Senate debates

Monday, 13 February 2017

Bills

Privacy Amendment (Notifiable Data Breaches) Bill 2016; In Committee

12:50 pm

Scott Ludlam (WA, Australian Greens)

I thank the minister for his answer and thank other senators for their contributions. The second two amendments—which I will move shortly, once we have dealt with this one—go to the fact that with many data breaches, such as those that I, Labor senators and Senator Griff identified during our contributions, it takes some time before some of these companies or departments even know that they have had a breach. So the clock is not ticking from the time they realise they have lost control of people's information but from the time that the breach occurs. That could be weeks, months or, in some cases, years after the breach is discovered. I believe that in most cases in the list of examples I read earlier it was a period of weeks before the breach was actually discovered, at which point your obligations begin.

I take Senator Brandis's point; 'expeditious' is entirely appropriate. That implies that the ICT teams get moving and try to identify what has actually happened. What we do not want to have is companies and departments being tied up for up to 30 days, working as rapidly as they can, trying to figure out whether they are obliged to report the breach. We would rather just see, on balance, that the reporting happens earlier. That will go to the second amendment that we are going to move shortly. We think 30 days is far too long and we also believe you have identified the reason that it is far too long in your own explanatory memorandum, where you have said—I am going to put this on the record one last time:

… the average number of days between a breach and the individual being notified was 405 days, whereas the average time between a data breach and the misuse of compromised information was 72 hours—

three days. You have made the case for three days in your EM, probably more eloquently than I am this morning. I am seeking your guidance, Mr Temporary Chair. I am taking Senator Griff's advice in the interests of compromise and wish to substitute 'five days' for 'three days'. Do I need leave to amend 'three days' to read 'five days'?
