members supporting the legislation, the main reason for introducing a data breach notification law is to act an as incentive for the organisations covered by the Privacy Act to improve data security practices.

And so despite the Cyber Security Strategy and another ACSC Threat Report giving case study after case study of serious breaches, the talk and waiting continues. Let’s hope the 43rd Parliament and Turnbull Government can achieve passing this legislation before 2017.

Update from this morning is that the legislation was introduced to the House of Representatives, and has been read a first time and second reading was also moved, 19 October 2016.