BILLS: Privacy Amendment (Notifiable Data Breaches) Bill 2016, Second Reading, 13 Feb 2017

The bill before the Senate today—the Privacy Amendment (Notifiable Data Breaches) Bill—amends the Privacy Act to introduce mandatory data breach notification provisions for agencies, organisations and certain other entities that are regulated by the act. The bill requires agencies and organisations regulated by the Privacy Act to provide notice to the Australian Information Commissioner and affected individuals of an ‘eligible data breach’. An eligible data breach is one where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure. Failure to comply with an obligation included in the bill will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act. This will engage the commissioner’s existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. Entities that are already exempt from the requirements of the Privacy Act, such as intelligence agencies and small businesses, will not be subject to the requirements of this bill, and law enforcement agencies will not be required to notify affected individuals if it is likely to prejudice law enforcement activities.

This bill was introduced to the parliament in October last year—that is more than three years since Labor, in government, introduced a bill to provide for a mandatory data breach notification scheme. That is three years of those opposite dragging their feet while thousands of Australians have been victims of data breaches. In those three years, Labor has consistently called on those opposite to establish a mandatory data breach notification scheme. The introduction of Labor’s bill—the Privacy Amendment (Privacy Alerts) Bill—followed lengthy consultation with industry. It was endorsed by a Senate committee and passed the House of Representatives with the support of those opposite, but lapsed with the dissolution of parliament for the 2013 election. In 2014, in opposition, we introduced a private senator’s bill which was almost identical to our government bill. In 2015, we made the introduction of the notification scheme a condition of our support for the government’s data retention laws. The government undertook to have the scheme introduced by the end of that year.

The bipartisan Parliamentary Joint Committee on Intelligence and Security had recommended in 2013 that, if the government was to pursue any data retention regime, the legislation should include a mandatory data breach notification scheme. In fact, Senator Brandis—the minister now responsible for carriage of this legislation—was a member of the committee at the time. In 2015, the same committee insisted that the government implement mandatory data breach notification legislation by the end of that year. Having missed that deadline, the measure was then thwarted by Mr Turnbull’s political stunt of proroguing parliament and calling an early double-dissolution election. After years of dragging their feet, this government has finally caught up with Labor on this issue. All I can say about that is: it is about time.

This is not a particularly controversial measure, so why has it taken this government so long to follow Labor’s lead? All they had to do was pick up the legislation that we put to parliament in 2013 or the private senator’s bill that we put to Parliament in 2014. In fact, Labor’s 2014 privacy alerts bill was still before the parliament when Mr Turnbull pulled his double-dissolution stunt two years later. In government, Labor had already done the hard yards by consulting with industry, drafting the bill and securing bipartisan support. All the Abbott-Turnbull government had to do was pick up the bill and run with it. Had they done so years earlier, the outcome could have been much better for the thousands of Australians who have been the victims of data breaches. Those opposite have dragged their feet on this issue. There have been a number of major data breaches over the past three years—some involving literally hundreds of thousands of sensitive customer records. Without a mandatory notification scheme, we do not know how many other breaches have gone unreported, how many thousands or even millions of customer records are involved, or what information has been compromised. Had the government introduced the bill earlier, I am in no doubt that many more Australians would have been promptly notified of data breaches involving their personal information.

McAfee Labs’ threat report for August 2015 states that there has been a ‘monumental increase in the number of major data breaches and in the volume of records stolen’ between 2010 and 2015. I will outline a few of the many examples of large-scale data breaches that have gone public, including some that occurred in the three years that this government has been procrastinating on this bill. But I stress that these are just the breaches that we know of.

In 2013, Telstra had to issue a formal apology to customers after phone numbers, names and home addresses were found online during a Google search. While Telstra said that the privacy breach was not acceptable, they had already been investigated by the Privacy Commissioner for two data breaches in the three years prior. One of those breaches, in 2011, resulted in the details of almost 800,000 customers being left online for eight months.

In October 2015, Kmart revealed that it was urgently working to address a privacy breach in which customer data had been stolen during a cyber attack. The customer details taken during the attack included names, email addresses, delivery and billing addresses, phone numbers and product purchase details. Fortunately, no credit card or other payment details had been compromised, as the company used an external gateway for payments and did not store the details internally. A similar breach was reported by retailer David Jones the following day, with the stolen data including names, email and mailing addresses, and order details but no financial information or passwords. Later that year, in November, hackers stole data lodged through online inquiry forms from the Queensland TAFE and Department of Education websites, although the Queensland government said that they were confident the data were not very sensitive and that no financial information had been obtained.

In October last year, the records of 550,000 Australians donating blood to the Red Cross Blood Service were published online. The file included personal details such as the donor’s name, gender, residential and email address, phone number, date of birth, country of birth and blood type. It also included sensitive medical information, like whether someone had engaged in at-risk sexual behaviour in the last year.

Australians have also been caught up in larger data breaches involving multinational corporations. In 2011, personal information of 77 million subscribers to the Sony PlayStation network was stolen, including names, addresses, email addresses, birthdates, usernames, passwords, logins and security questions. Sony revealed that the hack may have even resulted in the theft of credit card information. Following the hack, Sony could not guarantee that credit card data was not involved in the breach, but their Australian division was warning Australian customers to check their credit card accounts for suspicious activity.

There are many more examples I could go through. In fact, in the 2015-16 financial year alone, the Breach Level Index report provides 22 reports of data breaches in Australia involving over four million records. It is no wonder the Abbott-Turnbull government has taken so long to introduce a mandatory data breach notification scheme, when they themselves cannot practise what they preach.

In September last year, a group of academics from the University of Melbourne notified the government that it was possible to figure out provider ID numbers from Medicare Benefits Schedule and Pharmaceutical Benefits Schedule datasets published on the Department of Health’s website. While the government was notified of the issue on 12 September, it took them until the 29th—that is, 17 days later—to admit to the breach. While we welcome the privacy and information commissioner’s decision to investigate the breach, it should be remembered that this is the very same commissioner whose position those opposite had been attempting to abolish for two years. Since the data—now removed from the department’s website—was published, it has been downloaded 1,500 times.

Only a month after this breach, you may recall that we were debating legislation to outsource the management of sensitive health data on the National Cancer Screening Register to Telstra. As I explained during the debate on that bill, the data to be handed over to Telstra included sensitive data such as Medicare numbers, Medicare claims information and cancer-screening test results. I also mentioned during that debate that Telstra themselves have a poor track record when it comes to the security of customers’ information. For example, you only have to look at the two massive data breaches Telstra have had in recent history, which I referred to earlier in this speech and in the speech on the cancer screening bill. Despite industry concerns about the arrangement, the bill passed the parliament, giving effect to the $220 million contract which was secretively awarded to Telstra before the last election.

Another serious data breach involved the personal details of world leaders at the 2014 Brisbane G20 Summit being emailed to an external recipient in early 2015. This breach involved the passport numbers of major world leaders such as the then US President, Barack Obama, and Chinese President Xi Jinping, yet in an embarrassment for the Australian government these world leaders were not immediately notified of the breach. This was a bad record for the department of immigration, which had inadvertently published the personal information of 10,000 asylum seekers in February 2014. This information was made available for 14 days and accessed 123 times. Many of the asylum seekers affected said that the breach had made returning to their home countries even more perilous. The then immigration minister, Mr Morrison, launched an investigation into how the data breach threatened the safety of the asylum seekers if they had returned home. Sadly, however, a court found that the investigation withheld information from asylum seekers critical to arguing their case, ensuring their claims failed. They were not told what the breach entailed or who might have accessed the information, and they were denied a copy of the KPMG report into the breach. So much for open government. The guidelines set down by the Office of the Australian Information Commissioner state:

In general, if a data breach creates a real risk of serious harm to the individual, the affected individuals … should be notified.

Yet the examples I have just given demonstrate a consistent failure by this government to follow this very reasonable guideline. So, not only does the government have a poor track record when it comes to the pace of this important reform; they also have a poor track record when it comes to following the very principles that they seek to impose on others through this bill. If those opposite truly believed in mandatory data breach notification for the private sector then not only should they have acted more quickly on this reform but also they should have set a better example themselves.

The standard they have set when it comes to data breach notification is very, very poor indeed. When I was chair of the parliament’s Joint Select Committee on Cyber-Safety we conducted an inquiry into cybersafety for senior Australians. The report of that inquiry, released in March 2013, made some observations about the issue of mandatory reporting of data breaches. One submission to the inquiry cited 2008 research by the Australian Institute of Criminology that found that only eight per cent of small to medium enterprises reported data breaches, despite security incidents costing those businesses an estimated $600 million. Other research indicated that 73 per cent of small to medium enterprises had experienced at least one data breach in 2010. We also noted in our report research from the Australian Information Security Association that found that security of information is a low budget priority in most industries. The AISA also said:

Any data breach notification scheme should be part of a broader and “more responsive” regulatory approach supporting information security.

It was noted in the report that the Labor government at that time was working on a scheme for mandatory notification of data breaches. This was the work that led to our 2013 bill.

This bill is based on a very sound principle: that a person has a right to know if the security of their personal information has been compromised, whether it is held by a retailer, a financial institution, a telecommunications provider or any other business. Right now, if any Australian has their personal information compromised either accidentally or through hacking, the company that holds the data is under no obligation to inform the victim that that has occurred. There are, thankfully, many companies who make it their policy to do the right thing and notify customers immediately when their personal data has been breached, but it is not compulsory. When customers have their personal information, such as their name, address, date of birth, passwords and even their banking and credit card details, disclosed or accessed without their authorisation, there is no legal obligation for them to know that it has happened.

There are a number of advantages to mandatory notification of data breaches. Mandatory notification allows affected customers to take steps to protect their information. For example, if the breach includes financial information, customers can change bank accounts or cancel their credit cards. If it includes passwords, they can change their passwords. Unfortunately customers cannot readily change other pieces of information, such as their address or date of birth, but at least knowing the information is out there can prepare them and give them the opportunity to discuss their concerns with any institutions that might use that information for identity checking or security. Of course we know about the issues around identity theft, so we need to always bear that in mind.

Mandatory notification also provides companies holding personal information with an incentive to strengthen their data protection measures and to make sure that the breach does not happen in the first place. If a company is compelled by law to notify its customers of a data breach then the risk of reputational damage to the company might make the investment in stronger data security more attractive.

It stands to reason that Labor will support this bill because we have been calling on the government to introduce mandatory data breach notification for over three years. It has been three years in which we have had an Attorney-General who is not interested in protecting the privacy of Australians because he has been a bit distracted. He has been distracted by defending the so-called rights of bigots and those who seek to engage in hate speech, he has been distracted by his ideological attacks on Australia’s arts industry and he has been distracted by his public spats with the Australian Human Rights Commissioner and the Solicitor-General. So it is no wonder, with the storm of controversy that this minister creates for himself, that he is too busy to get on with the job of protecting Australians’ right to privacy. He is too busy to ensure the timely introduction of this important and well-overdue reform. But, after three years of inaction, we do finally have a bill before the Senate and, as overdue as this bill may be, I guess it is a case of better late than never.