House debates

Monday, 17 October 2016

Private Members' Business

Cybersecurity

11:48 am

Tim Watts (Gellibrand, Australian Labor Party)

Last week was online safety week and an increasingly critical part of online safety today is data security. It is more important than ever that we keep personal data safe. Massive volumes of data are being collected online every second. Data about your spending patterns, your daily movements, who you associate with and in what contexts and obviously data that can be used for the purposes of fraud and theft—credit card details and the like. The responsibility to keep this data secure is a shared one. Individuals should take care to change their passwords periodically, to not use the same password across different internet sites and to use two-factor authentication where possible. However, while some of this data is stored on hardware owned by individuals, most of it is now shared 'on the cloud', which is geek speak for on someone else's computer—in a server farm controlled not by the individual but by a company. Australians rely on the companies entrusted with this data to protect it and, when they are unable to protect it, to minimise the consequences of these failures.

Unfortunately, data breaches are a continuing fact of modern life. Australia has more data breaches reported than anywhere else in APAC, according to the Gemalto Breach Level Index. So far in 2016 there have been 2,928 publicly disclosed data breaches which have exposed more than 2.2 billion records—records including the data of individuals like you or me.

In the past two years we have seen a huge number of high-profile hacks around the world, including Anthem Health Insurance with 80 million records stolen, the DNC and Hillary Clinton's campaign chair records, where five million records were stolen. Ashley Madison had 37 million records stolen; Mossack Fonseca, 11.5 million; and the Philippines' Commission on Elections had 55 million records stolen. Recently, tech giant Yahoo had the details from 500 million accounts stolen—that is, 500 million records capturing names, email addresses, birth dates, and scrambled passwords, along with encrypted or unencrypted security questions and answers that could help hackers break into victims' other online accounts. This breach occurred in 2014 but was only publicly reported in 2016.

This is the new normal. Australian governments, businesses and individuals need to adapt to a new environment in which the security of their data is constantly challenged and in which data breaches periodically occur. Responding to this new online security environment will require a multifaceted approach. One crucial element of this response must be legislation requiring individuals to be alerted when their data has been compromised. Globally, Australia is falling behind in this respect. The majority of states in the US have already introduced data breach notification laws. The EU has similar regulation, and New Zealand and Canada are already well advanced on this matter.

In contrast, in Australia, companies currently report to the Privacy Commissioner on breaches on a voluntary basis. The previous Labor government introduced legislation to require such data breach notification through the Privacy Amendment (Privacy Alerts) Bill 2013, but the incoming Abbott government did nothing to advance the issue for the next two years. In February 2015 the Parliamentary Joint Committee on Intelligence and Security produced a bipartisan report recommending introduction of a mandatory data breach notification scheme by the end of 2015. The government agreed with those recommendations in March 2015, and an exposure draft to deliver on this was subsequently released eight months later, despite this issue having been well ventilated for more than three years before this.

This draft legislation would require companies and organisations to inform people affected by a compromise of their personal data if there were a real risk of serious harm posed by the release of the information—for example, where a person's credit card details, identification details, passwords or other information were leaked or obtained fraudulently. The bill was included on a list of bills intended to be introduced during the winter 2016 sitting of the 44th parliament, but, like the end of 2015 deadline previously agreed by the government, there is no sign of the data breach notification bill.

Still no such bill has been tabled. The government has now indicated that it will be introducing a data breach notification bill in the spring sittings of this parliament. We will wait and see. But the delays to date are not good enough. Labor thinks that all Australians have a right to know when their data has been breached. In the modern environment this is a crucial element of overall online security. We can look to consumers and we can inform consumers about what they can do to protect themselves, but we need to ensure that corporations play their role as well in the data governance arrangements of this country. There is nothing that an Australian consumer can do if their data has been breached on a server in Singapore. We will continue to push the government on this issue until it takes action. I hope to see a mandatory data breach notification scheme introduced into this parliament as promised by the government in this setting.